The life cycle of risk management

Over the past few weeks I have been thinking through the life cycle of risk management.  Not a life cycle from the perspective of the steps involved in risk management, but more in terms of how risk management develops over time.

Quite simply I see a five stage approach to how risk management evolves in any organisation.  Within each of these five stages there are of course many variations in terms of length of time, impacts and overall organisational change aspects.  However, I have found that these five stages reasonably represent the reality of risk management.

The diagram below is my handwritten notes (performed utilising my Entourage Edge) of the five stages.  These stages can occur in quick succession on a specific matter, or over a long time for a business area.  The stages are not meant to reflect “negatively” on any stage.  In actual fact, without going through all these stages, a business will never truly mature its risk practices.

The first stage is typically what people refer to as the “honeymoon” stage.  During this stage the fact that risk management has arrived, and generally provided new resources to the business unit, is a blessing to the organisation that has for so long either gone without this support or had poorly delivered support.  During this period the risk manager is invited to every meeting possible and can at times feel overwhelmed by the situation.  One piece of advice during this period, “don’t let it go to your head”.

The second stage is the most exciting stage.  During this stage, the business begins to comprehend risk management’s role in their business and really begins to see the value in thinking about risk.  This stage generally lasts a considerable period of time; however, it can also place you, both as a risk manager and as the business, in a false sense of reality.  It is during this stage that the business starts to talk about risk’s value to others and this conveys a period of real value creation.  My one piece of advice during this stage: “stay alert and keep the business focused on practical risk processes”.

Stage three is where it starts to get interesting.  During this stage the business feels empowered and starts to either consider risk as more of a hindrance than a help, or alternatively risk can be seen as too complicated and slow to respond.  Once you reach this stage, the value of risk starts to slide and people begin to question whether risk management needs to be redesigned or restructured.  There is nothing wrong with reaching this stage; it is natural.  Sometimes it can take years to get here, other times months; for some specific projects/tasks each stage can take hours or days.  My piece of advice during this period: “communicate in a clear manner and remove unnecessary processes from risk”.

The final stage of business as usual is stage four.  During this stage, risk tends to become a responsive mechanism, either to identified failures in business process or failures in decision making processes.  This is a frustrating time for a risk manager because every action seems to be in response to an event or an issue.  The risk manager tends to become the “cleaner”, sifting through the mess and cleaning up any issues.  During this time as well, the risk manager needs to be conscious of not overreacting, and staying focused on continually trying to embed risk in everyday practices.  During this period, my advice is “stay focused and stay ahead”.

Stage five is the “next generation” phase.  It is where we learn from each of the stages before and we develop our risk processes to continually improve from these learnings.  My advice during this stage is “think outside the square”.

What makes being in risk management so exciting is we go through these stages sometimes over the course of days, weeks, months and / or years.  They can be for small projects, concepts or activities, or for full businesses.

The best risk manager is someone who can ride these stages through and come out each time improving on the last cycle.  I recently read that a risk manager is an “influencer using information”.  I agree with this but take it a step further: a risk manager is a “change manager utilising information and knowledge to influence others to help them achieve their goals”.

I hope you enjoyed this post.


Scott North has extensive experience in enterprise risk management, internal audit, operational risk and compliance, risk strategy, scenario planning, technology risk, technology business analysis, systems design, financial accounting, and management accounting. Scott is a Fellow of the Australian Institute of Chartered Accountants with a Masters Degree from the University of Melbourne in Business and Information Technology. Scott is also a Fellow of the University of Melbourne.
