June 8, 2016
Key Misunderstanding on Risk Management
by Norman Marks
The concept that we must mitigate all risks is absurd. We cannot survive, let alone thrive, if we do not take risk.
Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now senior fellow and Marvin Bower professor of leadership development, emeritus at the Harvard Business School. (I have never had the privilege of meeting him.)
His colleague, Anette Mikes, was with him at Harvard, and she is now professor of accounting and control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes her. (I have heard her speak but have never met her one-on-one.) She has made important contributions to the academic study of risk management that includes a case study of John Fraser’s Hydro One and a similar case study on Lego.
I have shared my thoughts with her on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.
Kaplan and Mikes recently published a Harvard Business School working paper, “Risk Management – the Revealing Hand.”
While there is some value in the paper — such as its insistence that risk management must be continuous as well as its discussion of overreliance on models — it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organizations to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in its 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believe risk management supports their ability to develop and execute on business strategy very well.
See also: How to Remove Fear in Risk Management
How can risk management practitioners demonstrate value and significantly contribute to the success of an organization when they:
- Focus on a list of potential harms;
- Don’t focus on enabling intelligent and informed decisions from strategy to tactics; and
- Talk in technobabble instead of the language of the business?
I see risk management as about the following:
- Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization toward its objectives.
- Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives and what (if anything) we need to do about it.
- Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo.
- Knowing how to evaluate the potential for any event or situation to have good, bad or a combination of good and bad effects — and providing a structured process for making decisions about the path forward.
- Promoting intelligent and effective management that enables the organization to succeed.
Kaplan and Mikes say there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note: EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)
Is the conclusion by Kaplan and MIkes because they don’t understand what risk management should be, that it is not about managing a list of potential harms (what Jim DeLoach calls “enterprise list management”)? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out, or, would you dismiss the pessimist with disdain?
Here are just a few quotes to support my view:
- “Enterprise risk management helps an entity get to where it wants to go.” – COSO (the acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which published “Internal Control—Integrated Framework” in 1992).
- “[Risk management enables] a greater likelihood of achieving business objectives [and] more informed risk-taking and decision-making.” – COSO
- “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
- “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in [and affects] everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
- “You need [risk management] to become part of the rhythm of the business — meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
- “The job of risk (management) is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved.” – Deloitte
I can tell you that the risk management programs at Hydro One and Lego do not limit their work to potential harms. They consider the potential for reward as well as harm and work to help management succeed.
See also: Moving to Real-Time Risk Management
So how is it that Kaplan and Mikes have such a narrow view? Perhaps it is because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks (enterprise list management).
That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.
How do you expect a CEO to believe risk management enables success when all the chief risk officer (CRO) gives him is a list of what could go wrong? The CEO needs help to see what might happen, both good and bad, and what to do about it. In other words, the CEO needs to see risk management as helping him or her get where he or she needs to go.
Do you share my view?
If so, how do we convince both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?
I welcome your views.
This article was originally posted here.