Risk management involves thinking about the things that need to go right as well as what can go wrong, says Bill Sharon.
There has been an increased dissatisfaction with many efforts that have been initiated under the rubric of ‘risk management’ over the past several years. One of the drivers of this dissatisfaction has been the cost of compliance with Sarbanes Oxley legislation (according to the FEI in a survey of 217 companies with revenues in excess of $5 billion, the average cost in the first year of implementation was $4.36 million; 39 percent more than was anticipated). However, the more fundamental complaint is that for all the focus on categorization of and mitigation against issues identified as ‘risks’ there has been very little tangible positive impact on the bottom line.
The response to this criticism has been to point to the control issues that have been uncovered in the SOX process and the potential civil and criminal penalties that have been avoided through the identification and documentation of those issues along with the required remediation actions. While there is no question that the provision of accurate financial information and the compliance with the provisions of the SOX legislation as well as PCAOB standards is essential, it is reasonable to question whether this activity should be defined as the primary focus of risk management. Achieving basic processes involving adequate financial controls is a fundamental requirement of being in business.
Another dimension to the complaints about the risk management effort comes from those who are charged with implementation. They often point to a lack of sustained sponsorship from the executive suite. Senior managers are clearly concerned about adhering to the requirements of the law and established compliance standards, but they are charged with growing the enterprise and generating profits for their shareholders. Activities that do not contribute to that goal are generally viewed as a cost of business, certainly necessary, but not central to the myriad of tasks essential for growth.
On an operational level there is also a growing adversarial trend in the relationship between risk managers and the businesses and operational managers. In financial services there is a new set of requirements to manage operational risk set out in the Basel II accord. While the language of the accord is broad in terms of the need for a comprehensive approach to operational risk, the primary focus has been on the provision that requires capital allocations based on negative events that have occurred in the operational environments of similar businesses in the past. This has led to intense efforts to establish ‘loss databases’ to catalog these events and develop actuarial tables to determine the allocations. Because this is essentially an insurance model, business managers are being put in the position of arguing that their premiums are too high and based on events that are not germane to their particular business model. Other industries are also experiencing significant constraints on their operating environments resulting from control procedures that impact their ability to execute in a timely manner.
The definition of risk
We (SORMS) believe that the fundamental problem in all of these areas is the definition of risk. Our view, simply put, is that risk exists. It is neither good nor bad until it is understood in the context of the business objectives of an organization. We believe that this concept has been confused by the labeling of compliance activities (SOX, Basel II etc.) as the primary or even sole focus of risk management efforts. While there is no doubt that a failure to comply with a law, regulation or international accord presents a risk, it is a very narrow view of risk to the enterprise.
Risk needs to be understood across a continuum from those events that present the potential for damage to the business strategy to those that compose the uncertainties implicit in the execution of that strategy to those that must be embraced in order to achieve the goals of the organization. Expanding the definition of risk management in this manner has the potential to engage the entire organization as it requires collaboration between business and operational managers to gather and assess the risks that are not only to be avoided but also embraced in the service of achieving the goals of the organization.
The current definition of risk as a negative is the result of the corporate abuses of the recent past and the regulatory response to those abuses. Certainly these issues needed to be addressed, but we all appear to be concentrating on worrying about all the things that can go wrong. The attention to this narrow perception of risk is driven by fear. Anyone who suggests that we may have become excessive in our focus on controls is often shouted down as the purveyor of, at best, irresponsibility and, at worst, malfeasance.
Insurance in its many forms is an essential component of prudent business practices and for many years was the primary focus of managing risk. The level of sophistication of actuarial models that will be developed over the next several years in the operational area will be useful in mitigating the losses in new and/or established high risk opportunities in the financial services industry and will also have application in many other industries. These insurance models will not, however, win a new client, close a deal, integrate an acquisition or contribute to the reputation and image of a company. All of those efforts will require the management of risk from a different perspective. It will require an understanding of and management of “all the things that need to go right”.
An historical example
We are all familiar with John F. Kennedy’s State of the Union challenge in May 1961 in which he set the goal to put a man on the moon by the end of the decade and the achievement of that goal in July 1969 by the Apollo 11 Lunar Lander and Neil Armstrong. What may have been forgotten is Kennedy’s sustained effort to ensure that this be the goal of the NASA program rather than one of several goals – the latter strategy being favored by James Webb, the Director of NASA at the time.
