July 25, 2016
Risk Management: Off the Rails?
Risk management began as science, became an art and is now a mess, the author argues.
First, there was science…
Some sources suggest probability theory started in gambling and maritime insurance. In both cases, the science was primarily used to help people and companies make better decisions and, hence, make money. Risk management used the mathematical tools available at the time to quantity risk, and their application was quite pragmatic.
Banks and investment funds started applying risk management, and they, too, were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. In 1990, Harry M. Markowitz, Merton H. Miller and William F. Sharpe won a Noble Prize for the capital asset pricing model (CAPM), a tool also used for risk management. This doesn’t mean risk management was always always accurate — just see the case of LTCM — but managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).
Then, risk management became an art…
Next came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than a science.
Some of the reasons behind the shift were, arguably:
- Lack of reliable data to quantify risks — Today, certainly, there is no excuse for not quantifying risks in any type of an organization.
- Lack of demand from the business — Many non-financial organizations of the time were less sophisticated in terms of planning, budgeting and decision making. So, many executives didn’t even ask risk managers to provide quantifiable risk analysis.
- Lack of qualified risk managers — As a result, many risk managers became “soft” and “cuddly,” not having the skills or background required to quantify risks and measure their impact on business objectives and decisions.
Many non-financial companies quickly learned which risks to quantify and how. Other companies lost interest in risk management or, should I say, never saw the real value.
Today, it’s just a mess…
What I am seeing today, however, is nothing short of remarkable.
Instead of being pragmatic, simple and focused on making money, risk management has moved into the “land of buzz words.” If you are reading this and thinking, “Hold on, Alex. Risk velocity is important; organizations should be risk resilient; risk management is about both opportunities and risks; risk appetite, capacity and tolerances should be quantified and discussed at the board level; and inherent risk is useful,” then, congratulations! You may have lost touch with business reality and could be contributing to the problem.
See also: Risk Management, in Plain English
I have grouped my thinking into four problem areas:
These days, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis, etc.) created in the ’40s and the ’60s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is mainly ignored by the majority of risk managers in the non-financial sector.
Ironically, many organizations do use tools such as Monte Carlo simulations (developed in 1946, by the way) for forecasting and research, but it’s not the risk manager who does that. The same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counterparty risk management. Yet blockchain is pretty much ignored by risk managers.
It has been years since I saw a scientist present at any risk management event, sharing new ways or tools to quantify risks associated with business objectives. That can also be said about the overall poor quality of postgraduate research published in the field of risk management.
Unless we are talking about a not-for-profit or government entity, the objective is simple: Make money. While making money, every organization is faced with a lot of uncertainty. Luckily, business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on.
Yet, instead of integrating all the tools, risk managers often choose to go their separate ways, creating a parallel universe that is specifically dedicated to risks (which is very naive, I think). Examples include:
- Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2009;
- Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings;
- Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models;
- Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs;
- Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk; and
- Creating separate risk reports instead of integrating risk information into normal management reporting.
Risk management has become an objective in itself. Executives in the non-financial sector stopped viewing risk management as a tool to make money. Risk managers don’t talk, many don’t even understand business language or how decisions are being made in the organization. Risk analysis is often outdated, and by the time risk managers capture it, important business decisions are long done.
Despite the extensive research conducted by Noble Prize winners Daniel Kahneman and Amos Tversky (psychologists who established a cognitive basis for human errors that are the result of biases) and others, risk managers continue to use expert judgment, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (to put it mildly). They never have, and they never will. Just stop using them. There are better tools for integrating risk analysis into decision making.
Building a culture of risk awareness is critical to any organization’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into day-to-day activities and decision making.
Instead of sticking to the basics and getting them to work, many are busy chasing the latest buzzwords and innovations. Remember how “resilience” was a big thing a few years ago? Before that, there was “emerging risks,” “risk intelligence,” “agility,” “cyber risk” — the list goes on and on. It seems we are so busy finding a new enemy every year that we forget to get the basics right.
See also: Key Misunderstanding on Risk Management
Lately , consultants seem to have too much say in how modern risk management evolves. The latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June. The authors sure did “innovate” — among other “useful ideas,” they came up with a new way to capture risk profiles. That is nice, if risk profiling was the objective of risk management. Sadly, it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day. For more feedback on COSO:ERM, click here.
To be completely fair, the global team currently working on the update for the ISO31000:2009 also has a few consultants who have a very limited understanding about risk management application in day-to-day decisions and in helping organizations make money.
I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money.
I am interested to hear your thoughts. Please share and like the article and comment below.