An interview with Darren Mullan, Chair of the KoSA and Bahrain RIG, Head of Risk & Compliance at Bahri 

Interviewed by: Gareth Byatt, IRM APAC Global Ambassador; Principal Consultant, Risk Insight Consulting

Gareth: Darren, thanks for making the time to catch up with me to talk about “where should risk management should be heading” – for both businesses and projects.

I’m looking forward to us discussing whether risk management is adding enough value in the modern business and project world, and whether the “traditional way of approaching risk management” is still relevant, or is it time that we “upended it” to do something different.

What do you think about the so-called traditional way of approaching risk management – with a process, a framework, tools and techniques. Is it still relevant today for achieving business and project value?

Darren: I am a strong advocate for a structured and systemic approach to risk management, whether it is called ‘traditional’ or simply ‘standard practice’. My rationale for this approach is that whatever your approach to risk management, it must be sustainable and integrated.

With regards to sustainability, what happens if a risk manager designs a bespoke, non-standard risk management system and then that risk manager leaves the organisation? By developing and implementing a risk management system which is aligned to a traditional, recognised framework the risk manager is ensuring that when they leave organisation, the next risk manager is better able to build on the existing system, rather than have to start all over again.

With regards to integration, again if the risk manager moves too far away from existing, recognised frameworks (e.g. ISO31000) then it makes it more difficult for other disciplines to integrate their systems (e.g. ISO9001, ISO27001, ISO14001). If the organisation’s management systems are not fully integrated, then we are potentially introducing weaknesses that could affect overall organisational success. 

Once a sustainable and integrated risk management system has been established and embedded, then the risk manager has the opportunity to build on this foundation and introduce innovation, but not before.

Gareth: The business world, and the project world, is changing a lot today. What do you think this pace of change means for people who work as Risk practitioners? Are we agile enough to change? Are we helping our businesses and projects to achieve effective change?

Darren: I have no doubt that risk managers are just as agile as any other discipline, whether it be finance, safety, project management, quality, engineering, etc.

I would also argue that, irrespective of the specific changes taking place within the particular organisation or sector, risk managers should stay true to the basic fundamentals of making sure that:

- Risk management activities within the organisation are aligned to, and providing timely support for, the important organisational decisions

- The risk management system is integrated with other relevant systems (e.g. quality and safety), as sometimes it is better to slow down changes and stay integrated than become too agile and compromise these key interfaces.

 In my experience, both points are particularly important within projects as, by their very nature, there can be a lot of turbulence and changes within the early stages of the project where there is an environment of ‘storming’ and ‘forming’.


Gareth: What role do you think technology has, in various forms, to the risk professional of tomorrow? Will it be an influential enabler to help people take and manage risk in the next five to ten years, and what does this mean for our profession if so?

Darren: In my opinion, technology, or as a minimum the use of tools, has always been an enabler for the risk profession, especially when it comes to capturing, analysing and visualising data.

Tools and technology have been an influential enabler for the risk profession for a very long time; from the abacus, which is thought to have appeared over 5,000 years ago, through to today’s artificial intelligence and the use of algorithms to dramatically increase the accuracy of decision-making

For the risk professionals of tomorrow, I still see us continuing to provide an invaluable role alongside enabling tools and technology. After all, there will always be a role for people for critical decisions, and where people are involved in making decisions there will always be a role for risk management.

 Gareth: From your point of view, does certification and training in risk management need to change to keep up with where things need to head?

Darren: At our recent inaugural IRM regional event for the Kingdoms of Saudi Arabia and Bahrain, we had an insightful presentation from Dr. Suzanne White on risk management training and certification.

Suzy’s presentation made me reflect on this topic as, like many people, I had fallen into the trap of thinking that certification and training were the same thing.

So, whilst I see the enduring need for certifications as ‘common currency’ to help us differentiate between our types and levels of competency, the underpinning training needs to be agile and relevant.

This problem is compounded by the wide range of available certifications and training, which are available in the marketplace.

In my opinion, I would recommend you select and pursue the training which interests you and is relevant to your specific organisation and sector – focus on the content and relevance of the training, how it is delivered, and the competence of the individual trainer. However, I would recommend that you pursue certification through an established professional institute like the IRM.


Gareth: What role do international risk standards and industry standards have to play in future, do you think? 

Darren: As I mentioned earlier, international risk standards and industry standards promote sustainable risk management systems, which are also integrated with other key organisational management systems.

During my career, I have worked across a number of sectors and organisations where there have been ‘mandated’ industry, or organisational, risk management standards and frameworks. Whilst the initial reaction is sometimes to resist these standards, find fault in them and succumb to ‘not invented here’, I have learnt that these standards are often there to support sustainability and integration.

Therefore, I see these international risk standards and industry standards continuing to provide this important role for the foreseeable future.


Gareth: Is the risk profession collaborating closely enough around the world? What more do you think we can, and should, do to improve this?

