Strategies for Risk departments

Audit, Assurance, Legal

Managing risk is a core competency of any business that should not be restricted to only one department.

Risk departments can have a leading role in educating the whole business on how to assess and take sensible risks, raising collective performance and enabling better decisions to be made.

Audit

Running ‘audits’ to inspect how a group is performing is a highly expensive and disruptive process. There is a better way.

Replace auditing with visibility of work. Have every group make its work visible on a visual dashboard in its team area. Using a Kanban board is one approach.

As well as tracking tasks, track key measures directly associated with the work, including how much of it is done right first time versus how much has to be re-done.

Audit the visual dashboards in a simple, brief and regular process. This is far more effective.

Compliance

A culture of compliance works directly against innovation and people thinking for themselves. It has no place in a modern business that wants to respond to changing needs.

What matters is that people do the right thing and do it well most of the time.

Procedures and policies are not effective tools to achieve this – far better are a simple set of principles coupled with close collaboration and high visibility of work.

This ensures that people can respond in a varied way according to specific situations but also have a level of oversight and scrutiny that is delivered naturally without the need for ‘inspectors’.

Quality

The only quality that counts is the quality of the end-to-end service delivered to customers. This should be the primary driver for quality measures.

Quality should be locally defined within each group and be highly visible – for example by creating a visual dashboard on a whiteboard within each group that tracks common measures of the work.

Risk Management

An unhealthy sign is long lists of unlikely but time-consuming-to-capture risks that never occur. In practice there will be a handful of important risks that need active mitigation and the rest are unimportant.

Each department or project should be able to clearly list these with actions and status in less than a single page. Risk Management should involve minimal overhead.

Legal

Specialist legal knowledge and advice can be important and should be available as a service within the business on an on-demand basis.

Legal advice is always an opinion, and lawyers are skilled at presenting risks on both sides. Decisions should not reside with lawyers, however; executives need to step up and take responsibility.

Handling matters that may involve personal risk can be a big challenge, but the challenge is reduced by informing the decision with data:

How likely is this risk to occur?

Has it happened before?

What will the consequences be if it happens?

Risk management isn’t about eliminating risks, it is about being able to distinguish the good risks from the bad and taking more good risks and fewer bad ones.

This is a process that needs data to work well, and it should be informed by constant learning from past performance by regularly asking “how accurate is our risk assessment?”.

Except for specialised businesses, all facets bar expert legal advice should really be competencies of all departments. So structure the Risk group by sitting most of its staff inside the departments they serve (with lightweight coordination between them) and very few sitting centrally. Exchange expensive auditing and compliance processes for early-warning measures and leading quality indicators built into the service design.

Developing a detailed strategy will also depend on local circumstances. I’d welcome the opportunity to work with you to define a specific approach to your department.

Posted in Strategy.
