There is something even more basic than setting aims for your risk management work – the first step in the 4As framework. Honesty.
Risk management dishonesty – or just lack of clarity – about risk management's value proposition and limitations leads to ineffective risk management.
Board members are faced with insistence from regulators on what must be done to manage risk. Promises from advisers on risk management – including the commercial value at the end of the risk management rainbow – are plentiful. How should Board members respond?
Does risk management like I.T. with atheists, agnostics and "true believers" in its value? Being honest, risk management...
- is only the third most important thing for an organisation (we can speak up the importance of risk management, especially for external audiences)
- can offer more than protection against complete failure or bad things that happen (although this is a common perspective and good first step)
Risk drives everything we do
I don't think I'd have to look too hard to find sentiments such as this in the public-facing risk-related material of many financial companies such as banks and insurers. It's the sort of reassuring comment that some shareholders and (all) regulators, credit rating agencies want to hear. "We're safe, we're prudent" it says. The problem is it probably isn't true – and probably shouldn't be. And when we make statements like that a little more credibility disappears.
As I write Apple has just become the world's first $700bn company. It didn't get there driven by risk management.
Risk management is only the third most important thing
Put risk management in its right place: take 1
Dave Ingram's article (the) Hierarchy of corporate needs and ERM explains what should be obvious to those of us who want risk management to ascend to its true role of adding measurable value to organisations, and to be seen to do so:
- First, a successful organisation needs products that the market wants. we're using market in a broad sense.
- Next, it must be able to sell those products profitably. Or, more generally, supply good and services on terms that work for all stakeholders.
- Finally the successful organisation survives – doing 1 and 2 over the long term. For this reason – at least – it needs risk management.
So risk management is (only) the third priority of successful organisations. But wait, good risk management is more important than that suggests.
More than bad events: the link to strategic risk
First it's more important in limiting downside. Let's consider only strategic risk. Strategic risk usually get less attention than financial risk or operational risk. The following evidence suggest that risk management could make a much bigger strategic contribution:
Several studies have looked at the "share" of risk between risk categories.
|Research||Coverage||Strategic (%)||Operational (%)||Financial (%)|
|IMPACT study 2009||Public companies: negative events||64||35||1|
|Oliver Wyman 2000||Biggest share price falls||61||33||6|
Though the majority of companies' efforts in enterprise risk management programs focus on financial risks, the bulk of risk exposure lies in strategic and operational risks. Impact study, 2009: first major finding
Stretching to obtain the upside
Risk management is important in reaching for the upside. People can get quite emotive when talking about "upside risk", or (understandably) when someone claims a commercial value for risk management. But here's one reason I believe risk management has more to offer than survival.
All profit-driven companies need successful products. Unsuccessful products – enough of which ultimately lead to the failure of the firm – fail across a range of factors: product quality, price, distribution or failure to get the "message" out. Having identified the factors necessary for success and the failure level – both tasks for "ordinary" management – we research the detailed things (products, processes and long term learnings) which prevent failure.
Failure is just a very important baseline. Other benchmarks could be minimum profitability, "stretch targets" etc. Identifying the routes to success, the challenges and uncertainties with the attainment of objectives etc follows the same path. At's all about good decision making in the face of uncertainty.
Risk management is about being able to identify, assess and manage the full spectrum of uncertainty, rather than the area to the left of a line which one person defines as success. Of course success about having good product(s) and being able to supply them profitably. But in a competitive world where product design rapidly becomes public knowledge and expertise can be bought in, wouldn't you prefer to have risk management as a less visible competitive weapon?
Frank Knight believed that profit goes to companies who take on and manage uncertainty best. Almost 100 years later, I wholeheartedly agree.
The "helpful thinking" series:
- 4As of risk management : setting the initial objectives for risk management.
- 6Ps of risk management : integrating risk management in an organisation from day-1.