Tag Archives: strategic risk

The Right Way to Enumerate Risks

In my experience, there are a number of traps that organizations fall into when they are identifying the risks they face. The traps make it very difficult to manage the risks.

#1 – The Broad Statement

Some organizations fall into the trap of capturing “risks” that are broad statements as opposed to events or incidents. Examples include:

• Reputation damage;
• Compliance failure;
• Fraud
• Environment damage

These terms tell us nothing and cannot be managed – even at a strategic level. Knowing that you might face, say, reputation damage doesn’t help you understand what might hurt your reputation or how you prevent those incidents from happening.

#2 – Causes as Risk

The most common issue I see with risk registers is that many organizations fall into the trap of capturing “risks” that are actually causes as opposed to events/incidents.

The wording that indicates a cause as opposed to a risk include:

• Lack of …. (trained staff; funding; policy direction; maintenance; planning; communication).

• Ineffective …. (staff training; internal audit; policy implementation; contract management; communication).

• Insufficient …. (time allocated for planning; resources applied).

• Inefficient …. (use of resources; procedures).

• Inadequate …. (training; procedures).

• Failure to…. (disclose conflicts; follow procedures; understand requirements).

• Poor….. (project management; inventory management; procurement practices).

• Excessive …. (reporting requirements; administration; oversight).

• Inaccurate…. (records; recording of outcomes).

These “risks” also tell us very little and, once again, cannot be managed. Knowing that you might face a lack of training, for instance, doesn’t tell you what incidents might occur as a result or help you prevent them.

#3 – Consequences as Risk

Another trap that organizations fall into when identifying risk is capturing “risks” that are actually consequences as opposed to events or incidents. Examples include:

• Project does not meet schedule;

• Department does not meet its stated objectives

• Overspending

Once again – these are not able to be managed. Having a project not meet schedule is the result of a series of problems, but understanding the potential result doesn’t help you prevent it.

So, if these are the traps that organizations fall into, then what should our list of risks look like? The answer is simple – they need to be events.

I look at it this way – when something goes wrong like a plane crash, a train derailment, a food poisoning outbreak, major fraud .etc. it is always an event. After the event, there is analysis to determine what happened, why it happened, what could have stopped it from happening and what can be done to try to keep it from happening in the future. Risk management is no different – we are just trying to anticipate and stop the incident before it happens.

The table below shows the similarities between risk management and post-event analysis:

farrar-table

To that end, risk analysis can be viewed as post-event analysis before the event’s occurring.

The rule of thumb I use is that if the risk in your register could not have a post-event analysis conducted on it if it happened – then it is not a risk!

If you apply this approach to your list of risks events, you will:

• Reduce the number of risks in your risk register considerably; and (more importantly)

• Make it a lot easier to manage those risks.

Try it with your risk register and see what results you get.

A Risk Is a Risk

Commonly, people talk of different types of risk: strategic risk, operational risk, security risk, safety risk, project risk, etc.  Segregating these risks and managing them separately can actually diminish your risk-management efforts.

What you need to understand about risk and risk management is that a risk is a risk is a risk — the only thing that differs is the context within which you manage that risk.

All risks are events, and each has a range of consequences that need to be identified and analyzed to gain a full understanding. For example;

You have a group identifying hazard risks, isolated from the risk-management team (a common occurrence), and they tend to look at possible consequences in one dimension only – the harm that may be caused. Decisions on how to handle the risk will be made based on this assessment. What hasn’t been done, however, is to assess the consequence against all of the organizational impact areas that you find in your consequence matrix.  As a result, the assessment of that risk may not be correct; for instance, there may be significant consequences in terms of compliance that don’t show up as an issue in terms of safety.

If you only look at risk in one dimension, you may make a decision that creates a downstream risk that is worse than the event you’re trying to prevent. For instance, you may mitigate a safety-related risk but create an even greater security risk.

The moral of the story: Managing risk in silos will diminish risk management within your organization.

In about 80% of cases, you can’t do anything about the consequences of the event; what you are trying to do is stop the event from happening in the first place.

Risk and Strategy: How to Find the Links

This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF).

Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

Paper 1: Introduction

Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk.

Some observations:

1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework.

2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing.

3. “Strategic risks” are those that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” is “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires  the time and attention of executive management and the board of directors’’1

RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned.

4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:

  • Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
  • Establishing an effective risk appetite framework,
  • Understanding, and improving, the organizational level of risk maturity,
  • Building organizational resilience,
  • Proofing and testing management’s ability to offer credible solutions when both exploiting and defending operations, the business model and reputation.

5. The risk appetite framework (RAF)2 is to the board what risk management3 is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework4. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:

  • Direct CEO oversight of an integrated risk and strategy capability,
  • Board risk subcommittee oversight of:
    • The risk appetite framework,
    • Advancing and maintaining risk maturity, which can deliver value through:
      • Access to capital at lower cost than that achieved by less mature competitors,
      • More favorable credit ratings than those achieved by less mature competitors,
      • Optimization of risk transfer through both traditional and modern self-insurance methods.
  • Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
  • Perpetual proofing and testing of management’s readiness to offer credible solutions when both opportunity strikes and abnormal and adverse events occur.

We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.”

References

1Source: Harvard Law School Forum on Corporate Governance and Financial Regulation: Strategic Risk Management: A Primer for Directors Aug 2012

2The RAF is the ‘’overall approach including the policies, controls and systems, through which risk appetite is established, communicated and monitored.’’

3Risk management: coordinated activities to direct and control an organization with regard to risk Source: ISO Guide 73 Risk Management – Vocabulary

4Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout  the organization

    • NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
    • NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and  activities.
    • NOTE 3 The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.

(Source: ISO Guide 73 risk management vocabulary)