Why risk management must be agile

There is much more to modern risk management than simply saying “no” to things. Risk management activity has to be about everyone helping to achieve company goals.

Businesses now require a much broader understanding of how things and people interact, and how those interactions lead to different outcomes for business goals. The sheer complexity of modern life means it is no longer sufficient to consider “chains” of events, whereby sequences of factors might lead to adverse outcomes, and to try to intervene in that chain to preserve success. So-called “causes” are simply not that linear or visible any more.

Indeed it is not even productive to think of risks arising simply by people “doing wrong”. Many catastrophic failures arise despite people trying to “do the right thing” under difficult circumstances that were not covered by the governance manual. No. The uncertainties affecting modern business are much more about a complex network of factors that act in sometimes mysterious unseen ways to influence your business destiny, as illustrated in the graphic below. Risk management’s job is therefore to lay out these unfolding patterns and to ensure that discussion takes place about how they should be taken into account.


Risk, by definition, lies in the future so we need to anticipate the ways in which current trends might unfold. Many risk assessment frameworks assume too much about the degree to which we “know” where we are and therefore build upon false foundations to make spuriously accurate statements about the future. However, by being honest about what we do and don’t know, it turns out that with the right perspective, we can start to make some real sense of where we are, how we got here and what might happen next.

This is important. In a world of complexity, we have to get back to the business of making sense of things rather than pretending we can control everything. This requires an evolution of enterprise risk management into a new form – this is Agile Risk Management™.

Agile Risk Management embraces the complexity of modern business and offers a more useful path to organising business activity in such a way that goals are delivered within the board’s appetite for risk. It is crucial to recognise that “controlling” complexity means bringing visibility of enterprise context to managers who deal locally with risk and uncertainty. It is a proven fact that central command-and-control structures cannot guide complex dynamic outcomes as efficiently as a decentralised, but well-informed, approach can.

Aligning the organisation around clear outcomes means that local “best endeavours” accumulate to provide better overall outcomes. And accepting that some things cannot be known ensures people remain sceptical, alert and flexible, rather than stuck in a rut reporting the same old indicators each week. In this way companies become resilient to changing circumstances rather than paranoid about risk. In a world where the best of intentions can still lead to risk, such resilience is essential.

Developed alongside Telos Solutions, as experts in advising boards and chief executives, Agile Risk Management explicitly addresses the need for “risk” activity to be rooted in terms of business performance. The focus must be on things that matter to success and aligning the whole organisation around that goal. This also requires acceptance that risk management is about more than “oversight”, and is actually about building a common narrative around uncertainty and recognising that solutions require an understanding of the cultures within the organisation.

Agile Risk Management embraces the fact that companies are made of people. Cultural assessment techniques developed in conjunction with Dr Hilary Lewis of Systemic Consult provide important insights into how people carry out key activity in the business. This knowledge helps to ensure all perspectives are heard and the intended outcomes actually happen, not just that the processes written in the policy documents are acted out.


So how do you manage the performance of business in an agile way? The answer is by providing managers with insight. Insight into what is going on and what might happen next. This insight must lay out a clear picture of the interacting factors that are driving outcomes right now. To do this we need to determine where we are now, the path we followed to get here from the last time period and a falsifiable claim about where we think we will be next time. With this we can start to spot patterns, learn about evolving dynamics in our business and get smarter at making improvements.

Unlike the classic static management information reports, dashboards like the one above illustrate how your knowledge and your data can be combined to provide a real-time dynamic view of business performance. Rather than simply looking at the typical array of indicators which may or may not tell you something about your targets, this multivariate approach reveals which collections of indicators really are driving performance at each time. Armed with this knowledge we can start to look ahead and forecast possible outcomes.

So risk management should no longer just be about “worry lists”. Taking an agile approach focuses on business outcomes – using decentralised, but universally informed, control and explicitly demanding cultural diversity to determine the best solutions. It is no longer possible to avoid risk, so the next evolution of risk must be agile and centred on delivering business performance through aligned local endeavours.

For more information please contact Neil Cantle, MA FIA MIoD CERA, principal, Milliman, neil.cantle@milliman.com