Risk Management: Why You Hate It and How to Make It Useful

Show Notes

Risk management—it’s the corporate equivalent of eating your greens. You know it’s good for you, but sometimes you’d rather scoop your eyeballs out with a teaspoon than sit through another risk workshop. Yet, as this episode of A Job Done Well reveals, risk management isn’t just about spreadsheets, buzzwords, and endless meetings. It’s about stopping bad things from happening, so you can actually get on with your job.

Joined by risk expert Richard, Jimmy and James dissect why risk management often feels like a bureaucratic nightmare, why people hide problems instead of addressing them, and how middle managers can use risk frameworks to their advantage—without losing their minds. Richard, who’s seen risk from every angle (and survived), explains how good risk management is less about ticking boxes and more about having honest conversations, making decisions, and owning your shop like a CEO.

The trio also tackle the absurdity of risk scores, the art of dissenting without getting fired, and why the real risks aren’t meteor strikes—they’re the small things piling up until everything goes belly up. So if you’ve ever rolled your eyes at a risk workshop or pretended everything’s “green” to avoid scrutiny, this episode is for you. Because, let’s face it, ignoring risk won’t make it go away—it’ll just make the fallout worse.

Five Key Points:

• Risk management isn’t just for auditors—it’s about owning your work and avoiding chaos.
• The best risk culture starts with honesty: if everything’s “green,” someone’s lying.
• Middle managers: run your team like a CEO, document your risks, and use the system to your advantage.
• Risk managers aren’t the enemy—they’re there to help you succeed (without the slip-ups).
• The real risks aren’t meteors—they’re the small failures that add up to disaster.

Transcript

Speaker 0:03

Hello, I'm James. Hi, I'm Jimmy and welcome to a Job Done Well, the podcast that helps you improve your performance enjoyment at work.

James 0:15

Good How you doing? I'm doing well, James, how are you? I'm fabulous. Thank you very much. What we talking about today then?

Jimmy 0:23

Today we have a special guest a good friend of ours who's a risk expert, and it's a subject that we have had digs at on a number of occasions, and we both know it's a little bit like medicine. You've got to have it. It's good for you, but sometimes you hate it. So we

James 0:42

mate. I would rather scoop my eyeballs out with a teaspoon than sit in some wrist meetings, but.

Jimmy 0:47

Well, we are going to talk about why you have it, how it helps you, how it's done well, and what you as an individual can do to manage risks and perform better as a result of it. So Rich is going to convert us into risk disciples over the next half an hour or so, welcome, rich.

Richard 1:09

So.

Jimmy 1:11

Well, for those who are diligent listeners to the podcast they will recall that James used a conversation we had with rich a while ago. As a, as, what was it, James? It was how not to respond because Rich. Yeah.'cause it was a battle. It was reform, Richard against liberal law there. And and yeah, we will stay off politics today and we will stick to risk. Risk, but welcome. Rich why don't you tell us a bit about yourself and kick off.

Richard 1:40

I mean, I think one of the reasons I can almost do this podcast is I've had a bit of a curly career, so I'm not someone who studied risk management in universities and never done anything else. So I've been an auditor. I've been a airline strategy consultant. I've been a program manager. I've done internal audit. I've run operations and contact centers, which is when we work together. I've worked in first line risk, second line risk regulatory relations. I've presented to boards, I've been on boards, so I've seen risk management from all different angles, so I can very much appreciate your perspectives. When you say it's a tiny bit annoying'cause I've sat on that side of the fence as well as the side of the fence I currently set up. And so currently I work for. A company called VocaLink, which is part of MasterCard, which you've probably never heard of. But we essentially run realtime payments, direct debit ATMs and so 70% of household bills, we process and pay 90% of salaries. We process and pay and 98% of state benefits. So we're pretty fundamental to the UK economy and how things work.

Jimmy 2:48

So generally if we ever wanna see any money again, we have to be nice to use the long, short.

Richard 2:54

It means my risk management screwed up. I'm somewhere

Jimmy 2:58

We know. We know who to come after.

Richard 3:00

Exactly. Exactly.

James 3:02

So let me ask a very simple question to start off with then. Rich. What is risk management?

