It is sometimes tempting to respond to a risk or an incident with a knee-jerk reaction, throwing time, money and effort at a quick fix. That’s entirely understandable, given that our risk management decision-making evolved from a fight or flight response. As Daniel Kahneman says in his latest book, "Thinking, Fast and Slow", we have two risk management decision-making processes. Our ancient limbic brain is largely unconscious and it makes rapid decisions based on memory and emotions. Our more recently developed mammalian brain (neocortex) has the capacity for detailed analysis, abstract thought and logical inquiry. Unfortunately, our logical brain is easily distracted, painfully slow and hard to engage, while our limbic brain is (in today’s modern world) wrong as often as it is right.
So, as it turns out, despite millions of years of evolution, we still make the majority of our risk management decisions in the emotional center of our brains. This was fine when we lived in small Paleolithic communities, but the complexity of the modern world means we need better approaches to decision making. Fortunately, we do have the capacity for analysis, and with hundreds of years of research in science, finance and engineering, to name but a few, we have a pool of knowledge to draw on.
Until recently, when the ISO 31000 Risk Management Standard defined risk as “the effect of uncertainty on objectives”, risk management focused on negative risks. In this scenario, risk was bad, and had to be avoided, mitigated or transferred to another party through outsourcing or purchasing insurance. This led to risks being addressed as separate compliance issues and not integrated or managed broadly across the organization. Only comparatively recently has the role of Chief Risk Officer been created with the main focus (as it needs to be) on business integration, enterprise risk management and value creation.
Effective implementation of risk management in organizations and projects is not common. Organizations that have tried to integrate risk management into their business processes have reported differing degrees of success, and some have given up the attempt without achieving the potential benefits. Aligning risk management with standard management systems including financial systems, workplace health and safety (WHS) and human resources is a key element of success in this area. Existing platforms such as ISO 9000 Quality Management and Balanced Scorecards also help to demonstrate alignment with the business and are a key element of the process.
Linking business management to strategic risk management means setting up the corporate "infrastructure" for risk management. The evolving risk management function is designed to enhance understanding and communication of risk issues internally, to provide clear direction and demonstrate senior management support. To be effective, this risk management framework needs to be aligned with the organization’s overall objectives, corporate focus, strategic direction, operating practices and internal culture. Additionally, in order to ensure risk management is a consideration in priority setting and budget allocation, it needs to be integrated within existing governance and decision-making structures at the operational and strategic levels.