Should we take this risk?
- Who takes risk?
- Who decides whether the risk should be taken?
- How do they know what the desired level of risk is?
- How do senior management and the board obtain assurance that the right risks, at the right level, are and will be taken?
These are important questions and every risk (and audit) practitioner should understand the answers.
Richard Anderson and I will be taking these on in April and May, and you are invited to join us. Details are at riskreimagined.com.
Taking the first one first: Who takes risk? The correct answer is ‘everybody’; everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.
In general, the organization’s structure and delegation of authorities dictates who should be making which decision, who should review and approve that decision, and any limitations on the ‘value’ or magnitude of that decision.
In other words, the normal approval hierarchy established in any organization typically determines who makes which decision – and therefore who takes which risk.
Some people think of risk as static: the possibility of an event or situation that could affect an objective or two. But our world is anything but static; the environment in which we operate changes all the time, as regulators, markets, customers, vendors, and other factors change – dynamically. Our own organization also changes, as employees leave or join, get promoted, change their minds or intentions, feel differently about their or the company’s prospects, develop new products, retire old products, change pricing, and so on.
So, risks are being taken all the time in an environment that is changing all the time.
The normal approval structure will also dictate who decides whether the risk should be taken. The decision maker is the person charged with making that decision, subject to review and approval.
The decision-maker will normally weigh all the options, given the information available to him/her, and try to make an informed, intelligent decision. If there are risk-reward trade-offs, they will be considered in the decision-making process.
But how does the decision-maker know how much risk he/she should be taking? How do they know whether the risk level for the organization as a whole will now exceed the levels approved by more senior management and the board?
In fact, how do people know how their decisions will affect others, which objectives at the enterprise level might be affected, and what the desired levels of risk to those objectives are?
For example, consider a recruiter in the HR department who is vetting candidates before they are considered by the hiring manager. Does the recruiter really know how his/her decisions on which candidates to take forward will affect the organization?
Does the recruiter realize how much value and impact an individual with additional experience will bring to the sales operation, or how a candidate’s lack of familiarity with ethical practices could increase compliance risk?
Does the recruiter understand that a major IT initiative might suffer if the decision on which IT specialist candidates to consider is delayed? The risk is not only to the IT function’s objectives but also to the objectives of the IT function’s customer – the one affected by the delay in completing the project, or even by the failure of the project.
There are ways to address this that center around communication and collaboration. In the recruiting example, it is incumbent on both IT and HR to ensure the hiring urgency is understood and the value of different levels of experience and technical talent is appreciated and informs the recruiter’s decisions. Similarly, it is up to the IT customer to convey to the IT team the value of the IT project and the various risks (i.e., the effect on their and others’ objectives) should the project fail or be delayed.
Setting acceptable levels of risk at board or top management level is not the answer. It may be part of the answer, maybe even a significant part, but every decision-maker needs to know what is desired at his/her level, and it is impractical to believe that the enterprise risk appetite statement can be translated and cascaded down in a useful and actionable way to every individual actually taking the risks.
In addition, in a dynamic world, desired levels of risk are (or at least should be) changing dynamically.
In some cases, more granular risk criteria can be defined – but, again, not for every single decision.
No, risk is taken and must be taken by individuals at all levels across the entire enterprise. If you want them to take the right risk at the right level, they must be informed and trained in the consideration of risk – and not just the risk to their personal or team objectives, but the effect on others and, eventually, how that can affect enterprise objectives.
Senior management should help by ensuring the people on their team get that decision-making training, with the help of the risk officers as needed.
How, then, do the board and senior management know that the right risks at the right levels are and will be taken? It’s not possible to be certain that they will be taken. Perfect assurance is not possible, as decision-makers are human and they will make mistakes even when all the information is available and they have taken all the required training.
Only reasonable assurance can be obtained.
A few things contribute to obtaining that reasonable assurance:
- Care and attention to the decision-making process, ensuring that decision-makers consider what might happen as an integral element in that process: what needs to go right as well as what could go wrong.
- Care and attention to the ‘risk management process/framework/whatever-you-want-to-call-it’, thinking through how desired levels of risk are defined and communicated, the appropriate review and approval process, how people are provided the information they need to make risk-informed decisions, and so on.
- The objective assessment by management (and the CRO) of that risk management process – an honest assessment of whether it provides the necessary assurance and whether it is delivering the value to the organization it should by improving the quality of decisions. I think this assessment should be shared formally with the board.
- Careful monitoring, after-the-fact, of actual risk levels, and determining what failed when risks exceed desired levels.
