One of the worst insults you can throw at a risk practitioner is that you are merely a “checklist designer”. Chapter 6 of my book Risky Business: How Successful Organisations Embrace Uncertainty is titled Designing Success. When I run the RMIA’s Enterprise Risk Management program we discuss the level of maturity of the organisations that participants work in using the scale from “compliance” to “leadership” as I described in this recent blog. And then we discuss the level of influence a practitioner has in organisations at various levels of maturity. And the lowest level of influence is in organisations that treat risk as a compliance activity which makes the risk team simply “checklist designers”.
One step up are organisations that require risk to provide “comfort” to the audit and risk committee or the board or a regulator. The risk team is then seen as “framework designers”. Look no further than these quotes from the APRA report into the culture in CBA to reinforce the perceptions of some risk teams as checklist or framework designers:
“… over 100 respondents expressed the sentiment that risk management activities are ‘onerous’, ‘complex’, ‘time consuming’, and ‘really achieves very little other than as a form filling exercise.’”
“The risk function was also described as focusing on policy writing and correctness of frameworks over implementation and engagement with the business.”
Ironically, framework design is critical to growing a strong risk culture. The problem is that many, many designs are overly complex, overly onerous and overly long! If you want to design a great framework, grab a copy of my book and come to the next RMIA ERM course!