There’s a subtle idea around risk management that I’ve come to understand, and which Norman Marks repeats often: “It’s not about managing risk. It’s about managing the organization for success!”
I say it’s subtle because I occasionally get it wrong, and it seems well-known organisations do, too, which is what Norman is complaining about in that post—in that case it’s EY.
When we remember, we (hopefully) say the reason we’re “managing risk” is to help the organisation succeed. But what’s the tangible difference between just managing risk and helping the business succeed through our risk management work?
I think Norman helps answer this question later in his piece (which is centred on cyber risk), when he says:
There will be times when the board should tell management to take the cyber risk because the monies it would take to reduce cyber risk further are better spent elsewhere, such as on new product development.
In other words, no kind of risk (cyber, product, financial, etc) can be worked on entirely in isolation, and we need to be able to choose to “take more risk” or “take a risk” because of an upside which benefits an entirely different part of the business. By always working just on cyber risk in one meeting, then just on financial risk in another meeting, etc, we would be unable to make effective decisions that cut across the organisation. This reminds me why I also argued against risk appetites (plural).
Risk management is a phrase which we’ll probably never escape. But the real work is not about managing risk, it’s about working successfully in the face of uncertainty. (Which I suspect is why Matthew Leitch named his site as he did…)