Internally Generated Risk

“System Capability Audits” – the necessary next step in management auditing

Compliance auditing is very familiar to most of us. Useful as far as it goes, the value of compliance auditing is limited. In a rapidly changing world, fixed rules are often out of date, and compliance with rules does not mean that an organisation is performing well or that it will perform well in future.

Many of us are also familiar with performance auditing, which focuses on whether agreed outcomes are being met and if not, why not.  Performance audits require skill, experience and high situational awareness but they too have limits to their value.  Not achieving targets may be due more to external forces than to poor management and the achievement of specific targets can be at the cost of performance in other areas.  In a changing world, the ability to achieve targets set 12 months earlier is of limited value when the targets themselves should be moving.

System Capability Audits take the next step, to test the capability of whole business systems in their current and emerging context.  Although existing rules, standards and performance targets are still relevant, systems capability audits go much further by exploring how the dynamics within an organisation enable it to maximise (or otherwise) achievement of its purpose.

To do this System Capability Audits use a process of open inquiry and systemic analysis to discover what happens and why, and how those dynamics contribute to (or detract from) the possible delivery of the purpose.   This is true systems thinking work from first principles.  It can be scary and difficult and because it reveals underlying root causes (cans of worms) it can be a thankless task.

Nonetheless, System Capability Auditing is necessarily the way of the future.  In a world of uncertainty and change, it is the only effective way to validate governance systems and to predict future performance.  It is a powerful tool for those leaders willing to grasp the nettle and take the risk.

Sensitive risks – real, deadly and often not dealt with

Sensitive risks don’t get a lot of press – perhaps because (by definition) they are not easy to talk about or to manage.  Sensitive causes of risk abound – for example, when a colleague is distracted by important personal issues it is less likely that they will be effective in their work and if true, this creates risks to success.  Despite the risks created, this is likely to be ignored completely or to be handled on the quiet.  Even if it is handled well, it will almost never be entered into any form of risk report or risk register.  This is yet another reason why any risk management framework that relies heavily on risk registers is flawed.

Some might say that this kind of problem is a “management issue” rather than a source of risk, since the risk event has already happened.  Not so.  If we limit risk management to “events that might happen” we deal with only some of our sources of risk.    In any case, separating risks and issues into two different categories is “reductionist”.  It compartmentalises them for no good reason except to make them seem easier to manage.   The reality is that this leads to poorly integrated responses that are sub-optimal and that can often be shown to have perverse unintended consequences.

Risk consequences can be sensitive too.  For example, a risk of project delays can be sensitive if delays are politically unacceptable or unpalatable.  Leaving aside questions of integrity and transparency, people often avoid documenting or reporting risks if the possible consequences have flow-on implications that are hard to write down.

Internally generated risks (IGR) were mentioned in a previous post.  IGR are often sensitive, if only because they arise from within and may imply criticism of our managers, colleagues, staff or stakeholders.

Any organisation that wishes to deal well with uncertainty, whether threats or opportunities, needs to be good at finding and managing risks that are sensitive.    This is difficult precisely because of the nature of the risks.  Fortunately, there are ways of building the internal people and process capabilities necessary.  Unfortunately, those capabilities are closely linked with leadership and culture and are not easily shifted.

Show me an adaptive, flexible project or organisation that manages risks well in uncertain times and I will show you a strong, capable leader who tackles sensitive, difficult issues that others avoid.

Internally Generated Risks – hidden, complex, powerful

Internally Generated Risks (IGR) are the risks we create for our own organisation or project by how we work and the decisions we make. For example, whenever we make a key decision without consulting appropriate stakeholders or we use an ineffective internal business process or we hire someone unsuited to their role, we make success less likely. That is, we create risk. When this happens, we can’t blame external forces or technology or bad luck. The risk is internally generated.

IGRs are often sensitive to talk about and to document, may be treated as “management issues” rather than risks and can be complex and subtle to identify and to define. Consequently, they seldom appear in risk registers and are often poorly managed, if at all. Recent research shows that only about 25% of such risks are acknowledged and even fewer are documented and managed. Yet the evidence is overwhelming. The root causes of most major disasters are internally generated.

When (or if) your project or organisation experiences an avoidable failure, the root causes will almost certainly NOT be in your risk register!!! So if your risk management practice and thinking depend on the use of risk registers and apply the traditional risk management process described in ISO31000, you should stop and think. The sources of risk that will cause your next disaster are almost certainly NOT being managed as risks.

Understanding and managing Internally Generated Risks is just one part of the unique Manex Organisational Risk Leadership approach to maximising success in an uncertain world.

If you want to grab hold of organisational uncertainty and risk and to turn them to your advantage, feel free to contact Dr Richard Barber at