Are old-school risk management approaches such as risk matrices and heatmaps preventing it from being seen as a driver of business performance? Hans Læssøe, principal consultant at AKTUS and former risk manager of The LEGO Group, provides his advice for reinventing risk management.

Change directions

Risk management has, in multiple shapes and forms, been around and explicit for more than a century; and a plethora of approaches has been developed to handle different types of risks throughout organisations.

Even today, most of these are reactive and protective in nature and focus on minimising potential losses from events or developments based on decisions already taken. Direct involvement of risk specialists in strategic or business decision making is rare. Risk managers are seen as needed specialists, but not the ones who drive or even support good business performance.

To some extent, this is the fault of risk managers themselves as too many have been stuck in old-school approaches like:

  • Risk workshops, where they ask executives which risks they should report on, and hence add little or no value of their own
  • Risk matrices/heat-maps which take an absolute approach to each risk rather than accepting any one risk will/can have a range of outcomes
  • Drive risk handling through a compliance mindset, rather than one of delivering business value
  • Rarely look effectively beyond financial risks
  • Fail to effectively address opportunities as well
  • Fail to apply valid risk portfolio prioritisation and consolidation of exposure


This leaves executives with the question, “is my risk management providing real value for money – or should I cut it and focus elsewhere?”.

Companies and organisations are still faced with uncertainties. The complexity and speed of the world is faster than it ever has been before, and hence slower than it ever will be… a change towards a more valuable approach is long overdue, and some companies are beginning to apply this.

Leveraging a quality assurance paradigm

Many risk management functions have been spun off audit, compliance, or finance functions, and hence the paradigm by which these have been designed has matched audit, compliance and finance.

In past articles, I have also used the finance paradigm to explain risk processes and impact. However, it has dawned upon me that it may not be optimal. Instead, I suggest another, well-known functional entity to be used as a frame of reference for risk managers: that of quality assurance.

QA teams focus their attention on “what will we do to ensure the product we deliver meets the specifications defined”. The mindset is one of “everything is possible, it just takes work” and leverages the statement of the 5 Ps “Proper Preparation Prevents Poor Performance”. This is true for business decisions everywhere.

Similarly, the risk functions, hereby rebranded as “success assurance (SA) teams” can focus their attention on “what will we do to ensure this strategy/project/decision meets our aspirations/targets”.

Again, a positive “can do” mindset is applied – at least until analyses show that the defined strategies, resources allocated and actions taken are unlikely to lead to meeting the aspiration defined.

QA teams systematically work to define processes and tools which, given the uncertainties of raw materials and manufacturing conditions (e.g. temperature, humidity), still deliver products which meet quality specifications. Similarly, SA teams should work on defining processes and tools which, with the uncertainties of the future, still deliver results that meet the aspirations and targets defined.

QA teams systematically monitor and leverage insights from past or like situations and developments to ensure decisions and designs are founded on the best possible and factual insight. Similarly, SA teams can leverage information from other/parallel decisions, other industries, and whatever other relevant information is available to ensure decisions and strategies are soundly based … and not, as many are today, founded on gut-feeling and human biases.

Best in class QA teams have for decades been directly involved end-to-end in all steps from product design, through development to manufacture and after sales services to ensure products and processes are designed to provide the specified quality. Please note that:

  • QA does not design products. Product development does that – but QA is supporting and challenging design to drive a “design-for-quality” approach. Many product designs are great from the offset … but preparing these for being manufactured meeting a specified quality level may lead to adjustments of the design here and there.
  • QA does not develop manufacturing equipment, but supports and challenges equipment specifications to drive a “manufacture-for-quality” approach.
  • QA systematically audits/verifies the quality of products, and leverages insights found to fine-tune and adjust processes and tools to ensure products meet quality specifications. They leverage known and systematic processes such as Failure Mode Effect Analytics (FMEA), Fishbone analyses, statistics, etc.

Similarly, SA teams can be involved in all steps from strategy development to implementation, resource allocation and execution as well as after-action-reviews to ensure business results meet defined targets.

  • SA teams should not define strategies, but can support and e.g. deploy scenario sessions to ensure the defined strategies are resilient to changes in a strategic “planning for success” approach. As shown by Xavier Gilbert et al. in their book “Smarter Execution”, most companies have great strategies, but fail to implement these effectively or to adjust them to meet business conditions.
  • SA teams should not do the resource allocation, but may support and challenge decisions based on insights as to e.g. demand or cost structure volatility.
  • SA teams should monitor actual performance vis-à-vis defined targets and leverage insights to provide input on needed/valuable decision adjustments and hence drive meeting targets, despite emerging turmoil and changes. They should be able and ready to leverage systematic analytical approaches such as bow-tie, fishbone, war game, back testing and statistics, etc.

Leveraging this change of paradigm will mean that risk managers become known as “success assurance specialists” – and hence linked to something positive (success) rather than something negative (risk).

QA teams have significant technical insight, and the best do, from time to time, provide active input to enhance the consumer/customer perceived value of a product which can be added at reasonable costs and efforts. Similarly, SA teams must have significant business and strategic insights to, from time to time, provide active input to enhance business performance and leverage opportunities.


What does it take to get there?


