Home > Risk > An Interesting Paper on Risk Management

An Interesting Paper on Risk Management

December 2, 2013 Leave a comment Go to comments

The firm of Arthur J. Gallagher & Co. has published an interesting and challenging paper, Collaborative Risk Management: “Risk Management” vs. “Managing Risk”. While it is targeted at organization s in higher education, its message is relevant for all.

The firm is an insurance broker that provides consulting services related to risk management. One of their principals, Dorothy Gjerdrum, was one of the individuals involved in the paper. She is their Executive Director for the Public Entity & Scholastic Division; the leader of the committee (the Technical Advisory Group of which I am a member) that represents the US standards agency (ANSI) in risk management related standards (especially the global risk management standard, ISO 31000:2004); and a friend.

I am putting that friendship and my respect for her as a risk management practitioner aside to review this paper.

Let’s get the main criticism out of the way: this whole idea of Collaborative Risk Management (CRM) is a repackaging of proven and long-established principles. The authors say that they are writing the paper because too many organizations are treating risk management as a project instead of a continuing management process. However, I don’t think they need to provide a new name for established best practices.

Yet, I agree with many of the statements in the paper and we should focus on those instead of the name the authors put to risk management. Here are some excerpts with my comments:

“There can be a tremendous difference between institutions that have risk managers and institu­tions that manage risks. One end of the spectrum is represented by the often-overworked individual with an overstuffed portfolio. At the other end…will be found… multiple integrative teams and a culture that rewards risk ownership and builds risk assessment into every initiative. These teams take into account an appropriate stratification of risk, assuring that board-level, administration-level, and operational-level risks all have proper owners and teams working on them. Support and a structure are established whether or not, and long before, exhaustive “risk registers” are created. Rather than slogging through a cumbersome catalog of many and unequal risks, a strategic, carefully selected few have coalesced and become the main focus. “Risk” has become a category incorporated in the planning process, like staffing and budget, for every enterprise of the in­stitution—woven into the culture not by the efforts of one employee, but by many teams.”

The paper restates the  argument more simply: “the key is an understanding of the difference between ‘risk management’—per­haps assigned to one harried Director of Risk Man­agement (or Chief Risk Officer, or Audit, Compli­ance, Legal, or Finance)—and ‘managing risk,’ which top-flight institutions realize is a collaborative, distributed, networked assignment for everyone.”

Comment: It is indeed time to move to the management of risk, where the risk manager neither owns the fish nor gives them to executives and the board. Instead the CRO teaches the organization how to fish and assesses his own performance by the number who can fish without help. The CRO counts the fish harvested by others and provides the board with consolidated reporting.

The paper continues:” Much positive collaboration can take place when teams are utilized, and the team leader sees the job of the team as ‘managing risk’ for the institution as a whole. On such teams, the risk manager may be a frequent participant but may be the leader on only a select few, if any.”

I don’t know why, but the refrain I have been using the past few years seems to becoming popular. I use it for both risk management and internal audit, saying that they “have to stop being the department of ‘no’, and become the department of ‘how’. Gallagher says it well:

“Operational risk managers have long bemoaned the fact that, like a James Bond villain, we are oc­casionally nicknamed “Dr. ‘No!’” Internal clients sometimes feel they have exciting ideas for programs and opportunities with great institutional benefits, but when they run those ideas past risk manage­ment, all they hear is “No!” because operational risk management focuses on the negatives. Admittedly, part of this is defensive: someone needs to point out the risks and possible downfalls of ideas for which the proponents only see the positive. But this role may cast operational risk managers in an unpleasant light. No one wants to talk with risk management if it only means their ideas will be shot down.

The new landscape of risk management is bringing a simple, one-word change: risk management is now the process of trying to help others get to “Yes!”

