Three decades is a long time in any professional field, and the field of risk management has changed substantially in the period I have been working in it. The frameworks have evolved. The technology has changed. The language has refined and, in some ways, proliferated to the point of obfuscation. But what the frameworks cannot teach — and what I find consistently absent in practitioners who have been trained within the frameworks rather than in spite of them — are the things that actually determine whether someone manages risk well or poorly under conditions that matter.
The Difference Between Risk Management and Risk Administration
The first thing thirty years teaches you is the difference between risk management and risk administration. Risk administration is the maintenance of risk artefacts — the register, the matrix, the committee reports, the board pack. Risk administration is necessary. It is not risk management. Risk management is the ongoing process of ensuring that decision-makers have an accurate understanding of the material uncertainties they are operating under, and that the organisation is making conscious, proportionate decisions about which of those uncertainties to accept, reduce, transfer, or avoid.
The gap between these two activities is large, and most organisations that believe they are doing risk management are largely doing risk administration. The test is simple: ask whether the risk management process has changed any significant decision in the last twelve months. If the answer is no, or uncertain, the process is probably administrative rather than managerial.
Uncertainty Is Not the Enemy
Risk management frameworks are often built on an implicit assumption that uncertainty is a problem to be solved — that the purpose of risk management is to identify, quantify, and eliminate uncertainty. Thirty years teaches you that this is wrong. Uncertainty is the condition under which all interesting decisions are made. The purpose of risk management is not to eliminate uncertainty but to navigate it intelligently — to be honest about what you know and what you do not know, to make proportionate decisions under genuine uncertainty, and to maintain the adaptability to correct course when reality diverges from assumption.
Organisations that are pursuing risk management frameworks primarily as a tool for achieving certainty — that want the risk register to be accurate, the risk ratings to be correct, the controls to be complete — are pursuing an impossible standard. The frameworks that serve decision-makers best are those that are honest about their limitations, explicit about their assumptions, and structured to facilitate learning rather than provide false confidence.
People Are the Primary Variable
Risk management frameworks are implemented by people. The quality of the framework is secondary to the quality of the people who are running it, the culture in which they are operating, and the degree to which the organisation genuinely values what they do. I have seen world-class frameworks produce poor outcomes because the people implementing them were not empowered, not trusted, or not competent. I have seen simple frameworks produce excellent outcomes because the people running them were genuinely skilled, had organisational authority, and worked in a culture where risk information was welcomed rather than managed.
Investment in people — in the professional development of risk practitioners, in the education of board members and executives about what risk management actually requires, in the cultural conditions that enable risk information to travel freely upward in organisations — is the highest-return investment in risk management capability available. It is consistently undervalued relative to investment in frameworks, technology, and certification programmes.
Simple Questions Are More Useful Than Complex Frameworks
The frameworks have become more complex over thirty years. The certifications have multiplied. The language has become more specialised. And yet the most useful thing a risk practitioner can do in most organisational settings is ask simple questions in a rigorous way. What could go wrong? How bad could it be? How likely is it? What are we doing about it? How do we know the controls are working? What would we do if they failed? These questions, asked consistently, with genuine curiosity and without tolerance for evasive or incomplete answers, produce better risk management than most frameworks ever will.
The risk practitioners I respect most — the ones I have worked with over thirty years who were genuinely effective — were not the ones with the most sophisticated methodologies. They were the ones who asked hard questions, who were honest when they did not know the answer, who communicated risk clearly to people who needed to make decisions, and who maintained their professional independence under pressure to reach conclusions that were convenient rather than accurate.
The Frameworks Cannot Give You This
The frameworks cannot give you the judgement to know when a risk register entry is genuine and when it is cosmetic. They cannot give you the communication skills to convey a complex risk picture to a board in a way that produces genuine understanding rather than box-checking. They cannot give you the professional courage to hold a position under pressure from someone senior who does not want to hear it. They cannot give you the contextual wisdom to know when a textbook approach is appropriate and when the situation requires something different.
These are capabilities that come from practice, from experience, from exposure to a wide range of organisations and situations, and from the willingness to reflect honestly on what worked and what did not. They are also capabilities that are directly available from practitioners who have spent the time building them — which is, in the end, the case for working with experienced advisers rather than relying solely on internal capability for the risk challenges that matter most.
The frameworks are tools. Like all tools, their value depends on the skill of the person using them, the quality of their judgement, and the degree to which the organisation they are working in is genuinely committed to what they are there to do.
Tony Ridley provides senior advisory, board engagement, and practitioner mentoring in enterprise risk and security management. Contact us to discuss how we might work together.