Why Does New Zealand Treat Risk Management Like an Accounting Exercise

I came across a job posting recently that stopped me in my tracks. A significant Australian-New Zealand business was recruiting for a Head of Risk and Assurance position. The role description covered all the usual risk management responsibilities - the kind you could pull from any Google search. But the required qualifications? CPA or CA. Accountancy credentials only. No risk management qualifications whatsoever.

Surely this was a mistake? I rang their HR department to check. No mistake. Their overseas head of risk, also an ex-accountant, specifically wanted an accountant because they were "only interested in the financial impact of risk to the business."

When I asked about reputational damage, performance issues, time-related risks, or quality concerns, the response was clear: that's not what they're looking for.

The Fundamental Misunderstanding

Here's the problem with this approach. Accountancy measures things that have already happened. It's about costs incurred, money spent, numbers from the past. Risk management, by definition, deals with uncertain future events that may impact your objectives.

These are fundamentally different skill sets requiring different training, different thinking, and different qualifications. Yet in New Zealand, this confusion is perfectly normal. Risk management isn't recognised as a distinct profession. Instead, it's treated as a bolt-on responsibility for someone already in the management team.

The logic goes something like this: "Risk? That's got costs involved. Give it to the accountant." Or: "Audit and risk are basically the same thing, right? The auditor can handle it." Sometimes it lands with the quantity surveyor or the commercial manager.

But none of these professionals entered their careers planning to become risk managers. They haven't pursued the qualifications, the continuous professional development, or the specialised knowledge needed to stay at the forefront of a constantly evolving field. And anyone working in risk management knows that risk and uncertainty are constantly changing. This is the stuff that's happening in the future - we don't necessarily know what it is yet. Sure, we can look at history to give us a rough guide to future possibilities, but it really takes specific skills and knowledge to support executives in exploring the future scenarios that may impact their objectives. You can't just download a list of nice-sounding risk management activities from Google and expect meaningful results.

The National Cost of Getting This Wrong

The consequences of this approach show up in our national statistics. New Zealand sits in the top 10% of OECD nations for funding and initiating projects. We're ambitious, we're well-resourced, and we're ready to invest.

But we're in the bottom 10% when it comes to actually delivering those projects successfully and realising their benefits.

Why such a dramatic gap between our intentions and our outcomes? Multiple factors contribute, certainly. But I'd argue that our casual approach to risk management plays a significant role. We're far too optimistic about our capabilities, and we operate in a business environment dominated by small to medium enterprises with little resilience to risk events.

Why This Matters More Than Ever

The current environment makes proper risk management even more critical. Global political complexity is increasing. Supply chains face unprecedented uncertainty. Resource availability fluctuates. The recent fuel crisis is highlighting just how vulnerable our small business ecosystem really is.

Consider our third-party risk exposure. Many of our largest infrastructure projects face delays primarily around procurement - finding and retaining the tradespeople and suppliers we need. When a small contractor we depend on goes out of business or takes a hit from an unexpected risk event, entire projects pause whilst we return to market.

Our construction supply chain relies on materials from overseas, typically managed through just-in-time procurement with zero resilience built in. COVID-19 demonstrated this vulnerability clearly. Yet we still haven't adjusted our approach. The fuel crisis is showing us the same lesson again - so many small businesses rely on vehicles for transportation and all the other parts that feed into their operations. When that gets disrupted, the ripple effects hit everyone.

The Organisational Barriers

Even when businesses do employ dedicated risk managers, they often bury them somewhere in the tertiary levels of an operational department. Their reports pass through multiple hands before reaching decision-makers, getting tweaked, minimised, and adjusted along the way to avoid raising red flags or upsetting leadership.

This defeats the entire purpose of risk management. The role exists to provide real, quality information that supports governance and strategic decision-making. When that information gets filtered and softened before it reaches the people making decisions, you're not managing risk - you're creating a false sense of security.

Many New Zealand businesses still present boards with traditional heat maps and lists pulled directly from risk registers. What exactly is a board supposed to do with that information? How does it support actual decision-making?

This is why so many organisations keep getting shocked and surprised when things go wrong, despite having "a risk management process" and "a risk manager." They're running what I'd call risk management theatre - it looks like the real thing, but it provides no actual protection.

What Needs to Change

We need to recognise risk management as a profession in itself, with specific skills, knowledge, and experience requirements. You can't simply tap a mid-level operations manager and say "you're now responsible for risk" and expect meaningful results. That approach just provides a tick box for leadership whilst actually increasing the likelihood of nasty surprises.

Risk managers need to sit where they can influence and advise leadership directly. Their insights need to reach decision-makers without being diluted or dismissed. And businesses need to understand that effective risk management isn't about eliminating uncertainty - it's about making better decisions in the face of it.

As a member of both RiskNZ and the RMIA, I'm focused on uplifting New Zealand's capabilities, understanding, and recognition of risk management as a discipline. We have the resources and ambition to succeed. We just need to take risk management seriously enough to do it properly.

If your organisation wants risk management to actually make a difference - particularly given the increasing complexity we all face - it starts with recognising that this work requires dedicated professionals with the right training and the right seat at the table.

What's your experience with risk management in New Zealand organisations? Are we finally ready to treat it as the strategic function it needs to be?