- An independent and objective assessment of the enterprise’s management of risk by the internal audit function.
This is a quick ‘essay’ on a topic that is complex, and the assurance it describes is tough to achieve in practice.
I welcome your thoughts and hope to discuss it further with you in April or May.
Some very good points. Queries. In relation to who takes risk, true, everyone takes risk; however, only a select few take risk in relation to, for example, which markets we enter, which countries we will do business in, etc. In other words, there are some strategic type risks where perhaps formal risk appetite statements, strategic plans, delegation of authorities or whatever have a better or more realistic chance of defining the actionable level of risk that should be taken. Whilst it can rightly be argued that such levels may need to change in response to the changing risk environment, which nowadays may not fit in with a fixed type of annual update of plans, delegation of authorities etc., in this particular case I see this as a problem with the fact that organisations have not made their updating process more dynamic. Who says the annual strategic plan can only be updated once per year? Who says the delegation of authorities are only updated once per year? Who says investments are only reviewed at the point the decision to enter a market is made, rather than whenever a significant shift in risk occurs? A change in thinking on making the updating process of such documents more dynamic potentially will mean such documents, as you point out, can have a more “significant” part in defining the right level of risk for specific strategic type risks, which are often the board’s main preoccupation or priority. Rgs
Good points, Glenn. But while only a few are authorized to take the major, strategic risks, the actions of many can change the level of those risks. Risks in a new market can be influenced by individuals on the ground, or even through social media posts that are poorly received by foreign governments.
Then, what are the decisions and actions that most threaten success? Are they the big ones, or ones that appear small – think Deepwater Horizon.
Norman, I see your point and certainly do not disagree with the thrust of what you are saying. I suppose what I was using your very good comments to get at was this: an organisation can help define the level of risk it should be taking by actually adopting more dynamic updating processes associated with strategy, delegations of authorities etc. The once-a-year thing may have been OK in the past, but nowadays circumstances (as you are highlighting) are constantly changing. Many organisations are locked into a mindset that these updating processes only occur for good governance purposes once per year. For them to be more than tick-a-box value they need to perhaps be more agile in nature to be useful. Maybe in your part of the world this happens, but in the regions where I work sometimes (if it does happen at all) it tends to occur on an annual basis to keep the board happy. Another example of tick-a-box type risk management? In lieu of thinking through why you have these things (as highlighted by your excellent questions in your previous post). Rgs
One problem that I have found in a number of organizations is the understanding of the value of risk tolerance or risk acceptance. In almost every instance, risks are assessed as High-Medium-Low while the “appropriate level of risk” is often more quantitative. The Board may not want to risk more than $1M in new processes, products or markets in a quarter, yet this may not easily translate into risk avoidance decisions at the operational level. While I agree that good communication up and down the line is essential for effective decision making, the incorporation of ERM practices in that communication stream may need more maturity to add to that effectiveness.
Richard, I think you have hit on a number of key points – IMHO. But my interpretation may differ from yours.
How does risk appetite/tolerance/acceptance figure into how managers think and act? Should we train them in a new language, or should we find another way to talk to help them understand and consider risk?
I vote that we stop talking about risk and start talking about optimizing outcomes, increasing the likelihood and scale of success, and so on. We should stop focusing on the barriers and start focusing on the best path forward.
They are focused on performance, and so should we be.
What does it mean to say that “The Board may not want to risk more than $1M in new processes, products or markets in a quarter”? Are we talking about not investing more than $1M, or not creating (or increasing) related risks that are ‘valued’ at more than $1M? How do we do the latter, when there is no probability indicated? What types of risk are aggregated in calculating the $1M?
So, I am trying and I think we all need to try to help managers improve their decision-making, to include the consideration of risk, without talking in risk techno-babble. We need to talk in their language if we are to reach them.
Norman, great article. In the end, complexity is indeed a formidable opponent. I think one of the most difficult tasks in the process you adequately outline, is how do we know what the financial impact would be of taking any decision.
You can establish that your financial risk appetite is, say, $1,000,000. That’s OK. Now, whenever you are faced with a certain decision, how can you measure the impact of that decision in financial terms, to acknowledge that the decision is within that limit? I understand the process by which we can assign a probability and impact to every risk, but there are risks for which these measures are inside a very gray area.
So on top of all the problems you mention, there would still be the very complex problem of expressing uncertainty in dollar terms, to see if it fits our appetite limits. That by itself is a daunting task.
Keep up the good work!
Simply the best short and exciting essay. I am well impressed by the broadness of the presenter.