Richard 3:07

Yeah, I mean the key thing about risk management, James, is it's very simple. Anyone can do it. We all do it. We all do it instinctively. and I know you love a model. So there are really four steps. It's what's my risk? How scary is it? on that, what am I gonna do about it how do I monitor things to make sure nothing changes that I'm unaware of? And so this morning, like many people I went on the school run. As the weather's particularly miserable at the moment, so there's a chance it's gonna tip it down. And so what I did is what loads of people do I worked out? What's the chance of it raining? How long am I gonna be in that rain? And then I worked out, do I need to put some controls in place? Do I need to take an umbrella? Do I need to take a coat? I need to drive or walk? Do I need to ask my wife to do it? And you reach that kind of instinctive balance of mitigating that risk that works for you, which is exactly what happens in companies.

Jimmy 4:03

So the reality is, on one level we all do it all of the time. When you brought it to life with that example, I wouldn't have thought about risk at all, but obviously you are thinking about it, but it's all really instinctive, isn't it?

Richard 4:16

It is. But the thing is you've gotta be more sophisticated, the more important it is. so if it's me going to, take the kids on the school run. The downside is fairly small.

Jimmy 4:27

Yeah.

Richard 4:29

If it's me in my professional job, the downside is pretty big, as we just said. And so dependent on how big the consequences are, you build a lot more sophistication and rigor into that. But sometimes you can lose the key message. And so, what is my risk can run from? Sitting down and saying what keeps you up at night? The classic question to

Jimmy 4:51

Yeah.

Richard 4:51

kind of set of workshops with challenge from different lines of defense with a risk taxonomy to make sure you're not missing anything So you can really make this sophisticated or you can keep it simple, but at the core, it's exactly the same thing.

Jimmy 5:07

Yeah.

James 5:08

And I think my take rich,, I'm a bit of a risk bashier. It depends how well it's done. So I have sat in meetings, or I remember one organization I worked for. I used to sit in a meeting three hours every month where they would talk through risks. And it was a bit of a game in how many big words can I use and what is the most complicated chart I can put on the, yeah.. Right. I mean, just ridiculous. So, and I do think there's a bit of game playing goes on as well, so people will talk happily about risks. There is a risk, I'll get hit on the head with an asteroid, there is a risk. Yeah. Because they can, look knowledgeable about it, but people don't really talk about the issues they've got, the actual problems that are going on. So that's my I suppose my rather jadous view of it. But on the other side though is actually if you stop a risk from happening, well that's progress, isn't it? You stop, bad things happening, it's going better. And so actually a whole host of organizational productivity and however you want to look at, it's fundamentally based on good risk management. So I'm a bit conflicted on it.

Richard 6:12

Yeah, which is entirely fair enough and certainly it can be done well and it can be done badly. I think people often focus on the cost of risk management.'cause you're in those workshops, you're filling in a spreadsheet, you'd rather be a process diagram or something very exciting and sexy like that. However, you know the.

James 6:33

Yeah, I take your risk form and I

Jimmy 6:35

I,

James 6:35

you a

Jimmy 6:36

I,

James 6:36

map. Yeah. Stick that.

Jimmy 6:38

I feel like, like, like definitely the rows between two thorns a risk workshop or a process workshop, anything is the answer I would rather do than those two things.

Richard 6:48

certainly can but what you've gotta realize is, you successfully avoid things, it makes your organization's life enormously better. I've worked in organizations where there've been problems, they've not been addressed at the root cause, and things have grown and got really gnarly to unwind. And you lose control over your own destiny for a period.'cause you've gotta remediate, you've gotta

Jimmy 7:11

Yeah.

Richard 7:11

money at it, you've gotta throw resource at it. I mean, you never stop bad things happening. But minimizing the cost of that rework is really important

Jimmy 7:21

My perspective is similarly slightly schizophrenic in that. On one level, I know you need it.'cause it's like you say, if stuff goes wrong, you're not gonna be performing well and you're gonna be up to your neck in auditors and stuff. you need it. I guess the. Flip side of it is, I think I've been on the wrong end of it at times because it becomes suffocating and it becomes bureaucratic and it it becomes a box sticking exercise. And so you find yourself playing games of what's the minimum I can do that keeps the auditors and risk managers away from me. But does that really add value?

Richard 8:01

Yep. Yeah, and it's my job now. I'm old enough to be towards the top of that tree to try and make sure that you cut down on bureaucracy as far as you can and make sure it is important because. good risk management is about having conversations and about making decisions based on those conversations. often you get lost in a maze of spreadsheets and indicators and this sort of thing, and you actually lose focus on what you're trying to do

Speaker 2 8:32

Our podcast is all about helping people, teams, and organizations perform better and enjoy work more.

