
Prominent academics fail to understand effective risk management

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School. I have never had the privilege of meeting him.

His colleague, Anette Mikes, was with Bob at Harvard and is now Professor of Accounting and Control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes Anette. I have heard her speak, but have never met her one-on-one. Anette has made important contributions to the academic study of risk management, including a case study of John Fraser’s Hydro One and a similar case study on LEGO.

On earlier occasions, I have shared my thoughts with Anette Mikes on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School Working Paper, Risk Management – the Revealing Hand.

While there is some value in the paper, such as its insistence that risk management must be continuous and its discussion of over-reliance on models, it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organization to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in its 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believing that risk management supports their ability to develop and execute on business strategy very well.

How can risk management practitioners demonstrate value and a significant contribution to the success of an organization when they:

  • Focus on a list of potential harms?
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics?
  • Talk in technobabble instead of the language of the business?

I see risk management as about:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans, and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization towards its objectives
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives, and what (if anything) we need to do about it
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo
  • Knowing how to assess and evaluate the potential for any event or situation to have good, bad, or a combination of good and bad effects – and providing a structured process for making decisions about the path forward
  • Intelligent and effective management that enables the organization to succeed

Kaplan and Mikes say that there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note, EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)

Is that because they don’t understand what risk management should be? That it is not about managing a list of potential harms – what Jim DeLoach calls Enterprise List Management? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out? Or, would you dismiss the pessimist with disdain?

A few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go” – COSO
  • Risk management enables “A greater likelihood of achieving business objectives” and “More informed risk-taking and decision-making” – COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in (and impacts) everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
  • “You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
  • “The job of risk [management] is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved” – Deloitte

I can tell you that the risk management programs at Hydro One and LEGO do not limit their work to potential harms. They consider the potential for reward as well as harm. They work to help management succeed.

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it’s because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks – what Jim DeLoach correctly calls ‘enterprise list management’.

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the CRO gives him is a list of what could go wrong? He needs help to see what might happen, both good and bad, and what to do about it – in other words, risk management needs to be seen by the CEO as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we move both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.


  1. May 30, 2016 at 7:37 AM

    Bravo, Norman. Unfortunately the Kaplan and Mikes paper only reinforces existing and unhelpful language and thinking.

    Fundamentally, their article seems to be based on a ‘straw man’ dichotomy that, like all straw men, they have produced solely to burn down. Who says we need to “find common ground to reconcile the two approaches”? Why is there any conflict between knowing “measurable risks” and “qualitative approaches that will better help managers in thinking about how good projects and strategies might turn bad, and how their organizations would fare under different scenarios”? Why can’t you do both?

    It’s not just that they think risk is just ‘bad things that can happen’, but that they seem to fail to grasp the point that risk management is just decision support – it has no other purpose.

    I’m embarrassed that authors of such renown should produce an article that only takes us backwards and which adds to confusion. I would have hoped they led the way into clarity and light.

    However, as we now know, that cannot occur while we keep using the ambiguous and unhelpful terms ‘risk’ and ‘risk management’. It’s impossible to make headway.

  2. John Phelps
    May 30, 2016 at 7:46 AM


    Excellent discussion. I couldn’t agree more with your premise. I would like to suggest that there are two different levels of risk management in an organization and these levels often are confused. “Operational Risk Management” (defined as the risks encountered everyday by operational units within an organization and rarely involve issues of strategy) are apt to be more about controls and preserving value. This is where the average manager and supervisor live each day. “Strategic Risk Management” is about a process to support the formation and execution of strategy. This is the “playground” of the c-suite and is more about creation of long term value for the organization than preserving it. The problem is that these two levels of risk management exist everyday in an enterprise (whether they are recognized as a process or not) and are often blurred together as a single process. I suggest that both levels are necessary in a mature risk management organization. Value must be preserved by the operational areas or the company goes backwards. In addition, risk management needs to be a part of strategic risk taking to improve the odds of successfully achieving the strategic plan. But when the c-suite asks for a list of the most important risks without integrating risk management into the strategy development and execution process, that’s when you know you have lost the battle.

    • Norman Marks
      May 30, 2016 at 8:09 AM

      Thank you, John.

      However, every decision made at any level of the organization creates or modifies risk. Why should the consideration of risk when decisions are made only be about potential harms?

