An Interesting Paper on Risk Management
The firm of Arthur J. Gallagher & Co. has published an interesting and challenging paper, Collaborative Risk Management: “Risk Management” vs. “Managing Risk”. While it is targeted at organization s in higher education, its message is relevant for all.
The firm is an insurance broker that provides consulting services related to risk management. One of their principals, Dorothy Gjerdrum, was one of the individuals involved in the paper. She is their Executive Director for the Public Entity & Scholastic Division; the leader of the committee (the Technical Advisory Group of which I am a member) that represents the US standards agency (ANSI) in risk management related standards (especially the global risk management standard, ISO 31000:2004); and a friend.
I am putting that friendship and my respect for her as a risk management practitioner aside to review this paper.
Let’s get the main criticism out of the way: this whole idea of Collaborative Risk Management (CRM) is a repackaging of proven and long-established principles. The authors say that they are writing the paper because too many organizations are treating risk management as a project instead of a continuing management process. However, I don’t think they need to provide a new name for established best practices.
Yet, I agree with many of the statements in the paper and we should focus on those instead of the name the authors put to risk management. Here are some excerpts with my comments:
“There can be a tremendous difference between institutions that have risk managers and institutions that manage risks. One end of the spectrum is represented by the often-overworked individual with an overstuffed portfolio. At the other end…will be found… multiple integrative teams and a culture that rewards risk ownership and builds risk assessment into every initiative. These teams take into account an appropriate stratification of risk, assuring that board-level, administration-level, and operational-level risks all have proper owners and teams working on them. Support and a structure are established whether or not, and long before, exhaustive “risk registers” are created. Rather than slogging through a cumbersome catalog of many and unequal risks, a strategic, carefully selected few have coalesced and become the main focus. “Risk” has become a category incorporated in the planning process, like staffing and budget, for every enterprise of the institution—woven into the culture not by the efforts of one employee, but by many teams.”
The paper restates the argument more simply: “the key is an understanding of the difference between ‘risk management’—perhaps assigned to one harried Director of Risk Management (or Chief Risk Officer, or Audit, Compliance, Legal, or Finance)—and ‘managing risk,’ which top-flight institutions realize is a collaborative, distributed, networked assignment for everyone.”
Comment: It is indeed time to move to the management of risk, where the risk manager neither owns the fish nor gives them to executives and the board. Instead the CRO teaches the organization how to fish and assesses his own performance by the number who can fish without help. The CRO counts the fish harvested by others and provides the board with consolidated reporting.
The paper continues:” Much positive collaboration can take place when teams are utilized, and the team leader sees the job of the team as ‘managing risk’ for the institution as a whole. On such teams, the risk manager may be a frequent participant but may be the leader on only a select few, if any.”
I don’t know why, but the refrain I have been using the past few years seems to becoming popular. I use it for both risk management and internal audit, saying that they “have to stop being the department of ‘no’, and become the department of ‘how’. Gallagher says it well:
“Operational risk managers have long bemoaned the fact that, like a James Bond villain, we are occasionally nicknamed “Dr. ‘No!’” Internal clients sometimes feel they have exciting ideas for programs and opportunities with great institutional benefits, but when they run those ideas past risk management, all they hear is “No!” because operational risk management focuses on the negatives. Admittedly, part of this is defensive: someone needs to point out the risks and possible downfalls of ideas for which the proponents only see the positive. But this role may cast operational risk managers in an unpleasant light. No one wants to talk with risk management if it only means their ideas will be shot down.
The new landscape of risk management is bringing a simple, one-word change: risk management is now the process of trying to help others get to “Yes!”
The paper tackles the need to remember that risk management is not only about navigating the possible adverse effects of uncertainty; it is also about seizing opportunities:
“[Effective] risk management specifically aims to incorporate positive risks. That is, [it] means to consider opportunities and the cost of not being able to leap at them—such as letting other schools gain a competitive advantage, or missing out on a clear demographic shift. While operational risk management has historically weighed the cost of a course of action, [effective risk management] also considers the potential costs of not acting—the “carpe diem!” failures…..ERM is about… achieving success as much as avoiding failure.”
The authors have suggestions for bringing the disciplines of risk management to the decisions and actions of the board and top executives:
“One significant challenge with integrating risk management throughout the institution is determining whose job it should be. Strategy is traditionally the province of the Board. A healthy Board asks strategic questions: “Where should the institution go next? What major initiatives should we undertake? What societal and demographic forces may threaten our success, or propel us to further greatness?” Few operational risk managers are asked to consider these high-level issues, or to report on them to the Board, much less to manage them. Since ERM incorporates consideration of strategic issues (along with any issues that keep the institution from reaching its objectives), there is a common disconnect between it and what institutional risk managers have traditionally done each day.”
They continue: “Certain types of risk should be managed directly by the Board, through the use of Board committees. On the other hand, the Board does not run many aspects of the ERM process—the Board is not in a position to drive ERM initiatives through the institution on a daily basis. The way forward is to delineate carefully the respective roles of the Board, senior administrators, and operational risk managers. Stratification is key—some risks, such as strategic questions, major initiatives, and general societal and demographic shifts, are the role of the Board. We might call this true “strategic risk.” Senior administrators, by contrast, are responsible for implementing the decisions of the Board as operations of the institution, and minding specific risks facing the institution as a whole (“institutional risk”). Likewise, operational risk management will likely be aware of, and in a position to address, risks that may be below the sight lines of the Board or senior administrators, but nevertheless might affect the eventual success of the institution in achieving its objectives (“unit risk”). These different risk types should be handled by different groups across the institution. Successful [risk management] must incorporate the perspectives of all of these participants, in their proper strata. Thus risks, besides having aspects such as frequency and severity, have an altitude, a level at which they are best managed. A Board thus manages risk via linkage between various levels of stratification: committees report up to certain senior-level administrators, who may report to Board committees and thus to the full Board.”
Comment: this idea of altitude is intriguing. It may work for some and not for others. They key is to understand who owns and is responsible for managing risk (typically the individuals who own and manage performance and achievement of the related objectives). This requires that top-level objectives and risks are cascaded down across the enterprise and that people take ownership of that slice of the objective and risk that is in their area of responsibility.
The authors spend a lot of time reviewing what causes risk management initiatives and programs to fail. I will let you read through these, just excerpting one point. This talks to a feature of many risk management programs where management (and the CRO) may feel, in error, that they have effective risk management.
“The biggest problem……… was that once a board committee or senior administrator indicated an ERM program was wanted, the institution often plunged at once into a process of risk identification. Long lists of risks—risk registers— were created, some with hundreds of entries. Risk managers, and ERM teams, are getting stuck at this risk register phase and are having difficulty moving on to actual management of the risks. There seems to be an 80/20 problem: 80% of scarce ERM time is spent on identification and assessment (frequency, severity, velocity and the like), and only 20% is applied to strategic thinking.”
Comment: I frequently lament (such a good word) two things: 1. There is too much emphasis on identifying the risk and not enough on taking action to optimize outcomes, and 2. People are managing a relatively static list of risks instead of implementing a risk management program that is “dynamic, iterative, and responsive to change” and embedded into organizational processes (ISO and COSO both say this). As I said earlier, the CRO must teach managers and executives to fish.
The document also provides advice for getting risk management right. Again, I won’t go into detail: it repeats many of the suggestions others have made about support from the top, ensuring the right risk culture, selective appropriate guidance (they prefer the ISO 31000:2009 risk management standard), and more.
There is one important point that they infer but don’t state directly.
Risk managers have used workshops as an effective technique for identifying, assessing, and treating risk. But we should ask whether it makes sense to have a team (for that is what this is) that is only responsible for the risk aspect of the decision-making process. There are probably teams (if not in name) that come together to address the performance side of the decision-making process, and it would be better to have them include the risk side rather than set up and run a separate risk workshop.
I welcome your thoughts on this and the other aspects of this interesting paper. It is worth downloading and reading.