Speaker 3 8:41

I get as far as to say that we believe that everyone and every team has the potential to transform their performance by optimizing what they currently do.

Speaker 2 8:49

So if you'd like to discuss how we can help you transform your performance, then get in touch or maybe check out our website. We also do speaking events, mentoring advice, work as well.

James 9:03

So if we talk about bad risk management for a little while. Yeah. Just so things I have seen, for example, You have a risk score, which by definition is an arbitrary sort of score. I have seen people in endless debates trying to minimize the score, so they look like they're doing a good job. They make a damn difference to the business. It's just about the number we put in a spreadsheet. Other thing I see an awful lot of is people not prepared to accept they've got a risk at all. Because it makes them look bad. So what's your take on that? What causes that and what should we do differently?

Richard 9:38

Yeah I think that leads towards what a good risk culture is. And so we really do have to encourage the right behaviors throughout the organization for risk management to work. And that goes from the very top all the way through. people need to be comfortable that their job is to raise stuff and raise it honestly. Because that creates the data. If you've got people down in the organization worried that they can't raise an issue or a risk or a problem you've automatically lost the battle because the data you're trying to mo make decisions on is flawed. and. Senior management can destroy that kind of culture in a heartbeat by shouting and blowing up at people. But what you want is that honesty. And as you move up the organization, what you want is people to engage in, in a debate pick up different perspectives. And, sometimes I take up a contrary position. Just to have the conversation.'cause I feel the conversation needs to be had. And there was a guy who talked about an obligation to dissent. so it wasn't just that you were allowed to dissent if felt strongly about something, you had an obligation to dissent from the Author Orthodox line to challenge it. And that makes the conversation so much better. And so. If you've got people just reading through their risk papers, if you've got people just talking through the, saying everything's green and it's wonderful, then you need to lean in and actually have a conversation about what's really going on or tie it to real world stuff. And so if everything's green, then presumably there are no issues happening in the business.

Jimmy 11:19

I thought the obligation to dissent was a description of your two's relationship. Really? That's what you both do.

Richard 11:25

sometimes it's just fun to get James off on one. So I'll say whatever is necessary to like the blue touch paper.

James 11:31

a big achievement There's a lovely story of, I think it was Alan Mul who was the chief executive at Ford, and I can't remember the numbers, but Ford was gonna lose something like$4 billion a year, and then he introduced a one of his traffic light systems, red, Amber Green and his vice presidents all rocked in. To his meeting once a week. And then they always said everything was green, at which point he lost the plot a little bit and said, well, we're gonna lose$4 billion this year, guys, how can everything be green? And um, but the change happened. Some people reported Amber and then they had a discussion about, it's to your point, but it really came from the top because I, sorry. I think his quote was something like, you have a problem, you are not the problem.

Richard 12:11

Yeah,

James 12:11

Yeah.

Richard 12:12

absolutely.

James 12:12

to that point, then you start to uncover these issues. Which is the real trouble with risk management, I think

Jimmy 12:20

a lot of our listeners are middle managers. So if you are a middle manager stuck in an organization that is doing stuff a certain way, you can't. Necessarily set the tone of the culture and influence the risk frameworks and stuff like that. So what would you be your advice to the frustrated middle manager in this circumstance?

Richard 12:40

And the three of us have all been there and I think the key thing is.

Jimmy 12:44

I.

Richard 12:45

You need to, run your shop as if you are the CEO. And so you need to understand what the risks are. You need to have control of your destiny, you need to write it down and then. Quite frankly, whatever risk management thing is happening in the business, however they run it, you will show up really well because you've taken the time to think about it, understand the weaknesses, and start to fix things. Because You know what the problems are. You know

Jimmy 13:16

Yep.

Richard 13:17

coaching. You need what processes are leading to some of the issues, you have a fair amount of latitude to fix those. you need to write stuff down, and you need to show that you are on it because you understand the problem and you're trying to fix the problem. Then you will always show well, and if someone comes in and does a a red audit or a problem or something like that, then you say, look. had this, I was working on it. And you can use that to gain more resources to fix your problem because you can articulate it and you've got evidence of it.

