The discipline of risk management promises organisations a consistent way to identify and analyse possible events, to weigh their likelihood and consequences both individually and in aggregate, and to respond in ways that inform decisions and lead to better outcomes in any setting. In publicly funded organisations, however, structured risk management frameworks often rely on people identifying and assessing risks speculatively, rather than analytically.
We all need to manage risks to survive and thrive, but risk management was recognised as a discipline only after World War II. At that stage, it primarily focused on financial risk, especially via insurance against accidental loss. Financial risk management grew more sophisticated over time, including complicated capital calculation formulas, derivatives, hedging, and the governance and regulation of risk management.
Because most types of organisations need to consider uncertain outcomes when making decisions, the techniques developed for financial risk management were gradually formalised, refined, and adopted well beyond finance. This framework for understanding and managing risk is now the dominant approach, and compliance with it is an essential obligation for most publicly funded activity.
Over time, the risk management approach that evolved from financial risk management has become so pervasive that we no longer recognise the validity of other approaches to managing risk.
Complicated frameworks for evaluating and valuing probabilities work best where quantitative analysis already drives routine decisions. In many settings, however, probabilistic thinking is unfamiliar to decision makers who are accountable for many, often competing, performance metrics. Without underlying evidence or expertise, risk assessment is little more than structured speculation, driving risk management to become a resource-intensive compliance activity that is disconnected from day-to-day decision making and does not improve outcomes.
Publicly funded organisations can, and do, understand and manage risk in many different ways. Recognising these as legitimate forms of risk management can offer more engaging, robust, efficient, and effective alternatives to generic risk management frameworks.
Responsive models, such as the way health systems manage clinical governance or quality and safety, can suit established, high-volume operations. Some risks are better managed by individuals than by enterprises, particularly in fields where professional judgement is reserved for people with special qualifications, such as doctors or judges. Many workers use risk-based decision support tools designed for a specific context: for example, tools grounded in research that inform screening for domestic violence risk, or simulations and wargames that gather information about what people really do, rather than what they estimate they would do.
It is valuable to remember that the risk management standards we have come to think of as generic, or even universal, were designed for a specific context and purpose. They have quickly become ubiquitous, but there is limited evidence that these frameworks drive universally better decisions or outcomes, despite the high transition and ongoing administrative costs of applying risk management as a core technology of governance and management.
There are alternative frameworks for understanding uncertainties about the work that people do in specific contexts, what might go wrong, how often, and how best to respond. In practice, targeted frameworks can be more accessible to the people who need to use them, and more grounded in the best evidence available, than highly processed risk speculation.