In the article on Risk Culture Building I described the concept of Risk Culture Building. We looked at the bigger picture for context and structure, at risk maturity levels, and at brief descriptions of the five levels of risk culture maturity. We also looked at the six operational areas within risk management; these not only provide structure to risk strategy, policies and maturity assessments, but can also be used as the six top-level risk categories within any risk management framework. The marketplace is global and all the information is available; only those who can out-think their competitors will survive.
1. Policies
The main objective of a Risk Management Policy is to ensure sustainable business growth with stability and to promote a pro-active approach in evaluating, reporting and optimizing the risks associated with the business. To achieve this key objective, a Risk Management Policy establishes a structured and disciplined approach to Risk Management that guides all business decisions and builds an effective Risk Management Culture. Policies direct business processes and support sustainable business practices; however, no policy can replace the hearts and minds of the people. In this operational area we will focus on the 5 levels of maturity, from having no formal policies in place to having policies fully integrated and directing all business processes. Having the right policies in place is also a key pillar in the five-pillar framework for the mitigation of people risk (more on this framework in a future post). The best policies, procedures and great-looking risk dashboards in a bad risk culture are just a waste of time.
2. Processes
Risk Management and other business processes flow from the directives set in the policies. Ultimately risk control and risk mitigation principles and requirements must be built into all such processes to achieve the ultimate Risk Culture. Any process older than 5 years is outdated; we live in a world of dynamic change, the pace of which is ever increasing and with it, the levels of Risk Exposure. The basic Risk Management Cycle is one of these outdated processes.
Let us look at Risk Identification: we tried in many different ways to identify all the risks, until a volcano sneezed and we realized that we had not, and never can, identify all the risks. Let us accept that and move on. The size of your risk register is not related to, nor an indication of, the effectiveness of your risk management process.
Next we get to Assessment and Analysis: those who thought they were good at risk identification moved on to quantification. Sadly, many are still stuck there, thinking that models can control and mitigate risk. Some in the alternative movement are trying to justify the great cost of their models by using the results for good purposes, such as calculating economic capital.
Most organisations have taken the easy way out (note: not the cheapest) and they built impressive risk management processes, but failed to address the fundamental issue of people. All risk management processes are worthless without a risk nervous system—and only humans can add that.
In this operational area we will focus on the 5 levels of maturity, from having no formal documented processes to having fully integrated business processes where all new and changed processes are subject to risk assessment and formal, organized efforts are made to mitigate risks and remove inefficiencies.
3. People and Organizational Design
Risk practitioners generally fail to address the underlying human aspects of Risk Management. Since the publication of the Basel Accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like policies, procedures and systems, these are worthless if the human attitude, acceptance and desired response are lacking.
Addressing the aspect of people risk is the only way an organisation can improve the way its people respond to a situation of risk and the effectiveness of its risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk. The Future of Risk Management: broader responsibilities, much stronger collaboration, better internal and external relationships and deep engagement at a strategic level.
“Organizational design is the deliberate process of configuring structures, processes, reward systems, people practices and policies to create an effective organisation capable of achieving the business strategy” (Designing Dynamic Organisations, Downey, Galbraith & Kates, Jaico, 2007).
A key success driver in the process of organizational design is what they describe as a Reconfigurable Organisation, an organisation that is “able to quickly combine and re-combine skills, competencies and resources across the enterprise to respond to changes in the external environment”.
Characteristics of such an organisation are:
· Active Leadership, where leaders are involved at all levels of the organisation
· Excellent Knowledge Management, where all organizational intellectual capital details are recorded, protected and accounted for
· Dedicated and well-structured organizational Learning, not just learning from their own mistakes, but primarily learning from the mistakes of others (it’s cheaper that way)
· Organizational Flexibility, where the organisation can change with the times and with internal developments, and respond quickly to changes in the operational environment
· Total Employee Commitment, where all employees know the purpose, strategy and the goals and objectives of the organisation
· An excellent level of Change Readiness: time is money!
In this operational area we will focus on the 5 levels of maturity, from having individual “risk heroes” and a business environment where all managers are always “firefighting” because individual risks are managed in silos, to a level where every employee is a risk manager and knowledge and skills are upgraded continuously.
4. Reporting
The purpose of risk reporting is to provide users with information that will allow them to make their own assessment of risk and support them in taking the right business decisions. The overall aim of any risk reporting process must focus on helping all employees to take better risk-informed decisions.
How wrong did we get red, amber and green! Now everybody wants every risk to be green, because green is good. Green on a risk report is perceived to mean it is all OK, “do nothing”, but that is the quickest way for those risks to shoot to red. Then we get to amber, what a nice place to be: all risks are under control, and we choose to overlook the fact that those controls might be inefficient or completely ineffective.
