In his book Decision Making: Risk Management, Systems Thinking and Situation Awareness, Dr Alan McLucas introduces the concept of the Risk Management Paradox:
“The task of managing risks effectively is confounded by a classical paradox. That is, if risks are being effectively managed as a matter of routine, there will be very few surprises. Nobody becomes aware of just how effective careful risk-management actions have proven to be. Nobody slaps the manager on the back and congratulates them for a job exceedingly well done. In stark contrast, however, if risks are managed poorly, the whole world lines up to say so.”
This paradox provides two critical insights. The first, and most obvious, is that being a Risk Manager in an organisation is a thankless task: one that rarely draws praise, yet Risk Managers are the first to be put under scrutiny when outcomes are not as planned. The second insight is that organisations are not adept at measuring the outcomes of risk management and the value it is adding to the organisation.
The task of measuring the benefits risk management brings to an organisation is a challenging one. To overcome this challenge, the measurement of risk management performance needs to consider a wide range of factors. Measurement can be divided into three distinct categories:
- Compliance. This measures whether the organisation is complying with its own risk management policy directives.
- Maturity. This measures the maturity of the risk management program within the organisation against industry best practice.
- Value Add. This measures the extent to which risk management is contributing to the achievement of the organisation’s objectives and outcomes.
COMPLIANCE
Like all programs within an organisation, the risk management program should be subject to compliance auditing. This auditing is aimed at ensuring that the fundamental requirements detailed in the organisation’s Risk Management Policy are being adhered to.
For some organisations, the measurement of compliance with the risk management policy is the only measurement that occurs. Simply restricting the measurement of the risk management program’s performance to compliance against the policy, however, is fundamentally flawed.
Note, however, that it is entirely conceivable for an organisation to have 100% compliance against all of the risk management policy requirements and yet for its risk management to be contributing nothing to the achievement of effective outcomes.
MATURITY ASSESSMENT
One of the first steps involved in establishing a risk management framework for any organisation is to evaluate existing management processes and systems. The most effective means of understanding the current status of the risk management processes within an organisation is through the conduct of a risk maturity assessment.
Organisations should strive to improve their risk maturity over time.
Whilst measuring compliance and the maturity of the risk management program are absolutely critical, what is not being captured by the majority of organisations is the contribution risk management is making to the achievement of the organisation’s objectives.
The irony is that metrics that are currently being measured by organisations to indicate performance can provide an insight into the contribution risk management is making.
If an organisation continues to improve its risk maturity over time then it follows that the performance against these metrics will also improve. Whilst it is by no means a linear relationship, improved risk maturity will result in improved performance.
The following series of diagrams give an indicator of what this may look like:
What these diagrams demonstrate in practical terms is that every time the organisation benchmarks its risk maturity, it also needs to benchmark its performance measures.
It needs to be recognised, however, that this is not an exact science, and as such a direct relationship cannot be proven, but it does provide an excellent indication of a correlation between improved risk management and improved performance.
When it comes to measuring the outcomes of risk management this is the best you can hope for.
(C) Rod Farrar. Used with permission.
Bio:
If you have any burning questions on risk management, Rod Farrar is always ready for a friendly chat. Contact him at rod@paladinrisk.com.au or 0400 666 142.