How “risk management” acquired the appearance of substance

The risk management millstone is the burden of registers, committees, and frameworks that organisations carry under a label with no consistent meaning.

”Risk management” is a much-heard expression these days. Despite having no consistent meaning or form, organisations are encouraged by its advocates to adopt its complicated structures and language, ostensibly to address uncertainty. And yet, despite the investment and inconvenience involved, achieving sufficient certainty is seldom the result.

It has only been in the past few decades, and even then rather by accident, that some of the ideas and practices to improve decision-making acquired this label. The explanation lies in insurance. Insurers refer to whatever is being insured as “the risk.” When an insurer agrees to provide cover, they describe themselves as being “on risk.”

In advocating different approaches, insurers sought to change “the risk” to their advantage. They did this via client selection, incentive pricing and policy wording to make the outcome of their contracts more predictable. By describing the myriad of practices they were coercing clients to adopt as “risk management,” they shifted the focus from their own interest to something ostensibly associated with the client’s management of their organisation.

A meaningless label that caught on

Furthermore, this new compound noun, “risk management,” acquired the appearance of something of substance that was tangible, definitive, beneficial and noble. The label caught on. It became adopted in a generally random way by legislators, regulators, and advocacy groups to label their own “wisdom.” It was also seized on by consultants because it provided the illusion of something of substance and authority which could therefore be sold.

In the same way that the label became attached to many different ideas, so too did the word “risk” acquire many meanings. The core word of an increasingly popular expression was effectively meaningless. The expression itself fared no better. It has never described a solid foundation of tested academic endeavour. It is an informal label for diverse, constantly changing and often conflicting concepts, vaguely related to uncertainty. Roger Estall and I trace this history in Deciding, showing how the label distracted organisations from the Universal Decision-Making Method they were already applying.

The compliance machine

The label alone would not have done the damage. What entrenched the label was the compliance obligation that grew around it. Legislators wrote it into corporate governance codes. Regulators made it a condition of licensing. Some national stock exchanges included its practice as a necessary condition for listing. The entirely untested belief was that practising the discipline, in whichever guise, was prima facie evidence of sound management.

This created a lucrative circle. Organisations were forced to seek “expert” guidance to avoid penalties for non-compliance. Consultants won work preparing organisations for certification. Certifiers won work certifying them. When the client fell short, more consulting work followed for remedial actions. Not a virtuous circle, certainly a profitable one. Four groups sustain the arrangement, each with reasons to study uncertainty but none of them concerned with helping a particular Decider resolve a particular question by a particular deadline. I traced this pattern in detail in my conversations with Mark Siwik.

The result is an industry detached from the activity it claims to serve. The IIA’s Three Lines Model codifies this into an organisational chart: three separate functions, each justified by the existence of the others, none asking whether the decisions being made are any good. COSO ERM proved the point during COVID-19, when organisations under genuine pressure ignored their risk registers and simply decided.

The language problem

Much of what comes with the apparatus is illogical and defies common sense. The first ISO “risk management” standard contained 29 labels that relate to either ordinary words given a special meaning or to contrived expressions involving the word “risk.” Even the label “risk” itself is so ill-defined as to require five accompanying notes to its own definition, each of which either contradict or confuse. The dichotomy of “risk and opportunity,” for instance, is about as logical as pairing bulldozers with cauliflowers.

A transactional term must mean the same thing to both parties in a conversation, or the conversation is theatre. When a board member says “risk” and means the chance of losing money, while the risk manager says “risk” and means deviation from objectives, and the insurer says “risk” and means the asset being covered, no shared understanding is possible. They are not debating policy. They are speaking past each other. This is not a problem that can be solved by adding more definitions. The word is spent.

Advocates became the masters

At the heart of the problem is that it has been the advocates, rather than the organisations and their Deciders at which the discipline is targeted, who have become “master.” The word means what the advocate chooses it to mean. The organisation follows. Whereas good decisions have always depended on good thinking, consultants fostered the fiction, often with evangelical zeal, that mastery of the artificial edifices and jargon of their particular scheme was the key to organisational success.

Most organisations do not even attempt to adopt any of these belief systems. Of the few that either buy in or are forced in by regulators, fewer still master the intricacies or fundamentally change the way they operate. Most comply on paper while changing nothing in practice. The paraphernalia is complicated and unnatural. It does not pass the pub test. It hinders rather than helps Deciders to function, compounding decision fatigue rather than reducing it, and so it is either ignored or paid lip service.

The pattern repeats in risk registers that nobody reads, in frameworks that failed their first real test, and in structural models that mistake organisational charts for decision quality. Trying to graft the Universal Decision-Making Method onto this construct would only confuse and complicate, keeping alive the very thing that needs to be shed. The question was never “how do we manage risk?” It was always “how do we make better decisions under uncertainty?” Once you see that clearly, the millstone can be put down.


Grant Purdy is the co-author, with Roger Estall, of Deciding (2020), and the architect of the Universal Decision-Making Method.

If you have a decision you are working through, the Walk can help.

Start a Walk