White Paper #22
THE RISK OF RISK MANAGEMENT
By: Garth Holloway
Tel: +61 (0)2 9451 0707
Last year I published an article on Governance and a number of people wrote to me, critiquing the
article over its failure to adequately include risk as a separate item in the frameworks I was using.
Their point was that while risk management is an integral and mandatory discipline for executive
management and company directors, it is sufficiently important for it to be addressed as an item in
its own right.
I agree with this point of view but am not convinced that risk management is something separate
from the day to day running of the business. To be fair I don’t think the people critiquing my article
intended that risk be separated from the business; rather their view was that it is a specific discipline
and it requires special emphasis in the business. This is particularly true as the operational time
horizon shifts from tactical to strategic for the more senior levels of management in the
organisation. This includes directors.
At the senior levels, the strength of the focus on risk is so strong that risk is frequently governed
through a stand‐alone committee (risk or risk and audit committee) or through a specialised role
such as chief/senior/global risk manager.
The problem is that best practice (of any sort) embraced at senior levels, frequently, does not filter
down to the operational level. And when it comes to risk management this schism remains
unchecked by the advisory community (consultants etc) and tactical risk plans seldom, if ever,
adequately reference the strategic risk frameworks that are used at the senior levels in the
The majority of the tactical risk management plans comprise of the same elements; Identify and
Assess, Evaluate, Manage and Measure.
While the verbs may change from model to model and author to author, the intent remains
consistent between the various models.
The standard approach at the tactical level is to hold workshops to identify and assess and evaluate
the risks facing the business or project. Comprehensive lists of risks are produced.
My view is that these workshops fall foul of the principle that – you don’t know what you don’t know
– and it should be expected that important risks will be missed. This is the risk of risk management.
It is impossible to remove the problem of, you don’t know what you don’t know, but it is possible to
mitigate it if you change where you start, and you don’t start with Identify.
My recommendation is that the preparation of a tactical risk management plan should start with an
articulation of company culture and a reaffirmation of the risk appetite of the business. Risk appetite
can be defined, as the nature and extent of risk a company is willing to take in order to meet its
medium to long term strategic objectives. To have clarity on risk appetite, demands that the
business understand exactly what business it is in and whether the business strategy is aligned to the
business itself. For example, the major food retailers are not really in the business of selling food.
Rather they are in the treasury business. Every day they collect millions in cash deposits and
therefore have no problems with accounts receivable. On the other ‘side’ they pay suppliers slowly.
Their true business is to invest and grow the funds in between.
Confirming there is a common understanding of the company culture is important. The simple
definition of culture is – the way we do things around here and the risk appetite should be aligned to
the culture. Obviously a high risk appetite will not fit a company with a highly conservative culture.
Risk appetite is different to risk tolerance in that risk tolerance defines how much of each risk type
the business will accept. It is the risk parameter for each risk type. Risk tolerance allows the risk
appetite to be broken down into measurable components.
I am not suggesting that the team preparing a tactical risk management plan should start with
redefining the culture in the company. Rather they should make sure that everyone agrees what the
culture is and make sure they fully understand the risk appetite and associated tolerances for the
At the tactical level, the ‘Identify’ activity then becomes an exercise in aligning identified tactical
risks to the short term tolerance levels. This will ensure the tactical risk management plan is aligned
to types and areas of risk the company is willing to embrace as risk tolerance is informed by risk
appetite. It also encourages the completeness of thought around tactical risks. A quick review for
‘widows and orphans’, between the tolerances and the tactical risk plan, should quickly identify
missed or non‐aligned risks.
Using risk tolerance means that you already have the parameters for your risk model. This does not
mean that the parameters at the tactical mirror those of the strategic level, but there should be
some obvious alignment.
From a risk management point of view you are now in a strong position to identify and assess,
evaluate and manage risks.
The manage step can be complex and the title is misleading. A more fitting title would be ‘Protect’ as
in how does the company protect itself against risk. There are three primary defences:
2. Transfer risk – external insurance
3. Reduce it. Operational response
These three choices should be used concurrently. The weighting between each ‘protection’ option is
determined by the risk appetite, the specific risk under consideration and the time horizon
associated with that risk.
By way of example, consider reputational risk. There is little point taking internal or external
insurance against reputational risk as once it manifests you can’t undo it. You can’t un‐sink a cruise
liner or un‐crash a crashed IT server. Insurance money will help pay for the PR campaign required to
rebuild the reputation and other associated costs such as liability payouts or consequential legal
fees. But these are different risks, not reputational risk. When it comes to reputational risk,
prevention is the preferred option. The same applies for employee safety.
The concept of risk prevention is also a misnomer. You do not want to prevent risk as to achieve
anything in business requires a certain amount of risk. To prevent a cruise liner sinking you would
not go to sea. Rather the intent of risk management is to reduce risk in terms of frequency,
likelihood, and consequence. That is, reduce the frequency of having to face the risk, the likelihood
of the risk materialising and the impact to the business should it materialise.
Self‐insure and risk transfer are predominately financial decisions and will not discussed further.
Effective risk reduction comes from using an appropriate risk framework and relating it to the
business processes and to the control points within the processes.
This model extends to reference the process manager and the process owner should these roles be
The importance of relating risk to process cannot be overstated. The definition of risk appetite is ‘the
nature and extent of risk a company is willing to take in order to meet its medium to long term
strategic objectives’. You have to take risks to be in business and the products and services of the
business are delivered through the business processes. Therefore risk and business process can
never be separated.