Jimmy 13:50

what I've seen people do in those sorts of roles is. Almost fight against the system, and you can't change the system. So trying to go with it is, is much more useful because actually when you fight against it, you think, I'm not gonna fill this in. I'm not gonna do this, I'm not gonna play the game. Often you end up in the spotlight and you end up having to do more than everyone else. So figuring out how you use the framework and how you cooperate with the framework rather than just fighting it. that's a much better way than trying to rebel against it in this circumstance.

James 14:25

Yeah. My take, I suppose, is. There is a short term strategy, which is you can say no, there's nothing to see here. Everything's rosy. Or there is a longer term, but much more robust strategy, which is talk to your customers, find out what your problems are, understand what could go wrong. Because if you are listening to people and you are saying, there are problems and you have a plan to deal with them and people will cut you a lot more slack.

Richard 14:54

Absolutely. And you've gotta think about, you've gotta think about your career, just your job, because working like this Exhibiting and displaying these skills where, whether it's not working in this job, then probably someone else in the organization goes, oh, actually I quite like how that guy's thinking. all over this. If I get a role, I would love them to come and apply that kind of thinking to my area. Or you're building up the skills for your next job in, in your next company. Understanding risk management and being able to drop that into CV is a great way of demonstrating you're not just a kind of operational leader, but you're building out your general manager skillset. a couple of other things. One don't discount the fact that you could give some feedback to the risk management function and say, Hey, this would be a lot. Easier for all of us if you did it like this rather than like that.

Jimmy 15:46

Yeah.

Richard 15:46

Because that might actually go down really well. So, for example, if you'd rather do a workshop than fill in lots of spreadsheets, that they might bite your hand off there and that, that could work for more of the organization. Then I think the other thing is, whilst those kind of technical term long tailed events'cause the down that end of the normal distribution, Whilst they're unlikely if they happen. You're screwed and therefore you've got to spend some time thinking about those sorts of things. It's like, you know why we get insurance? You don't think your house is gonna burn to the ground, but it just might. So your control is some insurance,

James 16:24

When things go really bad, it's not the being hit on the head by a meteor, right? It's the cumulation of small things which all come together. Yeah. So the example I would always give is the child playing football by a road where somebody is speeding, there are some cars part illegally, and all of a sudden you've got three or four things going wrong and you can see how it get very bad. One of those things by itself probably not a big deal, My frustration when dealing with risk managers is that they're much more at the meteorite side of it rather than the accumulation of small things, which could make something really bad. So how do you think we should engage with risk managers to get those issues addressed?

Richard 17:03

Yeah, I mean, I think they're probably focused more on that end of the scale because people's natural abilities are more at the other end of the scale. So, they trust you guys to, pick up the things that are very likely to happen because that's part of your day-to-day management. it's slightly different thinking to think about the things that are very unlikely. I mean, you are certainly right James, that you are

James 17:29

say that again mate.

Richard 17:31

The stock clock is right twice a day. You are certainly right James, that these things are often. Almost miraculous the fact that 93 things had to go wrong for this event to crystallize. if you have reasonable risk management, you will pick up on some of those things and make it less likely

Jimmy 17:52

I'm surprised when we got onto big risk events and stuff like that. James, I was sure you were gonna go down. Was it Bo? Pal Chernobyl Titanic. Enron. You love a disaster, James.

James 18:04

a disaster, but all of these things happen to Rich's point. When, and it doesn't need to be 93, but five or six things lined up. When all of a sudden it's all gone horribly belly up. So you get to a position where actually it is the small things which will kill you, not individually, if they line up

Speaker 4 18:24

We hope you're enjoying and getting value from listening to our podcast.

Speaker 5 18:28

If you are, please can you share it online on social media with friends and colleagues.

Speaker 4 18:33

We appreciate five star reviews and we really do, but any feedback on how we can improve or subject that you'd like us to cover, just drop us a line and get in touch.

Speaker 5 18:42

This all helps us bring the best quality show to you to ensure that you can improve your performance enjoyment at work.

Jimmy 18:51

if I'm an individual, or I'm a team leader, unit leader, whatever, managing a group of people, what are the recommendations you would make for me as an individual and me as a leader on how I could use risk management to help me improve my performance and enjoyment at work?

Richard 19:11

Yeah, and so I think there are two angles to this, Jimmy. So one is the improving how you run your shop and so

Jimmy 19:17

Yeah.

