Blog posted by: Kate Boothroyd, Director, KB Risk Consulting Limited, Director, KB Risk Consulting Limited, September 2023.
Organizations put a lot of effort into the identification, prioritization and measurement of risks. But when it comes to thinking about real controls and ensuring they are actually managing those risks, quite often they are doing nothing more than risk register writing.
It is important to follow best practices such as the responses, the bow tie method and the interconnectedness of risks and controls laid out in M_o_RŪ 4. The alternative is the potential of costs overrunning, projects failing, or worse.
Ticking boxes
Interest in risk management has grown over the years. A board's accountability within an organization means it needs to understand the nature of the risks it faces. But the maturity of some companies remains low, where risk management is seen as a box-ticking exercise and writing a risk register means that the job is done.
This is not risk management. Even if it contains a list of controls or actions, a risk register does nothing to actually manage risks. And this can have a significant impact on an organization's projects. Most notably, they suffer cost or time overruns and problems in quality or functionality. People might think they have managed a risk, but all they have done is identify it, not implemented any action to do something about it.
Overcoming complexity
The complexity of risk management can be off-putting. Many of the risks we see today are interconnected. A risk register is typically a long list, however, and does not show how risks - or the controls that manage them - are connected.
Unable to see this interconnectedness, people tend to think they just have more work to do or more actions to perform. They do not appreciate, for instance, that those actions could be managing several risks, or the most important risk to the organization.
This is where the bow tie method - a visual representation of the causes, the risk and its consequence, and the controls that should be put in place to manage them - can be effective. By putting their controls into a bow tie diagram, people can tell simultaneously whether they are managing causes or consequences and which controls are new and which are existing but might need improvement. Quite often, they realize that they need only two or three of the twenty controls in place; the rest are not actually managing either the causes or the consequences of risk. As such, some risks could be over-controlled; conversely, it is important to understand where risks are under-controlled.
Understanding risks and controls
There is also a need to look closely at the more significant risks an organization faces. This helps people understand those risks, name them properly and, perhaps more importantly, to understand whether they are controlling them.
From a risk perspective, a real control is an activity that takes charge of and modifies a risk. And it is these real controls that are often missing. Organizations will often have risk controls and guidance procedures or policies in place, but are these actually managing the risk? Take COVID, for example. A company may have collected data on which of its employees had tested positive for the virus and it may have issued guidance on what those employees should do. But what were they checking? That people had collected the data and been given training or guidance, or that they were actually using the data and following the guidance? It was only when the latter was done that the spread of the virus was reduced.
Opening up conversations
Risk management should provide assurance at board or senior project team level that risks are being managed effectively. At the same time, if someone cannot achieve their objectives because they do not have the authority to carry out particular controls, it should give them the ability to have a conversation with the management level above them. It allows people to go to the right level of authority within their organization, to ask for permission to spend more time managing the risk or, in certain circumstances, even change the parameters regarding the context or objectives.
It should support decision-making for senior management as well, based on greater understanding and clarity of the risks and reasons behind controls. Again, this is often missed. Even when people write down the controls, it can be little more than a tick-box exercise. The key questions are: What are those controls doing? Are they managing risk? Is there support for them? What's required from senior management and how do they have assurance? Effective risk management, following the best practice outlined in M_o_R 4, can open these conversations up at all levels of an organization.
Guiding framework
Every project in every organization is different. Each must therefore consider how it will make risk management work for itself. M_o_R 4, like ISO 31000, the international standard on risk management, is a series of guidelines. It does not tell practitioners what to do. Rather, the hints, tips, tools and techniques it contains are designed to provide a guiding framework, while requiring some tailoring or customization.
Risk management is so much more than writing a risk register and thinking the job is done. M_o_R 4 is not a box-ticking set of activities - it is guidance on how to implement effective risk management in a way that suits your organization and your projects so that objectives can be met and value can be created, maintained and protected.