Risk agility and resilience
An April 2016 publication by PwC should kick-start an interesting conversation.
Risk in review: going the distance makes some interesting points.
“We live in turbulent times. In recent years, widespread business disruption has spurred companies to focus on acquiring the agility to quickly identify and seize new opportunities”.
This is absolutely right. Organizations everywhere need to become more agile. They need to understand change before it hits them between the eyes, adapt at speed, and ensure the corporate vehicle doesn’t tip over in the process.
PwC starts with definitions that merit thought.
- Risk agility: The ability to alter and adapt risk management infrastructure to respond quickly to changing markets, customer preferences or market dynamics.
- Risk resiliency: The ability to withstand business disruption by relying on solid processes, controls and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.
I have an issue with their definition of agility. As PwC themselves say, organizations need to build “agile and flexible risk management frameworks that can anticipate and prepare for the shifts that bring long-term success”.
Note the word, “anticipate”.
As an attendee at the Chicago Risk ReImagined event pointed out, we can’t wait and respond. We have to find a way to anticipate what might happen. Let’s change the definition of agility to:
“The ability of management to alter and adapt its strategies, plans, and decisions in anticipation of the potential for markets, customer preferences, market dynamics, regulations, or other factors (both internal and external) to change.”
Note that it is not sufficient for the risk management framework and process to change. The organization as a whole needs to be prepared and able to change its direction – and that requires a nimble risk management capability.
I also have an issue with the definition of resiliency. Again, the whole organization needs to have resiliency, not just the risk management activity – and its ability should not be limited to responding to adverse events and situations. Let me see if I can put a more positive spin on this.
“The ability of the organization, its systems, processes, organization, and people, to respond promptly and effectively to both threats and opportunities should they arise.”
Note that I was able to avoid using the ‘R’ word. This helps the discussion with management and the board. Risk management provides valuable information to anticipate what might happen, analyze and evaluate potential effects, and identify the best response.
Leaving that aside, there are some nuggets to be mined in the PwC publication. (Emphasis added by me.)
- Our analysis shows that risk-agile companies are far more likely to say they expect significant revenue and profit-margin growth than those that are not risk agile.
- Risk management should be leveraged as a defensive tactic as well as an offensive catalyst. It comes down to how a company manages the upside combined with the downside of each business risk.
- Comment: so much for the idea that it’s all about defense! See the next quote.
- “Historically, risk management has been about preventing losses, protecting the downside,” says Kimberly Johnson, Senior Vice President and Chief Risk Officer at Fannie Mae. “But that’s all playing defense. We think about risk also in terms of how to create opportunities because you find ways that you can make the right risk trade-off: where there are returns.”
- Technology firms excel at identifying opportunities ahead of the competition: 56% of technology firms say they are good at this, compared with only 45% of total respondents.
- Comment: if tech firms lead at 56%, the rest are true laggards – overly focused on defense and resilience.
- Overall, our survey results tell us that for near-term revenue and profit margin growth, risk agility trumps risk resiliency.
- Companies that are able to truly align their risk management activities with their strategic planning process and/or strategic priorities are moving the needle from enterprise risk management to strategic risk management.
- Comment: sorry, PwC, but this is pure consultant b******t. They are defining ERM in terms of the traditional practice of periodic reviews of top risks, when true ERM today is far more dynamic and part of the rhythm of the business. True ERM is what they describe as strategic risk management. Remember that risk management helps an organization achieve its objectives. By definition, when applied to the enterprise, those are enterprise objectives. I will let you decide why PwC is coming up with a new name.
- There are too many examples of companies across sectors that allow their growth to outpace their infrastructure. The unfortunate result is that their vulnerability peaks, and risk events become more crippling to their brands.
- Everyone at the firm—whether you’re an analyst, in operations, on the risk team, the CEO, or the CIO [chief information officer]—everyone is asked to think about risk as part of their business… so there’s constant back-and-forth in a constructive manner. It’s not like we meet only once a week at 7 A.M. and ‘Don’t bother me until then.’ It’s very interactive.
- Within high performing companies, 63% of Chief Risk Officers (CROs) say they are seen as catalysts for growth compared with 36% of CROs overall.
I will close with that last point.
Only 36% of respondents (it is not clear whether PwC limited their survey to risk, compliance, and audit leaders, but it appears so) see risk management as a catalyst for growth. While this is higher for ‘high performing companies’, and higher than the results of the Deloitte study that found very few risk functions were seen as enabling the setting and execution of strategy, it reflects a continuing failure of CROs.
Business leaders, in the executive suite and on the board, are focused on performance. While CROs can see hazards and threats as obstacles to performance, they must broaden their gaze – and their language – to speak and act in alignment with their leaders in the organization.
How can we best achieve our objectives of growth, profits, value to our stakeholders, while avoiding stumbles and remaining in compliance?
How can we all help our organizations be nimble and quick?
I welcome your thoughts on this study and what it means.