If Risk Management is to survive/thrive as a formal management discipline in 2017 and onwards, then…

Happy New Year All! As is traditional at this time of year I have found myself reflecting on both my personal growth as a Complex-Risk Specialist as well as the state of my working world in order to assess what needs improvement in 2017.

In so doing, I couldn’t help but notice that the last three or so years have been particularly trying for those of us invested in the art of Risk Management, especially within the heavy industries; natural resources, engineering, construction, energy, infrastructure and such. As a result, I find myself wondering whether Risk Management is battling to survive/thrive as a formal management discipline in the modern era and what we (the invested Risk Community) should be doing to improve our discipline.

There is no doubt, that our working world has evolved exponentially over the last decade and I fear that during this evolution many of the traditionally accepted Risk Management methodologies have failed to keep up with the demands of a world that is now significantly more complex, dynamic, interconnected, informed and disruptive than any other era in history.

This in turn got me thinking, if I could make a set of New Year’s Resolutions that would help me to improve the way we (the invested Risk Community) view and practice Risk Management in 2017 and onwards, what would it be?

Some context as to the current reality

Since early 2014, the global natural resources’ industry has suffered perhaps the largest economic depression in this generation as oil, gas, coal, iron ore and most base metal prices have tumbled to record lows and then stayed there for almost 3 years. Those invested in these industries have seen their discretionary spend came to an abrupt halt and many organisations have since gone into severe cost cutting mode in an effort to “right size”. As one major player stated in a recent investor report; “in 2014 it was all about right sizing, then in 2015 it was all about cost cutting but by 2016 it became just about surviving”.

As a result of this industry upheaval I have seen many organisations radically downsize their Risk capability in an apparent attempt to eliminate “non-critical” overheads. At least two separate multi-billion dollar organisations practically dissolved their Risk Management functions and absorbed their limited Risk efforts into other organisational disciplines. Many of my peers and colleagues working within the world of Risk have either lost their jobs outright or become increasingly nervous as to the sustainability of their employment. Those that have been fortunate to keep working now face significant heat within their retrospective organisations whereby they have to justify their existence on an almost daily basis.

Also, I have seen many of the professional service firms that provide Risk Services and Consulting expertise to these industries go through tremendous turbulence. Most appear to have now morphed into providing low margin compliance and audit services rather than high end Strategic Risk Services as these appear to be the only high volume Risk Services in demand right now. I notice that many people who sold themselves as Risk Specialists during the boom years have diversified their resumes in an attempt to market themselves in other areas due to the lower demand for their support.

Risk in crisis?

I fear that Enterprise-wide Risk Management has lost its shine since the years immediately preceding the 2001 Enron Scandal and the 2008 Financial Crisis. In many ways these where the glory years for Risk Managers as our art become more mainstream and front of mind. Organisations took Risk Management more seriously and the investment into the discipline was positive and growing.

But by late 2016 many historically strong organisations were now struggling and in turn; questioning why their noticeable investment in Enterprise Risk Management during the Boom years had not helped them proactively mitigate against the negative impacts of the upcoming Depressive years. A fair question, after all hadn’t Enterprise Risk Management advertised itself for all those years before as being critical to organisational success by helping to proactively mitigate against the harmful affects of uncertainty on objectives?

Historically, Risk has always been the “poor cousin” to strategy and operations and has rarely been given the same respect and resources as other management disciplines such as finance, operations, procurement and the like. However, the noticeable reduction in investment in the discipline over the past 3 years across many leading organisations and industries suggests that the discipline may actually currently be in crisis?

Case in Point – consider the following industry indicators as to the current state of Enterprise-wide Risk Management;

  • In mid-2014 a $35 billion, global gas organisation based in Europe “right sized” their entire in house Enterprise Risk Management capability down to only two internal auditors. Although this particular reduction was extreme it was not an isolated incident within the sector. An informal survey of Risk Management role reductions during the 2014-2016 period saw full time equivalent resources(FTE’s) reduce by between 30% and 90% across nine leading organisations in the broader natural resources sector. This FTE reduction rate was grossly disproportional to the reductions experienced in other management disciplines during the same period. If Risk Management is indeed so critical to organisational success why do organisations feel comfortable reducing their Risk capability in times of trouble?
  • During 2015/16 a number of the World’s Mega-projects worth in excess of $20 billion were observed as operating without a specifically dedicated (and suitably qualified) Project Risk Function? If Risk Management is indeed so critical to project delivery success, then why do so many Mega-project investors feel comfortable proceeding without a Project Risk capability that reflects the degree of investment at risk?
  • In mid-late 2015 a major infrastructure PMO in the Australian public sector advertised for Industry Risk Specialists who could provide deep expertise across a broad portfolio of major projects within a vendor panel arrangement. Of the 280 individual “Specialist Risk” resumes received during the tender period, only five applicants had earned themselves tertiary qualifications in Risk Management (Diploma, Bachelor’s Degree, Masters, PHD etc.). I find this ratio alarming as it implies that only 1 in 50 people operating as a Risk Specialist is academically qualified in the Science of Risk Management. If Risk Management is indeed such a critical specialist discipline, then why are there so few practising Risk Professionals who have actually studied Risk at an advanced level? Such a low rate of study surely devalues the currency of Risk by implying that the discipline is not sophisticated enough to require formal study. It also suggests that a low grade of empirical rigour underpins the practices accepted within the field and questions the quality of the knowledge base which defines the discipline.

