Three Lessons on Judgment and Communication from an Unlikely Source: Risk Auditing

Introduction: Uncovering Wisdom in Unexpected Places

In any professional role, we constantly navigate a spectrum of issues. We face major crises that threaten our goals, minor glitches that create friction, and simple opportunities to do things a little better. The challenge lies in telling them apart. Without clear judgment, we risk escalating minor annoyances into team-wide emergencies or, worse, downplaying critical failures until it’s too late.

Where can we find a better framework for this kind of clarity? The answer comes from an unexpected place: a technical lecture on conducting ISO 31000 risk management audits. While the subject is niche, its core principles for evaluating and communicating problems offer powerful, practical lessons for any professional. This article distills the most impactful takeaways on developing clear judgment and communicating what truly matters.

1. The Courage to Call a Problem a Problem

In auditing, an "Opportunity for Improvement" (OFI) is a constructive suggestion for strengthening a process beyond its minimum requirements. It’s not a formal failure, or "nonconformity," and it doesn't require mandatory corrective action. An OFI is appropriate and value-adding when processes are effective but could be more mature, when practices vary between teams, or when reporting could be enhanced to be more decision-focused. It is, in essence, helpful advice.

The counter-intuitive insight, however, is how this helpful tool is often misused to avoid difficult conversations. Rephrasing a clear failure as a mere "suggestion" is a common error, often born from a desire to soften a message or avoid conflict. As the source material bluntly states, this points to a deeper human challenge:

An audit full of OFIs but no findings often indicates lack of auditor courage.

This point is crucial because true progress requires the professional courage to state clearly when something is wrong. Hiding a genuine problem behind the gentle language of an "opportunity" doesn't solve it; it only ensures the risk remains. The guiding rule is simple and absolute: "If there is a risk to objectives, it is a finding, not an OFI."

2. Poorly Written Findings Damage Credibility More Than Poor Risk Management

In a professional setting, identifying a problem is only half the battle. The quality of your communication is paramount, because how a problem is articulated determines whether it will be taken seriously and acted upon. The lecture makes this point with a startlingly clear statement:

Poorly written findings damage credibility more than poor risk management.

This is true because for an observation to be defensible, it must be more than an opinion. Vague assessments like something "needs improvement" are easily dismissed and weaken trust. To build a credible, fact-based case, professionals can use a simple four-part structure:

• Condition: What was observed? (The facts)
• Criteria: What is the standard or expectation that was not met? (The rule)
• Cause: Why did the deviation happen? (The root cause)
• Effect / Risk: Why does it matter? (The consequence)

For example, a vague complaint like "Some people are late with their tasks" becomes a defensible finding when structured this way: "Risk treatment actions were overdue in 3 of 12 cases (Condition), contrary to the procedure requiring defined timelines (Criteria). This was due to unclear ownership during restructuring (Cause), increasing the likelihood that residual risk remains unmanaged (Effect/Risk)." This structured, evidence-based approach commands attention and drives action, preserving your credibility and ensuring real problems get solved.

3. The One Question That Separates Annoyances from Crises

When faced with multiple problems, how do we prioritize? The audit framework provides a powerful method for distinguishing between a "Major" and a "Minor" finding. The key is that severity is not about the size of an issue, but its ultimate impact.

A Major Finding indicates a systemic failure that fundamentally undermines objectives. It's a problem that affects decision integrity and exposure, creating unacceptable risk or invalidating leadership choices.

In contrast, a Minor Finding is a localized weakness that affects consistency and reliability. It doesn't compromise the entire system on its own, but it signals a gap that could escalate. Crucially, a minor finding becomes major if it is repeated, ignored, or becomes widespread.

To distinguish between the two, the lecture offers a "Quick Auditor Test." While the title of this section highlights one key question, the full diagnostic is a three-part assessment:

• Does this issue affect decision integrity?
• Does it create uncontrolled exposure?
• Is it systemic or isolated?

The first question is the most powerful focusing mechanism. If the problem could cause leaders to make the wrong choice because they are working with flawed information or a broken process, it is likely major, no matter how small it seems. The other two questions provide essential context on exposure and scale, creating a comprehensive tool for any professional trying to separate true crises from manageable annoyances.

Conclusion: From Audit to Action

The technical world of risk auditing offers three profound lessons for any professional: have the courage to label problems correctly; remember that credibility rests on your ability to communicate those problems using a clear, factual structure; and finally, learn to prioritize by assessing whether an issue impacts the integrity of decisions or merely affects operational consistency.

The next time you report an issue, will you focus on its size, or on its impact on the integrity of your team's decisions?

Share This Article

Found this useful? Share it with your network: