In my last blog post I reflected (or ranted?) on why business efficiency and governance are often conflated, referencing several tasks which often sit under governance but are actually business efficiency and management tasks (performance management, budgets and operation). In a moment of self-doubt, I asked myself “where does risk sit?” – if governance is often confused with business efficiency, risk is where the distinction really matters.

‘Risk’ in organisational terms can be split into two different functions: risk management and risk oversight.

Risk management

Risk management is the operational function that most of us will be familiar with and focuses on what day-to-day actions could be taken to reduce risk impact and likelihood. This is the role of managers, or sometimes dedicated teams, and involves identifying risk, implementing controls, and monitoring compliance via tools such as risk registers.

In a recent discussion with a senior colleague, we reflected on the consensus view of how risks are identified and managed, which usually leans heavily on quantitative data: statistics and trend analysis. It was during this discussion that my colleague expressed concern that organisations are missing the “navel gazey” part of risk management. This is the abstract part of risk management, the thinking in possibilities: it is quite easy to imagine a scenario where every dashboard shows green, yet the organisation feels uneasy. Without it, we create complacency in risk management, acting only on what the quantitative data suggests and staying stuck in old patterns and ways of thinking. In good risk management, qualitative risk thinking is just as important as the quantitative, because it allows us to see previously hidden vulnerabilities.

Risk management needs to find a balance of qualitative and quantitative thinking, asking not only “what does the data tell us?” but also “how do things feel?”. The future is unknown (the pandemic taught us that), and an organisational culture which already values curiosity and adaptive thinking creates resilience when the really unexpected happens.

Risk oversight

Risk oversight is the governance-level responsibility of ensuring that risk management is effective and aligned with strategic objectives. Risk oversight is usually exercised by boards or committees, rather than by the operational teams who manage the risk. Risk oversight asks “are we managing risks in the right way?” – this is where we also get more of the “navel gazey” work: challenging the assumptions behind how risks are managed within the organisation and asking “what if?”. Risk oversight should hold a holistic view, going beyond financial and operational risks and considering the impact of risk on the reputation and culture of an organisation.

What should ‘risk’ look like in good governance? A big question, but fundamentally good risk oversight and management should be a core part of organisational culture. Risk oversight should not be treated as a compliance tick-box, as it often is; instead it should be so well integrated that a culture of psychological safety is created, so that issues and near-misses are surfaced early without fear. In this way, risk handling is transparent and ethical: organisations are not tempted to hide emerging risks or issues. Effective risk management and oversight signal competence and integrity, both critical elements for sustaining public trust. Using the superhero analogy in the title, risk management is the superhero on the ground fighting the villains – immediate threats and operational challenges. Risk oversight is the strategist in the secret lair making sure the hero has the right tools and the right mission, and safeguarding the hero’s reputation. Ultimately, however, if the public loses trust in the hero, the mission fails no matter how many villains are defeated.
