By Hans Læssøe
To many risk managers, who have spent years identifying, analysing and mitigating risks, the concept of decision focused risk management may seem very different, daunting or even somewhat scary. However, despite the inherent differences, the change is not as big as it may appear at first.
Yes, there are differences. Let me refer to traditional risk management as execution risk management as opposed to decision focused risk management. In real life, a company will have a balanced approach – and some risk management will have element of both. Hence, it is not either or, but a continuum from one end to another. Some of the differences are:
Beyond these differences, the most important one is that decision focused risk management is made during preparation and before the decision is made, whereas execution risk management is essentially managing risks already taken by the company.
However, to the risk manager, there are also some very significant similarities between the two approaches – which means that there are considerable insights, processes and tools known to the risk manager, which can be leveraged in decision focused risk management.
1. We still have to identify the risks and opportunities – and be sure we do this holistically and hence look at the decision and the direct effects – but also the implications to upstream and downstream as well as supporting processes. Furthermore, we have to look at relevant business conditions and the risks and opportunities emerging from there.
The process and skill and inclination to do this is a trade mark of the good risk manager.
2. We still have to analyse the risk on impact and likelihood. This should (please do) be done by measuring metrics and never asking a manager the irrelevant question of whether this risk is “low, medium or high). Douglas Hubbard has shown in his book How to Measure Anything: Finding the Value of Intangibles in Business that even a weak measurement is more accurate than a biased gut feeling – and gut feelings are always biased.
This analytical capability is also the trade mark of the good risk manager, who can do some analytics alone, but who will also know who to liaise with to get the rest done and get organisational buy-in to results.
Just one final, but important thing – be sure to measure impact in project relevant KPI and/or performance metrics – anything else will derail the approach.
3. We still have to come up with, what do we do about the risks – if anything. Not all risks need active handling, many can be accepted as is, and doing something about these anyway is a waste of resources. This is where the liaison skill and network of the good risk manager comes to play.
Based on this, the key traits of a risk manager also come naturally into play in decision focused risk management – they just do so before the decision and the resources allocation and timing is cast in stone. The approach can ensure achievability of projects and may even lead to raising the bar on some (I have been working with projects, where meeting the target was shown to be such a “walk in the park” that project management and steering committee agreed to reach higher – and the project even exceeded this successfully).
Traditionally, most risk managers keep some register (one or more) of the risks taken. When relating to a specific decision or project/initiative – this is actually ineffective. As risk management must be an integral part of decision making, the direct approach is to collaborate closely with the (often financial) business controller and/or project manager and include/embed the risks into the project planning spreadsheet (trust me, there is ALWAYS some spreadsheet). Leverage your data on risks and opportunities with the business case model and enable Monte Carlo simulation of the outcome.
This way, you can show management the likelihood of meeting targets on whatever parameters have been defined for the project, you can show percentile best/worst cases as well as leveraging tornado diagrams to show remaining key uncertainties. These are all valuable pieces of information to a management who naturally find it irrelevant to see four “red” and 12 “amber” risks.
Dear risk manager – leveraging your skills into decision risk management does put yourself at risk in one way, which is where you need to treat softly. By calculating and showing the risk exposure prior to decision making you are inherently challenging the decision maker, who is used to make decisions without this (and believes he/she has a track record that earned him/her than right). Hence, if you push too hard, you’ll be sent out of the office and not asked again. So – be humble and supporting in your approach. This is in fact the biggest risk you are taking.
So – go do it – leverage your capabilities for the good of your company:
- Find a project/initiative you wish to impact – preferably one where you have a good liaison with the project manager and the project owner (don’t make it harder than you need to).
- Deploy and communicate as described above – give them all the support you can muster.
- Measure the final outcome vs. targets and compare this to the outcome of like projects.
- Look for the next project/initiative and the next, and the next – one day, they will start asking for you as properly risk management projects succeed to a higher degree than others.
About the author
Hans Læssøe is founder and principal of the Denmark-based consulting firm AKTUS, which is a merging of the Danish words “aktiv” and “usikkerhed” (active uncertainty). Before starting his consulting firm in 2017, Hans was responsible for establishing and leading the Strategic and Enterprise Risk Management functions at the LEGO Group. He is an ISO 31000 Certified Professional and Approved Trainer and holds an MSc in Electric Power Engineering. Hans is a prolific writer, speaker, and advisory member of the Strategic Risk Management Development Council for RIMS. He is also author of the book Prepare to Dare: Using risk management to make manoeuvrability your strategic advantage in a volatile world. Learn more about Hans and AKTUS by visiting http://www.aktus.dk.