Tag Archives: strategic risk management

4 Steps to Integrate Risk Management

Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more.

Kevin W. Knight, during his first visit to Russia a few years ago, said, “Risk management is a journey… not a destination.” Risk practitioners are free to start their integration journey at any process or point in time, but I believe that evaluating strategic objectives at risk can be a good starting point. The evaluation is relatively simple to implement yet has an immediate, significant impact on senior management decision making.

Step 1 – Strategic Objectives Decomposition

Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives, it is important to follow the McKinsey MECE principle (ME – mutually exclusive, CE – collectively exhaustive) to avoid unnecessary duplication and overlapping. Most of the time, strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, saving the risk manager a lot of time.

This breakdown is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.

Important note: While it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead. 

Example: Risk Management Implementation

VMZ is an airline engine manufacturing business in Russia. The product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012, a controlling stake (75%) was bought by an investment company, Aviarus.

During the last strategic board meeting, Aviarus decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales, and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.

The board signed off on a strategic objective to reach an EBT (earnings before tax) of 3,000 million rubles by 2018.

Step 2 – Identifying Factors Associated With Uncertainty

Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by management.

Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:

  • Whether the assumption is associated with high uncertainty.
  • Whether the assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
  • Whether the organization has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
  • Whether there are reliable external sources of information to determine the possible range of values and the possible distribution of values.

For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.

Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections and interviews with key employees.

By the end of this step, risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners and internal auditors and use internal and external information sources to determine the ranges of possible values and their likely distribution shape.

Example: Risk Management Implementation (Continued)

The assessment would look into:

Macroeconomic assumptions

  • Foreign exchange
  • Inflation
  • Interest rates (rubles)
  • Interest rates (USD)

Materials

  • DV30 materials
  • DV40 materials

Debt

  • Current debt
  • New debt

Engine sales

  • New DV30 sales volume
  • New DV40 sales volume
  • DV30 repairs volume
  • DV40 repairs volume
  • DV30 price
  • DV40 price

Other expenses

  • Current equipment and investments in new
  • Operating personnel
  • General and administrative costs

Based on the management assumptions, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3,013 million rubles, which means the strategic objective will be achieved.

We will review what will happen to management projections after the risk analysis is performed in the next section.

Step 3 – Performing Risk Analysis

The next step includes performing a scenario analysis or Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.

When modeling risks, it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk and improves the modeling of them as well as identifying the correlations between different management assumptions and events.

The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.

Example: Risk Management Implementation (Continued)

The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3,000 million rubles is 4.6%. This analysis means:

  • The risks to achieving the strategy are significant and need to be managed
  • Strategic objectives may need to change unless most significant risks can be managed effectively

Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.

Management should focus on mitigating these and other risks to improve the likelihood of achieving the strategic objective.

Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact that risks have on objectives.

This simple example shows how management’s decision making process will change with the introduction of basic risk modelling.
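
The assumption ranges, the correlation between assumptions and the Monte Carlo run described in Steps 2 and 3 can be sketched in Python as follows. This is an added example, not the article's @Risk model: every distribution, the fixed-cost figure, the import share and the FX/materials correlation are constructed assumptions, tuned only so that the base case equals the 3,013 million ruble management projection, so the resulting probability will not match the 4.6% quoted above.

```python
import math
import random
import statistics

# All figures are constructed for illustration (million rubles, engines, months);
# only the 3,000 target and the 3,013 management case come from the article.
TARGET_EBT = 3000.0
FIXED_COSTS = 1987.0      # chosen so the base case reproduces 3,013
IMPORT_SHARE = 0.3        # assumed share of materials priced in foreign currency
RHO_FX_MATERIALS = 0.6    # assumed correlation between FX and materials shocks
BASE = {"volume": 100.0, "price": 90.0, "materials": 40.0, "fx": 1.0, "delay": 0.0}


def ebt(volume, price, materials, fx, delay):
    """Toy earnings model: one product; each month of delay cuts the year's sales."""
    unit_cost = materials * (1 + IMPORT_SHARE * (fx - 1))
    sold = volume * (1 - delay / 12)
    return sold * (price - unit_cost) - FIXED_COSTS


def draw(rng):
    """Sample one scenario from the assumed ranges and distribution shapes."""
    z_fx = rng.gauss(0, 1)
    # Correlate the materials shock with the FX shock (two-variable Gaussian copula).
    z_mat = (RHO_FX_MATERIALS * z_fx
             + math.sqrt(1 - RHO_FX_MATERIALS ** 2) * rng.gauss(0, 1))
    return {
        "volume": rng.triangular(60, 110, 100),      # arguments: low, high, mode
        "price": rng.gauss(90, 3),
        "materials": 40 * math.exp(0.15 * z_mat),    # right-skewed materials price
        "fx": 1 + 0.10 * z_fx,                       # FX index relative to plan
        "delay": rng.triangular(0, 9, 0) if rng.random() < 0.5 else 0.0,
    }


def pearson(xs, ys):
    """Plain Pearson correlation, used here to rank inputs by influence on EBT."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def simulate(trials=20000, seed=1):
    """Run the simulation and return the risk-adjusted view of the objective."""
    rng = random.Random(seed)
    scenarios = [draw(rng) for _ in range(trials)]
    results = [ebt(**s) for s in scenarios]
    ordered = sorted(results)
    # Tornado-style ranking: inputs ordered by strength of correlation with EBT.
    drivers = sorted(
        ((name, pearson([s[name] for s in scenarios], results)) for name in BASE),
        key=lambda item: abs(item[1]), reverse=True,
    )
    return {
        "base_case": ebt(**BASE),
        "p_target": sum(r >= TARGET_EBT for r in results) / trials,
        "mean": statistics.fmean(results),
        "p5": ordered[int(0.05 * trials)],
        "p95": ordered[int(0.95 * trials)],
        "drivers": drivers,
    }


if __name__ == "__main__":
    out = simulate()
    print(f"Management case EBT: {out['base_case']:.0f}")
    print(f"P(EBT >= {TARGET_EBT:.0f}): {out['p_target']:.1%}  mean: {out['mean']:.0f}")
    for name, corr in out["drivers"]:
        print(f"  {name:<10} {corr:+.2f}")
```

The gap between the single-point management case and the simulated probability is the output the article calls strategy@risk; the ranked `drivers` list plays the role of the tornado diagram.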

Step 4 – Turning Risk Analysis Into Actions 

Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then management, with help from the risk manager, may need to:

  • Revise the assumptions used in the strategy.
  • Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
  • Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
  • Accept risk and develop a business continuity/disaster recovery plan to minimize the impact of risks should they eventuate.
  • Change the strategy altogether (the most likely option in our case)

Based on the risk analysis outcomes, it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalized.

At a later stage, the risk manager should work with the internal auditor to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.

Read the full book from which this is adapted.

The Right Way to Enumerate Risks

In my experience, there are a number of traps that organizations fall into when they are identifying the risks they face. The traps make it very difficult to manage the risks.

#1 – The Broad Statement

Some organizations fall into the trap of capturing “risks” that are broad statements as opposed to events or incidents. Examples include:

• Reputation damage
• Compliance failure
• Fraud
• Environment damage

These terms tell us nothing and cannot be managed – even at a strategic level. Knowing that you might face, say, reputation damage doesn’t help you understand what might hurt your reputation or how you prevent those incidents from happening.

#2 – Causes as Risk

The most common issue I see with risk registers is that many organizations fall into the trap of capturing “risks” that are actually causes as opposed to events/incidents.

The wording that indicates a cause as opposed to a risk includes:

• Lack of … (trained staff; funding; policy direction; maintenance; planning; communication).
• Ineffective … (staff training; internal audit; policy implementation; contract management; communication).
• Insufficient … (time allocated for planning; resources applied).
• Inefficient … (use of resources; procedures).
• Inadequate … (training; procedures).
• Failure to … (disclose conflicts; follow procedures; understand requirements).
• Poor … (project management; inventory management; procurement practices).
• Excessive … (reporting requirements; administration; oversight).
• Inaccurate … (records; recording of outcomes).

These “risks” also tell us very little and, once again, cannot be managed. Knowing that you might face a lack of training, for instance, doesn’t tell you what incidents might occur as a result or help you prevent them.

#3 – Consequences as Risk

Another trap that organizations fall into when identifying risk is capturing “risks” that are actually consequences as opposed to events or incidents. Examples include:

• Project does not meet schedule
• Department does not meet its stated objectives
• Overspending

Once again – these are not able to be managed. Having a project not meet schedule is the result of a series of problems, but understanding the potential result doesn’t help you prevent it.

So, if these are the traps that organizations fall into, then what should our list of risks look like? The answer is simple – they need to be events.

I look at it this way – when something goes wrong, like a plane crash, a train derailment, a food poisoning outbreak, major fraud, etc., it is always an event. After the event, there is analysis to determine what happened, why it happened, what could have stopped it from happening and what can be done to try to keep it from happening in the future. Risk management is no different – we are just trying to anticipate and stop the incident before it happens.

The table below shows the similarities between risk management and post-event analysis:

[Table: similarities between risk management and post-event analysis (image not reproduced)]

To that end, risk analysis can be viewed as post-event analysis before the event occurs.

The rule of thumb I use is that if the risk in your register could not have a post-event analysis conducted on it if it happened – then it is not a risk!

If you apply this approach to your list of risk events, you will:

• Reduce the number of risks in your risk register considerably; and (more importantly)

• Make it a lot easier to manage those risks.

Try it with your risk register and see what results you get.

A Risk Is a Risk

Commonly, people talk of different types of risk: strategic risk, operational risk, security risk, safety risk, project risk, etc.  Segregating these risks and managing them separately can actually diminish your risk-management efforts.

What you need to understand about risk and risk management is that a risk is a risk is a risk — the only thing that differs is the context within which you manage that risk.

All risks are events, and each has a range of consequences that need to be identified and analyzed to gain a full understanding. For example:

You have a group identifying hazard risks, isolated from the risk-management team (a common occurrence), and they tend to look at possible consequences in one dimension only – the harm that may be caused. Decisions on how to handle the risk will be made based on this assessment. What hasn’t been done, however, is to assess the consequence against all of the organizational impact areas that you find in your consequence matrix.  As a result, the assessment of that risk may not be correct; for instance, there may be significant consequences in terms of compliance that don’t show up as an issue in terms of safety.

If you only look at risk in one dimension, you may make a decision that creates a downstream risk that is worse than the event you’re trying to prevent. For instance, you may mitigate a safety-related risk but create an even greater security risk.

The moral of the story: Managing risk in silos will diminish risk management within your organization.

In about 80% of cases, you can’t do anything about the consequences of the event; what you are trying to do is stop the event from happening in the first place.

Risk and Strategy: How to Find the Links

This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF).

Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

Paper 1: Introduction

Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk.

Some observations:

1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework.

2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing.

3. “Strategic risks” are those that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” is “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires the time and attention of executive management and the board of directors.” [1]

RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned.

4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:

  • Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
  • Establishing an effective risk appetite framework,
  • Understanding, and improving, the organizational level of risk maturity,
  • Building organizational resilience,
  • Proofing and testing management’s ability to offer credible solutions when both exploiting and defending operations, the business model and reputation.

5. The risk appetite framework (RAF) [2] is to the board what risk management [3] is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework [4]. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:

  • Direct CEO oversight of an integrated risk and strategy capability,
  • Board risk subcommittee oversight of:
    • The risk appetite framework,
    • Advancing and maintaining risk maturity, which can deliver value through:
      • Access to capital at lower cost than that achieved by less mature competitors,
      • More favorable credit ratings than those achieved by less mature competitors,
      • Optimization of risk transfer through both traditional and modern self-insurance methods.
  • Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
  • Perpetual proofing and testing of management’s readiness to offer credible solutions when both opportunity strikes and abnormal and adverse events occur.

We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.”

References

[1] Source: Harvard Law School Forum on Corporate Governance and Financial Regulation, “Strategic Risk Management: A Primer for Directors,” Aug 2012.

[2] The RAF is the “overall approach including the policies, controls and systems, through which risk appetite is established, communicated and monitored.”

[3] Risk management: coordinated activities to direct and control an organization with regard to risk. (Source: ISO Guide 73 Risk Management – Vocabulary)

[4] Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

    • NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
    • NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
    • NOTE 3 The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.

(Source: ISO Guide 73 risk management vocabulary)

Construction Risk Management in the Rollercoaster Recovery

Although the long-term forecast for the construction industry is robust, it is experiencing malaise as it recovers from the recession. Week after week, positive reports from the government are offset by negative industry news reports, only to be followed by yet another optimistic outlook. So goes the rollercoaster recovery.

The continuing uncertainty of the economic recovery makes strategic risk management more important than ever for contractors. Insurance and risk management — which are major expenses — can be a source of competitive advantage or disadvantage for construction firms.

Insurance is an important product, and its purchase should never be considered as a commodity. The value of having the right insurance coverage (by means of policy, endorsement or extension) and limits cannot be overstated. There are direct, indirect and opportunity costs, all of which can affect your bottom line. The intelligent buyer knows there is a difference between price and value.

Insurance is also an important service. The existing trends and emerging opportunities in the construction industry are driving specialized and customized insurance, surety and risk management solutions. The discipline of strategic risk management is one such development. It is recommended that your company partner with your insurance adviser to conduct a strategic risk analysis and to evaluate your company’s resilience and risk accountability culture.

It is important to embed a risk management mindset into strategic business planning processes. As a strategic discipline, risk management serves several important purposes, including decision making, risk and cost allocation and business-process improvement.

Contractors need to be mindful of two important concurrent developments:

1. Pressures in the construction insurance market
2. Changing nature, scope and complexity of risk in the construction industry

Pressures in the construction insurance market

The construction insurance market is experiencing pressure from various disruptive forces. Some of these occurred independent of the recession while others were made worse by the recession. In either case, these trends will continue to be disruptive:

• Growing severity of workers' compensation losses
• Escalating alternatives to traditional insurance including captives, owner- or contractor-controlled insurance programs (OCIPs/CCIPs) and subcontractor default insurance
• Increasing number of owner insolvencies and subcontractor defaults
• Increasing challenges on property and builders risk placements with coastal wind and other catastrophic loss exposures
• Rising threat of increasing general liability premiums
• Growing pressure on professional liability because of increasing frequency and severity of large design-related liability losses
• Increasing regulatory and administrative requirements for employee health benefits under the Affordable Care Act

Expanding risks in the construction industry

To further complicate matters, the level of risk in the construction industry continues to expand. A number of industry developments are continuing to change the risk profile at the individual company level and for the industry as a whole. The following representative eight industry trends illustrate the growing nature, scope and complexity of risk to be managed by contractors:

1. Expanding use of alternative construction delivery methods, including design/build and integrated project delivery
2. Growing number of accelerated fast-track projects
3. Changing project finance methods, including public/private partnerships
4. Expanding number of joint ventures to meet project capitalization and surety obligations
5. Reemerging skilled workforce shortage
6. Growing reliance on technology, and vulnerability to disruptions of business systems and networks
7. Expanding use of building information modeling (BIM) and online collaboration on construction design
8. Continuing migration of construction defect claims and litigation from residential to commercial construction

A word of caution: This list of risk trends and developments is not exhaustive. Other risk exposures and issues may be important for your company depending on your scope of work, industry sector and geographic region.

Conclusion

Risk is inherent to the construction industry. Risk management is the bedrock of the construction industry. There is opportunity in risk. Strategic risk management is not about saying no to opportunity. Rather, strategic risk management is focused on protecting your business from being blindsided by hidden risks and cascading costs.

Strategic risk management will help you remain calm and composed during the rollercoaster economic recovery. More importantly, strategic risk management helps contractors identify factors and make decisions that improve their competitiveness, growth, profitability and reputation.