Risk management is a mental process, not a technical one of data gathering, evaluation and reporting. Those who do nothing will just be exploited by those who constantly change and improve. So, swap tradition for a four-tiered ‘radical’ risk management process, writes Horst Simon of Risk Culture Builder.

If you are still trying to identify all the risks you are exposed to within the context of your business, or spending endless hours converting historic data into useless risk reports in an effort to mitigate as much risk as possible for a green light on the road to taking less risk (for less reward), or spending a fortune on controls and the digging of trenches for your lines of “defence”… Fear no more!

The ‘radical’ risk management process is here and the future is bright for those who choose to go through the disruption of dumping outdated thinking, concepts, models and processes. These are things like the risk management “process”, based on the assumption that it is possible to identify all the risks you are exposed to and then follow a dedicated process of mitigating all those risks, as well as ideas like “green is good” and the 3, 4 or, even worse, 5 “lines of defence”.

The management of risk is a mental process, not a technical process of data gathering, evaluation and reporting at consistent intervals, with an expectation of a different outcome; or even “improvement.” Those who do nothing will just be exploited by those who change and get better at the management of risk.

This radical process involves only four components:

  1. Situational awareness
  2. Mental simulation
  3. Naturalistic decision-making
  4. Response execution

These are built around key elements of an effective risk culture, namely:

  • Risk Intelligence gathered from everywhere (not just last quarter’s outdated risk report),
  • A risk nervous system through which this information can flow everywhere in the business (not a process of sanctification where reporting gets better the higher it goes)
  • Competencies and skills – all employees having the competencies and skills to manage the risks associated with their jobs daily to ultimately build sustainable competitive advantage for the organisation (no levels of assurance, squadrons of policemen or lines of defence, there is nothing to defend against).

In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions daily.

In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimise risks to make informed decisions and build sustainable competitive advantage for the organisation.

Success depends on the levels of accountability you drive in your organisation and the time and effort you put into building an effective risk culture. Do not even attempt this if you are going to keep a process of making risk decisions in committees where these decisions are “syndicated” without anybody taking any accountability. That will not work in the radical risk management process!

There is also no need to employ consultants to help you with this. I could never anyway understand why organisations would pay “outsiders” to come in and gather ideas from their staff and convert these into PowerPoint presentations that they sell back to the organisation.

There is no blueprint of one-size-fits-all in the radical risk management process. You have to build the unique process in your organisation, based on the underlying corporate culture and organisational structure and focus on driving both the behaviours you want to encourage and the behaviours you want to avoid.

You need to take each of the four components and develop these within the context of your business strategy, goals and objectives. If a risk will not prevent you from reaching your business goals, don’t worry about it; you can never identify all the risks you are exposed to. The key factor is how your employees will respond to a situation of risk in “real-time”. Business is not a game, and basing business decisions on last quarter’s risk report is not such a good idea in real life. There is no reset button!

Let us briefly look at the four components:

  1. Situational awareness “is the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future”, as defined in Endsley’s model of SA.
  2. Mental simulation is our mind’s ability to imagine taking a specific action and simulating the probable result before acting. Anticipating the results of our actions improves our ability to solve new problems. Mental simulation relies on our memory, learned via perception and experience. (Josh Kaufman, The Personal MBA)
  3. Naturalistic decision-making. The naturalistic decision-making (NDM) framework emerged as a means of studying how people make decisions and perform cognitively complex functions in demanding, real-world situations. These include situations marked by limited time, uncertainty, high stakes, team and organizational constraints, unstable conditions, and varying amounts of experience (Wikipedia). Every business in today’s marketplace operates under these conditions and practicing this based on last month’s risk report can be futile.
  4. Response execution. Once these steps are complete and a response has been selected, the response, or action, must be executed. Correct and effective execution requires smooth and timely co-ordination to achieve the desired result of optimising the risk to get maximum benefit for the organisation. The availability of resources also affects a response and inadequate attention results in ineffective execution.

That is it! You have to research each of these four components and apply your learning to your organisation to build a radical risk management process in your organisation. With no blueprint, there is nothing to “implement” and there is also no standard. Hopefully somebody will not try to create a standard for radical risk management and a whole industry of 3-day certification courses to try and certify radical risk management practitioners.

The way forward: You can take the concept and go forward at your own pace and own target, as long as you use the process in the outlined graphic with due reference. Alternatively, you can steal the concept and develop it further for your own commercial gain, but “chickens always come home”.