
The elusive ‘risk culture’

What would a truly effective risk culture look like? Bill Sharon, CEO and Founder, SORMS, explores the subject.

At the recent World Economic Forum in Davos, Switzerland, William J. Parrett, CEO of Deloitte Touche Tohmatsu, lamented the narrow focus of risk management efforts on the area of financial risk. He went on to state that there were physical risks that were not being adequately addressed; the primary example he cited was the impact of a potential bird ‘flu pandemic. A white paper referenced in the press release on the Deloitte site goes on to encourage those involved in risk management to ‘imagine the unimaginable’ when assessing potential risk to an organization. The key requirement for the success of this effort is the fostering of ‘a holistic and integrated risk management culture’.

Certainly the world can be perceived as a frightening place. In the United States there are major earthquake zones – the well known fault running down the coast of California and a less publicized one in the Mid-West. Less than 200 years ago there was a quake in Missouri ten times stronger than the one that destroyed San Francisco in 1906. Recently New Yorkers were made aware of the possibility of a tsunami that could destroy the island of Manhattan. From a global perspective, we know that a large meteor hit the earth 65 million years ago and was likely the cause of the extinction of 70 percent of the species on the planet.

The list of potential catastrophes goes on and on. Some are well known, others lie just beneath the surface awaiting a particular confluence of events. It is hard to argue that bad things don’t happen. But the problem with the current state of thinking about risk management is the context in which every imaginable (and, from Deloitte’s perspective, unimaginable) hazard deserves consideration by the business community. Certainly if an organization provides products or services in the areas of pharmaceuticals or emergency services or other fields directly related to dealing with a pandemic it is useful and probable that they plan to leverage that expertise in the event of an outbreak. But extending that effort to unrelated businesses begs the question as to whether bird flu is the right physical threat to address. This is a conversation without end and one that, regardless of protests to the contrary, engenders a very dangerous human emotion in the process of rational decision making: fear.

Addressing the damaging effect of this focus on all manner of hazards in risk management is dangerous ground. An environment has been created where executives and board members are bombarded with a laundry list of risks and then essentially challenged to ignore them at their peril. Certainly there are activities that all businesses should take to maintain security, contain fraud, achieve transparency in their financial records, etc., but we (SORMS) would argue that these activities should be the natural result of the execution of business strategy rather than some exceptional effort that assumes that business managers don’t have the sense or the ethics to act in the interest of their stockholders (yes, some don’t, but the vast majority do).

“There is no security on this earth. Only opportunity.” Douglas MacArthur

While MacArthur’s quote may not bring comfort to some, it is an accurate statement when applied to the business environment under the capitalist economic system. Chasing security is a fruitless effort unless it is pursued as an element of exploiting an opportunity.

Much of the literature and many of the consulting firms admonish organizations to develop a ‘risk management culture’. Apparently this culture would be developed through the education of all members in the organization to be aware of identified hazards and to be on the lookout for potential problems that are likely to have negative consequences. The problem with this approach is that there seems to be an assumption that the organization does not have a culture to begin with that already intuitively understands risk; one that only needs to be leveraged through a structured effort. The decisions about the response to financial, physical, operational (or any of the other categories of risk) need to be made within the context of what the organization is trying to accomplish.

People understand risk; they manage it every day. This understanding, however, tends to be defined by their responsibilities in the organization. Therein lies the central task for risk management. Business managers have a depth of knowledge and understanding of the products or services they want to offer, but are likely to have little understanding of the operational environment necessary to deliver them. Operational managers (Legal, Tax, IT, HR, Facilities, etc.) have knowledge of their area of expertise but may lack an understanding of how it specifically applies to the desired product or service. The element that unites their efforts is the business strategy.

Regrettably, there are many organizations where this strategy is rarely understood outside of the executive suite. Simply focusing on growth as defined by quarterly financial statements is not sufficient. Management teams must understand the priorities of the organization, the rationale for funding certain projects and not others, and the results that are expected in a variety of metrics, from customer satisfaction, market penetration, efficiency and transparency, etc. It is only when these conditions exist that an awareness of risk (risk defined as not only hazards but also opportunities and uncertainties) can be added to the existing culture.

