The scope of effective risk management
In September 2014 the Financial Reporting Council updated its guidance on risk management and internal control, stating that "risk management ... should be incorporated within the company's normal management and governance processes, not treated as a separate compliance exercise".
Our 6 Ps of risk management put this into practice by highlighting the uncertainty which surrounds an organisation's core activities.
As I write, strategic failure is everywhere. The leading football clubs of the 1980s and 1990s – Liverpool and Manchester United respectively – have lost their crowns. Retail darlings RBS and Tesco have lost their sparkle. The likes of the Co-op and HMV will probably never again be the same.
Would better risk management have helped? Effective risk management helps you plan for business as usual, failure and success:
- Business as usual: Robust techniques such as scenario planning add to strategic awaydays.
- Failure: Competitive trends and sudden major events are inevitable. Without corporate resilience, failure in the long run is inevitable.
- Success: Not all trends and events are unhelpful. An agile organisation takes advantage, building value for its stakeholders.
It is not hard to find public projects which have had substantial cost overruns or have failed in other ways. Examples include the £414m bill for the Holyrood building where, according to the BBC, the cost was originally estimated at £10m-£40m. For balance it was 3 years late. Naturally, successes such as the 2012 Olympics seem to get rather less attention.
The need for risk management of major change projects seems clear and has been recognised. The Project Management Body of Knowledge contains a chapter on risk management, while the UK actuarial profession and the Institution of Civil Engineers have published RAMP – Risk Analysis and Management for Projects.
This P covers an organisation's core purpose and reason for being. Beyond strategy and change projects, the success of most organisations will be determined by the many day-to-day decisions which are neither "game changing" nor mundane. These decisions are usually subject to uncertainty. With the benefit of hindsight, the decision might have been a good or poor one. Example: is an insurer's decision to reduce its price from £100m to £98m good or unsound? How are we to judge?
Most important decisions – setting prices, agreeing acceptable contract terms and striking a deal (or not) – have aspects of uncertainty.
Risk management with nothing to say is just compliance. The Financial Reporting Council says this shouldn't happen. Commercial sense demands more.
Organisations are filled with processes. Some are explicit and accompanied by procedure manuals, with penalties for non-adherence. Others are much more ad hoc and perhaps not even recognised as processes. Some are automatic – the production of widgets – while others, such as new product development, require significant ongoing human involvement.
Since its first incarnation in the early 1990s the Balanced Scorecard strategy and performance management tool has included internal business processes as one of its four perspectives. The purpose is to identify metrics which answer "At what must our organisation excel?" Examples could be cycle time, unit costs and new product developments. Uncertainty around the achievement of those process objectives suggests they should be within the scope of risk management.
Various risk management techniques can be applied. The focus could be limiting an error rate or improving performance where there is no obvious error.
A balance sheet focus is quite right for financial firms. Historically the main concern has been solvency, but since the global financial crisis liquidity risks have received increased attention. The Sharman Inquiry, set up to address going concern and liquidity risks, extended this dual focus to non-financial firms.
A regulator's primary focus on solvency (the balance sheet) and liquidity (cash and cash-like assets) is understandable, but other stakeholders such as shareholders should also be concerned about profitability and long term economic viability. These are better measured by sales and profits. While the viability point is much less visible in Sharman, it's just as important – ask those shareholders of Tesco and HMV whether long-term economic viability should have been given more attention.
All firms can use financial and operational models, "stress and scenario testing" and other techniques from financial services – see the Corporate Governance Code.
The human aspect of risk management may be the most important. Recent years have seen press coverage of overpowering chief executives, "rainmakers" with too much influence and traders acting in their own interests. The old saying "our people are our greatest asset" may be true, but people are often an organisation's biggest risk. Will board members wield their power for good or ill? Will they act in their own interests or others'?
Here's the problem: the human aspect of risk management is not so much about "tone at the top", but more about corporate and personal values and ethics, allied to competence (or lack thereof). Bad personal behaviour can range from unwelcome negative attitudes and boorish behaviour through to exerting unacceptable pressure to "find solutions" and "deliver". Beyond this come actions which would be widely regarded as immoral and others which are illegal.
Simple uncertainty suppression can be deliberate or inadvertent. Where are your people on the behaviour spectrum? Where are your board?