The Barriers to Effective Risk Management

Earlier this year, an interesting article on CFO.com considered the risk management practices at 10 major global banks. While it found that each of the banks considered risk management (or ERM, in the words of the author) a strategic priority and recognized that “risks of all kinds — not just credit, market, and liquidity risks — can threaten their performance and even their viability”, translating the intent into practice ran into several significant barriers:

  • Operating in default mode. By this, the author refers to the board deferring to the CEO, who in turn defers to the CRO (chief risk officer). While the author seems more concerned that the board is not actively involved, I am more concerned that risk management is left to the CRO rather than being seen as the responsibility of every manager at every level of the organization. The responsibility for managing performance should not be separated from the responsibility for managing risk, and this is exactly what is likely to happen when the CRO is seen as responsible for risk management.
  • Ambiguous mandates and limited resources. Budgets are allocated for operational activities, with no time left for holistic risk management. Again, my point is that operational activities must include risk management.
  • Risk is siloed in functional and business verticals. The article expresses this well: “Below the level of CRO, risk officers oversee tightly defined areas of an organization’s risk — and lack the authority and credibility to influence the wider organization. In fact, the risk function itself is often a silo, largely devoted to setting and monitoring quantitative risk parameters and leaving holistic risks, such as reputational risk, to others.”
  • There is no mechanism for addressing risk holistically. This is a continuation of the prior point: nobody is considering the interrelationship and potential aggregation of risk across the organization.

As a result, says the author, risk management “remains fragmented and provides poor visibility of risks”.

I like the point that appointing a CRO is just consolidating the risk silo into one organization, still separated from operating management’s responsibility.

Although I differ from the author’s opinion that risk management should be driven from a board perspective down, I wholeheartedly support the article’s ideal:

“Everyone comes to own enterprise risk individually. Over time, the institution creates — and continually refreshes — a culture in which it becomes second nature to strive for the ultimate goal of ERM: an enhanced capacity to increase stakeholder value by more effectively dealing with the risks and opportunities offered by uncertainty.”

My opinion is that while the article has detailed some important obstacles, the most important is that those who direct and manage the organization, including the risk officers, have not fully appreciated the true value of risk management. It lies in these two statements:

  1. Risk management informs and enables better decisions, not only at the board and executive levels but every day by operating management.
  2. Risk management helps you take the right risks.

I welcome your views.

  1. April 1, 2013 at 4:17 AM

    I think that you have focused the discussion in the right direction. I look at the blending of strategy, competitive intelligence, business continuity and risk management as critical to creating a robust enterprise capable of withstanding and, in some events, actually benefiting from risk realization (disruptive events). As strategy sets the goals, objectives and direction, it is incumbent upon the other three areas to support achievement of the goals and objectives in such manner as to provide early warning of impediments to achieving the goals and objectives of the enterprise and to crafting solutions that reduce resistance, or buffer the enterprise when risk materializes.

  2. April 1, 2013 at 7:34 AM

    The Board authorizes; Management implements; and the Chief Risk Executive facilitates.

    Your two statements are true. While risk management is a bottom-up process, without specific Board authority and participation, the process will not only be fragmented, but also creates the CRO as the point of real or perceived failure. Our only question before we accept a consultation appointment is how engaged is the Board? The answer will determine the amount of work we will be facing.

  3. :::_India_Nudge_Network_:::
    April 1, 2013 at 7:44 AM

    One of the main issues with Risk Management is ducked in this article. All risk management is completely personal first and then corporate. How it preserves the individual taking the decision is considered first. That is why Risk Management differs between companies and banks. Once you get to know how personal decisions affect corporate outcomes, you get a handle on everything.

    • April 1, 2013 at 7:53 AM

      This gets us into a discussion of decision analysis, biases and related topics (Thinking Fast and Slow).

  4. April 1, 2013 at 7:47 AM

    I would agree. This has to be a part of the way the entity does business, not an adjunct to the business of the entity. I often ask the question, “Is (risk management, business continuity, etc.) a way of doing business at your organization; or is it an adjunct to the business of the organization?” Your perspective on board engagement is critical.

  5. james
    April 1, 2013 at 12:51 PM

    v2rotate:
    The Board authorizes; Management implements; and the Chief Risk Executive facilitates.

    I totally agree with this comment. Without the Board’s endorsement and full support, the CRO/CRE will find himself/herself in a very difficult situation when carrying out the risk management work. Another important message I would like to add on top is that, in order to make Management implement the company’s risk management policy in a more effective manner, the managers have to be trained to be aware of, to understand and to appreciate the risk management approaches. In most circumstances you will see the risk management scheme standing at a different perspective, with an objective that runs against the operational objective. This makes operational managers see the risk management approach as a kind of barrier, not as value-added.

