Confessions of a Risk Practitioner
Published: April 18, 2026 Last Reviewed: May 29, 2026
Read Time: 6 minutes
I’ve probably been a risk practitioner my entire life - I don’t do roller coasters or bungee jumping; I don’t gamble or smoke. In other words, I’m pretty risk averse, and therefore well suited to this profession.
My early career as an occupational therapist probably reinforced my focus on risk - assessing client risk of falling, choking, getting lost, being exploited - it’s a scary world out there and my job was to identify and manage that uncertainty to protect people from harm.
Then I worked in private health, personal injury and state-based insurance entities and identified risks to organisations, people, places and things.
And as if that wasn’t enough, I became a board member and navigated the uncertainty that comes with collective decision-making, where you meet infrequently with people you barely know and where your decisions can impact livelihoods and whole communities.
So, I’ve learned a few things along the way about getting the best out of a risk management approach. Here are some assumptions that I’ve made along the way that don’t hold to good practice: confessions about my risk practice journey and tips for improved practice.
1. I thought risk management was hard
- In fact, we all manage risk, to a greater or lesser extent, all day every day – we weigh up information to assess our willingness to take or respond to uncertainty in our environment.
- In organisations, managing risk is no different – we take the available information we have and make an informed decision that we think will help us achieve our objectives and create value for, or help protect the value of, the organisation.
- If we get it wrong or get access to new information, we reassess, adjust and make the next set of decisions – it’s a dynamic and iterative process but should always align to our purpose and objectives.
- Whilst it’s good practice, and sometimes a regulatory requirement, to formally review our risk profile and related documents annually, it’s better practice to routinely review our risk profile in response to changes in our environment or circumstances, including new strategic plans, changes to leadership, IT systems or funding streams.
- There are many small things that can help embed a culture of risk management in each board, committee and leadership meeting, such as having strategic risks attached as a reference appendix to refer to when making decisions, or rotating a ‘risk champion’ role at the board table to ask risk-related questions and prompt discussion from a risk management perspective.
- The board has a responsibility to drive a positive culture around risk management. Having a culture in the board room that promotes risk identification, discussion and management sets the tone for how the whole organisation manages risk.
2. I thought the risk-related jargon was important
- Like the legal and medical professions, risk practice has developed its own language, but most terms can be interchanged for plain language.
- We don’t want terminology to be a barrier to engagement by decision makers, so think about swapping out ‘risk’ for ‘what’s creating uncertainty for us?’, ‘tolerance’ for ‘what do we need to protect when we take or respond to a risk?’ and ‘appetite’ for ‘what actions do we want/need to take to meet our goals and/or manage a risk?’
- Many boards have a glossary of terms as a reference appendix to board and committee papers. Make sure risk terms are included so everyone has a common understanding.
- Gentle reminder: the terms Inherent and Residual Risk have not been part of the AS/NZ ISO 31000:2018 standards since 2018 – if they’re still in use at your place, it’s time to thank them for their service and delete them – the risk is just the risk.
3. I thought Likelihood and Consequence were the only things that mattered to rating and acting on risk
- It’s common to put a lot of weight on likelihood (i.e. how likely is the risk to materialise) and consequence (i.e. how significant is the impact should a risk materialise) tables/heat maps to guide our decisions about taking action to manage a risk.
- In practice, heat maps are, at best, a guide to set some parameters for discussion about prioritising actions, but often time is spent debating the rating (i.e. medium/high, orange/red) rather than discussing whether or not there is a need to act in response to the risk.
- There are many other factors that contribute to our decision-making about managing uncertainty, such as how quickly a risk might materialise (i.e. risk velocity), how much time, energy or money it would take to manage the risk to an acceptable level, and whether taking action would even address the risk. Not every risk that’s rated high warrants action. There are circumstances where the board will have confidence that the controls (i.e. things you’re already doing to manage a risk such as policies, governance structures, IT systems, audits) are working as expected, and we’re comfortable that no additional action is required at this time.
4. I thought you had to identify risks by category
- It’s common for risks to be categorised as Financial, People & Culture, Cyber or other categories of risk, but this often plays into the habit of brainstorming everything that could go wrong under that heading, rather than articulating the uncertainty we have about our ability to meet our goals.
- Contemporary audit practice looks at end-to-end processes such as recruitment or procurement to identify weaknesses in controls across functional areas of accountability. This strengthens our confidence that controls are working as they should in context. Risk management practice could benefit from the same approach.
- When we ask, ‘what’s creating uncertainty about our ability to reach our goal?’, the answer is likely to reflect multiple reasons/causes for that uncertainty. It’s likely to cross different categories, business domains and accountable people, which in turn will benefit from a more coordinated and integrated approach to managing the uncertainty.
5. I thought we needed to identify things we couldn’t control
- All risk management is about how we respond to what we can’t control, not just listing things that we can’t control.
- It’s common to see risks described as ‘fail accreditation’ or ‘lack of government funding’, but what does that really mean? The challenge is to ask: what about our ability to respond to changes in government funding or failing accreditation is creating uncertainty for us?
- The impact of the same risk materialising will be different for each organisation, so it’s important to tailor the risk management language to our specific circumstances.
- Some good questions to ask are ‘who do we rely on to achieve our objectives?’ and ‘who relies on us to achieve their goals?’. These questions challenge us to think about the uncertainty that third-party relationships introduce into our ability to achieve our objectives.
I have a long list of other things I could confess about my risk practice journey, but I trust these insights give you courage to make risk management an integral part of collective decision making at your board table and beyond.
This article was first published in the 2025 Better Boards Conference Magazine.
Author
Jane Boag, Principal Consultant, What's The Plan
Jane Boag B. App Sc (OT), Grad Dip Community Health, GAICD, MICD Jane has held a variety of senior and executive roles in health and related fields such as aged care, private health insurance and the Transport Accident Commission (TAC). She has also held a number of Director roles in Community Health, Aged Care, Disability and the Arts sectors. Throughout her career, Jane has demonstrated her focus on positive client experiences and strong business performance outcomes.
Jane’s understanding of risk management and governance was the focus of her role at VMIA as Head of Enterprise Risk Advisory, where the team provided risk management advice to the Victorian public sector.