      When you leave home, you do so because you understand what might happen, both good and bad, if you stay home, leave now, leave later, go a different way, and so on. You make your decision because “taking the risks” of accidents and so on is justified because of the gains to be achieved by working and earning a salary, getting food to eat, keeping the children safe, and so on.

      We consider all the things that might happen between where we are and where we need to go and make, as best we can, informed and intelligent decisions.

      If you had a CRO standing at your door with a list of all the harms, would that help you make the right decision? You need to understand all the potential consequences of your decisions.

  3. Khanh Vuong
    May 30, 2016 at 9:22 AM

    Great, thought-provoking coverage of the topic. One remark: the HBR article is more thoughtful and encompassing than merely advocating RM as focusing on a list of harms. It mentioned setting risk appetites to guide the decisions to assume risk (which I took as inclusive of harmful ones).

    After all the debates from both sides (focusing on managing the downside vs the upside of risk), I believe that a basic starter list of absolutely clear harmful things to avoid, which is then built upon further by a contextual, objective-based risk upside & downside decision framework, would make for a really mature RM environment. This is just my very own personal take on this topic.

    May 30, 2016 at 11:13 AM

    Excellent piece and responses. This could also be due to academic laziness, silo-based thinking and a lack of understanding of the etymology of risk (with risk having its origins in ‘to dare’, i.e. upside as well as downside, as well as cultural contexts – the Chinese character for risk being opportunity as well as danger). For a better, more rounded, informed and current response, see The Risk Management Handbook, A Practical Guide to Managing the Multiple Dimensions of Risk (edited by David Hillson, to which I contributed a chapter on reputational risk), a useful survey of the risk management landscape covering the state of the art in today’s main application areas of risk management and identifying emerging trends (published by Kogan Page on 03 June). See https://www.koganpage.com/product/the-risk-management-handbook-9780749478827
    To this of course can be added Norman’s masterful book, World Class Risk Management, last year.


  6. Glenn Daly
    May 30, 2016 at 4:33 PM

    After reading your book “World Class Risk Management” it inspired me to make changes to my company’s risk reports. The first couple of quarters we had the format but not the content. In the third quarter we made a big step forward in terms of content, and for the first time we started to receive praise from board and management. What was the problem in the first 2 quarters? Our content did not reflect a deep understanding of the strategies and related KPIs. In the 3rd quarter we fixed this by investing time in understanding the blueprint and kept asking ourselves the question: are we advising the board how we are progressing against the objectives? We wrote in a more narrative style without using risk jargon, i.e. business-friendly speak. We informally went around each board member to agree the risks we would do a deep dive on in the 2nd part of the report. We ignored what a typical risk report looks like, i.e. with risk ratings and arrows going up and down etc. Our report has only 3 ratings (on track, issues and serious issues) for both performance and risk status to keep things simple. Each risk report has an overview of no more than 2 to 3 pages. If the reader wants more detail there are hyperlinks to supporting appendices. If more of us make the move to this style of reporting, and have a strong desire to not be a tick-a-box function by getting good content, word will spread amongst board members and gradually lead to a quantum leap…assuming board members want their risk functions to be more than tick-a-box functions. This for me is the biggest challenge. Unfortunately, formal risk management aspects have been and are being treated as a form of defence rather than as a business tool, i.e. it does not really matter what is on a report so long as something is produced; that is all that matters. We see the same approach with COBC and the like, i.e. boards hiding behind this to demonstrate their bona fides in relation to corruption.
    Until this mindset is changed, practitioners probably do not have the incentive to change because the readers of the reports are happy to leave it the way it is. Sure, they complain in these silly surveys conducted by consultants, but they have the power to change it. Why is there no change? It is obvious. Rgs Glenn

  7. Norman Marks
    May 30, 2016 at 4:40 PM

    Glenn, that is fantastic! You have made my day, week, year. I love to hear about your success.

    Can you write a book review that talks about this?