The paper tackles the need to remember that risk management is not only about navigating the possible adverse effects of uncertainty; it is also about seizing opportunities:

“[Effective] risk management specifi­cally aims to incorporate positive risks. That is, [it] means to consider opportunities and the cost of not being able to leap at them—such as letting other schools gain a competitive advantage, or missing out on a clear demographic shift. While operational risk management has historically weighed the cost of a course of action, [effective risk management] also considers the potential costs of not acting—the “carpe diem!” failures…..ERM is about… achieving success as much as avoiding failure.

The authors have suggestions for bringing the disciplines of risk management to the decisions and actions of the board and top executives:

“One significant challenge with integrating risk man­agement throughout the institution is determining whose job it should be. Strategy is traditionally the province of the Board. A healthy Board asks stra­tegic questions: “Where should the institution go next? What major initiatives should we undertake? What societal and demographic forces may threaten our success, or propel us to further greatness?” Few operational risk managers are asked to consider these high-level issues, or to report on them to the Board, much less to manage them. Since ERM incorporates consideration of strategic issues (along with any issues that keep the institution from reaching its objectives), there is a common disconnect between it and what institutional risk managers have tradition­ally done each day.”

They continue: “Certain types of risk should be managed directly by the Board, through the use of Board commit­tees. On the other hand, the Board does not run many aspects of the ERM process—the Board is not in a position to drive ERM initiatives through the institution on a daily basis. The way forward is to delineate carefully the respective roles of the Board, senior administrators, and operational risk manag­ers. Stratification is key—some risks, such as strategic questions, major initiatives, and general societal and demographic shifts, are the role of the Board. We might call this true “strategic risk.” Senior adminis­trators, by contrast, are responsible for implement­ing the decisions of the Board as operations of the institution, and minding specific risks facing the institution as a whole (“institutional risk”). Likewise, operational risk management will likely be aware of, and in a position to address, risks that may be below the sight lines of the Board or senior administrators, but nevertheless might affect the eventual success of the institution in achieving its objectives (“unit risk”). These different risk types should be handled by different groups across the institution. Success­ful [risk management] must incorporate the perspectives of all of these participants, in their proper strata. Thus risks, besides having aspects such as frequency and sever­ity, have an altitude, a level at which they are best managed. A Board thus manages risk via linkage between various levels of stratification: committees report up to certain senior-level administrators, who may report to Board committees and thus to the full Board.”

Comment: this idea of altitude is intriguing. It may work for some and not for others. They key is to understand who owns and is responsible for managing risk (typically the individuals who own and manage performance and achievement of the related objectives). This requires that top-level objectives and risks are cascaded down across the enterprise and that people take ownership of that slice of the objective and risk that is in their area of responsibility.

The authors spend a lot of time reviewing what causes risk management initiatives and programs to fail. I will let you read through these, just excerpting one point. This talks to a feature of many risk management programs where management (and the CRO) may feel, in error, that they have effective risk management.

“The biggest problem……… was that once a board committee or senior administra­tor indicated an ERM program was wanted, the institution often plunged at once into a process of risk identification. Long lists of risks—risk registers— were created, some with hundreds of entries. Risk managers, and ERM teams, are getting stuck at this risk register phase and are having difficulty moving on to actual management of the risks. There seems to be an 80/20 problem: 80% of scarce ERM time is spent on identification and assessment (frequency, severity, velocity and the like), and only 20% is applied to strategic thinking.”

Comment: I frequently lament (such a good word) two things: 1. There is too much emphasis on identifying the risk and not enough on taking action to optimize outcomes, and 2. People are managing a relatively static list of risks instead of implementing a risk management program that is “dynamic, iterative, and responsive to change” and embedded into organizational processes (ISO and COSO both say this). As I said earlier, the CRO must teach managers and executives to fish.

The document also provides advice for getting risk management right. Again, I won’t go into detail: it repeats many of the suggestions others have made about support from the top, ensuring the right risk culture, selective appropriate guidance (they prefer the ISO 31000:2009 risk management standard), and more.

There is one important point that they infer but don’t state directly.