  6. April 2, 2013 at 5:39 AM

    To be honest, I’ve pretty much had it up to here listening to and reading about “Risk Assessment” or “Risk Analysis.” There is no lack of guidance. There is no lack of frameworks, or methods or toolkits or programs, etc. So, given the tsunami of information, tools and guidance, why is it that, based on the daily news, risk controls at the corporate level across the globe continue to appear to be an abject failure across the board?

    One thought that seems apparent to me is that everyone uses the same word, risk, and everyone has a completely different interpretation as to what it means. The CEO and senior executives think it means not getting caught until they have a chance to grab as much cash as they can and escape, or retire or avoid prosecution. The day trader sees it reflected in the daily fluctuation of the stock price. The major vendors see it in their quarterly sales quotas. The pension managers are looking to ride the next long groundswell, regardless of its nature. The employees are looking for long term security in retirement (sorry about that thing with Enron, WorldCom, Arthur Andersen, etc., etc.) The CRE or CAE is concerned with personal ethics and doing the right thing. Frankly, I can’t figure out what board members have in mind. Perhaps their next tee time.

    Jaded? Sure. But how many times do we have to see the same lame stories of the failures of corporate governance before real and effective reform and change takes place? We are like abused spouses eternally returning after the abuser promises to make amends. I couldn’t be more serious in saying that until we start to see these crooks and idiots doing the perp walk to some manner of real punishment, there will be no deterrence.

    • Richard Fowler
      April 3, 2013 at 5:54 AM

      I can appreciate your jaded view of risk management. You must realize, however, that the risk failures are newsworthy while the risk successes are not. And for every Lehman Brothers or JPMorgan Chase that was found to have accepted too much risk, there are hundreds of companies that are succeeding by taking less risk. Not zero risk, of course, because some risk is needed for a company to improve against the competition.

      As for Norman’s point that the CRO is taking the lead on risk, I think that’s misleading. The CRO may be taking the lead on risk assessment and risk mitigation, but the decisions are still made at the executive and Board levels. They determine that the company’s new goal is to make a new widget, the COO determines how the widget will be made, and the CRO figures out what could go wrong and works toward insuring against that risk.

      • April 3, 2013 at 6:25 AM

        I was confident that the point of me not acknowledging the successes would be highlighted. Certainly, there are well run organizations out there. For such an organization, I think, the basic principles of risk management are simply extensions of the well managed organization. For those that inculcate this up and down the chain on multiple operational levels, the significance of formal and scientific risk assessment is minimized. They already do it in their day-to-day culture. It doesn’t really make a lot of difference what framework or flavor they use.

        I think it’s the average and marginal organizations that need to pay attention, and where the success of risk management should be judged. These are the organizations that need help. It just seems, and this is completely subjective, that these marginal organizations ARE marginal because they are successful in dodging, avoiding, manipulating and otherwise failing to embrace, all these RM principles, along with many other internal control and sound management principles. It seems the RM profession spends too much time refining and changing and adjusting the mechanics and not enough time on implementing SOMETHING, regardless of any broad-based acceptance of the underlying academic basis.

  7. Jerry Stultz
    April 2, 2013 at 2:21 PM

    Let’s put this question in the lap of the rank and file. Right or wrong, the typical employee arrives each day with a couple of expectations. First, they expect to have far more to deal with than they could hope to manage. The typical organization is far better at asking for more from its staff than it is at aligning leadership and eliminating waste. The second expectation is that they will have conflicting priorities fall to them to resolve, leadership having failed them. In a truly progressive organization, the impact of this condition is minimized as those most impacted see evidence of a committed improvement culture at some favorable state of maturity. The vertical separation within the organization gives way to growing trust and collaboration. Unless this environment, where the vast majority of staff believe in the leadership’s competence and trust prevails, exists, RM will be DOA. It will never have the potential that implementing effective, aligned leadership has and therefore will never be regarded as a legitimate initiative. What is the biggest obstacle to RM implementation? Poor organizational culture resulting from a lack of sound leadership.

  8. AS
    April 4, 2013 at 12:04 AM

    Re “There is no mechanism for addressing risk holistically” – maybe ask enterprise architecture (EA) to help? For example: http://improving-bpm-systems.blogspot.com/2011/10/ea-view-on-enterprise-risk-management.html

  9. April 11, 2013 at 8:20 PM

    Great conversation starter. What this really flags to me is there’s no uniformly adopted view of what good risk management looks like. These are four important attributes (which I agree with) but they’re only four of many.

    IIA recently released a new qualification – CRMA to recognise that internal auditors need to be able to assess this, and the first batch (myself included) have received their post-nominals based on recognition of prior learning and experience rather than their ability to perform a rigorous assessment of the adequacy of risk management.

    Tools abound to do this, but they’re fragmented and often proprietary. I find myself as a CRMA developing my own maturity model (initially using a scale of good, bad, ugly & great) to focus the mind.

    The question for me is whether the IIA should develop some tools in this area, or whether we leave it to the free market to develop its own. Norman, assuming you’re still involved actively with the IIA Professional Practices Council, perhaps this is a question you’d like to raise with them.

