I feel risk management is on the verge of something interesting, something very exciting at the moment.
For a long time, I naively thought that by doing good risk management all the key stakeholders would be satisfied, but the reality is that different stakeholders want completely different things. There is risk management 1 (RM1) – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks) and risk management 2 (RM2) – risk management for the decision makers inside the company.
In this article, I would argue RM1 and RM2 are totally different.
Note, however, the matrix reference is used quite loosely because it’s not really a choice between RM1 and RM2. Both need to be done, unfortunately, because regulators, banks and most external stakeholders still expect all the wrong things. It is rather a choice about how much time should be allocated to each. My rule of thumb is 10% to RM1 and 90% to RM2, but this is pretty much the opposite of how many businesses operate today. Ironically, they argue that RM1 takes up so much time that no time is left for RM2, even though they supposedly want to do it. This is simply not true.
The best way to illustrate my point is to group common risk management activities into 2 types and show how significant time can be saved on RM1 to be reallocated to RM2.