Risk Management vs Managing Risk
Hello and welcome to this session. What I want to talk about today is doing risk management and managing risk. So many organisations that I go into say, “Yeah, we do risk management,” but the reality is that there is a huge gap between simply doing risk management and managing risk. The difference is this: the organisation that is doing risk management is doing what it needs to do to be compliant, whether that is with a regulation or whether that is with legislation or whether that is with policy. Now we have the Public Governance, Performance and Accountability Act coming in at a federal level. My concern with the PGPA is that agencies are now going to do as much as they need to do to be compliant with the legislation. They will simply be doing risk management, but the difference between doing risk management and managing risk comes with the actual treatment of those risks. It comes with developing the risk culture, it comes with making informed decisions based on the risks that you have identified. It is turning that organisation into one that has a no-blame culture. In those organisations you are managing risk.
If you are managing risk, you will find an improvement in performance, less crisis management, improved reputation in your stakeholder community with your regulators and shareholders, and you will find that staff will be more able to raise these issues, which can be dealt with a lot earlier. Simply doing risk management is a mechanical process, where we go through and do our risk assessments and so forth, and we put them into our risk register and hope that at some point during the year those treatments will be done. But these businesses do nothing to actively promote that: we don’t capture those treatments in our business plan, we don’t allocate resources to them, we don’t allocate a person – someone responsible and accountable for the development of that treatment. Of course, if no one is accountable for it, then of course it’s not going to be done.
The reality is that the move from doing risk management to managing risk is not a big jump in terms of resources and in terms of money, but the results are miles apart. If you move from the doing to the managing you are going to see significant benefits and, if you are a private enterprise, you are going to get competitive advantage. If you are a public organisation or a government organisation you are going to satisfy a lot more of your stakeholders’ expectations, and that can’t be a bad thing, particularly since it’s our money. That’s all I’ve got for this session so, as always, let’s be careful out there.