Richard 19:18

that is taking the principles we've talked about at the right level of sophistication for your shop

Jimmy 19:25

Yeah.

Richard 19:26

some time. Yourself and with those of your team that you trust, thinking about what are the real risks, irrespective of the corporate machine? What are we worried about? in your normal business planning cycle, how can we change our processes? How can we change our meeting cadence, how we change our organizational thinking make sure we are, Not subject to those problems, and that will make your shot run more effectively. It'll mean you I think the other thing is looking up embrace risk management because. People in risk are human too. And they would far rather,

James 20:06

the ones I've worked with.

Richard 20:08

they would far rather engage with someone who's interested, knows the business and goes, yeah, that's not important, but these things are, here's what we're doing about them. And you almost become the poster child for it and that will get noticed.

Jimmy 20:21

Therein lies one of the opportunities I think people look at risk managers and think that they should either avoid them. Or that they're the enemy, they're, that they're there to stop you from doing things whereas actually, a good example. In the last organization I worked in actually getting them involved was really helpful rather than how do I keep them at arms' length the whole time? then they can give some valuable perspectives rather than just, and we hold'em a length and if they force me, I'll fill in their spreadsheet, but only if they force me.

Richard 20:56

Yeah. And I think also, when you're doing projects, when you're doing different work like that, then getting these people in at the start can be really helpful because they'll give you a different perspective on

Jimmy 21:06

Yeah.

Richard 21:07

set things up and think which means you're gonna be more likely to be successful and. Risk managers aren't sitting there thinking, how can I destroy everything in the business? They're keen for you to be successful as well. just successful without some of the slipups.

James 21:23

So much. It pains me rich. Quite an interesting conversation.

Jimmy 21:26

Damn by faint praise. Quite interesting.

James 21:28

Let me try and summarize it then. So I think really the key thing here is culture, but culture begins with your own behavior. So it's all about role modeling the behavior that you would want to see. as a manager in an organization, the key takes for me are. got a risk management team, bring them in. Don't hide stuff from'em. Bring them in. Yeah. Get'em to work with you and help you. the second thing is once they're in, pony up on the issues you've got.'cause if you're pony up on the issues, then you can start to address them. Whereas if you're hiding them under the carpet, you never will. It's a bureaucratic nightmare of a process, which was, let's be honest, some of them are, but then there's nothing stopping you suggesting alternatives. There's my short summary. Is there anything you'd

Jimmy 22:07

I'll add a couple of bits in. One is. In thinking about risk management, it bear in mind the benefit that it gives you. in terms of stopping things from going wrong and therefore enabling, successful performance. And I think the other point that you made Rich, which brought it home to me as well, was we do it all the time. We just don't badge it as risk management. So, one of the challenges is, as you say, risk management tends to get applied up here was we do it downhill all the time. If you thought about holistically, we're all risk managers, much as it pains me to say that.

Richard 22:42

Even

Jimmy 22:42

Rich, now you've got a summary from me and James. Tell us what have we missed?

Richard 22:47

I think that's a very good summary. And I think the overall thing is everyone's after the same thing. Here. Everyone is after the organization to be successful,

Jimmy 22:56

I.

Richard 22:57

which means of achieving the organization's objectives, which are your objectives without. Without distractions, without things going wrong, without issues, without remediation, without customer complaints, without regulatory problems, wants the same thing. And so the more open and clear you can be acting like an owner running your shop and giving suggestions, I think that's great for the organization. I think it's great for you.

James 23:24

I

Jimmy 23:24

Well, thank you very much, rich.

Richard 23:26

Thank you guys.

James 23:27

Thanks a lot.

Speaker 6 23:28

We cover a whole host of topics on this podcast

Speaker 7 23:31

from purpose to corporate jargon,

Speaker 6 23:33

but always focused on one thing, getting the job done well,

Speaker 7 23:37

easier said than done. So if you've got. Unhappy customers or employees, bosses or regulators breathing down your neck.

Speaker 6 23:46

If your backlogs are outta control and your costs are spiraling and that big IT transformation project that you've been promised, just keeps failing to deliver,

Speaker 7 23:55

we can help. If you need to improve your performance, your team's performance, or your organizations, get in touch at Jimmy at@jobdonewell.com orJames@jobdonewell.com.