Organisational Risk Leadership

“System Capability Audits” – the necessary next step in management auditing

Compliance auditing is very familiar to most of us.  Useful as far as it goes, the value of compliance auditing is limited.  In a rapidly changing world fixed rules are often out of date, and compliance with rules does not mean that an organisation is performing well or that it will perform well in future.

Many of us are also familiar with performance auditing, which focuses on whether agreed outcomes are being met and if not, why not.  Performance audits require skill, experience and high situational awareness but they too have limits to their value.  Not achieving targets may be due more to external forces than to poor management and the achievement of specific targets can be at the cost of performance in other areas.  In a changing world, the ability to achieve targets set 12 months earlier is of limited value when the targets themselves should be moving.

System Capability Audits take the next step, to test the capability of whole business systems in their current and emerging context.  Although existing rules, standards and performance targets are still relevant, System Capability Audits go much further by exploring how the dynamics within an organisation enable it to maximise (or otherwise) achievement of its purpose.

To do this, System Capability Audits use a process of open inquiry and systemic analysis to discover what happens and why, and how those dynamics contribute to (or detract from) the possible delivery of the purpose.  This is true systems thinking work from first principles.  It can be scary and difficult and, because it reveals underlying root causes (cans of worms), it can be a thankless task.

Nonetheless, System Capability Auditing is necessarily the way of the future.  In a world of uncertainty and change, it is the only effective way to validate governance systems and to predict future performance.  It is a powerful tool for those leaders willing to grasp the nettle and take the risk.

Risk management today – on the edge of change

It is easy to show that traditional risk management approaches are useful to a point (they are much better than no risk management at all) AND also that they are far from the best approach to uncertainty in organisations.   AS/NZS ISO31000 may represent accepted practice but it is certainly not best possible practice, even when applied within a larger Enterprise Risk Management (ERM) approach.

The world we live in is complex and constantly changing.  We also face constant uncertainty simply because people are involved, and this means that everything we do is affected by intangible factors such as relationships, agendas, and biases.  Many of these are hidden and unknowable, or at best can be inferred from behaviour.  Let’s not leave out risks that are sensitive to talk about because they involve people.  It’s not likely that you will feel free to list the incompetence of your boss as a source of risk in your risk register, despite the huge impact that this could have on your future success!

Traditional forms of risk register are NEVER the whole risk story.  They can’t be, even in an organisation that is working well and succeeding.  This is demonstrated whenever disasters or serious failures are investigated.  In almost every case some or all of the major sources of risk were NOT in the risk register.  If we accept that risk registers are never the whole story and that many risks are hidden, intangible, subtle and inter-related then we have to look beyond current accepted risk management approaches.  They simply are not enough.

Arguably, we should re-frame risk management from first principles.  What is a risk and what is it a risk to?  How can leaders make the best possible decisions when always faced with uncertainty including unknowable unknowns?  How do we find the root causes and leverage points in complex, inter-related organisational issues, factors and sources of risk?  What do we do about risks that are hard to talk about, let alone write down?

Today, right now, what advice and support can risk professionals give to leaders of organisations so that they are able to make the best possible decisions in our uncertain, complex world?  What does best practice risk management really look like?

For some thinking and practical responses to these questions go to or to  Or simply surf the web looking for people working innovatively on risk and uncertainty.

Risk – a better definition

Definitions are boring and arguing about them is even worse.  Rather than saying why and how current risk definitions are ineffective and limiting, this post simply provides a useful, powerful definition of risk.

A risk is any threat to the maximum achievement of our purpose

Using this definition makes a material difference.  It changes the level and nature of risk conversations and requires decision makers to do more than just “tick the boxes” to achieve satisfactory outcomes.

Feel free to ask questions, to challenge and collaborate.

Sensitive risks – real, deadly and often not dealt with

Sensitive risks don’t get a lot of press – perhaps because (by definition) they are not easy to talk about or to manage.  Sensitive causes of risk abound – for example, when a colleague is distracted by important personal issues it is less likely that they will be effective in their work and, if so, this creates risks to success.  Despite the risks created, this is likely to be ignored completely or to be handled on the quiet.  Even if it is handled well, it will almost never be entered into any form of risk report or risk register.  This is yet another reason why any risk management framework that relies heavily on risk registers is flawed.

Some might say that this kind of problem is a “management issue” rather than a source of risk, since the risk event has already happened.  Not so.  If we limit risk management to “events that might happen” we deal with only some of our sources of risk.  In any case, separating risks and issues into two different categories is “reductionist”.  It compartmentalises them for no good reason except to make them seem easier to manage.  The reality is that this leads to poorly integrated responses that are sub-optimal and that can often be shown to have perverse unintended consequences.

Risk consequences can be sensitive too.  For example, a risk of project delays can be sensitive if delays are politically unacceptable or unpalatable.  Leaving aside questions of integrity and transparency, people often avoid documenting or reporting risks if the possible consequences have flow-on implications that are hard to write down.

Internally generated risks (IGR) were mentioned in a previous post.  IGR are often sensitive, if only because they arise from within and may imply criticism of our managers, colleagues, staff or stakeholders.

Any organisation that wishes to deal well with uncertainty, whether threats or opportunities, needs to be good at finding and managing risks that are sensitive.  This is difficult precisely because of the nature of the risks.  Fortunately, there are ways of building the internal people and process capabilities necessary.  Unfortunately, those capabilities are closely linked with leadership and culture and are not easily shifted.

Show me an adaptive, flexible project or organisation that manages risks well in uncertain times and I will show you a strong, capable leader who tackles sensitive, difficult issues that others avoid.

Internally Generated Risks – hidden, complex, powerful

Internally Generated Risks (IGR) are the risks we create for our own organisation or project by how we work and the decisions we make.  For example, whenever we make a key decision without consulting appropriate stakeholders, or we use an ineffective internal business process, or we hire someone unsuited to their role, we make success less likely.  That is, we create risk.  When this happens, we can’t blame external forces or technology or bad luck.  The risk is internally generated.

IGRs are often sensitive to talk about and to document, may be treated as “management issues” rather than risks, and can be complex and subtle to identify and to define.  Consequently, they seldom appear in risk registers and are often poorly managed, if at all.  Recent research shows that only about 25% of such risks are acknowledged and even fewer are documented and managed.  Yet the evidence is overwhelming.  The root causes of most major disasters are internally generated.

When (or if) your project or organisation experiences an avoidable failure, the root causes will almost certainly NOT be in your risk register!  So if your risk management practice and thinking depend on the use of risk registers and apply the traditional risk management process described in ISO31000, you should stop and think.  The sources of risk that will cause your next disaster are almost certainly NOT being managed as risks.

Understanding and managing Internally Generated Risks is just one part of the unique Manex Organisational Risk Leadership approach to maximising success in an uncertain world.

If you want to grab hold of organisational uncertainty and risk and to turn them to your advantage, feel free to contact Dr Richard Barber at