    • Glenn Daly
      May 31, 2016 at 2:26 AM

      Can do. Give me a couple more quarters to make even further improvements to content so I can give more comprehensive feedback from board/management. Want to go further with lead indicators and drill the approach down to our various BUs/OUs within Divisions (hopefully allowing leveraging of more robust updates from risk champions in the business)…should lead to our reports being even more informative. A couple of thoughts on upside risk or risk opportunities or whatever people want to call it. We need to remember that a Risk function is not the only one providing info to a board/senior management. There are specific functions such as Strategy, Innovation, Sustainability and the like who have it in their DNA to highlight opportunities, whether they be strategic or more operational ones, via the strategic planning and innovation/idea processes, LSS, and “war on waste” type projects. In our reports we now leverage this info where appropriate (sometimes I read posts to forums like this one and it is as if no other function other than Risk is providing info to the board, which of course, as you know, in reality is not the case). The question that arises then is what should a small, resource-constrained risk function in a relatively large non-financial-services-type diversified company spread across various geographies focus on…identifying risks or opportunities? Ideally both, but we have to be practical (I am not going to lose my job because I did not identify an opportunity, rightly or wrongly)…so we need to leverage more from other areas when it comes to the opportunities that arise from uncertainty. Which leads me to an aspect of risk management that is probably underdone and deserving of some discussion: identifying risks when objectives are “exceeded”. Opportunity identification in these circumstances is far from being a problem for most companies. Risk identification and serious evaluation can be.
      My company’s results (and therefore achievement of objectives) are significantly impacted by commodity prices…identifying risks and getting them seriously evaluated when commodity prices are high, in a climate of overwhelming optimism and growth, is far more challenging and important to me than opportunities…there are others who can worry about the latter. With commodity prices significantly lower than during the boom times, I am sure there are many companies who wish the risk side of the equation had been emphasised more. Rgs Glenn

  8. May 31, 2016 at 9:40 AM

    Great information and comments. ERM as broadly defined seems to be encroaching on strategic planning and strategy setting. The goal is integration, to make sure the risks to achieving the objectives are fully thought through. The linkage should be clear, such as a schedule that lays out the goals/metrics and the top risks/barriers to each.

    I don’t think risk management should focus on the opportunity side; leave that to the strategists to determine the goals.

    Another important step beyond “list management” and linking them to objectives is from Peter Drucker (see HBR-The Theory of the Business) where he says an organization should identify the underlying assumptions and test them periodically.

    For example, our economy pre-crisis was based on the assumption that “Housing prices only go up.” We levered up our banks on that assumption, homeowners took out huge amounts of equity based on that assumption, etc. Drucker argues assumptions may be good for a while, but ultimately they get outdated.

    One other great nugget is from Professor Rumelt, who wrote about the kernel of strategy (diagnosis, guiding policies, action plans). Is the kernel soundly argued?

    Using Kennedy’s Cuban Missile Crisis speech as an illustration:

    Diagnosis: “This Government, as promised, has maintained the closest surveillance of the Soviet military buildup on the island of Cuba. Within the past week, unmistakable evidence has established the fact that a series of offensive missile sites are now in preparation on that imprisoned island. The purpose of these bases can be none other than to provide a nuclear strike capability against the Western Hemisphere.”

    Guiding Policy: “Our unswerving objective, therefore, must be to prevent the use of these missiles against this or any other country, and to secure their withdrawal or elimination from the Western Hemisphere.”

    Action Plans: First among seven numbered steps was the following: “To halt this offensive buildup a strict quarantine on all offensive military equipment under shipment to Cuba is being initiated. All ships of any kind bound for Cuba from whatever nation or port will, if found to contain cargoes of offensive weapons, be turned back.”

    Are these clear in your organization?

    Aligning the list with goals, identifying and testing underlying assumptions, and a sound kernel should help keep the organization on-track.

    P.S. We could use a definition of strategic risk that is unique in kind rather than severity. To me, strategic risk is about portfolio decisions (what business are we in), so things like M&A activity, service/product line inclusion or exclusion decisions, etc. Many define it as simply any type of risk serious enough to go to the board. That causes some confusion.

  9. Cristina Zanini
    May 31, 2016 at 12:14 PM


  10. Gregory Sosbee
    May 31, 2016 at 2:06 PM

    Brace Norman – I agree with you on this one.

    Risk is risk. If an organization is to have an “enterprise risk management” program all operations and functions have to be operating under the same definitions, measurement and reporting standards. If one tries to bifurcate risk as suggested above, decisions made by the different “risk centers” create risk which often results in competing opposite risk management solutions.