For certain, this change is not an overnight – “new title = new job” – change. To succeed in becoming a success assurance manager, the former risk manager must acquire skills not normally found in the risk management community:

  • Statistical and analytical skills … well most risk managers already have acquired these, but now need to deploy these effectively – potentially based on the question “Which data and analytics do I need to provide to explain this uncertainty, and how do I get that”.
  • Business dynamics. Just like the QA specialists know exactly how equipment and processes work, the SA specialist should know how strategies affect business dynamics and performance. Just as the QA specialists can analyse and leverage insights on external factors (like raw material variations) and how they affect product quality, the SA specialist should be able to analyse the effect of external changes (e.g. competitive landscape, business conditions) on business performance.
  • Business system. The QA specialist looks at product quality, at process and material uncertainties, and at which parameters quality is vulnerable to. In parallel, the SA specialist should look at business performance and know which parts of the business system can be highly efficient (and hence somewhat rigid) and which need to be more flexible (and hence effective).
  • Decision processes. Just like the QA specialist knows and understands the manufacturing process, the SA specialist must know and understand the company’s decision processes – including the effect of human biases, company politics etc.
  • Collaborative skills. Where the risk manager often was working within his/her specialist area and was highly focused (read: siloed), the SA specialist needs to collaborate with those making decisions and defining strategies. This matches the QA specialist who is working actively with product development, manufacturing and even vendors to ensure product quality meets specifications with increasing efficiencies.

This may sound like a completely different job – requiring a different employee profile, and sure – in some organisations, it will be exactly that. For others, it will be a unique opportunity for a qualified risk manager to develop his/her job to that of success assurance manager.

Implementing success assurance will also affect the way things are done within the company:

  • Leaders must have and demonstrate a buy-in to new ways of deciding. Here as in so many other situations the tone-from-the-top is pivotal. A former executive I worked for years ago used the phrase “Why should we not do today, what a new management team would do tomorrow” – this helped drive his leadership team to be bolder and more up-front active than they had set out to be.
  • Key decision processes need to be analysed and adjusted – some more than others. For one, targets need to be defined in ranges of “good performance” rather than absolute numbers which will never be (exactly) met anyway. For another, decisions can be set to include actions defined to address specific issues (risks and/or opportunities) as well as monitoring to timely show developments which need a change of action.
  • Heat-maps must be replaced by analytical simulation-based sensitivity charts to show the true vulnerabilities of decisions and highlight issues to address. Strategic and other long-term planning as well as strategies/ plans to move into the “unknown territory” of a new industry or market must be supported by scenario analyses to pinpoint and prioritize issues to address as well as define agile implementation which can accommodate and handle any changes enforced by the changes emerging during implementation.
  • Risk reporting can be substituted with a “success rating” whereby data and insights are used to monitor the likelihood of a strategy/project/decision meeting defined targets.

Each company will have further, individual, points to add. Bear in mind, this will take time to do – which is more a burning platform than a reason not to get started.

How to implement the change

Effectively implementing success assurance is, as stated, not an overnight effort – but in some instances a cultural change within the company. Do not try to eat the elephant all at once – but split the endeavour into a series of steps based on what will bring added value to the company most effectively. Two approaches can be applied, even in parallel.

Process approach, where the focus is on already existing decision processes like resource allocation, investment, project portfolio management or the like.

Have the emerging SA specialist attend and analyse the processes and the material upon which decisions are currently being made. The analysis may be based on “how can we ensure these decisions are successful” and reveal which uncertainties are predominantly affecting performance and what we can do about these to increase the success rate. I recently learned about one industry where more than half of all projects were more than 10% over time/over budget – an obvious platform for improvements. With one such process “under the belt” look for the next, and the next and…


Leader approach, where the focus is on decisions being made by a specific leader like the head of Engineering, Purchasing, R&D or the like. To initiate a positive spiral, start with a manager with considerable decisions to make, and who is prone to accept that there may be better ways to make decisions.

Have the SA specialist liaise with, and support, the leader, and make any and all analyses needed to provide stronger and more fact-based decision material for the decision, and include whatever additional actions may be prudent to embed in the project/decision to increase its success rate. With a good result (hopefully), the leader will be likely to wish to continue using this collaborative approach, and may also advocate this to his/her (leader) colleagues.

Both of the above can be enforced by defined compliance criteria – however, I believe a lot more in the voluntary buy-in to an approach leaders have seen to be valuable than in monitored compliance with less buy-in. I have never met a manager/executive who wholeheartedly supports and complies with a rule he/she does not believe in.

Peter Drucker once stated that “Culture eats strategy for breakfast” – in this context, I believe culture sees compliance as a light snack. Without honest buy-in – no real change.


Changing the description, approach and perception of (the negative) risk management to (the positive) success assurance is by no means a quick fix. However, given the potential value it may bring, it will be worthwhile doing. Companies, as most organisations, are facing constant competition – both from incumbents and from other companies who leverage their technology by disrupting or entering “your” industry and changing the “name of the game”.

Hence, those who make this change from risk management to intelligent risk taking and success assurance first and most effectively will have a competitive advantage over the laggards.

Today’s business environment is not for the traditionalist who holds on to what has “always worked” – and remember that the world will not in the foreseeable future change as slowly as it has done. Risk management becomes a matter of intelligent risk taking, leveraging effective processes and decision tools.