How many risks should be managed and how often should you do so?

An experienced practitioner made an interesting comment in a discussion group to which I belong. He said that “a focus on too many risks has diluted risk management’s effectiveness”.

I am quite concerned at the belief by so many that you only need to monitor 10-20 risks, and then only once a quarter or perhaps at most monthly. Just as my colleague is concerned with managing more than you can handle or that add value, I am concerned with managing too few!

I think you need to monitor the risks that:

  1. might have a significant effect on your ability to achieve your strategies and objectives, and
  2. affect your ability to make decisions and how you run the business.

Those risks need to be managed “at the speed of business” (see related blog).

What does this mean? I suggest that companies assess certain attributes of each risk (in addition to likelihood and impact) to determine how often they should monitor it. These attributes include:

  • Volatility: how often risk levels change to a significant degree
  • Velocity: the speed at which risk levels change
  • Clockspeed: the speed with which risk is identified, and the time available to respond (Keith Smith). For example, the speed at which an earthquake is noticed and the time until the tsunami hits.
  • The speed of the business: if decisions are made rapidly and action has to be taken quickly, they will benefit from more timely, current, reliable, and useful risk information
  • The ability to respond quickly: the longer it takes to respond, the more notice you need

Once these attributes are known, management can determine how often they want and need risk information to enable better decisions and management of the business. It then becomes a matter of designing ways to obtain that information.

Comments?

  1. ARNOLD SCHANFIELD
    July 28, 2011 at 10:44 AM

    Tell your friend that he does not know what he is talking about and that you do – I agree with you.

  2. Neil
    July 28, 2011 at 10:54 AM

    I agree with your concern at the thought process behind “a focus on too many risks has diluted risk management’s effectiveness”.

    Based on the statement alone, I see a lack of understanding the risk associated with their business; risk is dynamic and is different for every business and evolves as companies grow, change their strategies, etc. It goes beyond simple compliance, and has to map to the business, and vision of the business as a whole. Trying to maintain a static list of risks that you test on a periodic basis the same way year after year loses its effect as you’re basing your approach on the assumption that the business will never change.

    If you have “too many” risks to monitor and are concerned with diluting the impact of your risk management process, maybe it’s because you don’t really know where your risks are, or may not understand your business as well as you’d like to think.

  3. Ck6
    July 28, 2011 at 1:21 PM

    All risks have to be monitored. The question is how, and what are the successive thresholds for elevated monitoring. (Can you imagine the results of responding in a deposition, “... yes, we knew that was a risk, but it was a risk not worth monitoring”?)

    Each risk should have an internal value generated from a standard set of factors. Along with input from the board and senior management, the risk manager’s job is to monitor and advise when agreed thresholds are exceeded.

  4. Norman Marks
    July 28, 2011 at 1:23 PM

    Ck6, can you really monitor all risks – from significant to trivial? Surely there has to be a cut-off at some level otherwise you are monitoring the risk of leaves falling in the parking lot causing maintenance costs to rise.

  5. Ck6
    July 28, 2011 at 1:56 PM

    Norman, it is not a question of can you – you have no choice. The question is how to do it in a financially responsible manner.

    I refer you back to the deposition discussion. I am aware of two instances where this question was asked in depositions involving massive loss of life and property damage. In each case the defendant was hung with that answer. Even if the “system” failed, had they been able to say “we review all of our risks regularly”, the punitive portion of the damages would have been measurably less.

    Any ERM process should include a matrix with scoring agreed by management and the board. The risk manager’s job is to recommend the stratification, and perform the intermediate reviews. Some reviews will be weekly; some will be quarterly; some annually. Each time there is a review the matrix and resulting dashboard are changed and circulated.

    I started in the risk management industry over thirty years ago. Back then it was a very labor intensive process, but we were on top of it. With the advances in computing, it is not only much easier today, but we are now able to convey more information in a much more user friendly manner.

  6. Neil
    July 28, 2011 at 1:59 PM

    You’ll never be able to monitor all the risks, but the key is having awareness of the risks and having a logical threshold or cut-off on what constitutes risks that are important to “your” business. The threshold should be something, broadly speaking, that should account for the qualitative and quantitative factors associated with each risk with considerations given to their impact, likelihood, pervasiveness, reputational impact, etc, etc.