Darren: As a profession, I do think there is close collaboration around the world, driven by a number of factors:

· As a profession, we are still part of a relatively small community of practitioners

· Aside from the financial sector, our risk management frameworks, tools and techniques are very transferrable across sectors and organisations

· Our professional institutes, such as the IRM, are proactively developing and supporting a global networks to share our knowledge.

Of course, we could and should improve this collaboration in a number of areas, such as improving our collaboration with related disciplines and professions, such as quality, safety, security and finance – this is something our professional institutes can lead with, by:

  • Establishing mutual recognition, and convergence, of each other’s risk management methodologies
  • Improving consistency across terminology and definitions.


Gareth: Thanks for these insights, Darren. Let’s check in this time next year to see how things are moving forward!


















Gareth: Thanks for making the time to talk with me about your role in risk management for UniSport Australia. A couple of years ago you chatted to the IRM about your role and experiences, and we thought it would be good to touch base with you again to find out how things are currently shaping up. 

Donna: Well, 2018 has been a busy year for us. Some things have changed, some have not. 

In the university sport sector in Australia, a big focus for us has been on incident and crisis management in the last two years. That’s not to say that general risk management processes are not ongoing, they are still important, it’s just that we have focused particularly on education and training on incident and crisis management for our staff and for staff that work in sport on university campuses across the country. 

Part of this has been to ensure university sports departments are well equipped to deal with the risks they face if they turn into incidents. 

We have also been focusing on ensuring that various university sports departments are aware of the Risk departments that are on their campuses, and the help that is on hand to help them with their activities. 

We are also, as part of this, starting to link in with National University Sports Federations around the world. 

We are fortunate that our UniSport Australia risk management and incident management model and the way it deals with identification of risks and handles crisis management, is quite well respected.


Gareth: This is interesting to know. Hopefully the international spread of the IRM can help a little with connecting people together as well. 

Donna: Absolutely. It will be great to liaise and connect with people internationally who work in the sports sector, and of course other sectors.

We have learned from incidents that have happened to us, and from other incidents, and we focus on passing on and sharing learnings. 

The next “phase” of our Risk approach is to help others in our sector internationally, recognising that the university sports sector has some particular unique elements to it. 

For example, the risks that university sport faces include: 

  • From an incident perspective, what happens when you take a team on tour, if a crisis happens – whether it is in “the next suburb” or on the other side of the world – what risks and processes do we have that can quickly “kick in”? 
  • The profile of a university student is also changing. What does this mean for the risks that we face now and in future, including their ability to participate in sport given other pressures of education, work and life.


Gareth: This is interesting to see. Looking back at the last couple of years, how has the IRM helped you move forward in risk management? 

Donna: For me personally, the IRM has been a great basis to build from. 

The biggest thing is keeping up to date with news and thinking in risk management. It’s about “keeping a finger on the pulse” and having confidence in your abilities. This has helped me to be more active in risk work locally and more generally in the State of Queensland. 


Gareth: There’s been quite a lot of discussion this year on keeping risk management simple (for example, it’s been a topic discussed in the IRM’s Enterprise Risk magazine). Are you an advocate of this approach and ethos? 

Donna: Most certainly. We still have some way to go to simplify what we do. 

My organisation has faced this in the past couple of years. Keeping in simple definitely helps me and the team I work with. 

I appreciate that it depends on the industry that you are in. Some industries require certain processes to be followed. For us, we want and need to make risk management simple for Sports Officers and Sports Coordinators and other key stakeholders that we work with and not over complicate the process with lengthy forms or documents that may spend more time on the shelf than being read. This is where our regular staff training using scenarios really helps us. 


Gareth: Moreover, is it fair to say that communications skills are a key part of a Risk Manager’s make-up?

Donna: Absolutely. It’s so important that a Risk practitioner has good communications skills and is very approachable. They need to know how to talk to the people they work with in a way that connects with them, to get on their wavelength. For example, with Finance people the conversation could be quite different to people working as athletics coaches (we have Finance people in our organisation, of course, as well as other support functions). 


Gareth: As part of our role, we also need to understand cognitive biases. 

Donna: Absolutely, we need to avoid falling into the trap of thinking there is “one way for everyone”. We also need to think outside the box on how we ensure good risk management is practised by the people we work with. 


Gareth: Are you working with other organisations in APAC? 

Donna: We are planning to engage with University Sport Federations in the Asia region in 2019. We already have some good ties in the region including in China, and we work in the Pacific region specifically around taking teams away to play sport, to help them to identify the Risk processes that will safeguard them. 


Gareth: Perhaps there may be some opportunities to link up with our IRM members in APAC countries? 

Donna: Yes, definitely. It would be great to further connect with other IRM members in the regions and nations in which we will be more active in the coming year.


Gareth: I’d like to finish by asking you about any tips you have for IRM members in the APAC region. In your last interview from February 2017 you mentioned 

1) You will always succeed if you enjoy what you do. 

2) Stay relevant and up to date. 

3) Ensure you network with others in the risk industry. 

Donna: The main think I would add to this is: look for and seize opportunities to improve what you do, to push yourself forward for new experiences and growth. If we are not careful, we can rest on our laurels – avoid this by looking forward and grabbing opportunities that you see.