By Adrian Sparrow
Telstra seems to be following the modern route to managing risk. According to Kate Hughes (Chief Risk Officer) and Mike Burgess (CISO), speaking at the recent Gartner Security & Risk Management conference in Sydney, they prefer to start conversations with “You can if…” rather than “You can’t because…” And that’s a good place to start, because risk management is about reducing uncertainty so that line managers can take better business decisions.
Systematic management of risk is not a handbrake on happiness. It should provide guard rails to keep the business safely on the road, rather than building speed bumps to slow managers down. After all, risk management is just applied common sense, so we shouldn’t get paralysed by “managing risks”, but use it as a way of constantly looking at the most important aspects of the business. That means revisiting decisions in an iterative process to a) check the appetite for risk and b) ensure that the treatment is still appropriate for the context.
Extending that outside a business, a strong client-supplier relationship benefits from consciously working together to ensure that while risk may be transferred from one to the other, both have an active interest in managing uncertainty to their mutual benefit.
For all parties, internal and external, this comes down to three simple considerations to calculate risk and reward:
a) Are risks understood?
b) Are risks treated consciously?
c) Are risks and the management of them priced appropriately?
Trying to achieve this through a compliance-driven risk framework will inevitably lead to unpleasant surprises, because while people resent and avoid speed bumps they seldom have a problem with guard rails. So when there’s some uncertainty, start to manage it by saying “You can if…”
Adrian Sparrow is Datacom’s Manager of Assurance & Risk. He was formerly Risk Advisor at The Treasury, Director Corporate Assurance & Risk at MAF (now MPI) and a risk management consultant for KPMG and Deloitte.