Be risk aware, not risk averse!
By Horst Simon, The Risk Culture Builder
Volumes have been written on the cause of the crisis the world is in, surveys have been done and many fingers are pointing in every direction—a couple of these are pointing straight at us, the Risk Practitioners.
It is time for us to accept that risk management, as we know it, failed; and for if we try to re-direct or break the fingers pointing at us—we remain stuck in this bad cycle. It is time to renovate risk management. The past is no longer a road-map for the future.
Let us come clean and move on, the earlier the better for all. Which other discipline has so many frameworks, so many different processes and so many different standards, regulations and so-called guidance documents? Which other discipline has so many people claiming to be experts (some after doing a 3 or 5-Day training program with a “certification” and trying to squeeze a quick buck out of something nobody can ever be an expert in? Too many “somebodies” out there who are “certified” by nobodies, too much education done by non-educators.
We live in a world of dynamic change, the pace of which is ever increasing and with it, the levels of Risk Exposure; any process older than 5 years is outdated. The basic Risk Management Cycle is one of these outdated processes.
Let us look at Risk Identification: we tried in many ways to identify all the risks—until a volcano sneezed and we realized that we have not; and can never, identify all the risks. Let us accept that and move on. The size of your risk register is not related to, nor is it an indication of the effectiveness of your risk management process.
Next, we get to Assessment and Analysis: Those who thought they were good at risk identification moved on to quantification. Sadly, many are still stuck there, thinking that models can control and mitigate risk. Some in the alternative movement is trying to justify the great cost of their models by using the results for good purposes, like calculating economic capital etc.
Even sadder is that in my risk survey on LinkedIn, only 26% of the respondents said they have no problems with the data in their systems. Does that mean that 74% of corporate risk reports and many regulatory compliance calculations are sucked out of useless data of varied degrees? The quantity of data is often so impressive that people forget that the underlying quality might be bad. (or is confirmed bad like the 74% of recent survey respondents).
Risk reporting, control and treatment: How wrong did we get red, amber, green! Now everybody wants every risk to be green, because green is good. Green on a risk report is perceived to mean “do nothing”, but that is the quickest way for those risks to shoot to red. Then we get to amber, what a nice place to be- all risks are under control and we choose to overlook the fact that those controls might not be efficient or can be completely ineffective.
DANGER ZONE – those risks in the red zone, the bad zone. The red zone is where you make the most money, but it is also the place that requires the most effort in risk control. For if red is perceived as bad we will be stuck with average risk management effort (amber) or no risk management effort (green). So, the red zone is the best zone with the biggest returns—if you are prepared to put in the effort.
We already know that the effectiveness of your risk management process is not linked to the size of your risk register. Similarly, it is also not linked to the thickness of your executive risk report. Anyway, we have sanctified board risk reports to the extent that the difference between what the top thinks and the bottom knows is so big that those in the middle are just slipping into the ditch.
Trouble surely comes when people are working harder at keeping their jobs, than doing their jobs.
If you have a formal monthly risk report it is generally 28 days too late, frightening to think some have a quarterly risk report, or as a friend commented recently, an ANNUAL risk report! It is thus not about the size, it’s all about the timing; having a risk nervous system that runs accurate risk information from all points inside the organisation (and outside) and having “live” dashboard reporting on the company intranet. The earlier people know, the better the decisions and the smaller the losses.
Secondly, the sole purpose of many risk management processes is to produce the risk report, often that is the sole purpose of the risk management department. The outcomes of a risk management process are much more than models and risk reports. What do you do with the information you have? If your risk management department cannot show a positive Return on Investment—get rid of them!
Processes and Systems: Most organisations have taken the easy way out (note: not the cheapest) and they built impressive risk management systems worth millions of dollars; but failing to address the fundamental issue of people. All risk management efforts are worthless without a risk nervous system—and only humans can add that.
Be risk aware, not risk averse!
Getting used to the transparency of a risk management framework is the first stepping stone in building an effective Risk Culture. Within the context of having a Risk Profile, learning to not focus on the risk, rather the treatment of it, is the next step.
Having an accurate risk profile for each business area and a consolidated picture of the main risks creates a valuable opportunity to reconnect with your business, build trust amongst your people, will improve decision-making and provide transparency to your stakeholders.
Being risk aware rather risk averse will show commitment in due diligent business practices and allow the business to grow through the commitment of each employee.
Learn to thrive on bad news, and don’t accept surprises. Bad news must travel faster than good news. Doing a Risk Assessment Workshop and a risk profile will reduce the surprise factor of risks popping out from nowhere. Getting Bad news in Good time is always better than a surprise when it comes to risk management A key factor to mitigate the risk (or containing the impact) is having time to find an effective solution to the bad news.
Risk management must be dynamic to achieve success and build value. It serves no purpose to just do a risk profile, evaluate the associated controls in terms of design and effectiveness and then claim to have a risk management process.
Internal and external changes are the biggest drivers for re-assessment of risk and the pace and intensity of change is not slowing down. Your carefully “workshopped” risk profile could be out of date at the end of the next business day.
We have lived with risk profiling as a result of the impact (severity) x likelihood (frequency) and we have completely missed the other two dimensions of risk profiling. Looking at risk in these two dimensions, as we have done for years; give us a risk profile that is a snapshot in time and on its own it is not of great value. It is at most a subjective quantification at that point in time. Many companies can produce these in a flash, but do they practice risk management?
We must look at risk profiling in four dimensions to practice risk management. We need to add direction and speed to these snapshots to really drive value. We need to compare all these snapshots over a period to see in which direction risks are moving and at what speed they are moving; that is when the value is added, moving away from just profiling to predicting—one step closer to forward-looking risk management.
This is also when things become a bit more complicated; the past is not always a roadmap to the future and with the pace and intensity of change ever increasing, we can safely say that the past can no longer predict the future.
So now that you are changing to 4-Dimensional Predictive Risk Profiling, keep in mind that many internal and external factors will influence the speed and direction and these would also need to be incorporated in your outcomes and action plans.
Risk profiling, done correctly, will highlight not only the negative side by exposing the challenges; it will also help to identify the hidden opportunities to optimise risk and build sustainable competitive advantage. Risk profiling is the first step to “looking through the windscreen and not only in the rear-view mirror”; it is proactive in its approach and practice.
“Business managers using the traditional ERM approach to managing risk are assuming that the status quo hasn’t or isn’t changing. Companies need better foresight and change agility management strategies to effectively mitigate emerging risks. By anticipating change and extremely adverse events that cause rapid change, an enterprise places itself in a better position to capitalize on rare opportunities“ CHRIS MASSEY
Success: You know that you have influenced your organisation’s risk culture when people raise risk implications early in strategy discussions and throughout the decision-making process!
Remember cultures do not just form from nothing– you never start with a blank page. Cultures build on existing cultures— in most cases you will need to “fix” the existing corporate culture before you can build an effective risk culture
We already know that there are no risk management experts; and in fact, we do not need any risk management experts! All we need is for each employee to know the basic risk management skills and principles; use them to evaluate the risks associated with his/her job and do something daily to mitigate and control those risks. Risk Management success lies in embedding an effective risk management culture!
Prevent your business from crash-landing, change the way you see and approach risk management and execute that transformation; put in the effort and embed an effective risk management culture in your business, delivering good risk governance and building sustainable competitive advantage.
Welcome to transformation, be the change you want to see!
Horst Simon is the Director, Risk at Strong Advice FZC and an Advisor to the Risk Centre in the British University in Dubai. Horst Simon is a… Click to Read More