    The “Practitioner v. Academia” discussion is made more difficult than it should be because the practitioner side is all over the place as to what enterprise risk management is all about due to historical organizational theory. Whether it is financial, operational or strategic risk, risk is risk and has to be treated uniformly across the enterprise.

    On the academia side, different “departments” within academia teach “risk” within their subject matter without any coordination of definitions or an enterprise risk capstone course that draws everything together (it is also difficult to have a capstone course without common definitions). Risk Management needs to have its own department (like accounting, finance, etc) with at least two required semesters – a basics course in the sophomore year, and an applied course during the last semester of the senior year.

  11. Norman Marks
    May 31, 2016 at 2:09 PM

    Really encouraging to hear so many voices of agreement

  12. Sergio Espinoza
    June 1, 2016 at 10:56 AM

    Risk Management (RM) vs Quantitative Risk Management (QRM)

    Studies about risk, cause, assessment, response and results in project phases (studies and construction) and operations in mining, energy, and oil and gas companies show that RM’s poor results are due to: 1. Using qualitative methods, not quantitative estimates based on probability and severity, not impact. 2. Poor or lacking root cause analysis of the element that is at risk (person, purchase, contract, work, project, operation, etc.). 3. Therefore, in workshops and elsewhere, risk lists are often made and assessed, unordered by their order of occurrence. 4. Point 3 provides a list of risks with their responses, without considering costs. 5. The plan, based on the 4 points above, deviates from reporting impacts to project control, and credibility in the plan is lost. RM is a very basic approach to risks (easy to implement), but its results have discredited the discipline. Therefore, QRM is already being implemented, which overcomes the above, resulting in successful mining projects.

  13. June 1, 2016 at 12:29 PM

    – “Despite such claims, academic studies have yet to confirm whether and how risk
    management practices add value”.
    – “But what these large sample surveys fail to provide is convincing evidence of the quality, depth, breadth, and impact of risk management in the adopting organizations”.

    These two quotes from the paper by Kaplan and Mikes (page 9) point exactly to the problem; there is no scientifically verifiable evidence to the claims made by EY, KPMG and all the others that risk management contributes to business success. So far, these claims are nothing more than a belief.

    In general, there is very little scientific evidence that risk management contributes to business success. And it will remain a tough job to find such evidence. There is work to be done by the management consulting community.

    • Glenn Daly
      June 1, 2016 at 3:58 PM

      In reference to the comments above. 1. Assume we are talking about the “formal” risk management discipline. 2. The surveys conducted by the consultants are nothing more than marketing exercises to sell work, hence my dismissal of them as “silly” in my previous comments above (and my previous querying of Norman as to why he persists with referencing them in his book and blogs – I suspect he does it because it’s a convenient way to start and support a discussion…fair enough). So from this perspective I agree with the comments above and what is written by Kaplan and Mikes. 3. However, I do not need to be convinced by the “management consulting” fraternity that risk management adds or does not add value. 4. If the formal discipline is executed effectively, if you are in an organisation, you can clearly see how it can add value. Unfortunately, as mentioned previously in my comments above, it is viewed by many more as a tick-a-box corporate governance defence mechanism than a business tool, which significantly limits its value. 5. How to change this? More practitioners need to find ways to execute more effectively in their organisations (hence my respect for Norman and others who at least provoke me to think about what I am doing). The one-size-fits-all approach I am not a fan of…that is one of the reasons the discipline is in the state it is in. Tailor an enterprise risk management program that works for you in your organisation. Broad principles and standards can only progress the discipline so far…hopefully all boards welcome the outcomes from an effective program. Rgs Glenn

      • Norman Marks
        June 1, 2016 at 4:32 PM

        Insightful, Glenn

  14. Joe ODonnell
    June 2, 2016 at 1:13 PM

    Very inspiring discussion. I think the key to moving ERM forward as Norman suggests lies in attaining true integration. Case in point: Glenn’s comments about other areas of the organization making recommendations and providing information to the board. In a situation with a fully integrated risk function, those groups would be responsible for identifying and assessing the risks associated with their ideas, subject to established corporate ERM standards. To help advance to that type of situation, we risk professionals and leaders need to put our marketing hats on and ensure that we look at our own processes, outputs and interactions with our stakeholders with a very critical eye. We have to sell it, and believe in our products and services. We cannot have the mindset and demeanor that risk management is a “must” even if we have a regulator or board standing behind us saying it is a requirement. Tangible quantification of the value of the risk management function is definitely a challenge. Alternatively, creating a perception and positive attitude about the risk function is something we can and should do.

