Last year I published an article on Governance and a number of people wrote to me, critiquing the article over its failure to adequately include risk as a separate item in the frameworks I was using. Their point was that while risk management is an integral and mandatory discipline for executive management and company directors, it is sufficiently important for it to be addressed as an item in its own right.
I agree with this point of view but am not convinced that risk management is something separate from the day to day running of the business. To be fair I don’t think the people critiquing my article intended that risk be separated from the business; rather their view was that it is a specific discipline and it requires special emphasis in the business. This is particularly true as the operational time horizon shifts from tactical to strategic for the more senior levels of management in the organisation. This includes directors.
At the senior levels, the strength of the focus on risk is so strong that risk is frequently governed through a stand-alone committee (risk or risk and audit committee) or through a specialised role such as chief/senior/global risk manager.
The problem is that best practice (of any sort) embraced at senior levels, frequently does not filter down to the operational level. And when it comes to risk management this schism remains unchecked by the advisory community (consultants etc) and tactical risk plans seldom, if ever, adequately reference the strategic risk frameworks that are used at the senior levels in the organisation.
The majority of the tactical risk management plans comprise of the same elements; Identify and Assess, Evaluate, Manage and Measure.
While the verbs may change from model to model and author to author, the intent remains consistent between the various models.
The standard approach at the tactical level is to hold workshops to identify and assess and evaluate the risks facing the business or project. Comprehensive lists of risks are produced.
My view is that these workshops fall foul of the principle that – you don’t know what you don’t know – and it should be expected that important risks will be missed. This is the risk of risk management.
It is impossible to remove the problem of, you don’t know what you don’t know, but it is possible to mitigate it if you change where you start, and you don’t start with Identify.
My recommendation is that the preparation of a tactical risk management plan should start with an articulation of company culture and a reaffirmation of the risk appetite of the business. Risk appetite can be defined, as the nature and extent of risk a company is willing to take in order to meet its medium to long-term strategic objectives. To have clarity on risk appetite, demands that the business understand exactly what business it is in and whether the business strategy is aligned to the business itself. For example, the major food retailers are not really in the business of selling food. Rather they are in the treasury business. Every day they collect millions in cash deposits and therefore have no problems with accounts receivable. On the other ‘side’ they pay suppliers slowly. Their true business is to invest and grow the funds in between.
Confirming there is a common understanding of the company culture is important. The simple definition of culture is – the way we do things around here and the risk appetite should be aligned to the culture. Obviously a high risk appetite will not fit a company with a highly conservative culture.
Risk appetite is different to risk tolerance in that risk tolerance defines how much of each risk type the business will accept. It is the risk parameter for each risk type. Risk tolerance allows the risk appetite to be broken down into measurable components.
I am not suggesting that the team preparing a tactical risk management plan should start with redefining the culture in the company. Rather they should make sure that everyone agrees what the culture is and make sure they fully understand the risk appetite and associated tolerances for the business.
At the tactical level, the ‘Identify’ activity then becomes an exercise in aligning identified tactical risks to the short-term tolerance levels. This will ensure the tactical risk management plan is aligned to types and areas of risk the company is willing to embrace as risk tolerance is informed by risk appetite. It also encourages the completeness of thought around tactical risks. A quick review for ‘widows and orphans’, between the tolerances and the tactical risk plan, should quickly identify missed or non-aligned risks.
Using risk tolerance means that you already have the parameters for your risk model. This does not mean that the parameters at the tactical mirror those of the strategic level, but there should be some obvious alignment.
From a risk management point of view you are now in a strong position to identify and assess, evaluate and manage risks.
The manage step can be complex and the title is misleading. A more fitting title would be ‘Protect’ as in how does the company protect itself against risk. There are three primary defences:
- Transfer risk – external insurance
- Reduce it. Operational response
These three choices should be used concurrently. The weighting between each ‘protection’ option is determined by the risk appetite, the specific risk under consideration and the time horizon associated with that risk.
By way of example, consider reputational risk. There is little point taking internal or external insurance against reputational risk as once it manifests you can’t undo it. You can’t un-sink a cruise liner or un-crash a crashed IT server. Insurance money will help pay for the PR campaign required to rebuild the reputation and other associated costs such as liability payouts or consequential legal fees. But these are different risks, not reputational risk. When it comes to reputational risk, prevention is the preferred option. The same applies for employee safety.
The concept of risk prevention is also a misnomer. You do not want to prevent risk as to achieve anything in business requires a certain amount of risk. To prevent a cruise liner sinking you would not go to sea. Rather the intent of risk management is to reduce risk in terms of frequency, likelihood, and consequence. That is, reduce the frequency of having to face the risk, the likelihood of the risk materialising and the impact to the business should it materialise.
Self-insure and risk transfer are predominately financial decisions and will not discussed further.
Effective risk reduction comes from using an appropriate risk framework and relating it to the business processes and to the control points within the processes.
This model extends to reference the process manager and the process owner should these roles be different.
The importance of relating risk to process cannot be overstated. The definition of risk appetite is ‘the nature and extent of risk a company is willing to take in order to meet its medium to long-term strategic objectives’. You have to take risks to be in business and the products and services of the business are delivered through the business processes. Therefore risk and business process can never be separated.