Cultures exist. The task is to add a more conscious awareness of risk

In this environment, risk and the management of it can be understood as essential to the growth of the business. The risk management function becomes an element that unites the various disciplines in a common effort. In this context, managers can be motivated to not only describe and report threats and hazards to the strategy, but also opportunities and uncertainties that, if embraced, can have a positive effect. Position this view of risk and the development of an awareness of risk in an existing business culture against an effort that admonishes everyone to worry about what might go wrong.

The difference is stark and very real. The role of the risk manager in the hazard-only environment is confined to delivering bad news about risks that have a negative impact along with the cost of avoiding them. It is difficult to sustain an audience over time for this kind of information. Unless a negative event can be proven to loom in the near future, it is unlikely that it will get much attention or funding. Using the hazard/uncertainty/opportunity risk continuum in the context of the business strategy, the risk manager is the coordinator of information from both business and operational managers. There is a natural tendency to participate in the risk management process because it is part and parcel of executing the strategy. Risk management becomes a communications vehicle for furthering that strategy and a source for innovative ideas.

| Criteria | Risk as a negative | Risk as an essential element of strategy |
|---|---|---|
| Definition of Risk | Hazards | Hazards, uncertainties, opportunities |
| Context for identifying risks | The imaginable and the unimaginable | The business strategy |
| Owner of the information | Risk management organization | Business and Operational Managers |
| Response to Risk | Avoiding/Mitigating | Mitigating/Exploiting |

This, we believe, is the real role of risk management: the generation of the business intelligence (BI) necessary to align the resources of the organization with its strategy. It is dynamic and process driven and has the ability to shift the perception of risk with any change in the strategy of the organization. Instead of creating a ‘risk culture’, the risk management function leverages existing expertise, adding a dimension to the existing organizational culture.

Risk management: a coordinating and communications function

The effort to establish a risk management organization in the manner described above is not a trivial exercise, particularly in light of the drumbeat of harsh consequences for failing to anticipate negative events that is so much in the literature. That said, we believe that to be effective a risk management organization needs to be relatively small and nimble, as it primarily relies on information that already exists in the organization. This is a coordinating function; risk managers should be responsible for ensuring the participation of the organization rather than defining the meaning of risk and demanding that the organization respond. Making this happen requires the ability to synthesize information from a variety of sources, establish a framework that is understood and acceptable across the organization and develop channels to communicate relevant information. While this does not exclude identifying some high impact/low probability events in the course of developing a risk profile for a product or service, it certainly does not use that exercise as a starting point.

In addition to the coordinating function, the risk management group also has the charge to develop metrics to track identified risks and the efforts made toward their resolution. Some of these metrics will be defined by measuring the progress in mitigating hazards but these are likely to be confined to specific operational disciplines. Uncertainty and opportunity risk management generally crosses operational disciplines and business units and can combine information on the progress of discrete projects with the achievement of higher level business goals.

Expectations need to be managed in the implementation of this kind of risk management effort. It is not unusual in the early days to find that managers will define risk in terms of their own agendas rather than on the strategy of the organization. Risk is in the eye of the beholder; reframing perceptions of risk to align with the business strategy usually takes a little time.

Certainly Deloitte and all of the other auditing firms perform an invaluable service to companies and their investors. We might ask, however, that instead of focusing on the unimaginable risks to an organization, audit firms assess the viability of the business strategies of the corporations they serve and demand an accounting of how risks are being embraced to achieve those strategies. It would not be surprising to learn that many strategies are poorly defined, barely communicated and rarely measured. Therein lies a more significant risk than all of the high impact/low probability events combined.

Bill Sharon, CEO and Founder of Strategic Operational Risk Management Solutions (SORMS), has 25 years of experience in the financial services and marketing/communications industry in a variety of “C” level positions and consultancies. The consistent thread throughout his career is a focus on streamlining operational environments in the service of the business strategy.

Bill can be contacted at bsharon@sorms.com
www.sorms.com

Article Copyright SORMS 2006, all rights reserved

OTHER CONTINUITY CENTRAL ARTICLES BY BILL SHARON:

Risk management: What should be, what is and what could be

Operational risk management: the difference between risk management and compliance

Emotion rules: ignoring it won’t change anything…

Seeing the big picture…

Belts and braces…

Date: 23rd Feb 2006 • Region: US/World • Type: Article • Topic: BC general





Copyright 2010 Portal Publishing Ltd