Beware the Risk Bureaucrats

One of the notable things about Risk Management literature is the variety of ways authors have chosen to define ‘risk’. As it happens, here’s a likely version at the front of the class, waving its hand franticly in the air and fairly wetting itself to be chosen first:

the effect of uncertainty on objectives

Hmm. Definitions don’t usually aim to be opaque, but that effort from the ISO Guide 73 is scoring high on the ‘not shedding any light’ index.

Never mind, here’s another, this time from the Business Dictionary:

A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action

Well, there’s certainly a bit more to that one. And wouldn’t you know it, here’s a third:  

The product of the chance that a specified undesired event will occur and the severity of the consequences of the event (OGP)


These examples all have something in common: they’re all missing a bit that says ‘that we can think of’.

That’s the thing about risks: they are ideas, speculation, conjecture, mental constructs. A risk is something we think could transpire at some future point and it follows that, if risks are the products of our minds, then to understand our capacity to think of risks becomes really important to the success of Risk Management.

So it’s strange to note that, when it comes to putting Risk Management into practice, the psychological dimension is frequently overlooked. All too often a risk bureaucracy is implemented, awash with procedures, matrices, criteria and taxonomies while failing to prioritise an appreciation of how people think and why they hold a particular set of views.

Understanding the risk-taking psychology at the key decision-making points in the organisation would seem to be a good thing to do, but that would require a shift in tone for Risk Management in many firms and a challenge for the risk bureaucrats.