The Illusion of Risk Management – Siloed Risk Registers Lead Us Astray

Director, Audit & Assurance – MCFD, Government of British Columbia, Canada

“Risk Management is a culture, not a cult. It only works if everyone lives it, not if it’s practiced by a few high priests” – Tom Wilson

If your Audit or Risk Committee approves your risk profile (typically a risk register), all you are doing is directing a debate over, and acknowledgement of, a snapshot taken at a specific point in time, based on historic data converted into often worthless information.

The perceived sole purpose of a risk function in most organizations is to produce the monthly or quarterly risk register with at least three colors – Red, Amber & Green – and maybe some up, down or horizontal arrows: a document that is generally well elaborated and sometimes a carefully crafted cut-and-paste job from different sources. This document then receives various levels of attention in gatherings where executives and senior management spend hours debating the colors, giving and receiving justifications and explanations for a risk snapshot that was taken a month, or even worse, three months ago.

In the end, this picture of the risk register is approved and is framed until the next meeting, as an achievement of corporate collaboration – creating a false sense of security that everything Green is good and sending the officers away with action plans for everything not Green.

In the meantime, out on the battleground of business, the ground soldiers are taking risk decisions totally unaware of the framed picture (of the risk register) and clueless about how the outcomes of their daily decisions will influence the quality of the next picture.

If your Audit or Risk Committee does not get a “real” and “live” view of the risk landscape, discuss its effects on the strategy and goals of the business, and proactively debate the influence of emerging risks and global events on that strategy, then the value of such risk management is questionable. The recent COVID-19 litmus test proved the irrelevance of risk registers: most organizations didn’t even refer to their risk registers while juggling their business strategy to deal with the pandemic.

In reality, risk management involves a complex interplay of dynamic internal and external influences and unpredictable human behavior. Static risk management, with Red-Amber-Green heat-maps driving suboptimal risk reporting, is not enough to sustain today’s dynamic businesses.

The concepts that have not served us well must be replaced, and with them the practice of converting historic data into risk reports that result in hours of unproductive debate on what color the “traffic light” should be.

Change in Risk Culture and Mindset Will Take Us Forward

Risk Culture Building is the way forward where all people must manage risk at all levels. Having a thorough understanding of interdependencies of risks, integration of risk indicators with business process and establishing a 360-degree risk overview of the business priorities will help us find the true north.

The underlying problem is that we are not conditioned and trained to consider multiple viable options while dealing with risks, which ultimately leads to the formation of siloed risk registers.

Let’s talk about how our kids’ learning is structured.

Starting with this problem as an example: At 9 am the Blue Car began a journey from a point, travelling at 40 kmph. At 10 am another Red Car started travelling from the same point at 60 kmph in the same direction as the Blue Car. At what time will the Red Car pass the Blue Car?

What is the answer? Most kids and their teachers would tell you it’s 12 pm (the Blue Car is 40 km ahead when the Red Car starts, and the Red Car closes that gap at 20 kmph, so it takes two hours). Sure… in an academic world. What’s the probability that the Red Car would pass the Blue Car at exactly 12 pm in real life? It’s close to zero: traffic jams, punctured tires, accidents, weather – none of that exists in the academic world.

Our kids are taught that problems have precise, single solutions; every problem in school must have a single correct answer. In the real world, being alive means making decisions under uncertainty. Real life rarely, if ever, has a single correct answer; there are usually multiple good choices and multiple bad choices. A distribution, one might say.
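The car problem above, worked through both ways: the textbook answer and a simple Monte Carlo that perturbs each car’s speed and adds an occasional stop, producing a distribution of crossing times instead of a single 12 pm. This is an added illustration, not part of the original article; the disturbance model (speed factors between 70% and 110% of the posted speed, a 10% chance of a stop averaging 15 minutes) is an assumption chosen to make the point, not data from anywhere.

```python
import random
from statistics import pstdev

# Problem as stated in the article: times are measured in hours after 9 am.
BLUE_SPEED_KMPH = 40.0
RED_SPEED_KMPH = 60.0
BLUE_DEPARTS_H = 0.0   # 9 am
RED_DEPARTS_H = 1.0    # 10 am
NOON_H = 3.0           # 12 pm, the textbook answer


def pass_time_hours(blue_speed, red_speed, blue_dep, red_dep):
    """Hours after 9 am at which Red draws level with Blue, or None if it never overtakes.

    Both cars travel in a straight line from the same point; Blue leaves at blue_dep,
    Red at red_dep. Solving red_speed*(t - red_dep) == blue_speed*(t - blue_dep):
    """
    if red_speed <= blue_speed:
        return None  # Red is not faster, so it can never catch up
    t = (red_speed * red_dep - blue_speed * blue_dep) / (red_speed - blue_speed)
    if t < max(blue_dep, red_dep):
        return None  # Red was already ahead when both were moving; no overtaking happens
    return t


def textbook_pass_time_hours():
    """The academic answer: no traffic, no breakdowns, speeds exactly as posted."""
    return pass_time_hours(BLUE_SPEED_KMPH, RED_SPEED_KMPH, BLUE_DEPARTS_H, RED_DEPARTS_H)


def simulate_one(rng):
    """One 'real life' trial under an assumed (hypothetical) disturbance model."""
    # Traffic: actual average speed is 70%..110% of the posted speed.
    blue_speed = BLUE_SPEED_KMPH * rng.uniform(0.7, 1.1)
    red_speed = RED_SPEED_KMPH * rng.uniform(0.7, 1.1)
    # Breakdowns: 10% chance of a stop before setting off, mean 15 minutes (modelled as a late start).
    blue_stop = rng.expovariate(4.0) if rng.random() < 0.10 else 0.0
    red_stop = rng.expovariate(4.0) if rng.random() < 0.10 else 0.0
    return pass_time_hours(blue_speed, red_speed,
                           BLUE_DEPARTS_H + blue_stop, RED_DEPARTS_H + red_stop)


def simulate(trials=10_000, seed=1, window_minutes=1.0):
    """Run many trials and summarise the distribution of crossing times."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    times = []
    never = 0
    for _ in range(trials):
        t = simulate_one(rng)
        if t is None:
            never += 1
        else:
            times.append(t)
    window_h = window_minutes / 60.0
    near_noon = sum(1 for t in times if abs(t - NOON_H) <= window_h)
    return {
        "trials": trials,
        "never_passes_fraction": never / trials,
        "within_window_of_noon_fraction": near_noon / trials,
        "spread_hours": pstdev(times) if len(times) > 1 else 0.0,
        "earliest_hours": min(times) if times else None,
        "latest_hours": max(times) if times else None,
    }


if __name__ == "__main__":
    print("textbook answer (hours after 9 am):", textbook_pass_time_hours())
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The textbook function returns 3.0 (noon); the simulation shows how small the probability of passing within a minute of noon is once ordinary disturbances are allowed, and that some trials never produce a pass at all. The shape of the answer is a distribution, which is the point the paragraph makes.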

Every real-life decision is a tradeoff between risks and rewards. Uncertainty needs to be appreciated, not ignored, and we must apply this mindset to real business situations.

Real-time Risk Assurance

Another way of getting out of the static risk management regime is to move towards “Real-time Risk Assurance”.

I will share another example where Real-time Risk Assurance made a huge difference.

A few years ago, I heard the story of a physician at Vanderbilt University Medical Center whose wife was undergoing surgery. During the wife’s time in hospital, the physician noticed many employees caring for her were not consistently washing their hands. He observed 60 instances where a lack of hand washing could have spread communicable diseases and threatened the quality of patient care. He took the problem back to the staff and worked with many different stakeholders to explore how hand washing could become an area of compliance. The team developed a way to observe, monitor, and capture hand-washing data. They learned that staff members were only following the current medical policy 58% of the time. So, they created training and communication initiatives, and developed accountability assessments for individual departments.

Three years after this program began, hand-washing compliance at Vanderbilt had increased from 58% to 97%. That’s a fantastic improvement, but the outcomes were even more impressive: hospital-contracted diseases, such as urinary tract infections from catheters and pneumonia acquired from ventilators, had dropped by 33% and 61%, respectively. In this case, real-time risk assurance had a material impact on the organization. I love this story, because it opens a new world of thinking (and opportunity) for internal audit and risk professionals; it challenges us to find risk areas and address them in real time.

We need to create value by re-imagining how we approach business issues and provide mitigations. This angle of re-imagining the problems and their solutions can open a whole new horizon of opportunities for being a valuable resource and becoming a trusted advisor.

Too often we are looking to implement a model, while we should be focused on shifting a mindset.