
IMHO: Ditch the matrix. Lead with uncertainty

Risk isn’t about what might go wrong – it’s about making the right call when the future is unclear.

By David Nalder, Managing Director, Efficus Limited

20 Nov 2025

I never wanted to be a risk manager. What a miserable profession, I thought. Being accountable (or seen by others as being accountable) for all the problems or potential problems of an organisation.

Spending most days workshopping with reluctant participants, discussing what might go wrong in their functions, compiling ever-growing lists of risks, undertaking pseudo-mathematical likelihood/impact scoring, trying to differentiate between ‘inherent’, ‘residual’ and ‘target’ risk levels and between ‘controls’, ‘mitigations’ and ‘treatments’, all with increasing layers of ‘sophistication’ in applying international standards and ‘best practice’ methodologies. For what? So that the top 10 risks can be plotted on a 5x5 matrix quarterly for ‘noting’ by the board, with risk a standalone item towards the end of the agenda, after the ‘real’ business of the meeting. Grim.

Of course, that is not what risk management is. Unfortunately, it is how it often plays out.

I joke that risk is not a four-letter word. It is in fact just ‘uncertainty’ (or, more precisely, in the ISO 31000 definition, ‘the effect of uncertainty on objectives’). Without uncertainty there would be no opportunity for things to be different (better or worse). That simple reframing and change of language unlocks the true value of risk management.

The real value in risk comes from enabling a consistent and effective way of making decisions with a clear understanding of:

    • Why we exist as an organisation and what matters the most to us (purpose)
    • Who we are accountable to, what they expect from us and what we have promised to do or deliver (priorities)
    • The major areas of uncertainty within our external and internal environment that might affect our purpose and priorities. Uncertainty that could result in upside opportunity if understood and managed well, or threat if not (risk)
    • The level of uncertainty we are prepared to live with (risk appetite)
    • What we are prepared to do to manage this uncertainty (control)
    • How we know this is effective (assurance)

When done well, this does not look like risk management, it looks like good governance.

Surprisingly, not all boards (let alone the wider leadership team) have a simple, clear and consistent view of this ‘golden thread’ or use this to set the board forward work-programme and agenda.

Rather than ‘risk management’ being approached as a distinct discipline, separate from ‘management’, perhaps the answer is to take the word ‘risk’ out and focus on what this is all about: making good, evidence-based and informed decisions in the face of uncertainty, on the things that matter the most for the organisation to be successful.

This is the opportunity in risk. To change the perception, language and ways of working so that risk management is in effect good planning, decision making, resource allocation, operational delivery and organisational performance management.

How to bring this to life
  1. Flip it on its head, i.e. take a top-down approach to uncertainty, tied to the purpose of your organisation and the board’s shared view of what ‘success’ looks like
  2. Substitute the word ‘uncertainty’ for ‘risk’ and remove as much of the jargon and language associated with traditional risk management approaches as possible
  3. Draw out the uncertainty inherent in every board agenda item, discussion and decision

The trick for risk management is for it to be almost invisible, just good governance and management.

Most organisations should have a clear understanding of their purpose and priorities. From this it can be helpful to explicitly draw out an agreed view of the single thing that matters most to the organisation. Once agreed, this is essentially your ‘super-risk’.

For most (all?) organisations, this super-risk tends to be existential, i.e. the extent to which we maintain the trust and confidence of our stakeholders and our continued social licence to operate. Everything else either contributes to it (opportunity) or detracts from it (threat).

Risk management therefore should feel like governance, strategic planning, operational delivery, and reporting – i.e.:

  1. What do we promise, to whom and when (planning)
  2. What are the enablers or barriers to achieving this (opportunities / threats, i.e. risk)
  3. How do we manage this (operating model)
  4. How are we going/how did we go (governance, reporting, assurance)

A few immediate practical ways to focus on the upside / opportunity from risk:

    • One-page dashboard: Have a simple visual way to show the link between purpose, success and the uncertainty related to this. This is in effect your strategic risk profile
    • One-page management plans: For each critical area of uncertainty identified, provide a simple one-page way of understanding it, i.e. the drivers of this uncertainty (causes), why it matters (consequences, including resulting opportunities or threats), and how it is addressed, monitored and assured
    • Confidence/concern rating: Unless there is reliable evidence to support likelihood/probability scoring, don’t do it. Rather, embrace the fact that a risk rating is usually subjective. As a board, consider the level of ‘confidence/concern’ you and the leadership team collectively have that major areas of uncertainty/risk are fully understood and managed appropriately.
    • Opportunity register: Mirror bottom-up risk registers with an opportunity register. It is equally important to track what might go right as well as what might go wrong, with controls in place to help make it happen. Assign an ‘opportunity owner’ and report the top opportunities regularly, with consideration of your ‘opportunity appetite’, i.e. what level of opportunity you are prepared to leave on the table and what you need to act on.

To bring out the opportunity in risk, I encourage boards to consider the uncertainty and opportunity (not just threat) inherent in every agenda item and decision at hand.


David Nalder is a New Zealand governance and risk specialist who serves across multiple public-sector and not-for-profit bodies. He is a Member of the Risk and Assurance Committee for the New Zealand Public Service Commission, a Member of the Risk and Advisory Committee for the Ministry of Business, Innovation and Employment, and a Member of the External Advisory Board for Toitū Te Whenua Land Information New Zealand, as well as serving a handful of not-for-profit entities and NGOs.

Alongside these appointments, he is the Managing Director of Efficus Limited, where he advises organisations on purpose-driven strategy, governance, decision-making, and large-scale transformation. He brings decades of experience from senior roles in both the public and private sectors, including at PwC for over 20 years, where he was a Partner responsible for Risk Assurance nationally.