Risk Management Insights


David Tattam, Executive Director, The Protecht Group

Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).

Recent Posts

18/04/2018 / Risk Culture, Risk Management, Risk and Reward

Risk Management to Management? Is “Decision Support” the future?

Three key treasures of good risk management

The future of “Risk Management” would look brighter if we removed the word “Risk”. It is just “Management”. If “Risk” is “the effect of uncertainty on objectives”, Risk Management must be “managing the effect of uncertainty on objectives”. This is “Outcome Management”.  

Business Management involves making decisions aimed at achieving business objectives. Outcome management is therefore just management.

The future success of risk management relies on making it an integral part of management. This will only happen if risk management provides the right incentives. Humans, and hence organisations run by humans, respond to incentives. Read related article: '10 keys to Risk Management Success'.

Psychologists have discovered that when a person is handed an unexpectedly hot cup of coffee, they typically drop the cup if they perceive it to be inexpensive but manage to hang on if they believe the cup is valuable.


27/03/2018 / Enterprise Risk Management, Risk Management, Risk Management Training

Enterprise Risk Management made Personal

PRM and ERM – use it in your Personal life

PRM? As we haven’t got enough acronyms in risk management already, I thought another one was required – right? So, what is PRM? I just made it up – Personal Risk Management!

They say charity starts at home – so why don’t we look at ERM, sorry PRM, in our personal lives? We can learn a lot from what we do well in our own lives and apply the same principles to our work lives and, bingo, we have good ERM working in our business!

One of the objectives of most people in their personal lives, I hope, is: To live a long and healthy life.


20/11/2017 / Compliance Management, Risk Culture, Risk Management

Compliance Risk Management Real Example

Gorillas and Bears – Comply or Die!

The story of Harambe, the Cincinnati Zoo’s much-loved Gorilla, went global in its interest. A defenceless animal was shot and killed to save a child who had fallen into its enclosure, not to mention the trauma suffered by the child. Investigations have since found that the barrier separating the public from the gorilla was not in compliance with primate-housing standards and requirements.

This simple story serves as a reminder as to the real reason for the compliance requirements and obligations we face, that is, protection of the various stakeholders of our businesses.


21/07/2017 / Enterprise Risk Management, Risk Culture, Risk Management, Risk Controls

Prevention is better than cure - and other risk management cliches

There are many well-used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:

Every cloud has a silver lining:  If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.

What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.

And my favourite…

Prevention is better than cure: It is better to practise proactive, preventive risk management rather than reactive firefighting risk management.


25/04/2017 / Risk Management, Performance Management, Risk and Reward

Opportunity risk management

Writing blogs in risk management is risky. It has a potential upside and a downside.  On the upside, the hope is that the blog adds to the development of risk management thinking and at the least promotes discussion on ideas that could lead to improvements in this great discipline. On the downside, it opens oneself up to criticism, usually relating to the view that we are overcomplicating things and/or not being technically correct. 

I, for one, think the risk is worth taking as I believe the upside outweighs the downside and by and large positive and/or constructive feedback outweighs any negative and/or destructive comments.


23/03/2017 / Risk Management Training, Inherent & Residual Risk

Risk Appetite - Inherent and Residual?

The case for setting both an Inherent and Residual Risk Appetite

In the last two blogs, 'Inherent Risk – Is it useful?' and 'Expected and Targeted Risks', I discussed the potential value of assessing inherent, residual, expected and targeted risks. In this article, I go one stage further and discuss the potential relevance and value of setting both an inherent and residual risk appetite.

The instigator that prompted me to consider this topic came from a board risk appetite setting session I conducted a short time ago. It was clear that the board was not going to agree on the levels of risk appetite for certain risks as their views were quite diverse.

At one extreme, one director wanted to set high appetites, especially for strategic risk, while another more conservative director was very uncomfortable with this and wished to set much lower appetites. Listening to the conversations, it became clear that the discussion was at cross purposes.


10/03/2017 / Enterprise Risk Management, Risk Culture, Risk Management

How to Achieve your Risk Management Goals

TEN KEYS to Risk Management Success 

Having worked with many clients over the years in implementing, maintaining and developing their risk management systems you learn what works and, on the other hand, what does not.

The following are my top TEN KEYS to success – get these right and you will have a risk management function that is seen to be as critical as any other management function in the value it adds.

1. Keep it Simple

With any developing discipline, there is a tendency to invent new words and use big words that sound smart but no one understands. Risk management is no exception with a myriad of fancy words and acronyms. 


23/02/2017 / Risk Management, Risk and Control Self Assessment, Risk Maturity, Risk Controls

Expected and Targeted Risks

Are they useful?

Residual risk, the risk after considering existing controls, is universally accepted as important to assess in the risk assessment process. 

In a previous blog article, we questioned whether inherent risk was useful. We concluded on balance that it can be a useful concept to recognise and assess. Inherent risk is useful in providing assistance when assessing the importance of controls and helping in the understanding of stress test scenarios.

This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful. 


26/01/2017 / Enterprise Risk Management, Inherent & Residual Risk, Risk Controls

Inherent Risk – Is it useful?

The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment. The main areas of contention are:

What does Inherent Risk mean?

There are few common definitions in risk but “Inherent risk” is commonly defined as “the risk without considering internal controls” or alternatively “a raw risk that has no mitigation factors or treatments applied to it”. Residual Risk on the other hand is commonly defined as “the level of risk remaining after controls have been applied”. 


25/01/2017 / Risk Culture

The 6 key elements to creating and maintaining a good risk culture

You can take a horse to water but you cannot make it drink. You can take risk management to your business but you cannot make them do it. People, to be successful in anything they do, must have a desire to do it.

This breeds passion which drives people to excel.

Getting the right culture to support risk management across your business is the most important ingredient for success. 

So what does the right “risk culture” mean and how do we create and maintain it? Culture is embedded within people’s thoughts which then influence their behaviours and actions. Risk culture is their thinking, behaviours and actions around risk and risk management.
