By Alan Ferguson – Approved Trainer for PRINCE2®, MSP®, M_o_R®, MoP®, P3O®, Change Management™, Managing Benefits™, AgilePM™, APM IC & APMP
Mature risk management is about culture as well as process.
In the 1971 movie, Dirty Harry, Clint Eastwood says the following lines:
“Uh uh. I know what you’re thinking. ‘Did he fire six shots or only five?’ Well to tell you the truth in all this excitement I kinda lost track myself. But being this is a .44 Magnum, the most powerful handgun in the world and would blow your head clean off, you’ve gotta ask yourself one question: ‘Do I feel lucky?’ Well, do ya, punk?”
Although this is a rather violent film, this is a perfect illustration of risk appetite. When the police officer, Harry Callahan, asked the bad guy if he felt lucky, he was only assessing that individual’s risk appetite.
So what’s your risk appetite? Are you risk averse – avoiding risks if at all possible? Or you could be risk seeking – looking for risks, thrills, when they are available. Then of course the balance in the middle would be risk neutral.
Now it’s interesting to think about one’s personal risk appetite but the concept also applies to an organization. Risk appetite can be defined as ‘the amount and type of risk that an organization is willing to take in order to meet their strategic objectives.’
Like everything else there are stereotypes – the risk averse local authority that goes from striving to provide us with services reliably, every day to failing to innovate or the financial institution that goes from sensible speculation to taking unwarranted investment risks.
When implementing, assessing, or improving risk management across an organization we can all too easily focus on the process. We put in place more precise guidance or more sophisticated risk management tools.
We often overlook the culture of risk management.
We fail to properly understand the organization’s risk appetite. Very often the organization\’s risk appetite is either not written down, or if it is written down the words on paper do not truly reflect the behaviors of the people in the organization. We need to understand the organization’s risk appetite and reflect it in the way the organization manages risk.
But I think you can take this discussion a little further. If we’re talking about changing an organization’s behaviors, its culture, then we are moving into the world of change management. We can’t simply alter behaviors across your organization by publishing a new set of procedures, guidelines, or standards. If the organization is resistant to change, it is likely to have a low risk appetite. This type of organization has a very deep-seated reluctance to change.
I can play this linkage in both directions. If as a change manager, I see there is a risk averse culture, then I’m going to have to work more slowly, carefully, and sensitively on my change management initiatives.
On the other hand if as a risk manager I see that there is a low risk appetite, then I may have to use change management techniques in order to improve risk management in the organization.