The question of whether “risk wins” or “the business wins” when there is a disagreement between them was an interesting one for me to ponder. My company most often lets the business win, which puts tremendous pressure on the team executing projects to get the thing off the ground even under difficult circumstances because of the amount of risk taken on. The high risk and no margin is exhausting for people, even when the result is still success.
A very timely article for me, thank you. I am currently working with a team, in an industry not particularly well known for a collective view on risk, where I simply couldn't find the correct articulation. Now I see a few bits of the jigsaw I was probably trying to place forcibly, perhaps even incorrectly. This has helped me to a very large extent, so again, thank you.
I'm glad to hear this feedback, it's good to know writing it was worthwhile! If there are other topics you'd like to see me write about, just let me know, you can (Edit since emailing riskmusings at substack isn't working for some reason) reply to any newsletter I email via Substack, and I'll get it.
That's so true about the tone at the top and the signals that are sent about who is rewarded. I remember reading something about the way risk managers were marginalised or sidelined in various banks in the leadup to the 2008 crisis.
I would say this was largely true (but not universally). And my view is that data management capabilities (how quickly and effectively important information can flow to decision makers) can make a big difference - IF decision makers are willing to hear the message. You need: systems and culture that empower people to speak up (the precondition); someone willing to speak up; someone with sufficient power who is willing to listen.
The point about decision-makers being willing to hear the message is an important one. I spent a lot of my career working on ways to work with decision-makers so that they listened to what risk assessments were saying (but also working with risk assessors so that they understood the criteria which decision-makers were using, which I think fits with what you mean about understanding the organisations risk appetite and risk tolerance).
Yeah, exactly! Risk assessors need to measure the right things (or they can muddy the waters), and if the right things are measured, decision-makers will get information about things that matter to them (risk appetite and risk tolerance adherence).
You covered a lot of ground today -- a fun read. My experience in largish complex organizations was risk management was often treated as a necessary evil rather than a strategic benefit. I thought the best organizations created dependency across organizations, spread budgetary allowances and reported to a central organization. In that way, excellent outlier behavior was celebrated and laggards self-identified. It was easier to understand who didn't play nice and fiefdoms could be burned down early. Finally cross-team development introduced the broader organization to best practices and they became obvious. It is always nice when you find out something is getting done better and for less expense somewhere else in the organization. I came to appreciate the organizations that spoke plain language and limited the use of Powerpoint.
You wrote: -> "fiefdoms could be burned down early"
Excellent point! Yes, good communication and reporting lets divisions learn from each other and spread good approaches across the org. But it also lets senior management squelch fiefdoms before they become entrenched. You're absolutely right.
Risk management can be a strategic benefit, but it takes thinking about it differently. We (as individuals) weave risk management into our everyday decisions pretty seamlessly, yet orgs tend to struggle with getting this right. Maximize profit/minimize costs tends to flip risk into the wrong bucket - the cost bucket - when it's an integral part of maximizing profit, if done right.
The question of whether “risk wins” or “the business wins” when there is a disagreement between them was an interesting one for me to ponder. My company most often lets the business win, which puts tremendous pressure on the team executing projects to get the thing off the ground even under difficult circumstances because of the amount of risk taken on. The high risk and no margin is exhausting for people, even when the result is still success.
A very timely article for me, thank you. I am currently working with a team, in an industry not particularly well known for a collective view on risk, where I simply couldn't find the correct articulation. Now I see a few bits of the jigsaw I was probably trying to place forcibly, perhaps even incorrectly. This has helped me to a very large extent, so again, thank you.
I'm glad to hear this feedback, it's good to know writing it was worthwhile! If there are other topics you'd like to see me write about, just let me know, you can (Edit since emailing riskmusings at substack isn't working for some reason) reply to any newsletter I email via Substack, and I'll get it.
That's so true about the tone at the top and the signals that are sent about who is rewarded. I remember reading something about the way risk managers were marginalised or sidelined in various banks in the leadup to the 2008 crisis.
I would say this was largely true (but not universally). And my view is that data management capabilities (how quickly and effectively important information can flow to decision makers) can make a big difference - IF decision makers are willing to hear the message. You need: systems and culture that empower people to speak up (the precondition); someone willing to speak up; someone with sufficient power who is willing to listen.
The point about decision-makers being willing to hear the message is an important one. I spent a lot of my career working on ways to work with decision-makers so that they listened to what risk assessments were saying (but also working with risk assessors so that they understood the criteria which decision-makers were using, which I think fits with what you mean about understanding the organisations risk appetite and risk tolerance).
Yeah, exactly! Risk assessors need to measure the right things (or they can muddy the waters), and if the right things are measured, decision-makers will get information about things that matter to them (risk appetite and risk tolerance adherence).
You covered a lot of ground today -- a fun read. My experience in largish complex organizations was risk management was often treated as a necessary evil rather than a strategic benefit. I thought the best organizations created dependency across organizations, spread budgetary allowances and reported to a central organization. In that way, excellent outlier behavior was celebrated and laggards self-identified. It was easier to understand who didn't play nice and fiefdoms could be burned down early. Finally cross-team development introduced the broader organization to best practices and they became obvious. It is always nice when you find out something is getting done better and for less expense somewhere else in the organization. I came to appreciate the organizations that spoke plain language and limited the use of Powerpoint.
You wrote: -> "fiefdoms could be burned down early"
Excellent point! Yes, good communication and reporting lets divisions learn from each other and spread good approaches across the org. But it also lets senior management squelch fiefdoms before they become entrenched. You're absolutely right.
Risk management can be a strategic benefit, but it takes thinking about it differently. We (as individuals) weave risk management into our everyday decisions pretty seamlessly, yet orgs tend to struggle with getting this right. Maximize profit/minimize costs tends to flip risk into the wrong bucket - the cost bucket - when it's an integral part of maximizing profit, if done right.
Besides it is fun to say fiefdom :)