    • Norman Marks
      July 29, 2011 at 5:47 AM

      Hayley, as I read your comment you assume that the risk manager is the one managing the risks. Is that correct?

      Neil, I agree

  7. Premraj
    July 29, 2011 at 4:01 AM

    It depends from business to business and on their strategies, but what is sure is that having to maintain and monitor more risks shows that they are not up to the mark with their own business process. However, it is near impossible to monitor every risk; it depends on the criticality and frequency of the risk. At worst we would prefer to monitor monthly.

    Premraj

  8. Hayley
    July 29, 2011 at 4:51 AM

    Agreed! It’s an exercise of prioritisation. Your organisation may have hundreds of risks facing it, but risk managers must decide what their management strategy might be for dealing with those. That could mean they manage the risk, transfer it, exploit it, monitor it, or simply accept it – depending on its likelihood and consequences. The risks you choose to manage should be aligned to organisational objectives.

    Having gone through this prioritisation exercise, it might be that the company do only decide to actively manage 10/ 20 risks, but in my view there certainly shouldn’t be a set number of risks you look at.

    As others have mentioned, there is a worry about overloading the risk manager and asking them to consider too much information for too many risks. I think at this point you need to have some faith in the managers’ ability to logically prioritise, and not get them stuck in writing down numbers for each and every possible risk or scenario.

    Being aware of risk throughout the organisation by talking to experts, communicating these risks effectively to decision makers and workers, and promoting an effective risk culture could be far more valuable than having your risk manager sat in an office filling out paperwork.

  9. July 29, 2011 at 5:15 AM

    In an ideal world all the risks need to be managed. In the real world, that is usually a near-impossible task with the resources allocated to most in charge of Risk Management for a company.

    The first thing to do is a self-audit of your management processes and look for improvements that will let you manage the most possible risks effectively. Often there is a process that is being used that is outdated and inefficient.

    Implementation of task software as opposed to a bunch of spreadsheets and binders is a common way to improve efficiency. Spreading the responsibility around IF there is good ability to manage more staff in their assigned tasks is another great help.

    These are a few examples of how to manage the most risks that you can. Is 100% realistic? I believe awareness at 100% is realistic and imperative. Management of those known risks can then be implemented, if even on a rolling basis. It might not be perfect, but in Risk management, few things ever really are so we try to get as close as we can.

    Anthony

    • N Wallace
      July 29, 2011 at 6:18 PM

      Self-auditing and assessing is key! Don’t wait for the auditor or regulator to do it. Self-assessing your risk allows you to understand your threats. The issue here is understanding the benefits of having a risk self-assessment program. Some think it is a waste of time if the assessments are not maintained and tested on an ongoing basis. Also, getting management to certify and attest to these assessments creates more accountability and consciousness.

  10. Matthew Lynch
    July 29, 2011 at 6:55 AM

    As always Norman generates interesting discussions!

    I feel as if Hayley and Anthony have the right idea. Companies are not static; even the worst of them are continually in flux. Some changes are slow, almost imperceptible and others much more dramatic and sudden. The key to managing risk is first to identify all of the risk – no matter how insignificant it appears on the surface. Second is putting into play adequate prioritization for the monitoring, review and allocation of resources to mitigate the risk. Both require input from all levels – top to bottom.

    Successful management of the risks comes with an appropriate monitoring of key events affecting the potential risks; analysis of the management/business processes effectiveness in mitigating the risks; and a periodic reassessment of the risks and their prioritization. It’s been my experience that the risk ignored is usually the one that comes back to bite you. As Ck6 noted that might happen when you least expect it, as in a deposition.

  11. Robert
    July 29, 2011 at 12:07 PM

    In my thinking risk management is akin to safety management. In our company we have safety managers and they have a role, BUT the big promotion is that EVERYONE is responsible for safety: safety of themselves and those around them. In my view the same applies to risk management. The promotion is to make everyone assess the risks in their corner of the business and to apply the normal rules of assessment, mitigation and acceptance, albeit without the burden of formality and tracking unless they are of significance at a higher level. This will happen all over the company. However, what is imperative is that those risks that have major potential impact at the corporate level are on the radar at senior management and Board level. So my conclusion is that all risks should be managed, some very informally and some with a very high level of focus. The trick then is to create the ethos of risk awareness throughout the whole organisation.