  15. madhu acharyya
    June 3, 2016 at 12:38 PM

    Academics are experts within disciplinary silos, e.g., professor in finance, professor in management, etc. They work in the university under disciplinary departments, e.g., department of finance, department of management, etc. In addition, they research and publish their work in academic journals, and the journals are ranked under disciplinary silos. Consequently, they do not have scope to research and study from an interdisciplinary perspective. However, the type of ERM you are talking about is truly interdisciplinary, where a risk manager, irrespective of designation, needs to understand risk from an interdisciplinary perspective. Moreover, it is important to note that risk has different levels of priority in different industries. For example, the risk management approach in the banking industry is very different from the construction industry. To me there are several versions of ERM, and industries (and organizations) should adopt and adapt ERM on the basis of their business models, level of resources and, most importantly, organisational culture.

  16. June 5, 2016 at 6:58 AM

    This is an interesting discussion.

    Reading the Revealing Hand by Mikes and Kaplan again, I don’t see merely a “narrow and highly limiting view that risk management is about mitigating potential harm from adverse events.” For example, in my opinion, the quotes below from the paper imply an upside view of risk management and its importance to be considered in decision making.

    “Lee, a principal inspiration for our formulation of the Revealing Hand principle, believed strongly that risk management should not curtail innovation and risk-taking. Rather, rigorous risk management of innovative projects should enhance the organization’s innovative capacity and its capability to accept risky projects, increasing their chance of success.”

    “The concern is that top-down risk management will inhibit innovation and entrepreneurial activities. We disagree and argue that risk management should function as a Revealing Hand to identify, assess, and mitigate risks in a cost–efficient manner. Done well, the Revealing Hand of risk management adds value to firms by allowing them to take on riskier projects and strategies.”

    Even though Mikes and Kaplan don’t specifically mention the upside of risk, I believe what is written above implies it.

    And it doesn’t seem they are advocating “list management” and dwelling in functional silos:
    “Post mortems revealed that JPL’s risk assurance function, among its other shortcomings, was focused on checklists for quality control, while overlooking many risks—such as errors stemming from engineers working in English rather than Metric units—that had “incubated” for a long time in functional silos.”

    My main takeaway from the article is that risk management requires both quantitative and qualitative methods. I do not see the very narrow view discussed in this topic and if you read it again I think you will see more that you like.

    • Norman Marks
      June 5, 2016 at 7:12 AM

      Michael, thanks for the comment. I believe Kaplan and Mikes are talking about risk capacity (earlier covered well by Accenture and others). For example, if you don’t have commodity traders or a relationship with somebody to execute and manage commodity trading for you, you cannot effectively hedge commodity risk. If you don’t have early warning systems to inform you of changes in competitor or regulatory risk, it is harder to know when to introduce new products or services, how to price them, or understand how new regulations might affect them. If you have solid cash reserves, you are more able to ‘take the risk’ of an acquisition.

      It is true that the better you are prepared and able to handle the adverse effects of uncertainty, the more confident management and the board will be in taking risk (see work by EY, previously referenced by me).

      But, that doesn’t mean that the same structured processes used to understand and assess the potential adverse consequences and their likelihood are used to assess the potential positive consequences.

      I am in the process of writing a new post on my IIA blog about new guidance from Australia. They say: “risk-taking is what organisations do — risk encompasses the opportunities to be realised by the organisation, as well as the hazards to be avoided, with recognition of the uncertainties attached to the opportunities and hazards alike.”

      • June 5, 2016 at 8:00 AM

        Norman wrote:
        “But, that doesn’t mean that the same structured processes used to understand and assess the potential adverse consequences and their likelihood are used to assess the potential positive consequences.”

        Norman, I look forward to thinking and reading more about this and trying to understand what from downside risk management can also be applied to risk as opportunity. Or will it mainly be about applying existing strategic management tools, such as SWOT? Or is there something new that needs to be developed? Or all of the above?

