A Risk Management Challenge for You
I hope I have been consistent in my message: that risk appetite and other top-level guidance only enable an after-the-fact answer to the question, “Did we take the right risks?”
They don’t provide the guidance people need when they make decisions as part of running the business on a daily basis.
I am in the middle of an email discussion with a leader of one of the Big 4 CPA firms’ risk management consulting practices. He is one of the few from the Big 4 that I have heard say the same thing I do – that risk is taken every time you make (or decide not to make) a decision, and that those making decisions need guidance on which are the right ones to take.
This gentleman has developed a somewhat complex process that takes the organization’s objectives, identifies the type and general source of risks to each of those objectives, determines at a high level the aggregate level of risk to each objective that would be acceptable, and then drives this down to the decision-makers whose actions create or modify those risks – and finally determines what would constitute an acceptable level of risk at their level.
It’s a valiant attempt to deliver guidance to those taking or modifying risk every day.
But is it enough?
I asked him this question, to which he has not yet replied:
“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”
We say that risk is the effect of uncertainty on objectives and that you have to assess each risk within the context of objectives.
But what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?
In practice, the HR manager has his own objectives, as does the HR department. For example, he probably believes that one of his primary objectives is staying within budget. Can he achieve that without adversely affecting another department’s objectives to an unacceptable extent?
It’s not only that delaying hiring or hiring somebody with insufficient experience may adversely affect the operation of the new service center, but problems at the new service center might result in failures to bill customers accurately, pay critical vendors on time, produce accurate financial and operational reporting, and more. The ripple effect could be substantial and affect multiple organizational objectives.
A (COSO) risk appetite statement or framework set by the top management team and approved by the board is of no help.
Are (ISO 31000) risk criteria any better?
Management decisions like this are made every day.
Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of her company’s primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?
Which is the right risk to take? How can she know?
I welcome your comments.
Isn’t this the core, the heart of risk management?