risk data, risk visualisation

Is it time to overhaul the risk register?

My background is in the field of risk, governance and assurance. I have always gravitated towards the technical models and frameworks used in this field and enjoyed the intellectual stimulation and challenge that they represent. Having attended training courses and networking events, I know that I am in good company and that other risk professionals feel the same. We are ‘cut from the same cloth’ – we are many and there is safety in numbers – and this should reassure me. I have always had confidence in the organisational risk register as a management tool – if not always in the quality or completeness of the information that it contains. However, more recently, I’ve begun to question whether it continues to have the same value it once did in light of changing times and business needs.

Risk management as a discipline has well-established methods for measuring, managing and reporting, and these have been valuable and proven. Most innovations in risk in recent times have been variations and refinements of existing practices and methods. This can lead to ever diminishing returns in the impact that they make and their influence within organisations. This is at a time when the need to manage change and uncertainty has never been more important for boards, managers and front-line teams looking for ways to gain comfort that they have things under control.

Whilst consistency and uniformity have their place, there can be a problem with familiarity, routine and repetition. To be blunt, our data and systems can become boring (hands up, who gets excited about the prospect of being sent yet another spreadsheet!). Our data and systems get lost amid the volume and noise of all the data and systems of everyone else in our organisations, as well as those of our stakeholders. They are often generic – they aim to work for everyone but end up being truly relevant to no one. Disruptive technologies are teaching us that ‘one size no longer fits all’ and that increasingly discerning and demanding clients – inside or outside our organisation – want solutions that meet their needs because the technology is in place to make this possible.

The embodiment of my discomfort is now the organisational risk register. At its most basic, it distills the complex, changing, inexact and uncertain nature of possible events that may affect an organisation into two values – impact and likelihood. It assigns each of them a number – a devil’s advocate may argue that these values may be somewhat arbitrarily awarded – and the product is a composite number that measures the overall risk exposure. This is something that I am increasingly uneasy about. Given that risk is something that affects the achievement of an organisation’s aims and objectives, can we really manage such an important, dynamic, complex and demanding area by reducing it to a (single) number?

This is two-dimensional thinking in a world that has many dimensions and complexities and it is no longer fit for purpose.

My other ‘challenge’ is that this information is often static and can breed static behaviours. In worst case scenarios, this data is dusted off and updated to report to the next board or audit committee but does not feed the business with practical and current information to help manage in the intervening periods. I once worked in an organisation where the HR director told me that she was fully committed to risk management and in future would set aside an hour once a fortnight, every other Friday between 10am and 11am, to ‘manage risk.’ On hearing this my heart sank and I had to explain that risk was variable, uncertain and didn’t ‘behave’ in a way that meant it could be fitted conveniently into a box or respected people’s diaries!

What can we, as risk professionals, do about this? How do we break this cycle of behaviour and thinking so that we produce useful, current and influential information?

There are examples all around us, but an unlikely model exists in the field of wearable fitness bracelets. This industry offers some interesting learning points in how we can design risk information for managers, directors and stakeholders in our organisations, and there are transferable principles for better quality risk data. So, does your risk information pass the ‘fitness test?’

  • Always on and in real-time: good quality wearable devices show the current status at that point in time, so that behaviour (decisions) is informed by the latest data. Many risk registers and risk systems are created with the best of intentions but are then updated on a more periodic basis (e.g. monthly or quarterly), meaning that there are periods when the risk data does not reflect the current position or status of that risk. The advent of such technology also means that wearable devices in close physical proximity to base systems are regularly updated and ‘in synch.’
  • Facts and comparisons: I have often challenged users who populate their risk registers to tell me if the content is fact or opinion. For me, it’s an important distinction: judgement is necessary but I am always more comfortable when making decisions about risk that are based on fact. Wearable fitness devices record activity (facts) on which to base judgements and decisions and also enable comparison with other communities of users with the same technology; there are logical implications here for the use of risk data for benchmarking internally or with others.
  • Customisable and configurable: many wearable devices require users to provide some basic personal data to enable more meaningful information and reports for them. This includes entering data such as height, weight, age, gender, etc. so that any activity that is recorded or reported is done in a context relevant to that user. Do our risk information systems routinely reflect the specific characteristics and circumstances of an organisation’s operating environment, managers, situations, projects or departments?
  • Portability: traditionally information has been managed and produced through the use of static devices at desktops but the growth in mobile working and devices has seen a shift in user expectations for information to be available on the move. Fitness devices have this as a standard feature. Many organisations still base their risk information on basic registers that use approaches such as spreadsheets which are not easily accessible or usable on the move.
  • Targets, limits and thresholds: risk appetite and tolerances are well established concepts and a similar concept also exists for wearable fitness devices, where targets and limits can be defined, often in relation to a specific person (see customisable and configurable, above). The devices with more advanced features allow thresholds to be determined and alerts to be sent to the owner when their activity levels approach or exceed an agreed limit… these can even be revised in light of recent performance; a feature that could recognise a specific element of project risks with changing baselines.
  • Comprehensive: the management dashboard is an accepted management tool. New technology is now capable of providing history and movement across a range of measures and indicators but many risk systems don’t provide this contextual information to understand trends and support intelligent and insightful decision-making.
  • Security: portability and mobility also bring the possible threat of security or data breaches, even though the mobile working phenomenon creates many opportunities too. The sophisticated features of this technology enable appropriate and proportionate access to, and control of, this data even when on the move; risk information that is made mobile needs the same treatment, because a risk register describes an organisation’s weaknesses and is itself sensitive data.
  • Stimulates decision-making: most people I know who have fitness bands are influenced by the regular feed of information that they get from their ‘tech’ – it provides regular commentary of how they’re doing and they often respond with increased or different activity to meet a target. In short, it is information that prompts action and is not a million miles away from the ‘nudge theory’ thinking of the writer Richard H Thaler. The nature of the information means that actions and decisions are taken in real-time… many risk registers do not promote such responses and are reviewed retrospectively when it’s too late.

On first viewing, risk registers and wearable fitness technology appear to be unrelated. Dig a little deeper and they share transferable principles that go to the heart of what organisations now need from their risk function and offer a blueprint for a service that provides insight, ideas and impact. I am not proposing for a moment that we abandon the risk register, but the changes we have made in the past effectively feel like we have been giving it a re-spray. What’s really needed is to trade in the old model for a brand new one that is more efficient and has many more sophisticated features to meet all of our modern needs. The risk register is dead – long live the risk register!