Paul Harwood, Member of the Risk Management Board, shares his thoughts.
I had a mentor who would distinguish between those who merely did stuff and those who really meant it. There is a world of difference between ticking boxes and achieving an outcome. Risk management can be frustrating because much of what is written seems to be about managing things how they should be, rather than how they are.
The current focus on operational resilience alongside the pandemic raises the question: did firms implement their business continuity plans and structures, did they use their plans as a starting point, or did they do something else? As we focus on confirming operational resilience, will we use the plan, or what we did, or (probably ideally) something in between? Having suffered the pandemic experience, hopefully our plans will really mean it!
Douglas Hubbard’s book ‘The Failure of Risk Management: Why it’s broken and how to fix it’ is worth a read, whether you support prevailing approaches or feel they lack the outcome test. Interestingly, he identifies four types of risk manager: actuaries are one of them. The profession comes out relatively well, but perhaps this is because we define risk management narrowly, and so run the risk of missing the needs of the wider business community (including regulators).