Better ERM: de-risking risk management

Risk management can be as susceptible as other areas (I.T. anyone?) to approaches and organisations that over-promise and under-deliver.

Delivering Enterprise Risk Management (ERM) is one example. Fittingly, risk management itself can be de-risked, using two approaches:

  1. Cheap / free resources and thinking: Insights 1-5 are thought experiments, planning and "what ifs" rather than big uncertain investments.
  2. Smaller actions rather than big projects: Insights 6-10 are a step-by-step action plan; the agile development of risk management.

Insight 1: Start being honest about risk management

The point

Often risk management seems to have little to do with the core business. This leaves risk managers isolated, business managers unsure of how risk management fits and, especially, how it might create value. Risk management gets done because someone says you have to do it.

In September 2014 the Financial Reporting Council updated its guidance on risk management and internal control, stating that "risk management ... should be incorporated within the company's normal management and governance processes, not treated as a separate compliance exercise". The reality is that, even if we don't believe that risk management is central to our organisation, we will increasingly have to be seen to behave as though it is; for UK FTSE 350 companies that is already the case.

The practice

  • Let's be honest: Risk management is only the third most important thing for an organisation but it can be an extra (and unseen) competitive weapon.
  • That weapon deals with the fact that almost every material aspect of your organisation's role and objectives has corresponding uncertainty.
  • Link the uncertainty to what you do – see the 6Ps of risk management for a heads up on the various areas.
  • Uncertainty is broader than you think – not just "bad things that might happen". Recognising this will lead to risk management breakthroughs.

Further related reading

  1. Risk management honesty : the most basic thing of all.
  2. 4As of risk management : setting the initial objectives for risk management.
  3. 6Ps of risk management : integrating risk management in an organisation from day-1.
  4. Believe that risk is more than bad things that might happen : a hack later in this document.

Insight 2: Take advantage of plentiful cheap / free resources

The point

Sometimes things are too good to be true. But today so much material is available very cheaply or only for the cost of our time. It's almost like "free money". Capturing the key insights can be the equivalent of the investment "ten-bagger": low price, big return. There are two potential downsides: the time investment and the chance of going wrong by powering ahead with a substandard approach. That's where your intelligence comes in. Perhaps humility is the real constraint.

The practice

  • Keep a list of useful resources; good material is often a function of the author, so discover the reliable ones.
  • Drag "favourites" to Windows folders. This makes your content syncable and searchable, and avoids it being scattered across multiple browsers and devices (thanks Tom).
  • Look to improve your early assessments. Score yourself on how useful the material really is: early judgement versus eventual judgement.

Further related reading: books

Enterprise risk management: from incentives to controls is more expensive, but comprehensive, engaging and very readable. By the world's first "official" CRO.

Further related reading: historic texts

Further related reading: risk gurus

Insight 3: Believe that risk is more than "bad things that might happen"

The point

Different types of risk need different types of management. That's the main reason for classifying types of risk (defining risk itself is more ambitious).

To demonstrate this, consider the following "risks":

  1. An earthquake destroying your head office
  2. A new competitor entering the market
  3. The breakdown of a certain machine
  4. The uncertainty surrounding a life insurer's claim rate
  5. Interest rates not being what you expected

The risks are fundamentally different in their nature; 1-3 are things which may or may not happen. They can be associated with some (unknown) probability. In contrast, for 4 and 5 the only certainty is that reality will be different to our expectation. 4 and 5 are not naturally "event-like".

For 4 and 5 we can define a narrower event. For 4 the event might be that the actual claim rate is more than 120% of that expected. Whether this is helpful will depend on the context, but the narrower event should not point away from better ways to manage the underlying uncertainty – that would be unhelpful.

One of the most fundamental risk management errors you can make is to believe that risk is simply bad things that might happen, especially suddenly and as a result of factors outside your organisation. All too often this is an excuse for avoidable management failure. Stakeholders should be doubly concerned where management claims credit for upside (even short term factors) while steadfastly contending that failures had little to do with them and couldn't be predicted.

Insight: risk is more than the bad things that might happen as a result of future, uncertain, sudden and external events. You can be exceptionally good at managing these while still missing out on much of the value of risk management. Instead solve problems with multiple perspectives on risk.

The practice

Better risk classification proposes a risk classification to replace the tired type-probability-impact paradigm:

  Item         Traditional   Proposed        Comment
  Knowledge    -             Yes             Far from unknown in e.g. decision analysis. Ranges from certainty through risk, uncertainty, ambiguity and chaos.
  Type         Yes           Use with care   Credit risk, operational risk etc.
  Probability  Yes           -               Replaced by source
  Impact       Yes           -               Replaced by source
  Source       -             Yes             Internal versus external: a more helpful replacement for probability and impact
  Velocity     -             Yes             The speed at which risk crystallises or uncertainty emerges.

How does that help? The probability-impact classification all too often leads to thinking of risk mainly in terms of "operational events" and fails to acknowledge multiple potential impacts. Instead the proposed classification uses:

  • Knowledge to show that risk is about our lack of certainty over e.g. the future course of interest rates, not just sudden events.
  • Velocity to show that many things emerge slowly over time, rather than suddenly – and those things can be particularly important, if rarely urgent.

Further related reading: articles

  1. Better risk classification
  2. Risk management honesty
  3. Defining risk and the helpfulness principle
  4. Risk is more than future uncertain events

Further related reading: books on estimation and decision making

  1. Estimating Risk: A Management Approach by Andy Garlick
  2. How to Measure Anything by Douglas Hubbard
  3. Risk Savvy: How to Make Good Decisions by Gerd Gigerenzer

Insight 4: Actively seek value from risk management

The point

If you can't see the value of risk management almost any effort will seem like a distraction and "hard slog". But seeing and getting value from risk management can be difficult; how do you quantify the value of something, whose purpose is to ensure bad things don't happen? Here are some ways forward.

The practice

  1. Link to objectives and core purposes and processes of your organisation. Bringing risk thinking to core business areas is the easy way to make the "soft value" of risk management evident. Its influence is felt on the organisation's main activities, rather than being perceived as esoteric. Cf. "hard value" below.
  2. Don't be obsessive about capital. One for financial services companies. With a focus on solvency, capital-centric approaches are blind to off balance sheet risks such as strategic risk and (some) operational risks. While understandable from a regulatory perspective, survival is just one aspect of risk management.
  3. Emphasize decisions. Risk management is all-too-easily seen as a back office activity. In fact the biggest decisions often come with the most uncertainty. Good risk management is one of the best commercial levers available; its lack of external visibility makes it a less easily replicable competitive advantage.
  4. Focus on a value metric. An ambitious organisation (and risk manager) should seek to place a measurable value on risk management. The most obvious way of doing this is to seek a risk-adjusted version of the company's preferred value metrics. Or project long term results with and without risk management.

Taking (4) further, a value-based approach can cover all risks and risk types and will make significant use of models. These could be company value models (e.g. projection and discounted cash flow models), models of one particular area of uncertainty or models of operational processes.

The purpose of risk management becomes contributing to the maximisation of risk-adjusted value, possibly subject to some additional constraints.

Further related reading

  1. The two key areas of value
  2. Value from opportunity selection
  3. Value from risk modification

Insight 5: Recognise that risk management "standards" are not always your friends

The point

It seems sensible to incorporate so-called risk management standards into our risk management work. Documents such as the COSO guidance on internal control offer the "benefit" of having originally been written by the big consulting firms. Those firms are, of course, on hand to guide you through their implementation. But the benefits of such standards are far from clear in the minds of some risk experts.

Despite claims for the strategic importance of COSO documents, use in practice seems to have a heavy financial focus. Documents are written with highly generic wording, so that (e.g.) items which should lead to action – such as the risk process diagram – lack "edge". This leads to difficulty in interpretation and application.

The practice

Simply obtain and read the British risk management guidance BS 31100. Unlike ISO 31000 (and its identical UK adoption, BS ISO 31000), BS 31100 gives practical guidance on how to do risk management. Read this and, among other things, any confusion over the risk management process will disappear.

Implement your own, simplified, risk management process. Fewer arrows and a real connection to your business. Hopefully "Design a common sense risk process" below has just enough edge to be useful for you.

Further related reading

  1. A better risk process – as described by Elvis
  2. British Standard 31100
  3. ISO 31000: Dr Rorschach meets Humpty Dumpty, Professor John Adams (Feb 2012)
  4. ISO 31000: the debate warms up, Professor John Adams (May 2012)
  5. ISO 31000: an update, Professor John Adams (Feb 2012)
  6. Conflicting views: Adams and Purdy
  7. An Open Letter to COSO about Enterprise Risk Management by Norman Marks

Insight 6: Design a common sense risk process

The point

The core risk management process, as set out in the diagrams associated with most risk management standards, is at best confusing and potentially misleading. You're more likely to go round in circles than make progress and genuinely manage risk. The "control cycle"-like diagram also reinforces the ideas that:

  • our main focus should be balance sheet uncertainties
  • ongoing monitoring is the most important aspect of risk management

This in turn leads to a focus on monitoring and reporting rather than on decision making, and looking backwards to risk already taken on.

The practice

  • Rationalise your risk management process, for example by adopting one of the diagrams in the references rather than copying and pasting generic material.
  • Recognise that the key feature is the action to which the process leads. These could be:
    1. A "business decision": e.g. to write some business, close a business unit etc.
    2. A "risk decision": e.g. to introduce, improve or remove a control.
  • Ensure your system and process doesn't become the Xbox of risk management

Further related reading

  1. A better risk process – as described by Elvis
  2. Fixing the 'risk management' process diagram
  3. Less risk, more management

Insight 7: Upgrade your risk registers

The point

A risk register is "only" one tool of risk management, but it is arguably a central tool. The best designed risk registers are far more than a list of risks; a good register brings together all risk-related information, whatever the source. It emphasises much more than risks – what about the methods of management?

There are two basic requirements of risk registers:

  • Effectiveness: This is driven strongly by the information we collect. Not all risk registers are equal in using this flexibility – some are "just software".
  • Efficiency: We require administrative simplicity, support and power. Things which take us from Excel and beyond in terms of inbuilt risk intelligence.

The practice

We can place significant requirements on risk registers, among which are:

Effectiveness requirements

  • Multiple dimensions. A flexible risk classification system, with defaults which are able to deal with the multiple dimensions and sources of uncertainty
  • Robust risk assessment. Be aware of the serious flaws of probability-impact risk analysis: improve your risk assessment instead of using this approach
  • More than "risk this, risk that". Give as much emphasis to controls as you do to risks; we need less risk and more management
  • Helpful presentation. Great insights come from a two-dimensional presentation of risks and controls: risk-control matrices
  • Events. Sometimes risk management is about "events" – both losses and near misses – so track these against risks to rate your effectiveness
  • Action focus. Keep a careful track on actions; don't let your system and process become the Xbox of risk management
  • Health checks. Automated monitoring that keeps risk information tuned, including:
    1. Scoring errors and warnings: Errors relating to assessment of gross risk, warnings relating to assessment of (a) net risk, (b) generic controls and (c) controls
    2. Date warnings: Generic controls or detailed controls past target review date, events or actions past target date
    3. Synchronisation errors: Events, controls or actions with no corresponding risk

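The three health checks above are concrete enough to automate. The following is an added example, not the article's own material and not code from the RECAL product it references: the register layout (risks, controls, events and actions keyed by risk id), the 1-5 scoring scale, the "gross must be scored, net must not exceed gross" rules and the sample records are all assumptions made for illustration.

```python
"""Automated health checks over a small risk register (added example).

Assumptions: a 1-5 scoring scale; every control, event and action carries the
id of the risk it belongs to; review/target dates are compared against a
fixed "today" so the run is repeatable. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import date

SCALE = range(1, 6)  # assumed 1-5 scoring scale for gross/net risk and controls


@dataclass
class Finding:
    severity: str   # "error" or "warning"
    category: str   # "scoring", "date" or "sync"
    item: str       # id of the register entry the finding relates to
    message: str


# Constructed sample register; review point assumed to be 2017-06-30.
RISKS = {
    "R1": {"title": "Loss of head office", "gross": 4, "net": 2},
    "R2": {"title": "New market entrant", "gross": None, "net": 3},  # gross not scored
    "R3": {"title": "Machine breakdown", "gross": 3, "net": 4},      # net above gross
}
CONTROLS = [
    {"id": "C1", "risk": "R1", "generic": False, "review_by": date(2017, 3, 31), "score": 2},
    {"id": "C2", "risk": "R3", "generic": True,  "review_by": date(2017, 9, 30), "score": None},
    {"id": "C3", "risk": "R9", "generic": False, "review_by": date(2017, 12, 31), "score": 3},  # orphan
]
EVENTS = [  # "due" is the assumed target date for closing out the event record
    {"id": "E1", "risk": "R3", "kind": "near miss", "due": date(2017, 5, 1)},
    {"id": "E2", "risk": "R7", "kind": "loss", "due": date(2017, 8, 1)},  # orphan
]
ACTIONS = [
    {"id": "A1", "risk": "R1", "due": date(2017, 1, 15)},  # overdue
    {"id": "A2", "risk": "R3", "due": date(2018, 1, 15)},
]


def scoring_checks(risks, controls):
    """Errors for unscored gross risk; warnings for net risk and control scores."""
    out = []
    for rid, r in risks.items():
        if r["gross"] not in SCALE:
            out.append(Finding("error", "scoring", rid, "gross risk not assessed on the 1-5 scale"))
            continue  # net cannot be judged without a gross score
        if r["net"] not in SCALE:
            out.append(Finding("warning", "scoring", rid, "net risk not assessed"))
        elif r["net"] > r["gross"]:
            out.append(Finding("warning", "scoring", rid, "net risk exceeds gross risk"))
    for c in controls:
        if c["score"] not in SCALE:
            kind = "generic control" if c["generic"] else "control"
            out.append(Finding("warning", "scoring", c["id"], f"{kind} has no effectiveness score"))
    return out


def date_checks(controls, events, actions, today):
    """Warnings for controls past review date and events/actions past target date."""
    out = []
    for c in controls:
        if c["review_by"] < today:
            out.append(Finding("warning", "date", c["id"], f"past target review date {c['review_by']}"))
    for item in events + actions:
        if item["due"] < today:
            out.append(Finding("warning", "date", item["id"], f"past target date {item['due']}"))
    return out


def sync_checks(risks, controls, events, actions):
    """Errors for any control, event or action whose risk id is not in the register."""
    out = []
    for item in controls + events + actions:
        if item["risk"] not in risks:
            out.append(Finding("error", "sync", item["id"], f"refers to unknown risk {item['risk']}"))
    return out


def health_check(risks=RISKS, controls=CONTROLS, events=EVENTS, actions=ACTIONS,
                 today=date(2017, 6, 30)):
    """Run all three check families and return the findings in one list."""
    return (scoring_checks(risks, controls)
            + date_checks(controls, events, actions, today)
            + sync_checks(risks, controls, events, actions))


if __name__ == "__main__":
    for f in health_check():
        print(f"{f.severity:7} {f.category:8} {f.item:4} {f.message}")
```

Run against the constructed register this reports eight findings: three errors (one unscored gross risk, two orphaned records) and five warnings. The severity split follows the article's own distinction: a gross score that is missing or an orphaned record makes the register inconsistent, whereas a stale review date or a net score above gross is a prompt for the risk owner rather than a broken record.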
Efficiency requirements

  • Find things fast e.g. sort (and rank) columns, filter columns, freeze first column
  • Change things fast including the ability to create, update and delete
  • Robust data storage via a single central database, not lots of spreadsheets
  • Security within and outside your organisation
  • A mass of other technical features including setting the content and appearance of reports permanently or temporarily

If your risk register does not support these effectiveness and efficiency requirements, upgrade it step by step.

Further related reading

  1. Risk management is more than risk registers
  2. RECAL: business benefits
  3. RECAL versions: demo, free and paid
  4. Better risk registers
  5. Better risk identification
  6. Improving risk assessment
  7. Probability: magic without mystery
  8. Less risk, more management
  9. The Xbox of risk management

Insight 8: Smarten up your models

The point

There are substantial opportunities to improve most risk management programmes, through the introduction of more rigorous but nonetheless practical models. This approach has a rich scientific heritage and this should be exploited. In recent years the value of models has been called into question. Perhaps this is because their use (or description of their use) has been naive. Better risk classification sets out the full spectrum of uncertainty as follows:

  1. Certainty: this rarely exists, but in many situations non-risk factors dominate – this is not always apparent from risk material.
  2. Risk: known probabilities (dice, cards etc.). Rarely directly relevant, but sometimes more data means uncertainty moves closer to risk.
  3. Uncertainty: unknown probabilities for key variables – this is the norm for organisations.
  4. Ambiguity: not only are probabilities unknown, the presence and effect of contributing factors and the potential outcome are also unknown.
  5. Chaos: nothing is known and "black swans" seem to be frequent.

Risk insight

The closer we are to (1) above – certainty – the more complex our model can (justifiably) be. Indeed in (1) and (2) complex models may be necessary for competitive advantage. Although management cannot abdicate responsibility, this is classic ground for technicians.

The closer we are to (5) above – chaos – the simpler our models should be. In extremis they should be no more than heuristics; complexity is a false and misleading friend in such circumstances. What we need is the experience and judgement of senior management, rather than trusting "business as usual" models.

Good risk management includes the search for enhanced understanding – and action – in the face of the unknown. Many organisations must face (3) and (4) as a matter of routine. A rewarding challenge is, without being naive, to work to move towards (2) – at best temporary success before things change again!

The practice

There are at least four different types of model which a company could introduce:

  1. A conceptual model: A useful thinking tool, such as an improved risk process or better risk classification.
  2. A process model: We model (e.g.) an internal operational process from start to end, investigating the causes of failure and the potential effect of controls.
  3. A probability distribution model: We model the uncertainty around the value of some parameter, initially using the simplest probability distributions.
  4. A corporate financial model: The projected and discounted cash flow model which a company uses to calculate an internal risk-adjusted company value.

"Step-by-step" rather than "all-or-nothing" model development is the best approach. You could initially adopt just one of 1-4 above, or you could implement some process and probability distribution models, but limit this to a small number of risks while experience is gained. This fits well alongside risk registers.

Further related reading

  1. Better risk classification : gives a little more on "the full spectrum of risk" and other ways of slicing up risk(s)
  2. Probability: magic without mystery : how to talk about modelling and probability without mentioning the P word
  3. Risk savvy: how to make good decisions : this book by Professor Gerd Gigerenzer includes material on simple versus complex models, heuristics etc

Insight 9: Improve your risk assessment

The point

A rigorous approach to risk assessment can seem intimidating compared to the single valued probability-impact approach. But there are ways to implement a more rigorous risk assessment process, using very simple maths. Good risk assessment enables the two key areas of value: opportunity selection and risk modification. Without a good risk assessment – best estimates and uncertainties – the basis for decision making is at best unclear.

The practice

Risk assessment should incorporate both probability and impact, where impact is a distribution of values rather than a single value. There are three significant ways in which the burden of risk assessment can be eased, while making risk assessment more rigorous:

  • Distributions. The distributions used in risk assessment can be simplified. At least to start with, risk assessors need not even think of distributions, but can concentrate on things such as the best case result, most likely result and a worst case result. "Risk experts" might help take this further.
  • Financial risks. Many financial risks can be assessed using models which are based on huge amounts of data. While these models are far from infallible, they are usually an improvement on an individual's estimate or judgement. For many organisations genuine risk management rather than assessment comes to the fore.
  • Inputs and outputs. Some requests for impact assessments are unnecessarily complex. Example: rather than assessing the financial impact of industrial action, a risk owner might instead assess how many days of production would be lost. A model converts from lost production to lost revenue and profits.
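The probability distribution model of Insight 8 (item 3) and the three bullets above (three-point estimates, probability with an impact distribution, and a model converting an operational input to a financial output) fit together in one small calculation. The following is an added example, not the article's own: the industrial action figures (probability of the event, best / most likely / worst days of lost production, daily revenue and contribution margin), the choice of a triangular distribution for the three points and the conversion model are all assumptions for illustration.

```python
"""Three-point risk assessment with a simple input-to-output model (added example).

Assumptions: the risk owner supplies best, most likely and worst case days of
lost production; a triangular distribution is fitted to those three points;
a constructed conversion model turns lost days into lost contribution.
"""
import random


def triangular_mean(best, likely, worst):
    """Mean of a triangular distribution through the three given points."""
    return (best + likely + worst) / 3.0


def lost_profit(days, daily_revenue, margin):
    """Assumed conversion: lost days -> lost revenue -> lost contribution."""
    return days * daily_revenue * margin


def assess(prob, best, likely, worst, daily_revenue, margin, n=20000, seed=1):
    """Compare the naive 'probability x most likely impact' figure with the
    expected loss and a simulated P90 once impact is treated as a distribution.

    prob is the probability of the event (industrial action) in the period;
    best/likely/worst are days of lost production if it happens.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n):
        if rng.random() < prob:  # the event happens in this simulated period
            days = rng.triangular(best, worst, likely)  # arguments: low, high, mode
            losses.append(lost_profit(days, daily_revenue, margin))
        else:
            losses.append(0.0)   # no strike, no loss
    losses.sort()
    return {
        # what a single-valued probability-impact score would give
        "single_point": prob * lost_profit(likely, daily_revenue, margin),
        # analytic expected loss using the mean of the three-point distribution
        "expected": prob * lost_profit(triangular_mean(best, likely, worst), daily_revenue, margin),
        # Monte Carlo mean and 90th percentile of loss in the period
        "sim_mean": sum(losses) / n,
        "sim_p90": losses[int(0.9 * n)],
    }


if __name__ == "__main__":
    # Constructed figures: 30% chance of a strike; 2 / 5 / 20 days lost;
    # 100,000 revenue per production day at a 40% contribution margin.
    result = assess(prob=0.3, best=2, likely=5, worst=20, daily_revenue=100_000, margin=0.4)
    for key, value in result.items():
        print(f"{key:13} {value:12,.0f}")
```

With these figures the single-point score is 60,000, while the expected loss is 108,000 and the simulated P90 is roughly four times the single-point figure. The gap is the point of the "distributions" bullet: when the worst case is far from the most likely case, the most likely value alone understates the risk, yet the risk owner only had to supply three numbers and a count of days rather than a financial figure.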

Further related reading

  1. Improving risk assessment
  2. Probability: magic without mystery

Insight 10: Act!

The point

The value of some risk management is hard to gauge; it lacks connection with the real world that organisations face, in particular decision making.

At one level improving this is easy; we should link risk management to objectives and processes which:

  • Have significant uncertainty: When we think about it there are probably quite a few of these.
  • Need decisions: Even if this is simply to continue with the status quo.

This is more than a risk management solution looking for a problem. And more than a risk management land grab. The truth is that uncertainty – over things and values that matter – is all around us. There's a strong argument that the taking on of fundamental uncertainty is a requirement for adding long term value. In a competitive world even when things seem stable other companies and organisations are deliberately introducing changes to change the status quo.

In the face of that we certainly need more than passive monitoring and reporting. We even need more than active assessment. We sometimes need to take action.

The practice: a better process

The risk world is awash with risk management process diagrams which have lots of arrows, monitoring and reporting but little action. Perhaps because they are written generically it can be hard to see how these diagrams should be applied to us. That's why I suggest you use and adjust a simpler approach:

Isn't that clearer? It's apparent that:

  1. Risk management is motivated by the requirement to select from uncertain opportunities (top left of diagram, with examples).
  2. That this should be grounded in the assessment of relative upsides and downsides ("assess").
  3. That good risk assessment takes into account views and expertise from various parties ("consult").
  4. The need for action is clear. The decision to go ahead may itself be based on assumptions about how people will act in the future (e.g. monitoring and controls).
  5. The result of the decision: if everything goes ahead there may be changes to the financial and operational balance sheets.
  6. The resulting business and commitments can persist for many years: think of an insurer issuing life insurance.

Risk insight

One of the issues with much risk management, especially in the financial sector, is that it is backward looking; it has too much emphasis on (6) – after the "real decisions" have been made. Much more value can be created – and much more risk exists – around forward-looking strategy and decision processes.

The practice: up front decisions

  • Ensure your risk management includes quantifying uncertainty around key decision variables.
  • Ensure you have support tools for trading off risk and return – will management heuristics result in long term success?
  • Do not disregard the benefit of experience; the bad feelings which are difficult to quantify. Better to walk away when something smells badly wrong.
  • Gradually increase your decision competency, including the use of intelligent controls to support decision making.

The practice: ongoing decisions

  • Include a "post win review"; a year later are we glad we took the opportunity on the terms on offer?
  • Document the controls that were assumed as part of the "deal" – benefit from the recurring patterns this entails.
  • Ensure controls are delivered in line with expectations on "day 1". Can we make controls more effective (not necessarily more onerous) than this?
  • Make your controls more than wish lists. Ask more of them. By all means start with a 4Ts classification of risk control.

Further related reading

  1. Intelligent Internal Control and Risk Management
  2. Less risk, more management
  3. Better risk assessment
  4. Probability: magic without mystery
  5. 4Ts classification of risk control

Where next?

© 2014-2017: 4A Risk Management; a trading name of Transformaction Development Limited