DANGER ZONE: those risks in the red zone, the bad zone. The red zone is where you make the most money, but it is also the place that requires the most effort in risk control. For as long as red is perceived as bad we will be stuck with average risk management effort (amber) or no risk management effort (green). So the red zone is the best zone, with the biggest returns, if you are prepared to put in the effort.
We have known for a long time that the effectiveness of your risk management process is not linked to the size of your risk register. Similarly, it is also not linked to the “thickness” of your executive risk report. Anyway, we have sanctified board risk reports to the extent that the difference between what the top thinks and the bottom knows is so big that those in the middle are just slipping into the ditch. Trouble surely comes when people are working harder at keeping their jobs than at doing their jobs.
If you have a formal monthly risk report, it is generally 28 days too late. It is frightening to think that some have a quarterly risk report or, as a friend commented recently, an annual risk report. It is thus not about the size; it is all about the timing and having a risk nervous system that runs accurate risk information from all points inside (and outside) the organisation, with “live” dashboard reporting on the company intranet. The earlier people know, the quicker the opportunities are identified, the better the decisions are, and the smaller the losses. Remember that all the reports and dashboards are based on historic data; it is just information! Success in risk management is actually “looking through the windscreen”: doing something with that information.
Secondly, producing the risk report is the sole purpose of many risk management processes, and often the sole purpose of the risk management department. The outcomes of a risk management process are much more than models and risk reports. What do you do with the information you have? If your risk management department cannot show a positive Return on Investment, get rid of them!
In this operational area we will focus on transforming basic risk management reporting to outcomes-based “live” risk management dashboards that can really support “in-time” business decisions and help organisations to exploit those competitors who are not good at risk management.
The Future of Risk Management: a major shift away from a risk team presenting a report, to business units taking ownership and accountability of their own risks and managing these to maximize the rewards.
5. Management and Control
Management and Control must not be seen as the exclusive competency of the risk management department, but rather as a process which involves, at the appropriate levels of responsibility, all of the organisation’s employees. Risk management concerns the whole organisation and all of its activities.
There are three key elements in this process:
- the Management and Control structure: those charged with the duty of control
- the tools: generally these are provided by the central risk management function
- the procedures: the network of human and system interfaces that coordinate information and optimize risk management decisions
In a bad risk culture there are no accurate measures. A combination of individual “best practices” makes this process inconsistent, with no ownership and no sanctioning process, which results in informal or no control of overrides and exceptions. Within the organisation this process should evolve and be improved to achieve consistent measures of risk management performance, where losses and exposures are systematically assessed and managed.
Success is when risk quantification results are fully integrated with business decision-making and incentives are linked to risk strategies and organizational performance over time. Risk management is then optimized to exploit all opportunities to achieve sustainable competitive advantage.
The Future of Risk Management: risk managers become trusted counselors to business units, helping them to take better, risk-informed decisions and maximize reward.
6. Systems and Data
“Twentieth century systems are failing to manage 21st century risks; we need new networked systems to identify and address global risks before they become global crises,” said Robert Greenhill, Managing Director and Chief Business Officer at the World Economic Forum.
In my first risk survey on LinkedIn, only 26% of the respondents said they have no problems with the data in their systems. Does that mean that 74% of corporate risk reports, and a large number of regulatory compliance calculations, are drawn from data that is useless to varying degrees? The quantity of data is often so impressive that people forget that the underlying quality might be bad (or is confirmed to be bad, as it was by 74% of the survey respondents). We have been talking about data issues since 2003, but nobody is fixing the quality problems.
Companies have spent billions of dollars buying the latest technology and systems, but many still fail to implement procedures that reduce the risk of human error, lack of business ethics and malpractice.
The implementation of risk management systems is generally at one of two extremes. Often there is no risk management system in place and the organisation has a large number of custom-built spreadsheets for risk information and risk control. No clear data requirements are defined and, coupled with ad-hoc data collection, this results in poor data quality and incorrect reporting. At the other extreme, many organisations purchase expensive risk management systems and then try to rebuild their entire business operations and processes to “fit” the risk management system. Neither of these works and neither approach will contribute positively to your risk management strategy.
Success in the management of risk lies in building an effective risk culture in which bad news travels faster than good news, and in which those who are good at Risk Management can exploit those who are still sitting around trying to identify all the risks they are exposed to and building a mountain of a risk register.
The Future of Risk Management: a real focus on collecting and analyzing near-miss data and learning lessons from it; it is more important than loss events!