Why risk management is not about managing risks

I find it most bizarre that we seem to have created this myth that risk management is about managing risks. This is not the case. Risk management is not an objective in itself. It’s just another management tool to help make better decisions and achieve objectives. There is a big difference between how mature organisations implement risk management and the rest.

Mature organisations do risk analysis when a decision is made, using whatever risk analysis methodology is appropriate for that particular type of decision. The rest do risk management when it’s time to do risk management, be it annually, quarterly or some other regular interval.

Unless our methodologies, approaches and tools allow risks to be analysed at any moment during the day, when an important decision is being made or at every milestone within the core business processes, we are unlikely to get management’s attention. This was a big challenge for me personally and to overcome the challenges I recommend the following:

• Integrate risk analysis into significant strategic, operational or investment decisions.
• Create a methodology that allows management to identify, analyse and document key risks associated with the decision. Make sure the outcomes of the risk analysis have a direct impact on the decision structure or content, otherwise it makes no sense for management to do the risk analysis.
• Provide risk management training and support.
• Create a separate methodology to validate the results of the risk analysis prepared by the management using the information provided by finance, legal, strategy, internal audit and security departments.