The typical risk process has too much "risk talk" and not enough focus on action and decision making. Let us demonstrate how to implement advice from Elvis.
The risk process: a little less conversation, a little more action
In a splendid article Dave Ingram suggests that, in some firms, the risk management comes close to being a gigantic risk management entertainment system. An entertainment system simply provides a way to enjoy non-productive time. That is what it is designed for. Or you could have a risk process like this:
What's wrong with this risk process? Quite a bit!
It's certainly a "pretty" diagram. And it comes from a risk management standard. It must surely be trustworthy – perhaps it's even "best practice"? Look again.
All entertainment, no action
Try to spot any action in the diagram. Action in the sense that it will create value, or engage with or even affect the organisation's core business or reason for being.
Look harder. It's just not there is it? There is little possibility that all this "risk talk" will change any decision to be made: how could it? Why should anyone care?
I tried, I really did. I spotted that the central region – including risk identification, risk analysis and risk evaluation – had an overall "risk assessment" heading. So perhaps the "risk assessment" in the dark blue box should be "risk treatment"?
Inserting risk treatment would at least show a little (downside-focused) action. But no, the overall result is a "documented risk assessment". And it's unlikely to be a typo – the diagram is from the Australian risk management standard!
Others improve on this, but the decision making is limited to "risk treatment".
- Make the ultimate focus – the light blue box at the bottom – decision making.
- Cut the excessive "risk talk" – start with the organisation and its objectives.
- Ask whether 10 arrows for communication supports the right focus.
- Consider the feedback loops carefully: some decisions need this, some don't.
It's really not that difficult. Elvis was right.
Improving the risk process: a simple approach
How do we go beyond the words above? Is there a helpful replacement diagram? Here's one possibility (the top left piece should be "tweaked" for your company):
- Emphasises uncertainty around core opportunities
- Action and decision making is the ultimate target
- "Real life" issues, not just credit risk, market risk etc
- A clear path through, with fewer arrows
- Appropriate communication, in the right place
- Feedback loop for when business goes "on the books"
There is a role for "context", both external (e.g. economy) and internal (e.g. attitude to risk, other uncertainties, balance sheet). We can wrap these around the diagram.
There's really no need to make risk management harder or more complex than it needs to be.
Application: balance sheets, profits and decisions
Reinforcing the lack of action focus, it's not obvious where to apply the first risk process diagram. It's too generic and needs adaptation to be useful. Should it be applied to an individual "risk" (the office burning down), a "risk type" (e.g. credit risk), a specific project subject to a range of uncertainties, a corporate business plan, a business unit etc? Perhaps the answer is "all of the above", but we'll have to decide that for ourselves.
In contrast the second diagram is much more helpful: it is clear from the top left "opportunity selection: up front" that this process includes decisions and profitability. Having applied the "risk process" in this way it seems clear that it can also be applied to consider and manage uncertainty within other processes and decisions – projects and business plans included. One application would be management of the uncertain causal links postulated in the Balanced Scorecard tool.
But it's not all about up front decisions and profitability. I have a friend who is very focused on applying risk management to decisions. He detests, for example, risk registers that only manage uncertainty after the "real decisions" have been taken. In this context the feedback loop provides balance:
- For all companies the "existing processes" can be important.
- For banks and insurers the "existing business" and balance sheet need careful management; some have suggested that the financial crisis was made worse by financial institutions' difficulty in moving from "risk on" to "capital preservation" mode.
A balanced view acknowledges that there are a range of risk management techniques that (e.g.) insurers can, should and do use to manage their balance sheet and solvency position. These include reinsurance (for mortality, longevity and health risks) and derivatives for market risks, including interest rate risks.
It's not all about downside; these balance sheet management techniques can have a positive value effect.
It is all too easy for risk managers to retreat into their own specialist areas. Ironically the introduction of more "enterprise" risk management, with its consistent administration and measurement of the various "risk types" driven by a central department, may have exacerbated this. In seeking to get rid of some silos we may have introduced others. The gap between a central risk function and other business functions can increase complexity and weaken links with the core purpose.
We have seen this play out in a diagram. But we can fix it, making it simultaneously simpler and more effective.