Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: www.WorkingInUncertainty.co.uk - Related articles - All articles - The author - Services

BSI speech Graphic
Problem areas for current risk management standards

by Matthew Leitch, 23 February 2004


Preface
Introduction
Exciting future developments
Objectives and risks for a standard
Problem areas
Potential wording
Conclusion
References

Preface

On 13 and 20 February 2004, the British Standards Institute held an event to explore demand for new standards in the area of risk management. The event was repeated because of huge interest. I was lucky enough to be one of the speakers and had the opportunity to argue for future standards that would support technical developments in the area rather than holding them back.

The following is not an exact transcript of the speech I gave on either occasion, but an amalgam that is as close as I can get to the intention of both speeches. This is the speech I was trying to give.

Introduction

"Good morning ladies and gentlemen. My name is Matthew Leitch and I'm interested in internal controls and risk management. My topic is 'Problem areas for current risk management standards.' Actually I have in mind all official documents that want to tell us how to do risk management - statutes, regulations, official 'guidance' documents, and standards.

Exciting future developments

"I'm here because I think risk management has an exciting future. An exciting future of technical developments. These developments will make risk management more popular, give it more impact, and ultimately make it more valuable. We will be heroes - even more than now!

Areas of technical development still to come include these:

At the end of this speech is a list of references to papers exploring some of these developments and illustrating the kind of progress I have in mind.

Objectives and risks for a standard

"Let's try to eliminate faulty practices and encourage experimentation and technical improvements.

That's a pretty generic objective for a new standard, but I want to draw your attention to the word 'experimentation.' If people do not feel safe to try new things risk management will not develop as quickly as it could.

The risks we face in trying to draft a new standard include:

Problem areas

"Here are some areas of risk management where we need to be especially careful in any new standard. That's because they are areas that, though important, are not well understood even by experts. The areas are controversial and experts disagree.

Existing standards tend to handle these badly, usually by being inappropriately prescriptive. They demand one approach and exclude others - sometimes giving advice that is quirky and unlikely to stand the test of time.

So, in all these areas, we need to be very careful what we write in a standard. It would be easy to block good ideas. What wordings could we use?

Potential wording

"Let's consider some of our alternatives for just one of the areas of difficulty: the upside. How much for or against including upside risks should it be? How prescriptive should it be?

Upside
Mandatory?
Extra kudos if done?
Constrained approach?Prescribed approach?
Covered by standard if done?
No comment?
Not allowed?
Downside

In this illustration I've put options favourable to upside risk management to the top and those against it towards the bottom. I've also put options that are high risk to the right hand side, and lower risk options to the left.

By 'high risk' I mean that the risk of making a mistake in writing the standard is high. In particular, contrast a prescribed approach, where we say risk management must be done in a certain way, with a constrained approach where we could put any constraint on the way people work short of saying what they must do. For example, we could say "Do it any way you like as long as you write down your approach", or "...as long as you explain why you have chosen to do it that way.", or "...as long as you don't do any of the following six illogical things."

If we prescribe a single way to do risk management in any of the areas I have highlighted as problematic there is a very high risk of writing a standard that blocks technical development, and a high risk of writing something that turns out to be flat wrong.

Conclusion

"But whatever words we use, however we approach standards, letís make sure they promote the exciting future development of risk management instead of standing in the way."

References

Here is a selection of papers from my web sites illustrating the potential for technical development in risk management.

At www.dynamicmanagement.me.uk:

"An illustration of upside risk management"

At www.internalcontrolsdesign.co.uk:

"What makes evolutionary project management so effective?" (answer = improves risk profile dramatically)

"Rapid project risk management"

"Everyday risk management"

"Risk modelling alternatives for risk registers"

At www.managedluck.co.uk:

"How to be convincing when you are uncertain"

"How to talk openly about uncertainty at work"

"The basics" (i.e. of risk management - includes 7 techniques for busy people)



Words © 2004 Matthew Leitch
New website, new perspective: www.WorkingInUncertainty.co.uk - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr