Risk management is not a quarterly exercise. It should be a way of life

The Institute of Risk Management is developing a paper on risk appetite and risk tolerance (I am privileged to be a reviewer). I am confident this will be a great addition to the available, practical guidance on risk management.

It prompted me to think about what really matters, what makes an organization effective in managing risk.

The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a ‘check-the-box’ activity. Used well, it can help an organization achieve and sustain optimal long-term performance.

To be effective in managing risks, an organization needs not only to understand and assess its risks, but also to have a culture that embraces the active consideration of risk in:

  • Establishing the (short and longer-term) strategy, organizational goals and objectives
  • Developing, executing, and monitoring its execution of strategy and achievement of goals and objectives
  • Everyday decisions

I have seen too many organizations focus on identifying and assessing risks every quarter, maybe even talking in terms of a high-level risk response (e.g., accept the risk, or hedge it using currency swaps), at the expense of actually managing the risks day-to-day.

Let’s take a mundane example: my commute to work. One approach is to perform a quarterly assessment of the risks: (a) that I will be in an accident, or (b) that I will be delayed and miss important meetings. Since I am assigned to SAP’s Palo Alto office, which is about 18 miles and 25-30 minutes away (by freeway), to a certain extent I must accept the risk. I believe the risk of accidents to be low, and my response is to train myself to drive carefully. The risk of traffic delays is higher, especially if I leave during the morning rush hour, so my response is to schedule meetings for later in the day.

I assess these [residual] risks, compare them to my risk tolerance, and am satisfied. But should I be?

The other approach is to embed risk in my daily decisions. Each day, I review the next day’s schedule and plan ahead. If I have an early morning meeting, I will decide to leave home very early to avoid most of the traffic. (I will also check to confirm that I have to be in the office, in case I can reduce my risks by calling in). I also check the weather forecast and take that into consideration. When I wake, I again check the weather to see if I need to leave earlier (for example, if there is rain I should expect driving times to be longer). As I am driving, I am making more risk decisions. If the freeway is clogged up with traffic, I may elect to take side streets – taking into account the risk they are also slow due to increased traffic. I am certainly making a number of accident risk decisions as I drive. For example, I will stay further behind the car in front of me when it is raining.

Let’s take a second example, this time from corporate life. Years ago, I worked for a company that owned several oil refineries. One of its most significant risk areas was safety, not only of its employees, but also of the many employees of contractors (“contract staff”). At any time, there could be hundreds of these workers within a refinery. While it would have been easy to rely on the contract we had with the contractors, which had multiple stipulations regarding safety (including training and equipment), our Health and Safety department had performed a risk assessment and identified a number of actions it would take to ensure the safety of everybody working at a company location. These included mandatory safety training and orientation for all contract staff, close supervision by our employees, and more.

But, a periodic assessment of risk was not enough. The Health & Safety department also monitored safety training attendance records to confirm that all contract staff were attending and passing the tests. A drop in attendance would indicate a higher level of risk, triggering calls to the contractor and a higher level of monitoring of the work site by management. If a supervisor reported one of the contract staff was not following safe operating procedures, this would raise a risk red flag and actions would be taken – not only with respect to that individual, but to all workers from the contractor.

Assessing safety risk “every so often” was not enough. Risk levels change all the time, and my company needed to understand current risk and take appropriate actions.

It’s not enough to understand risks in your daily decisions; you need to actively manage them. Do you and your management team embed risk into your daily activities and decisions – and manage those risks constantly? Do you:

  • Consider risks in setting strategy – and assign responsibilities and tasks for minimizing the likelihood and adverse effects of those risks?
  • Include risk mitigation activities in project plans and similar documents?
  • Consider the risks to achieving your objectives every time you make a hiring or purchasing decision – and identify what you can do to manage the risks?
  • Continue to manage risks by taking actions every day?
  • Monitor risks, so that you are not surprised? Or do you wait until the official risk assessment time?

Is your risk management program a quarterly exercise or a way of life in the business?

  1. Ck6
    August 10, 2011 at 12:47 PM

    A way of life. Each stratum of the risk management process is reviewed as prescribed by the Board of Directors. However, a risk management snapshot is provided to the Board Risk Management Committee quarterly.

  2. Karen George, FRP
    August 10, 2011 at 4:20 PM

    Very good article. Wish it could be sent to some of our firm’s clients but they don’t speak English!

  3. Norman Marks
    August 10, 2011 at 4:21 PM

    Thanks, Karen. There’s always Google translator….

  4. Premraj
    August 10, 2011 at 5:47 PM

    Really nice one. We have risk associated with every task, no doubt, in personal or professional life, but with better monitoring and effective strategy planning we can minimise it somehow.

    BR’s,

  5. Barry
    August 11, 2011 at 7:52 AM

    I agree with the concept, but the question I have is what role and value does a formal ERM process have if management has effectively embedded risk management into its practices on a daily/regular basis. I expect a lot of management teams will say that they do this but in reality it may be far from the truth.

    • Norman Marks
      August 12, 2011 at 6:23 AM

      Barry, If risk management is effectively embedded into daily practices, then I see the risk management team helping with:
      – periodic ‘stock taking’ and reporting of risk and performance status to executive management and the board
      – mentoring and coaching of new people, refreshing the skills of others
      – facilitating cross-functional or more complex risk workshops
      – advising when opportunities to improve processes arise, such as using new technology
      – consulting on major new initiatives

  6. Ian lyall
    August 11, 2011 at 4:54 PM

    Couldn’t agree more. Managing project risk is probably another category. The level of risk should determine the level of documentation required.

  7. Nigel Todd
    August 12, 2011 at 6:07 AM

    Very good article! Managing the risks, whatever they may be, can of course only really effectively be done if you truly understand these in depth and have the competence and capacity within the organisation to regularly analyse and monitor these. Then of course, you also need the management culture to want to listen to potentially bad news and take action accordingly. I agree, risk management is more than just a job, it is a philosophy which the risk manager needs to have and share with their senior management.

    • Norman Marks
      August 12, 2011 at 6:25 AM

      Nigel, as I was reminded by my friend John Fraser, when you are embedding risk management into daily activities it is not really about the risk manager – it’s about the operational manager. The risk manager moves to a role I described in my comment to Barry, above.

  8. August 12, 2011 at 7:01 AM

    Hi Norman, excellent article…we would like to have your permission to translate and post it in our blig…we would add a direct link to this original.

    Best Regards,
    Juan Barham

    • August 12, 2011 at 7:02 AM

      Sorry, I mean our blog not blig….regards, Juan

    • Norman Marks
      August 12, 2011 at 7:03 AM

      Blig, blog, not a problem. 🙂 Please send me a link.

  9. julian du plessis
    August 18, 2011 at 6:07 AM

    Ian, I tend to agree with your explanation; however, although it makes business sense not to comply if the cost/benefit is in favor of not complying, one needs to think long term about this. And yes, the risk is regulatory intervention and/or even sanctioning with respect to not granting your business an operating licence in future for growth initiatives due to the regularity of non-compliance. Appearing to comply is like a driver slowing down whenever he sees the traffic police, which makes him appear to comply with road regulations and he never gets fined, but at the end of the day he is not a good driver.

  10. Norman Marks
    August 18, 2011 at 7:05 AM

    The potential effect of non-compliance can be complex to estimate, because there is not only the potential for fines but:
    – reputation risk
    – additional inspections that disrupt the business
    – escalation of fines and inspections over time
    – the potential for this to infect the corporate culture, so that risks in other areas increase

  11. August 18, 2011 at 7:42 AM

    Excellent post, Norman. I quote you and provide a link in my latest post on Operational Risk: http://bit.ly/ptPc99. I’m curious to hear your view on how companies differ in their abilities to deal with major unanticipated events; not only the risks we can anticipate. While we put Controls in place to mitigate the “known” risks, how well organizations respond to major threats seems something that is commonly overlooked. I look forward to your viewpoint.

    • Norman Marks
      August 18, 2011 at 8:00 AM

      Thanks – and appreciate the link and quote. The issue of crisis communications and response has been a concern of mine for a long time, going back to when I had responsibility for BCP and DRP. It is not possible to anticipate every possible event, but it is possible to improve your capability to learn quickly what is happening, inform the right people, get the people and other resources involved as quickly as possible, and handle both external and internal communications.

      Some have focused only on what they can anticipate. But those are not necessarily the surprises that cause the most damage. A crisis response program is essential.

      Note that, according to one board member, a board director may be asked to respond to the media within 5 minutes of a fire or explosion at a distant factory.

  12. Jose A. Ortiz
    August 21, 2011 at 6:21 AM

    Great to see this topic described with layman’s examples. I have used this approach myself when communicating risk management concepts to others. I felt for a long time that the disconnect between Risk Managers, Auditors, and Managers was mostly a language barrier. Through trial and error, I learned a long time ago that describing risks using a common language goes a long way towards educating managers and getting them to understand their accountability and responsibility for managing risks.

  13. Mark Daoust
    October 18, 2011 at 7:46 AM

    As Mr. Douglas Barlow once said, “All management is risk management”.

    Mr. Barlow was a risk management pioneer whose career spanned decades as a risk manager and educator. He is credited with creating the first global insurance and risk management program at Massey-Ferguson, a Toronto-based farm equipment manufacturer, where he spent much of his career. Mr. Barlow was also the first risk professional to hold the title of risk manager and is credited with coining the now-pervasive phrase, “cost of risk.”

    Mr. Barlow was a member of the initial class inducted into the Risk Management Hall of Fame.