  12. Norman Marks
    July 29, 2011 at 12:08 PM

    I really like the analogy, Robert (having spent 10 years in oil and gas). Thanks for sharing it.

  13. N Wallace
    July 29, 2011 at 6:14 PM

    I think the type of risk you have identified in your organization determines the frequency with which it is monitored. Developing a good risk management framework, identifying your key risks and developing a good monitoring program specific to your organization’s risk is key. As someone commented previously, it can be very dynamic. Knowing those that are dynamic and shifting your strategy to take those into consideration can lead to successful risk monitoring and management. For example, from a credit card perspective, over the last 2-3 years, credit risk has been dynamic. Changing your credit risk program, adjusting one’s strategy to the economic changes and being more proactive in your decisioning versus reactive can lead to better credit risk management and a better impact on your portfolio.

  14. July 30, 2011 at 11:45 AM

    I do agree Norman. Although my background is in Programme Risk Management, this is a similar theme that I have experienced. In fact I would go ahead and even draw parallels to the financial segment. As the number of stocks in portfolio increases, the standard deviation of non-systemic risk drops but flattens. So beyond a point any addition of stocks does not reduce risk level. So if the number of project risks increases, does it necessarily mean the effectiveness of risk management increases? I think it follows a similar curve (Beta Coefficient curve). In answer to your question of how many risks, I would say a thorough analysis by 1 Risk Manager on a weekly basis cannot handle more than 30-40 risks. Glad to know views of others. Regards, Ravishankar Anantharamu

  16. July 30, 2011 at 9:07 PM

    I see a dimension of “Risk Prioritization” in your friend’s comment / statement. Maybe he is coming from that angle, but I do not agree that management’s focus on risks should be limited to n number at x frequency.
    The management’s ability to effectively focus on n number of risks at x frequency may vary from organization to organization and across geography depending upon a lot of factors, but risk dynamics entirely depend on how dynamic the internal and external environment is.

  17. Helen
    August 8, 2011 at 12:44 PM

    An interesting discussion. I agree with Norman and I like Robert’s analogy. Risk management is everyone’s business, it’s not a separate (and therefore optional!) exercise, it’s just how you achieve your objectives. The key consideration is at what level the risks are monitored and reported to ultimately enable the Board to have a clear picture of the overall risk portfolio of the Strategic Corporate risks (which will be informed by the operational risks), however many risks that may be. I’m inclined to say that if the Board thinks there are too many risks for it to monitor, then it should be simplifying the organisation to reduce those risks.

  18. Neil
    August 11, 2011 at 8:24 AM

    Risk is “owned” by the business. Risk Management (in a regulated financial services group) is about monitoring and reporting to senior management and the board of directors “appropriate” information to allow (force?) them to take the decisions they need in order to control their business. The dynamic nature of all companies requires a focus on the most important risks they face at a point in time, combined with an understanding of “the rest”. As a result, most financial services groups will collate the “144 risks in financial services” (courtesy of E&Y several years ago) into 10 or 12 high level categories and then look at a “top 10” (or 12 or 15...) within each category. Does that equate to following 10 risks or 100, 120 or 150? This does require rigorous self assessment and a robust and dynamic process to prioritise what matters “now”. Market Risk (one bucket) is made up of many positions, but (as above) understanding what drives your market risk allows you to focus on how much exposure you have to a specific factor (country, interest rate, whatever...).
    Fixing the number of risks “managed” or reported makes no sense. I have been as happy to report a “top ten” with 8 risks as with 15.
    What is most important is to retain management/board attention, which is invariably inversely proportionate to the length of the list...

  19. slmaxim
    August 31, 2011 at 11:50 PM

    I think you may limit your risk base to make it more manageable, but you must know about all risks and monitor each of them to make a decision about risk appetite. Ultimately, when we identify a risk we think about the impact of not achieving activity goals. So you may express your activity’s risk as the situation of not achieving its goals. These risks are simple to manage, I think. But you must assess all causes of each situation. It will be another level of analysis, without the need to be reported to senior management or any boards.