From the above it is clear there are some significant challenges in the manner in which Risk is perceived and practised within industry. My personal experience over the past three years has been that organisations are now more likely to be questioning the value and return of their investment in Risk Management than embracing it as a crucial enabler of success. Again, you can argue it any way you want but the number of Risk based FTE job losses and lower employment opportunities are formidable indicators supporting this point!

Who is to blame?

Now it would be easy to blame these organisations divesting from Risk and call them immature or state that they simply don’t get the value of Risk Management but I don’t believe such stock standard criticism is good enough anymore. Organisations have never had a problem in investing in things that offer tangible returns and if they are indeed divesting from the Risk Management discipline then clearly they feel they are not getting their money’s worth – simple as!

How much confidence can we seriously expect industry to put in Risk Management when only 1 in 50 of its practising officers have actually completed formal studies in the Science of Risk? Consider how little confidence we would have in the Medical Industry if only 1 in 50 of its practising Doctors had completed their studies in medicine or the aviation industry if only 1 in 50 Pilots had actually studied the laws of aerodynamics?

There comes a point when those of us who are appointed to promote the art of Risk Management within these organisations need to start taking responsibility for our role in allowing this apparent divestment to happen. If organisations are struggling to see the value in Risk Management then whose fault is that – those who buy the services (them) or those who sell the services (us)?

To this end, I have lost faith in many of the traditional Risk Management methods as I feel they have been ineffective in addressing the complex challenges which global business are currently experiencing nor have these methodologies done much to secure the employment of those who have studied and endorsed them. I believe that many of the industry accepted, “Brand Name” Risk Management methodologies have failed to keep up with the evolution of the Modern, Global Risk Context and many are teaching risk control principles which are rapidly becoming obsolete in a world that is highly dynamic, complex and unpredictable.

I now more than ever believe that radical, possibly even disruptive, changes are required in the way organisations embrace and enable Enterprise-wide Risk Management if Risk is to survive/thrive as a formal management discipline in future years. Advanced Risk situations require advanced Risk thinking!

More to the point, I believe that if the art of Risk Management is to survive as a formal management discipline in 2017 and onwards, then…

  1. Appointed Risk Officers need to start demonstrating themselves to be “Risk Leaders” rather than just mere “Risk Administrators”. In my opinion far too many appointed Risk Managers have allowed themselves to become Risk Administrators rather than actual Risk Leaders. As result they are more likely to be the appointed keepers of the organisation’s Risk Register, Risk Software and/or the organisational Audit check lists – a far cry from being an actual Risk Adviser trusted by the organisational leadership. This I believe is half the problem because if those appointed to oversee the management of Risks cannot even elevate themselves to where they have secured the confidence of the executive leadership, then what hope has the art of Risk Management have of being a trusted organisational management discipline. If Risk Management is to truly add value in the new age then the world needs more Risk Leaders, not more Risk Administrators.
  2. Risk Management needs to start demonstrating tangible value in addressing the specific challenges of the modern context. We are now living in one of the most complex, dynamic and disruptive eras in history and unfortunately its only going to get more turbulent and more extreme. The days of “Risk Management by checklist” are no longer suited to today’s complex challenges. The invested Risk community needs to become better at understanding and addressing the specific behaviours and characteristics associated with complexity, as complexity is the biggest driver of Risk in the modern era of global inter-connectivity, rapid disruption, perpetual dynamism and severe unpredictability. Until Risk Managers become invested students in the science of complexity (complex systems theory, complex risk theory, chaos theory and the like) they simply will not have the mental toolkit necessary to address today’s complex challenges. You can quote me on that!
  3. Risk Managers need to start demonstrating genuine innovation in their Risk Management efforts. Seriously, the working world has evolved exponentially over the past decade yet Risk Management practices have stayed largely static in this time. When last did someone actually introduce something truly new or innovative into the Enterprise Risk Management discipline? If Risk Managers wish for the world to change then they need to become the change they desire for the world (Gandhi?). The new generation of Risk Leaders needs to start challenging and disrupting the conventional Risk wisdom. If you do the same things you always done, then you gonna get the same results you always got (Einstein?). If Risk Management is indeed in crises then it is necessary to be innovative and where possible; disruptive. Risk Managers need to bring new thinking to the table, because the old thinking is tired, stale and no longer working in the current era of advanced complexity and severe unpredictability!!!

So there it is, my New Year’s Risk Management Resolve for 2017… in return I would love to hear of your respective Risk Management resolutions and wishes.

Now allow me to put the same question to you;

If Risk is to survive/thrive as a formal management discipline in 2017 and onwards, what do you feel is critical to its’ sustainable success?

What needs to change? What needs to be done better? What needs to be scrapped?

Post your comments below and I will be sure to read them… oh yes, and again; Happy New Year, I hope you all have a cracker!

Follow us

This submission is part of a series of thought pieces which have been developed whilst engaged in a Higher Degree in Research into “Controlling risks in complex-uncertain project environments”

Follow my research on LinkedIn whereby I will regularly post conceptual learnings and dilemmas for industry practitioners to review and hopefully comment on. Also please feel free to share this thought piece with like minded professionals who may also be interested in the topic.

This thought piece is Copyrighted to Warren Black (2016) a Higher Degree in Research Candidate at the Queensland University of Technology

https://au.linkedin.com/pub/warren-black/15/464/625