Risk is something most organizations get wrong.
Part of the problem is caused by how the modern discipline of risk management evolved from independent roots in the worlds of insurance and banking, of science and engineering, and of economics. Another part of the problem is how boards manage risk.
The term “risk management” was introduced by Russell Gallagher in the Harvard Business Review in 1956, one year after the title “risk manager” was proposed as a name for those who had until then been called insurance buyers or insurance managers. This link to insurance resulted in risk being understood to be financial risk, which diminished the importance of managing risk – pushing it down into a silo and, worse, tending to make it the responsibility of the finance department, even though managing it requires different competencies.
Financial scandals in the 1980s and 90s caused a compliance focus to evolve, firmly anchoring risk under the umbrella of finance and accounting. When it made the radar of senior executives, they wanted easy ways to digest information without needing to delve into quantitative details, and so, with help from consultants, the simplest possible approaches to thinking about and communicating risk became popular, even though they were flawed. The emphasis on audits and compliance grew, and the likelihood of organizations adopting a holistic approach, integrated with governance, diminished.
In most organizations risk remains poorly understood and poorly managed. One reason for this (propagated by ISO 31000) dates back to a 1921 book by economist Frank Knight – the mistaken view that risk is exposure to uncertain outcomes, including positive ones. Risk is exposure to loss or harm. A potential positive outcome is not a risk but an opportunity. Defining risk to include opportunities makes as much sense as defining “right” to be “left.” However, a bigger problem than this is how most organizations calculate and communicate risk using a combination of qualitative, ordinal rating scales and risk matrices. Both of these introduce errors that can result in sub-optimal or even detrimental decisions.
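The errors that ordinal scales and risk matrices introduce can be made concrete. The following Python is an added illustration, not part of the original essay; the 5-point scales, the bucket boundaries and the three-item risk register are all constructed for the example. It shows two risks landing in the same matrix cell despite a large gap in expected loss (range compression) and the matrix ranking one risk above another whose expected loss is far larger (rank reversal).

```python
"""Two ways an ordinal risk matrix misleads: range compression (risks with very
different expected loss share a cell) and rank reversal (the matrix orders two
risks opposite to their expected loss). Scales and risks are constructed."""
from itertools import combinations

# Constructed 5-point scales: upper bound of buckets 1..4; above the last is 5.
LIKELIHOOD_EDGES = (0.01, 0.10, 0.30, 0.70)              # annual probability
IMPACT_EDGES = (10_000, 100_000, 1_000_000, 10_000_000)  # loss per occurrence

def bucket(value, edges):
    """Map a quantitative value onto its 1-based ordinal bucket."""
    for rank, upper in enumerate(edges, start=1):
        if value <= upper:
            return rank
    return len(edges) + 1

def matrix_score(prob, loss):
    """Likelihood x impact cell score, 1..25 on a 5x5 matrix."""
    return bucket(prob, LIKELIHOOD_EDGES) * bucket(loss, IMPACT_EDGES)

def expected_loss(prob, loss):
    """Annualised expected loss, the quantity the matrix stands in for."""
    return prob * loss

def rank_reversals(risks):
    """Pairs (x, y) where the matrix scores x strictly above y although y has
    the strictly larger expected loss."""
    out = []
    for (nx, px, lx), (ny, py, ly) in combinations(risks, 2):
        mx, my = matrix_score(px, lx), matrix_score(py, ly)
        ex, ey = expected_loss(px, lx), expected_loss(py, ly)
        if mx > my and ex < ey:
            out.append((nx, ny))
        elif my > mx and ey < ex:
            out.append((ny, nx))
    return out

# Constructed register: (name, annual probability, loss if the event occurs).
SAMPLE_RISKS = [
    ("A", 0.11, 110_000),    # e.g. a credential-phishing incident
    ("B", 0.09, 9_900_000),  # e.g. a ransomware outage
    ("C", 0.29, 990_000),    # e.g. a data exposure from misconfiguration
]

if __name__ == "__main__":
    # A and C share cell 9 although C's expected loss is about 24x A's;
    # B has the largest expected loss of all yet scores lowest (8).
    for name, p, loss in SAMPLE_RISKS:
        print(name, matrix_score(p, loss), round(expected_loss(p, loss)))
    print(rank_reversals(SAMPLE_RISKS))  # [('A', 'B'), ('C', 'B')]
```

Any monotone cell scoring (sum, product, colour bands) has the same weakness, because the buckets discard the within-bucket magnitudes that drive expected loss.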
The largest problem of all is that organizations tend to think managing risk is the job of risk management, a function which, as mentioned, sits in a silo somewhere. Risk would be more suitably managed at board level or, better still, appropriately distributed across the organization.
In excellent organizations, the management of risk is an integral part of decision making and the day-to-day management and governance of the organization. It is proactive rather than reactive (simply responding to yesterday’s problems), understands what risks to take, and is just part of the way the organization does business.