“Every block of stone has a statue inside it and it is the task of the sculptor to discover it.”
Michelangelo felt that defining a beautiful statue was a constant labour of chipping away at the stone that wasn’t ‘David’, for instance. It wasn’t a process that started at the feet and ended at the head. There was structure to his activity but none which could be codified.
Corporate Risk Management is far less artistic but the analogy is nonetheless useful. Risk Management often defies process because it is not an architectural pillar of the business. There is no design in Risk Management. By its very nature it revolves around the constant engagement with the business to define and refine the potential impact of business problems. Risk Management, therefore, is highly iterative but just in the same way that Michelangelo chipped away at the statue, so too does the effective Risk Manager chip away at corporate problems in order to define their true reality.
This lack of process is upsetting to some and indeed unsettling to many Risk Managers. Corporate Services, unnerved by their lack of operational necessity, always feel they have to sit within a process in order to find meaning in their labours, as opposed to defining the value they create in the overall outputs. Risk Management – as part of the Assurance function – needs to justify its intrusion into the business by:
- the costs and time it helps to save,
- the risks it helps to mitigate, and
- the workload it reduces within teams.
and ultimately by doing so in the least obtrusive manner.
As with the sculptor, however, there is process underneath it, but it is often highly specific to the industry and to the level of the role. What is key is that there is a common maturity level in Risk Management, namely:
- Structure. Risks must achieve structure before anything else. They need to be made up of singular statements of atomic risk, i.e. the risks are granular. The statements themselves need to be clear and precise and broken into causation, risk and impact, which together articulate a complete and direct causal chain. The key to remember is that the structure and the granularity of the statement will refine over time as more information is borne out. Risk is fractal: the closer one looks, the more detail becomes apparent. Structural weaknesses giving rise to problems can be traced deeply, internally and externally. Knowing when to stop is often half the art.
- Completeness. The risk statement must also be complete. Like structure, completeness will be a battle. Mitigations will change and develop over the life of the project as will impacts as the resilience of the surrounding architecture develops.
- Quantification. Risks should be quantified, but not all of them can be. It is hard to quantify reputation and relationship risks. However, at the operational, service and technical levels, quantification in terms of time and cost impacts will be vital.
- Traceability. Risks need to be traced. It is self-evident that a risk must have provenance if it is even to be considered. If it cannot be traced, that does not necessarily mean that it won't eventually be a risk, but rather that, currently, all it can be is the feeling of a problem; a legitimate feeling, perhaps, but a feeling nonetheless.
- Utility. Lastly, but most importantly, a risk must be useful, either to the business or to the team. If the risk does not add value then it serves no purpose.
METHODOLOGY v PROCESS
These five points go to the heart of effective Risk Management: it is not process but methodology which drives its effectiveness. Section 3(J) of ISO 31000 clearly sets out that Risk Management is an iterative process. A process, on the other hand, would imply a sequential jump from one completed phase of Risk Management onto the next. According to Deloitte's (Figure 1 below), the third biggest challenge to businesses is in achieving clear and effective risk data, a concern which underscores the need for iterative cycles of assurance right throughout complex projects. Chipping away at risks using the aforementioned approach, therefore, is a useful and highly effective way to achieve assured projects without the need for over-prescriptive and intrusive processes.
“The financial crisis has underscored how insufficient attention to fundamental corporate governance concepts can have devastating effects on an institution and its continued viability. It is clear that many banks did not fully implement these fundamental concepts. The obvious lesson is that banks need to improve their corporate governance practices and supervisors must ensure that sound corporate governance principles are thoroughly and consistently implemented.”
Danièle Nouy, President of the Supervisory Council at the European Central Bank.
Trying to add too much structure is doomed to failure, and being over-prescriptive is counter-productive. Risk does not create value, and so the RM needs consent and co-operation to perform deep, effective risk management, because it is all about gaining the trust and confidence to explore the deepest and darkest spaces of the business. Indeed, the entire Assurance function needs to justify its interference and intervention to make sure that it is not holding up delivery or interfering with operations. This can be extremely uncomfortable and even confrontational.
In large and complex programmes the burden of governance is onerous. Lots of things can go wrong, and statistically they do, and ultimately people are working with, and because of, someone else's money. For that reason project teams need to structure for transparency and be prepared to report the detail and context of their variances. Under such circumstances the process of sculpting risk becomes much easier, and the image of David more obvious.
The organisation should be motivated to maximise its gains, tempered only by a mature, well-developed, empowered and independent assurance function which has the ability to monitor, measure and rein in projects in a precise and appropriate way. This relies on the systems to achieve transparency and the expertise to achieve visibility.
It is impossible to say how effective this approach is, as the more successful Risk Management is, the more likely it is to be seen as unnecessary. The approach, however, is certainly more sustainable. The pendulum swings between over-regulation and laissez-faire operational focus. Rigid structures are always too brittle to survive. The only way to achieve a sensible and sustainable balance is not to clip the wings of the business but to give them strict parameters within which to spread them and fly. As the saying goes:
“You don’t know who’s swimming naked until the tide goes out.”