Home > Risk > Risk agility and resilience

Risk agility and resilience

An April 2016 publication by PwC should kick-start an interesting conversation.

Risk in review: going the distance makes some interesting points.

“We live in turbulent times. In recent years, widespread business disruption has spurred companies to focus on acquiring the agility to quickly identify and seize new opportunities”.

This is absolutely right. Organizations everywhere need to become more agile. They need to understand change before it hits them between the eyes, adapt at speed, and ensure the corporate vehicle doesn’t tip over in the process.

PwC starts with definitions that merit thought.

  • Risk agility: The ability to alter and adapt risk management infrastructure to respond quickly to changing markets, customer preferences or market dynamics.
  • Risk resiliency: The ability to withstand business disruption by relying on solid processes, controls and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.

I have an issue with their definition of agility. As PwC themselves say, organizations need to build “agile and flexible risk management frameworks that can anticipate and prepare for the shifts that bring long-term success”.

Note the word, “anticipate”.

As an attendee at the Chicago Risk ReImagined event pointed out, we can’t wait and respond. We have to find a way to anticipate what might happen. Let’s change the definition of agility to:

“The ability of management to alter and adapt its strategies, plans, and decisions in anticipation of the potential for markets, customer preferences, market dynamics, regulations, or other factors (both internal and external) to change.”

Note that it is not sufficient for the risk management framework and process to change. The organization as a whole needs to be prepared and able to change its direction – and that requires a nimble risk management capability.

I also have an issue with the definition of resiliency. Again, the whole organization needs to have resiliency, not just the risk management activity – and its ability should not be limited to respond to adverse events and situations. Let me see if I can put a more positive spin on this.

“The ability of the organization, its systems, processes, organization, and people, to respond promptly and effectively to both threats and opportunities should they arise.”

Note that I was able to avoid using the ‘R’ word. This helps the discussion with management and the board. Risk management provides valuable information to anticipate what might happen, analyze and evaluate potential effects, and identify the best response.

Leaving that aside, there are some nuggets to be mined in the PwC publication. (Emphasis added by me.)

  • Our analysis shows that risk-agile companies are far more likely to say they expect significant revenue and profit-margin growth than those that are not risk agile.
  • Risk management should be leveraged as a defensive tactic as well as an offensive catalyst. It comes down to how a company manages the upside combined with the downside of each business risk.
    • Comment: so much for the idea that it’s all about defense! See the next quote.
  • “Historically, risk management has been about preventing losses, protecting the downside,” says Kimberly Johnson, Senior Vice President and Chief Risk Officer at Fannie Mae. “But that’s all playing defense. We think about risk also in terms of how to create opportunities because you find ways that you can make the right risk trade-off: where there are returns.”
  • Technology firms excel at identifying opportunities ahead of the competition: 56% of technology firms say they are good at this, compared with only 45% of total respondents.
    • Comment: if tech firms lead at 56%, the rest are true laggards – overly focused on defense and resilience.
  • Overall, our survey results tell us that for near-term revenue and profit margin growth, risk agility trumps risk resiliency.
  • Companies that are able to truly align their risk management activities with their strategic planning process and/or strategic priorities are moving the needle from enterprise risk management to strategic risk management.
    • Comment: sorry, PwC, but this is pure consultant b******t. They are defining ERM in terms of the traditional practice of periodic reviews of top risks, when true ERM today is far more dynamic and part of the rhythm of the business. True ERM is what they describe as strategic risk management. Remember that risk management helps an organization achieve its objectives. By definition, when applied to the enterprise, those are enterprise objectives. I will let you decide why PwC is coming up with a new name.
  • There are too many examples of companies across sectors that allow their growth to outpace their infrastructure. The unfortunate result is that their vulnerability peaks, and risk events become more crippling to their brands.
  • Everyone at the firm—whether you’re an analyst, in operations, on the risk team, the CEO, or the CIO [chief information officer]—everyone is asked to think about risk as part of their business… so there’s constant back-and-forth in a constructive manner. It’s not like we meet only once a week at 7 A.M. and ‘Don’t bother me until then.’ It’s very interactive.
  • Within high performing companies, 63% of Chief Risk Officers (CROs) say they are seen as catalysts for growth compared with 36% of CROs overall.

I will close with that last point.

Only 36% of respondents (it not clear whether PwC limited their survey to risk, compliance, and audit leaders, but it appears so) see risk management as a catalyst for growth. While this is higher for ‘high performing companies’, and higher than the results of the Deloitte study that found very few risk functions were seen as enabling the setting and execution of strategy, it reflects a continuing failure of CROs.