This historical example is interesting from several perspectives. First, a clear goal was established with little or no immediate prospects for its achievement. The underlying perspective at the time was that it would be unacceptable for the Soviets to beat the US to the moon. From a risk perspective, all other concerns would have to be addressed within the context of that goal.
Second, the historical record tells us that Kennedy did not just make his pronouncement and move on to other things. He was challenged by the agency that had the responsibility to achieve his goal. From the recently released recordings of the meetings between Kennedy and Webb it becomes clear that Webb was concerned that there was a lack of information about the surface and environment of the moon as well as information on the composition of space. He was arguing for a delay to gather more information.
Kennedy listened to and evaluated the objections to the singular dedication of funding to the lunar landing and then reaffirmed his strategy. He is quite candid about his lack of interest in space; he just wanted to get to the moon before the Russians. The science was a tool to achieve that goal. Here we have an engaged executive leveraging his operational environment to attain an objective that he deemed important in the larger picture. Certainly the risk from a technical perspective was immeasurable but the political risk was clearly quantifiable.
Third, the only way to achieve Kennedy’s goal was to “worry about all the things that needed to go right”. This meant accepting the lack of information about certain aspects of the mission and making the best possible judgments. In the words of Arthur Rudolph, the scientist responsible for the development of the Saturn 5 rocket that sent the first Apollo mission to the moon, those judgments were considered in the following manner:
“You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”
The only way to determine the acceptable level of leaking was to understand the goal of the mission, of which the greater understanding of space, and the engineering required to explore it, was only a component. The political context was the driving force. Implicitly, this meant accepting tactical and potentially catastrophic risks to avoid what had been described as the greater risk of being second to the moon. (A subject for another time is the insidious risks that occur when an organization relies on past success to rationalize current and future performance.)
The Swing of the Pendulum
The fundamental issue facing the risk management discipline is relevancy.
The problem with the vast majority of risk management programs is that they do not engage the organization in the process of identifying and assessing risks, whether they are hazards or opportunities. Instead, we have developed a cottage industry of “risk experts” who impose seemingly abstract standards on the business process. We feel constrained to emphasize again that defensive policies, whether they be insurance models or control frameworks, are an important component of prudent business practices, but making them the centerpiece of a risk management function in a complex global organization is inappropriate. Growth is driven by the execution of strategy and that execution requires an understanding of the risks that must be undertaken to be successful.
Too often organizations focus on the control function frankly because it is easier to achieve. Relevant risk management requires engagement with the senior operational and business managers to understand what they are trying to accomplish and then providing them with information that will contribute to their success. Risk managers need to be skilled in not only the technical aspects of risk assessment, but also in the interpersonal and organizational areas to be successful.
There is also concern about a more insidious problem with the current focus of risk management. Reactive change is almost never resilient change. Without the context of the business objectives, control procedures can be instituted that appear to reduce risk by defending against abuse, but actually create risk to the organization’s ability to compete and enhance efficiency. Over time, these procedures are often ignored, further weakening the legitimacy of the risk management process. Controls only survive when they are perceived as central to the mission.
Obviously, there are precious few organizations today that have the clarity of mission that NASA had in the 1960s. However, given the acceleration of global competition, we would argue that the urgency of managing risk has never been greater. The struggle for relevancy in the day-to-day process of the organization is key to the evolution of risk management from a compliance function to a discipline that develops business intelligence to further the strategy. Perhaps out of necessity, the pendulum has swung toward the implementation of internal and external controls to address the recent abuses. It is now time for movement back toward the center where these controls can be balanced by risk information that contributes to the bottom line.
References
Against the Gods, The Remarkable Story of Risk, by Peter L. Bernstein, Published by John Wiley & Sons, Inc. 1996
John F. Kennedy Library and Museum
Sarbanes Oxley Act
Bill Sharon, CEO and Founder of Strategic Operational Risk Management Solutions (SORMS) has 25 years of experience in the financial services and marketing/communications industry in a variety of “C” level positions and consultancies. The consistent thread throughout his career is a focus on streamlining operational environments in the service of the business strategy.
Bill can be contacted at bsharon@sorms.com
www.sorms.com

•Date: 6th Jan 2006 • Region: US/World • Type: Article •Topic: BC general