Risk management is an important contributor to project and business success. The past few decades have seen growing consensus on the elements required to manage risk effectively, including an efficient and scalable risk process that can be tailored to the particular risky situation, an appropriate level of infrastructure to support the risk process, and skilled and competent people who know what to do and how to do it.
However, risk management is much more than tools and techniques, processes and systems. One major contributor to effective risk management is a risk-aware, supportive culture. But this seems to be the one factor most often missing in major organisations and businesses, leading to an inability to deal properly with risk.
Why do we find it hard to develop the right culture needed to support management of risk? At least part of the answer may lie in a change of perspective, away from risk management and towards risk leadership.
The distinction between management and leadership was first made in the middle of the last century, when businesses were seeking ways to improve organisational effectiveness. What’s the difference?
- Management is the tactical ability to get things done, usually through other people, by setting appropriate targets, defining clear goals, tasking and motivating people, monitoring progress and making necessary adjustments to stay on track.
- Leadership by contrast is a strategic competence, providing vision and purpose, setting overall direction, inspiring people to commit themselves to a course of action. Managers have staff, but leaders have followers.
When dealing with risk in our businesses and projects, have we focused exclusively on the tactical tools and techniques of risk management, and forgotten to exercise risk leadership at a more strategic level?
What does risk leadership look like? In one sense, risk leadership is like any other form of leadership, just applied to the risk challenge. So all the wisdom and insights gained in recent years on general leadership are also relevant here. But one specific thing distinguishes risk leaders from other leaders. Risk leaders are responsible for developing and maintaining the risk culture of their organisation. They do this by:
- setting the tone from the top, giving overall strategic direction and vision in relation to risk.
- defining the risk appetite for the organisation, providing the broad outline of how risk will be addressed, how much risk is acceptable, and what degree of risk exposure will be tolerated.
- leading by example, modelling a mature approach to risk, demonstrating a flexible risk attitude, able to take risk when that is appropriate and prepared to act more cautiously if necessary.
- inspiring the same flexibility in others by rewarding good risk behaviour and encouraging people to adopt the right risk attitude to meet each changing circumstance.
To develop a risk-aware culture, we need risk leadership as well as risk management. If we are unable to identify senior risk leaders in our organisation, then perhaps we should take on the role ourselves in our own area of responsibility.
Without risk leadership we will lack the overall direction and vision needed to shape our approach to risk management. But a combination of clear strategic risk leadership together with effective tactical risk management will give us the best possible chance of tackling the risk challenge and meeting our goals.