Business leaders, in the executive suite and on the board, are focused on performance. While CROs can see hazards and threats as obstacles to performance, they must broaden their gaze – and their language – to speak and act in alignment with their leaders in the organization.

How can we best achieve our objectives of growth, profits, value to our stakeholders, while avoiding stumbles and remaining in compliance?

How can we all help our organizations be nimble and quick?

I welcome your thoughts on this study and what it means.

  1. joanne
    May 7, 2016 at 4:22 PM

    Great post and analysis. Looking forward to doing a deep dibe on the PwC article. Agree with your emphasis and your comments associated with ERM already being a strategic catalyst to growth. There is much discussion about the defensive when it comes to risk but I do agree that growth in order to achieve objectives at the expenses of understanding the downside risk is indeed happening and causing ‘distuption’ of a negative kind…thanks for sharing..

  2. Glenn Daly
    May 7, 2016 at 8:23 PM

    A couple of thoughts. Agility and / or resiliency in practice. Whenever an organisation has strategies relating to or decides to employ v fixed term contract someone, insource v outsource, lease v acquire, invest in a particular country v another etc all these strategies and / or decisions impact agility and/ or resiliency to some extent. When economic, regulatory, competition conditions are relatively stable, having agility is perhaps not perceived as that critical when making decisions. When conditions become volatile and a business needs to adapt or respond very quickly, they obviously are very important, often when looking back “retrospectively” …but at the time, paying extra for that agility did not make financial sense or fit in with the growth plans of the organisation and so decisions are made accordingly. Making the right decisions as to how much agileness to have and resiliency to have embedded in your business model and when it will be needed is not so easy in the real world. As risk practitioners, I suppose we can assist by highlighting volatile conditions and / or try and “anticipate” them (as you point out) so that management factors them into decision making, or at least considers a range of options and the implications of decisions from an agility perspective so that resiliency is built into prooesses etc. Whether in the end this is the main factor that will dictate the final decision, is obviously subject to financial factors, how much agility and resiliency management want here and now v the future, with this being determined by how volatile they think the future will be etc and whether its worth investing now. Rgs

  3. Jai
    May 8, 2016 at 6:02 PM

    I have some difficulty in reconciling the definition of resiliency as provided by PwC and Norman. In my view agility and resiliency appear to be somewhat contradictory as applied to organisations. I agree that in this day and age organisations need to have flexible structures, systems, processes and people in order to change quickly when there is a change in the external environment. It may be possible to change the nature of risks by changing the risk management infrastructure but the organisation will not be able change if the structures, systems and processes are not able to be changed quickly.

    Many organisation, particularly government organisations, find it very difficult to change quickly because of inherent difficulties created by policies, procedures, systems, structures and people. This point is reinforced in the definition of resiliency provided by PwC. It talks about “solid processes, controls and risk management tools and techniques …………” How do we reconcile agility with solid processes! Happy to hear other views on this subject.

  4. Gregory Sosbee
    May 10, 2016 at 2:12 PM

    If I am reading Norman correctly, I agree that Agility and/or Resiliency should not be limited to just Risk Management, but to the entire organization. Thus Risk Management is no different from Finance or Legal or Operations.

    I also agree that Risk Management is handicapped by history and a perceived “role
    of defense”. I have fought to convenience organizations that Risk Management should be “offensive” and contribute to corporative advantage since 1998. It took a global collapse to highlight Risk Management, but the effort lacks sufficient steam due to the Risk Mangers themselves. Instead of featuring Risk Management as an organizational contributor, to many Risk Managers are to comfortable within their basic skills and qualifications to expand their horizons to the point that they belong on the Senior Executive level. What other part of the organization has to be conversant in all facets of the organization from operational processes to financial theory and planning to legal issues? The answer is none.

  5. Frans Kersten
    May 10, 2016 at 11:04 PM

    It seems that cyber risk / security influences the discussion. I first noticed the word ‘resilience’ within this domain stating that organisations should be able to deal with the risks of cyber security.
    Maybe it’s because English is not my native language, but I have a different view on ‘framework’. In my perception there is no agile of non-agile framework. The framework like in ISO-31000 is the combination op principles and processes tot deal with risk management. The process can be applied in a way that is either agile or non-agile.

  6. Mike Corcoran
    May 12, 2016 at 8:06 PM

    This makes no sense. It is about value creation agility and value preservation resilience with strategic objectives as the starting point. Leading with risk is a fools game.

  7. Mike Corcoran
    May 12, 2016 at 8:17 PM

    Fannie Mae comment: Are you kidding me? Your opportunistic approach on poor lending, underwriting and syndicating standards led to one of the biggest financial and economic failures in the history of mankind. To be in this article on agility and resilience insults at least my experience and suggests PwC business advisory and consulting leadership does not get it.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: