Innovating Risk – Some ideas


Over the last few weeks I have discussed innovation and risk and begun to explain what this means to the organisation and why this is important for the risk profession.  Risk management is seen as an important consideration for business decisions but it is not thought of an area that needs to innovate itself to perform more effectively.

So rather than just step right back into the topic for this posting I thought I would discuss some thoughts I have had recently on how you can innovate risk.

Detailed below are some of the key principles (thoughts) that are worth considering in innovating the risk management process.

Forget the process, have the conversation

Frameworks are great but they are not the way to think about risk.  Risks are best assessed and addressed through an open and free dialogue.  No lip service – for example meetings dedicated to risk but outside the meeting risks are not discussed and addressed.

This sounds simple but so often have we not seen that the people and/or organisations come undone because risks are not thought through and the process of risk management seems more important (and for some people, more important to show others “just how important risk management is to me“) than having real discussions.

Focus on "what can go right"

Think about what can go right in a thought, idea, process or conversation.  For example, ask yourself the question of what positive outcomes come from this idea.

Let’s take the example of Apple and the iPod.  This was a huge risk for a PC company who had no involvement in music, other than some programs that played songs and was watching as “pirate” downloads were becoming more popular.  They asked themselves the “what can go right” question and we all know how that turned out.  Of course, they still considered “what could go wrong” (the traditional risk question).  Through looking at both sides though, ideas can breathe and grow.

Take a different angle on things

When assessing a number of ideas, initiatives or projects for your business, make an assessment of their risk impact from a number of  “axes of perspective”.

One axis could be an operational risk perspective (I will explain this is more detail in a future post – in the meantime wikipedia has a good definition) whilst the second axis could be a technology risk perspective.  Then for each initiative, use a bubble size to represent the size of the project in dollars.  Using this type of analysis you can make decisions on the type of risk assessment required and / or whether or not a project should continue.  Alternative axes are regulatory compliance risk, financial risk, or reputation risk (over time I will endeavour to cover each of these in more detail).

And, finally,

Take risk outside of its element

Forget traditional practices and risk management techniques and challenge people to think about multiple future scenarios and possibilities.

Risk management is strategy” and is not about seeing itself as an input to strategy.  Risk scenario planning is about taking the business through many future possibilities, and without losing sight of all the possibilities, consider key decisions that should be made to make key decisions  such as “lead the way” or “wait and watch”.

[flashvideo file=”/wp-content/uploads/2010/01/iStock_000006213021Small-We.flv” /]

For so long people have considered risk management as something that needs to be considered as part of implementing an idea or an initiative.   The reality is of course that risk decisions were made the moment the idea came into your head.

Take for example, the decision to perform “Guarantees” which give the customer the opportunity to receive a discount / reward if they have found a better price or product somewhere else.  This may not initially seem to be a risk decision but it is on many levels.  There is:

  • financial risk (What will be the dollar impact on the bottom line?);
  • operational risk (How do you educate your staff on this?  How do we ensure we educate the staff on what is allowed? How do we track the discounts given?);
  • reputation risk (What does this do to the brands perception? What happens if an error occurs and gets into the media?); and
  • regulatory compliance (How do we make sure we comply with the relevant local laws?)

Some people would not even think about these risks, whilst others will consider them but without even realising they have done so.

The majority of people have thought through the risks in their head and have made a decision based on this risk assessment.  A higher quality outcome is achieved through working with the relevant experts in the areas detailed above plus taking the ideas of others and combining them into an optimal outcome.

Of course, you need to be wary of “too may cooks spoiling the broth” but this can be managed through the engagement process and taking an approach that “many heads make better ideas“.


Scott North has extensive experience in enterprise risk management, internal audit, operational risk and compliance, risk strategy, scenario planning, technology risk, technology business analysis, systems design, financial accounting, and management accounting. Scott is a Fellow of the Australian Institute of Chartered Accountants with a Masters Degree from the University of Melbourne in Business and Information Technology. Scott is also a Fellow of the University of Melbourne.