Tag Archives: lego

Key Misunderstanding on Risk Management

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now senior fellow and Marvin Bower professor of leadership development, emeritus at the Harvard Business School. (I have never had the privilege of meeting him.)

His colleague, Anette Mikes, was with him at Harvard, and she is now professor of accounting and control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes her. (I have heard her speak but have never met her one-on-one.) She has made important contributions to the academic study of risk management that includes a case study of John Fraser’s Hydro One and a similar case study on Lego.

I have shared my thoughts with her on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School working paper, “Risk Management – the Revealing Hand.”

While there is some value in the paper — such as its insistence that risk management must be continuous as well as its discussion of overreliance on models — it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organizations to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in its 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believe risk management supports their ability to develop and execute on business strategy very well.

See also: How to Remove Fear in Risk Management

How can risk management practitioners demonstrate value and significantly contribute to the success of an organization when they:

  • Focus on a list of potential harms;
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics; and
  • Talk in technobabble instead of the language of the business?

I see risk management as about the following:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization toward its objectives.
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives and what (if anything) we need to do about it.
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo.
  • Knowing how to evaluate the potential for any event or situation to have good, bad or a combination of good and bad effects — and providing a structured process for making decisions about the path forward.
  • Promoting intelligent and effective management that enables the organization to succeed.

Kaplan and Mikes say there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note: EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)

Is the conclusion by Kaplan and MIkes because they don’t understand what risk management should be, that it is not about managing a list of potential harms (what Jim DeLoach calls “enterprise list management”)? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out, or, would you dismiss the pessimist with disdain?

Here are just a few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go.” – COSO (the acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which published “Internal Control—Integrated Framework” in 1992).
  • “[Risk management enables] a greater likelihood of achieving business objectives [and] more informed risk-taking and decision-making.” – COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in [and affects] everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
  • “You need [risk management] to become part of the rhythm of the business — meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
  • “The job of risk (management) is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved.” – Deloitte

I can tell you that the risk management programs at Hydro One and Lego do not limit their work to potential harms. They consider the potential for reward as well as harm and work to help management succeed.

See also: Moving to Real-Time Risk Management

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it is because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks (enterprise list management).

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the chief risk officer (CRO) gives him is a list of what could go wrong? The CEO needs help to see what might happen, both good and bad, and what to do about it. In other words, the CEO needs to see risk management as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we convince both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.

This article was originally posted here.

'Lego Blocks' for Setting Strategy and Planning Projects

Business frameworks have become a best practice to model processes, technology and organization. Frameworks help visualize the landscape of the current and future states of organizations. Whether they are called capability maps or business architecture frameworks, they are industry reference models that can be used to plan, analyze, develop, manage and maintain.

With everything that is happening in the insurance industry and with the never-ending announcements of new technologies and competitors, companies need to define their business directions and how they can differentiate themselves. This is where business frameworks become an asset.

What is an enterprise business architecture framework? It is a representation of an organization’s business composition. It describes the functions at various levels of details, including information structures and the natural dependencies found between functions. Frameworks are used as a map to describe various aspects of organizations. They are the Lego blocks of an industry.

Those Lego blocks can then be enhanced and layered with what is specific to each organization. For example, companies may add some of the following perspectives to industry business frameworks to better describe themselves:

  • Enterprise ecosystems
  • Organizational structures
  • Roles and accountabilities
  • Processes and procedures
  • Geographical map
  • Risk assessment heat map

Whether to use an existing business framework or create one is an important question to answer. There are only a handful of comprehensive business frameworks available on the market for the insurance industry. The most known ones are ACORD and Panorama 360. Yet, available industry business frameworks can serve as accelerators for organizations. For management consulting organizations or technology vendors, an existing framework can provide credibility and structure to their offerings.

The true benefits from using industry business frameworks are speed, quality and cost reduction. This is true for defining strategies, planning projects or investments, analyzing situations, developing processes, defining technology requirements and managing organizations. Frameworks can be used for situations such as:

  • Enterprise or business architecture
  • BPM or process improvement
  • Business requirements definition
  • Software evaluation
  • Application architecture
  • Data warehouse architecture
  • System integration
  • Application portfolio management
  • Operational risk management
  • Mergers and acquisitions
  • Data security management
  • Knowledge management
  • New employee training

Business frameworks can significantly leverage single projects or organizations. They provide a return on investment in the short and in the long term. They become an asset base for knowledge.