I once read an article titled ‘Ten Top Tips for Effective Risk Management’. Tip number 4 was “Kill the Risk Manager”! But the author was not suggesting that we should go out to commit murder. Instead he was recommending that the job title of risk manager should be killed off. Why?
What would you expect a risk manager to do? A risk manager manages risk, of course. But this is both wrong and unhelpful. Everyone should take responsibility for managing their own risks, and not leave it to one person to deal with them all. This fact arises from the way that risk is defined.
All definitions of risk make a clear link between risk and objectives. For example, the international risk standard ISO 31000:2009 Risk Management – Principles and Guidelines says risk is “effect of uncertainty on objectives”, and the Project Management Institute Practice Standard for Project Risk Management defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”
Wherever objectives exist there are also risks that might affect them. This is why managing risk is so important, because it focuses attention on the uncertainties that matter. Linking risks to objectives helps us to identify uncertain events or conditions that could influence our chances of success. Then we can prioritise these risks and respond proactively, preventing bad things from happening or protecting ourselves in advance from threats, as well as promoting good things and positioning ourselves to take advantage of opportunities.
As a result of this linkage, the right person to manage a particular risk is the person who owns the objective that could be affected. If risk is “uncertainty that matters”, then a specific risk only matters to someone whose objective is at risk. And that person naturally should take responsibility for managing risks to their objectives (although they might involve other people to help them). So we are all ‘risk managers’ for the set of risks that matter to us, based on the objectives that we own.
Does this mean there should be no specific risk-related role in a project or business? No, it would still be useful to nominate someone to run the risk process, to make sure that it happens smoothly and effectively, to ensure adherence to standards, to encourage and inspire people to be involved and committed to managing risk, and to coordinate data management and risk reporting. But it is misleading to call this person the risk manager.
Instead, we should use a job title that reflects what they actually do. Good alternatives include risk coordinator, risk facilitator, risk champion or risk process manager. These names explain what the role actually does. They will also prevent people from expecting someone else to manage their risks for them.
So if your project or business has a risk manager, you might like to warn them that their job could be in danger unless they change its name. Suggest that they change to a job title that matches what they are expected to do. And make sure that everyone understands that we are all risk managers, from senior executives to frontline workers.
If I have to meet an objective, then I need to know what risks could affect my ability to achieve it, and I should take responsibility for managing those risks. No one else can or should do that for me. You are the only ‘risk manager’ who can manage the risks that matter to your objectives.
This article was originally titled ‘Kill the risk manager!’ and has been reproduced with permission.