Enron's auditors praised the quality of its enterprise 'risk management'. Boeing's 737 MAX programme operated within a full 'risk management' framework. Australia's Royal Commission into banking misconduct found that every major bank had 'risk' committees, Chief Risk Officers, comprehensive 'risk' reporting, and assurance processes.

Enron collapsed. 346 people died in two Boeing crashes. The Australian banks had been engaged in systematic unethical and arguably criminal conduct for years.

These organisations did not fail because they lacked 'risk management'. They had all of it. Every register, every matrix, every committee, every report. The paraphernalia was fully assembled and fully useless when it mattered most. The question is why.

How a belief system sustains itself

It has only been in the past few decades, and rather by accident, that certain practices to improve decision-making acquired the label of 'risk management'. Insurers, probably the earliest source of institutional advocacy for improved decision-making, referred to whatever was being insured as 'the risk'. When they advocated practices to make outcomes more predictable, they called it 'risk management'. The label caught on. Legislators, regulators, and consultants adopted it to label their own decision-making 'wisdom'.

The word 'risk' thus acquired so many meanings that the core word of an increasingly popular expression was effectively meaningless. 'Risk management' champions appear to have adopted the same approach as Humpty Dumpty: "When I use a word, it means just what I choose it to mean, neither more nor less."

At the heart of the problem is that it has been the advocates of 'risk management', rather than the organisations and their Deciders at which it is targeted, who have become master.

Despite having no solid foundation or universal meaning, the advocates created a perception that 'risk management' was good and should therefore be adopted. Organisations were encouraged to superimpose a 'risk management framework' comprising various edifices: 'risk committees' of the Board, 'Chief Risk Officer' positions, policies, reporting requirements and so on. The Purpose for establishing this paraphernalia was seldom transparent, explicit, or understood. 'Risk management' thus became not a discipline but a belief system, and belief systems inevitably start with the answer rather than with careful and objective definition of the problem.

The lucrative circle

Four groups sustain this belief system, each with strong self-interest. Insurers need to price premiums. Regulators need to demonstrate oversight. Academics need to publish. Consultants need to bill. Each group has legitimate reasons to study uncertainty. None of them is trying to help a specific executive make a specific decision on a specific timeline.

Whereas good decision-making has always been dependent on good thinking, consultants fostered the fiction, often with evangelical zeal, that mastery of the artificial edifices and jargon of their scheme of 'risk management' was the key to organisational success. The compliance obligation created a further effect that turbocharged the whole arrangement. Organisations were forced to seek 'expert' guidance to avoid penalties for non-compliance. More consulting work preparing for certification. More work certifying. More work helping with remedial actions where the client fell short. While not a virtuous circle, certainly a lucrative one.

Some national stock exchanges included practice of 'risk management' as a necessary condition for listing. The entirely untested belief was that practising 'risk management', in whichever guise, was prima facie evidence of sound management. Enron proved that assumption spectacularly wrong. Its auditors at Arthur Andersen, a firm once widely respected, had been fulsome in their praise of Enron's 'risk management' practices. Both collapsed. The paraphernalia was there. It did nothing except provide the illusion that due diligence had been done, which is worse than having done nothing at all, because at least then the Deciders would have known they still needed to decide.

The register that nobody reads

The 'risk register' is one of the more common and time-consuming pieces of paraphernalia that Deciders are expected to create or consult. These pieces of paper seem to have taken on a life of their own. Organisations generate far too many columns of information, most of which nobody uses. The test is simple: can a normal person read across the page and understand the conversation that took place? In most registers the answer is no, because narrow spreadsheet columns force compromises in both quality and understanding.

The register is created at a point in time, and few if any registers record the prevailing Context, which will inevitably change and invalidate the diagnosis. Last year's register has literal meaning for next year's decisions: very little. Furthermore, the list of 'risks' can only ever be a sample. The practical task of filling out the columns distracts Deciders from achieving sufficient certainty that their decision will deliver the required outcomes.

Context statements, risk treatment plans and control assurance plans are much, much more important and valuable. But regrettably, most organisations do not keep those. They keep the register, because the register is what the auditor checks.

Why it cannot be fixed

The unmistakeable evidence is that most organisations do not even attempt to adopt any type of 'risk management' belief system. Of the relatively few that either buy in or are forced in by regulators, few if any master its intricacies or fundamentally change the way they operate. They might 'talk the walk' but do not in fact 'walk the walk'.

The reasons are not mysterious. The paraphernalia is complicated and unnatural. The first ISO 'risk management' standard contained 29 labels that relate either to ordinary words given a special meaning or to contrived expressions involving the word 'risk'. Even the label 'risk' is so ill-defined as to require five accompanying notes to its own definition, each of which either contradicts or confuses. Much of what comes with 'risk management' is illogical and defies common sense, easily recognised as such by most people. The dichotomy of 'risk and opportunity', for instance, is about as logical as pairing bulldozers with cauliflowers.

At the human level, it can seem that 'risk management' advocates are saying "here is the answer, now fit your problem into that." As a result, 'risk management' does not pass the pub test in the eyes of most Deciders. It hinders rather than helps them to function and so it is either ignored or paid lip service. Despite adoption of some of the trappings, pronouncement of policies, references in the annual report, sporadic use of the jargon, little if any change occurs in the way decisions are actually made.

Any attempt to cross-map the Universal Decision-Making Method with 'risk management' will have no benefit. It will confuse and complicate, and it will have the effect of keeping alive the very thing the organisation is trying to shed. The question was never "how do we manage risk?" The question was always "how do we make better decisions?" Once you see that clearly, the register becomes what it always was: compliance paperwork dressed up as governance.

Roger Estall and I wrote Deciding because nearly five decades of advisory work taught us that the organisations that made the best decisions were not the ones with the most elaborate 'risk management' apparatus. They were the ones whose Deciders actually did the thinking. The Universal Decision-Making Method we developed exists to make that thinking structured, explicit, and defensible, without the millstone.


Grant Purdy is the co-author, with Roger Estall, of Deciding (2020), and the architect of the Universal Decision-Making Method.

If you have a decision you are working through, the Walk can help.