What constitutes risk management – A senior management’s view

When discussing how to improve the value contributed by risk management, I typically start by asking ‘where do we start?’. At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. Because risk profile, appetite and tolerance differ between organisations, risk management presents itself differently. However, there are 4 fundamental pillars:

  1. Process

Like any value-adding activity, risk management requires a process, and that process entails a purpose, inputs, activities and outputs. According to ISO31000, the activities typically include risk identification, sourcing, assessment, measurement, mitigation and monitoring. The purpose of the process varies from organisation to organisation too: it may be reducing performance variability, preventing incidents or taking more risks to maximise returns.

  2. Integration

Traditionally, as well as in the financial services sector, risk management has focused on protecting the value of assets listed on the company’s balance sheet and the related contractual rights and obligations. Typical risk management methods include insurance, tools for treasury risks, and mitigation of environmental risks such as health and safety concerns. Whilst these forms of risk management served a useful purpose in the past, contemporary risk management serves a higher and better use. The relevance of the risk management process increases when it is integrated with the core management processes that help the organisation achieve its objectives and execute its strategy. The degree of integration again varies, and typically includes core processes such as strategy formulation, business planning, performance management, capital and funding planning, M&A and project management. Effective integration means risk management is embedded into the rhythm of day-to-day business decisions and contributes to establishing competitive advantage and boosting performance.

  3. Culture

Effective risk management requires top-down sponsorship and the consistent application of conducive behaviours. If the reward system is not balanced with shareholder interests, if the board doesn’t question the assumptions and risks taken for a strategy, or if risk management is restricted to compliance or after-the-fact firefighting rather than focused on strategic issues, risk management will not be able to have an impact at the crucial moment. A robust risk culture promotes open communication, knowledge sharing, best practice and continuous improvement; more recently, a focus has been placed on a value-driven commitment to ethical and responsible behaviours.

  4. Infrastructure

Now, given the risk management process, how it is integrated with core business processes and the elements of an organisation’s culture, the focus turns to whether the organisation has what it takes to get the job done – its infrastructure – the policies, procedures, organisational structure, reporting lines, systems and people related to managing risks. If the infrastructure requires improvement, for example a lack of risk management policy, unclear risk appetite, unclear roles and responsibilities, or a lack of risk reporting processes or IT systems (GRC), resources must be diverted to address these areas.

Essentially, these 4 elements are the foundation of an effective risk management framework; they are what senior management and the Board should look for when establishing risk oversight, and what a maturity assessment should examine. Ask some of these questions when you think about your company’s risk management practice:

  • Do we have a process to identify risks related to our strategy?
  • Is our risk management only focused on insurable and financial risks?
  • Are our risk management capabilities coordinated across the company, or do they operate in silos?
  • Do risks materialise primarily because of a lack of risk culture or understanding?
  • Is risk management restricted due to resourcing limitations?

What are your thoughts and your experiences in your organisation?

Change management, Resistance and risk management – a hard lesson learnt


I came across this brief slide – I didn’t hear the presentation first-hand, but the topic itself prompted a great deal of thinking and reflection upon a valuable lesson I learnt recently.

The background

Recently I had a short spell in a tech company that had experienced huge growth and had been doing fantastically well in recent years. It deliberately maintains a startup mentality but aspires to be more mature in its corporate governance aspects – processes, controls, compliance and risk management. Enter me onto the stage – I signed up to a role in a tiny risk management and audit team and saw a great deal of opportunity in implementing risk management from the ground up in a greenfield environment. Without going into much detail, building a risk management framework is no mean feat – it entails tangible deliverables such as risk process, appetite, reporting, roles and responsibilities, and ongoing compliance and maintenance. An effective risk management framework also includes a crucial soft element – a risk-aware culture that permeates the organisation so that people consciously talk about risk and weave risks into their daily business conversations.

