As much as in any other part of an organisation, risk management is about understanding your stakeholders, taking account of their situation and circumstances, and having a customer service philosophy.

I recently read a risk management article about heat maps that I initially thought would offer interesting insights into one of several valid options for risk reporting. Unfortunately, I was disappointed with the suggestion that risk professionals producing heatmaps (a qualitative approach) were disguising a lack of knowledge, experience, or competence and the company they worked for was taking a poor approach to risk management.

The authors are certainly entitled to their view; although, I don’t believe this is the case at all and any single-minded approach strikes me as potentially dangerous, especially when it comes to risk. However, as I reached the end of the article hoping for a strong conclusion, I realised that this was not at all about discourse or debate. The article’s conclusion was: “Contact us and we can show you how best to do it.”

One size can’t fit all

When it comes to risk management, the reality is that there are many different industries, types, and sizes of businesses in different jurisdictions with diverse legal requirements. So, when it comes to risk management there is no ‘one size fits all’. Qualitative approaches work for some, quantitative approaches work for others, and there are various methodologies for each that are appropriate depending on the situation and circumstances of each organisation.

Risk heat maps can be a great means of risk reporting as they provide a visual representation that may not only suit the organisation’s risk profile but also the way the audience (executives, board members, other levels of management) best responds to the information. After all, the response is as important as the report. As long as there is context behind what is being presented on the heat map that gives the right perspective it’s just as valid as if you represent data with quantitative methodology, such as a Monte Carlo simulation, which also needs context to be valid.

Pushing a sales agenda at the expense of service increases reputation risk

The one size fits all that I will support is that understanding the customer and doing what’s best for your customer’s circumstances and situation is paramount. Consultation with industry peers quickly confirms that I am not the only one with these views, thankfully.

At times, ‘keyboard warriors’ have led me to start to doubt the risk management processes and procedures I have put in place following careful assessment of situation and circumstances. Thankfully, not for long, as I immediately recall the strong engagement and buy-in from my stakeholders, as well as the results.

When in doubt, question yourself

My objective here is to ensure that anyone who has felt self-doubt in the risk management methods they are running within their organisation does not dwell on that doubt. Instead, use it as a trigger for reflection to ask yourself the following questions:

  1. Are the key risks for the business assessed taking the key objectives and strategy into consideration?
  2. Have threats as well as opportunities been considered?
  3. Are the risks consistently assessed against a framework that is understood as well as being applicable?
  4. Do I have buy-in from key stakeholders in the business?
  5. Is the Audit & Risk Committee engaging and happy with the output and the outcomes?

I am sure there are more questions that one could ask oneself, but you get the drift: if you are confident in answering these questions, then you should be confident about feeling a sense of achievement.

The more experience we have, the more we want to keep improving

Continuous improvement is a necessary part of maturing and adapting the risk management framework over time. Some of us may well alternate between a qualitative and quantitative process or adopt methodology for both. The point is to conduct a thorough assessment or review and do whatever makes the most sense for your organisation, considering the situation and circumstances of your organisation at that time. I oppose those who are adamant that only one way is right – there cannot be a one size fits all approach to risk.