Every stakeholder involved in risk management should step back and ask "why" whenever making a decision. (Photo: Barney Moss)

As a young boy, my family spent our vacations at a hotel near Rimini, on the Adriatic coast of Italy.

The hotel owner had a six-year-old son, Mario.

Mario only spoke a little English, which he had picked up from guests. But he used one word all the time — a word I recommend those involved in risk management adopt now.

The word, which holds amazing power, is “why.”

“Why are you going to the beach?” “Why do you want to swim?” “Why do you want a tan?”

The Power of 'Why'

Let’s think of the power of "why" when it comes to risk and risk management.

For board members and executives, the question is “why should I spend my limited time on risk management? Do I do it only because it is expected or the regulators told us to do it?”

For risk practitioners, the question is “why should risk management be important to the organization and its leaders? Are its leaders only paying scant attention because it is expected or required for compliance with regulatory requirements? Why am I doing this? Is it because my job is to help manage risk, or is it for some larger purpose?”

For internal auditors, the question might be “why should I assess risk management? Is it because that is what internal auditors are expected to do? Is it because it is ‘best practice’ or required by IIA Standards?”

All good questions that demand answers.

The answers are the key to unlocking the value of risk management.

Unlock the Value of Risk Management

The journey to answer the question "why" starts by answering the question "what are we trying to achieve?"

We say that risk is about achieving objectives. So what are they? What are we trying to achieve?

We also say that risk management enables us to make more intelligent and informed decisions, and that making the right decisions is how we achieve our objectives.

Every time we think we need to make a decision, we should ask “What are we trying to achieve?” followed by “Why are we making this decision?”

Now, we can start to think about what might happen (getting rid of the word risk, which only limits our thinking).

We can progress to additional questions, such as “Do I have all the information I need? Am I involving the right people? How will my decision affect my and others’ objectives? What are the options and which is best? Are any of the potential consequences of the decision unacceptable?” and so on.

But if you don’t have an answer to why you are making the decision and what you are trying to achieve, will you make the right decision?

Putting Risk Efforts in Context

Board members and executives need a rational and adult answer to “why should I care” and “why should I spend my time?”

As adults, we shouldn’t be doing things just because we are told to do them.

As children, when our mother told us to make the bed, did we do it well or just enough to get by?

If we were in the armed forces and the sergeant told us to make the bed, we probably made it better than was really needed for our comfort.

As adults, we make it (I hope) well enough to make the room look OK and our bed comfortable when we return to it.

As adults, we should manage risk because of its value to the organization, not because we are told to do it, because it is in the governance code, because it is our job, or because of professional standards.

Understanding the value starts with “what are we trying to achieve?” on the journey to “why are we doing this?” and “what is the right decision?” The word ‘we’ includes us as individuals and as members of a team, but especially the interests of the organization as a whole.

A Practical Example

Let’s take a specific risk management task: the report to the executives and the board.

Why do we prepare and share the report?

What are we (the risk practitioner) trying to achieve?

What are they (the board and executives) trying to achieve?

Is this the right communication? Is it helping them achieve what they want to achieve?

Are we practicing risk management as children (doing what we are told or what is expected) or as adults (doing so because it helps the organization and its leaders succeed)?

I welcome your comments.