Risk managers have used workshops as an effective technique for identifying, assessing, and treating risk. But we should ask whether it makes sense to have a team (for that is what this is) that is only responsible for the risk aspect of the decision-making process. There are probably teams (if not in name) that come together to address the performance side of the decision-making process, and it would be better to have them include the risk side rather than set up and run a separate risk workshop.

I welcome your thoughts on this and the other aspects of this interesting paper. It is worth downloading and reading.

  1. Ehtisham Syed
    December 2, 2013 at 10:15 AM

    Organizations of all types must manage their exogenous and endogenous risks effectively at all levels. Risk is the likelihood of an event occurring. The positive/negative is associated with the outcome of an event not with the risk, though op risk mostly deals with adverse events.

  2. Gary Lim
    December 2, 2013 at 2:58 PM

    When I started working in the 80s, there was no specific RM department, rather I am responsible for the performance of my area of responsibilities. If I am not able to carry out my duties hence my performance will NOT be on par then the company’s objectives will not be met. Looking back, what I did then was already RM, taking the definition of Uncertainty of Objective, I have to fulfill my objective to the best of my ability at all times.
    I agree that it should be embedded in our daily work, rather than a single department THEN we can get so engrossed with our daily work that we take things for granted or we develop higher and higher risk tolerance (..eh…it won’t happen!, one time we got away, so repeat)
    The statement of teaching the HOD how the techniques HOW to fish is the balanced approach to RM

  3. December 3, 2013 at 2:32 PM

    Wouldn’t our profession (RM) have moved on so much further by now had we applied ourselves more to holding CXO level objective setting discussions back in the early days of COSO 2?

    Now we are exclusively (professionally) focused on managing the effects of uncertainty on objectives. We are thus required to hold and positively contribute to business discussions (on threats and risks to objectives, criteria and KPIs) as distinct from ‘Dr No’ type compliance and downside management of risks discussions?

    I regard risk management in its traditional form as fulfilment of a compliance requirement and thus a sunken cost.

    Managing risks associated with mission critical objectives on the other hand is a value creating activity with direct benefits to improving competitive advantage and enhancing organisational resilience.

  4. Doug
    December 4, 2013 at 10:01 AM

    Thanks for sharing this document Norman. Useful guidance for folks in Higher Ed.

  5. John
    December 5, 2013 at 12:03 PM

    The decentralized structure and limited accountability, as seen in most US colleges and universities, presents challenges to implementation of any of the current ERM models. I agree with Doug that this document shares sound concepts that I suspect will work well within higher education institutions that profoundly cherish their academic freedom and bristle at the concept of centralized administration.

  6. Jatinkumar Modh
    December 5, 2013 at 7:54 PM

    The paper truly incorporates and imbibe the idea that “Managing Risk is not one man’s job, but it’s an collaborative effort”. With the collaborative tools available, CRM is the most efficient and effective way to manage risks, rather than just looking at the traditional way.

  7. Randy Legault
    January 8, 2014 at 9:18 AM

    Risks = uncertainty = threats AND opportunities (once identified) have to be managed.

    Objectives/targets need to be set and implementation plans of action established with performance indicators that can be tracked either as part of a systemic approach to organizational performance measurement or as part of an employee performance management system or, ideally, both. I am not sure how this is done in “the academy.”

    In short, the executive and managers of the organization must actively “manage” risk in a concrete way.

  8. February 13, 2014 at 12:52 PM

    Traditionally, risk management was thought of as mostly a matter of getting the right insurance. Insurance coverage usually came in rather standard packages, so people tended to not take risk management seriously. However, this impression of risk management has changed dramatically. With the recent increase in rules and regulations, employee-related lawsuits and reliance on key resources, risk management is becoming a management practice that is every bit as important as financial or facilities management.

  1. December 2, 2013 at 9:41 AM
  2. December 2, 2013 at 1:54 PM
  3. December 9, 2013 at 6:25 AM
  4. May 18, 2014 at 10:18 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: