Risk management maturity – moving beyond risk registers?

An interesting article on risk register obsolescence

I recently read this article by Michael Werneburg which was subsequently updated here. The article deals with the evolution of risk management in organisations beyond the use of risk registers into a risk mature organisation. It restates and reiterates a number of points that have been made by Matthew Leitch in the past on his blog Working in Uncertainty. The basic gist of the argument put forward is that risk mature organisations no longer need risk registers or any kind of specific risk management procedure because they have embedded the risk (management) dimension into their daily management practices.

Well, I can tell you that I am torn by that position. On the one hand, I do believe that the authors have a point as far as risk mature organisations are concerned. A well established risk management practice will lead to risk thinking becoming embedded in management’s mind and integrating in management’s agenda.

Risk maturity requires an evolution

However, I do not agree at all with the assumption that is being put forward which states that because this is the case, we can take the training wheels off any organisation, abandoning a formal, procedural approach to risk management and evolve straight into risk maturity without passing through a risk learning process. I think that position is fundamentally wrong. Werneburg describes in his update how risk maturity came about, and while details are limited, it appears the organisation underwent a significant evolution to come to a risk mature structure.

Organisations do not self-mature. People don’t either (not really)

Now, why do I react so vehemently to this type of thinking? I am very much aware that this thinking fits into the self-maturing organisation thinking some management philosophies currently embrace. They imply that if you leave your collaborators alone, they will make mistakes but will learn from them and evolve based on that learning to a mature state.

First, this is an assumption that is based on scant evidence at best. For every maverick like Ricardo Semler that succeeds in implementing such a change in an organisation, there are tens of organisations that fail to appropriately implement this kind of self-rule. If this worked, the banking crisis would have been avoided altogether. However, individuals are often selfish rather than selfless operators.

Gambling with taxpayers’ money

Second, especially in a public sector context, this type of laissez-faire attitude is a gamble with taxpayers’ money. As public sector transparency is already much under scrutiny, consciously risking budgets for a ‘learning experience in risk’ while very hard budget choices need to be made with very real effects on very real people can hardly be considered mature behaviour.

Public sector organisations need their risk training wheels

As far as managing risk exposure is concerned, a lot of public sector organisations still need their risk training wheels. They also need a strong, directive management, especially in light of the significant personnel cuts which are not always in line with the real needs in the different departments.

Establishing a common language by means of a risk model, ensuring that appropriate risk identification is timely and consistently performed and using the risk model as an aggregating structure to bring together solutions that actually work in specific situations is an approach that organisations that have not yet reached risk maturity need.

Falling on their proverbial faces

Any management team that fails to put in place these essential systems and practices cannot expect to escape the confrontation with reality unscathed. They will fall on their proverbial faces. Much to my regret, experience and common sense cannot be transferred through osmosis. It’s not by standing next to greatness or experience that you will become more experienced. Unless someone clearly explains the dynamic of organisations and their management teams auto-magically becoming risk mature without doing the work and the learning, my cynical internal auditor’s heart will have to assume it is not happening.

Trust, but verify

Let us not forget the Russian proverb “doveryai no proveryai”, which translates to English as “trust, but verify”, and which became Ronald Reagan’s signature phrase in US-Soviet Union relations of the mid and late 1980s. A risk-model-based risk management system for a young or maturing organisation, as contained in a written and applied risk management process, combined with a well-functioning internal audit department, provides a decent basis for this verification component. You may trust, but internal audit will make sure it gets verified.