Typically and conveniently, implementing the tangible stuff is the way to go. Usually backed by senior management or regulatory compliance requirements, certain things must be in place to discharge senior management’s and the board’s responsibilities. However, without the soft cultural environment, many of these processes, reports and tasks remain a paper exercise or deliver limited business value. That’s one of the reasons risk management is sometimes still perceived as a functional support team and struggles to win a seat at the high-level decision-making round table (again, another hefty topic).

Now back to my experience. Within the first 3 weeks, I had drafted a risk management maturity roadmap with strategic and tactical plan items – the tangible and soft elements. I managed to obtain an in-principle endorsement of it without an agreement on exactly what was to be done. I was then tasked with a number of incumbent ‘risk/audit’ projects – some must-dos and some operationally focused topics that, one might say, were not derived from risk-based planning (that’s a different topic). The only piece of risk-focused work was the business continuity implementation, which deals with disruption and availability risks. I sought to leverage this project, firstly to quickly understand the most critical parts of the business and secondly to promote risk management as a school of thought and get its importance and value-adding capability into people’s minds. I conducted informal and formal interviews and workshops, and always started the conversation with an introduction of who the risk management team is – what we do, how we do it and what value we can add – before launching into a tangible risk topic, which was business continuity. It was a rather exhilarating experience as I put risk ‘on the map’ – interviewing 50-plus mid and senior managers in the space of 2 months.


I was not the Messi of risk management, but I was battling hard, and much of the time I was battling alone. I had passion and desire in abundance and hoped hard work and persistence would overcome every challenge. I was working 10-12 hours a day in the office plus some hours at night. Time flew by, but I felt I was in the zone and making solid progress.

So I think I did…

In hindsight, I neglected an important thing. To put it in an analogy – I was a charged-up and prepared warrior, carrying my swords, and I jumped right onto the battlefield; with my fists clenched and my eyes on the target, I fought a hard battle and, importantly, I made advances according to my war plan and was hitting milestones. However, I forgot to stop between battles, turn around and communicate with my fellow warriors: to report on wins, losses and problems, to ask for reinforcements, to ask for advice, to tell them where I was going and, most crucially, why I was going that way and doing that thing. Well, that’s a bit of an exaggeration; I did, but not enough. I lost sight of my own backyard.


Especially when you are new to a company, what I did was doomed to fail – the odds were against me, and I was going to fight to my death – either being recognised as a warrior who stupidly took up an unwinnable fight on my own and lost, or, most likely, being seen as someone who didn’t plan well, misjudged the problem, failed to come up with the right solution, failed to see the obstacles, failed to communicate and, most importantly, failed to deliver.

I did fail by the way. I am no longer with this company.

When I reflected upon this experience, I could easily have blamed a million other things that didn’t go my way.

  • I didn’t have a manager that understood my mission and my war plan, and failed to support me
  • It was a hard battle that no one had fought before
  • The team failed to see that what I did was planting the seed and that it would take time to yield fruit
  • The team didn’t recognise my efforts, or that I was helping the team
  • I could go on…

But as I look hard at myself and strip it all down, I was leading a change management project – changing the risk culture in this case. Such a project invariably meets a lot of obstacles and resistance – people, entrenched mindsets, existing ways of working, selling the value – the stuff on the battleground. Launching into the battle with a crafted game plan (maturity roadmap), armed with a set of weapons (risk management experience and tools) and a determined mindset can only last you so long. My success also depended on team support, collaboration and communication.

My battle was not lost on the battleground; it was lost in my war room, in my reinforcements and in my support battalion. Like a game of football, Messi alone cannot win a game; he needs his team – a coordinated team, a team with shared belief and vision, and a supportive team. I didn’t have it, and I failed to build one before I went battling.


In any change management project in business or life, resistance is a false proposition – resistance to change doesn’t exist (well said, Richard, even though I don’t know you). In my case, the number one contributor to my failure that I had control over was ‘Communication’. A hard lesson to learn, but a valuable lesson learnt.

#failure, #lessonlearnt, #riskmanagement, #projectmanagement, #communication, #teambuilding