Risk and Strategy Entwined
I want to tell you a couple of stories about four people, two sets of twins.
The first two people are O and P; the second pair is SR and RS.
O and P are executives at the same company. The CEO, C, is considering a new venture, so he calls a meeting of his executive team. O and P sit opposite each other and just glare with clear disdain for the other.
C outlines the opportunity and asks for comments from the team. The general counsel and CFO look thoughtful, but before they can say anything O jumps in.
“I think that’s great! I already looked into this with my team and we project an 80% success rate, where we either hit or exceed the targets you outlined. There are a few things we need to prepare before launching, but I am very optimistic (no pun intended) that everything will be set for a launch in just a few months. [The “pun intended” comment was because his real name is Optimist, although his position within the company is Vice President for Strategy and Planning.]
“Oh, O, you are always quick to see the upside without thinking about the many risks involved”, retorts P. “My team also thought the scheme would come up and we have worked with the appropriate departments to compile this list of risks”.
O comments quietly but everyone hears him, “P, you always live up to your name – a Pessimist who sees a cloud in every silver lining”.
P looks quickly at O and says “My job as Vice President and Chief Risk Officer is to make sure everybody is aware of the risks at all times. O, you constantly ignore them.”
Meanwhile, P is passing around a 5-page document describing about 30 areas assessed as ‘major’ risks to the company that exceed its risk appetite, as defined by the Risk Framework and Policy.
C responds to all of this as you might expect – frustration and annoyance. He doesn’t say anything, but he is thinking along the lines of “why did I hire these bozos, who can’t get along with each other and give me the advice and insight I need? One is always ‘full speed ahead’, perhaps to please me, while the other is always quick to point out why we should never do anything. But, if I fire either of them, especially P, I will hear from the board and the regulators.”
Out loud, C puts the list face down after glancing at it and asks his CFO and general counsel, “So, what do you think.”
I am sharing this story because when I write about the risk officer considering both the potential positive and the negative effects of events, situations, and decisions, several people have commented that the risk officer should focus only on the potential adverse effects because others, like the strategy people, are looking at the opportunity side.
I disagree with this perspective for a few reasons.
- Any event, situation, or decision can have multiple effects. Some may be adverse, some positive. Often, there will be multiple effects. In my Monopoly blog, I talked about the decision whether or not to buy a property. The purchase would create an opportunity to earn rent, but it would also reduce the cash reserves and increase the significance of having to pay rent, a fine, or so on. The smart manager has to decide whether the potential outweighs the risk. Both sides have to be considered, not just one.
- When anybody only explains why you shouldn’t do something, they should expect to be increasingly ignored. How would you react if every time you started to leave home you were greeted with a list of all the bad things that might happen?
- Every potential positive effect needs to be assessed with the same disciplined and structured process as an adverse effect.
- If you want to be perceived as a partner to the business, behave like a partner to the business! Behave like a top executive who has to make an informed and intelligent decision about whether to move forward, change direction, stand still, or even retreat – based on reliable information about all potential consequences under every option. Behave like an executive and talk like an executive, in the language of the business.
In our second story, which is at another company, the CEO (CE) is also considering a new venture and asks his executive team for input.
SR looks at RS, gets a nod, and answers.
“RS and I have been working together to integrate the consideration of risk into the strategic planning and performance monitoring processes. I am pleased to tell you that our Risk and Strategy teams have been looking at this opportunity together. Strategy [ndm: whose middle name is Risk} and I have this joint assessment for you and the team to review”.
Risk, whose middle name is Strategy, passes around a 2-page document that outlines the results of the two team’s assessment. It includes both the potential upsides, their extent and likelihood, as well as the more significant risks, also with extent and likelihood. There is a Summary section that provides an overview of the most likely net effect of each strategic option.
CE beams with satisfaction. What a change this is from his last company! Here, he has two partners that he can trust to provide him with the information he needs as well as a balanced perspective on the options. He has a strategic advantage over his old friend, C.
He congratulates SR and RS for working together to provide a joint assessment. SR looks to RS before replying that they have agreed on a common framework going forward; both teams are cross-trained so that they always look at an event or situation with a balanced view. The Risk team will assess the full range of potential effects on all issues that come to them, and the Strategy team will include an assessment of both positive and negative effects when proposing new or updated strategies, and when reporting on progress towards objectives.
Let me close with a thought.
Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives.
They need to put themselves in the shoes of the CEO and board members. They cannot afford only to concern themselves with reasons not to pursue ventures – implying a desire to stay home and vegetate.
Think like a CEO, act like a CEO, and talk like a CEO. Provide leadership with the information, process, systems, and so on to make effective decisions that lead to success.
I welcome your thoughts.
PS – Do you ‘get’ the pun about ‘entwined’?
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
The picture painted is spot on and could not have been better presented! The risk team must partner business to ensure the company’s strategic objectives are met without of course, compromising its independence.
1. Suspect most risk practitioners would agree that information relating to both upside and downside should be provided when assessing something. The issue is how it is done. At my company we typically “leverage” information from others eg Strategy particularly when it involves something new, because we are only a very small department and are unfortunately often only given limited time to assess.The practical realities of a real life situation. Not a story.
2. In terms of presentation of data, in regard to investment proposals they typically have a set format with the risk assessment part a specific section. It follows after the strategic rationale which outlines “why” we are doing it etc ie the opportunity..which is prepared by Strategy. Putting down the opportunities again in the risk assessment section….duplication?. Absolutely. Can we change the investment proposal format? Unlikely. So for these assessments we focus on downside risk as other parts of the paper are focusing on the upside. Are they on 2 separate bits of paper like in your story. No. They are together in one proposal document like I imagine how most other companies do it. At the end of the proposal document, there is an overall conclusion reached by management taking into consideration both the opportunity and the downside risks. Real life situation not a story.
3. Do the preceding aspects lead to a situation or perception where Risk is viewed as only focusing on the downside. Probably. But I would like to think the people reading the proposals are not stupid and look at the document as a whole when evaluating it and therefore there are no serious implications flowing from Risk only focusing on the downside with the Board making the right overall decision.
4. You are right though in terms of what most people think a Risk function should focus on. ie downside risk. My real life situation above reinforces this perception unfortunately. As mentioned in my previous post, I am not going to be dismissed because I did not identify an opportunity. Does the perception matter in terms of moving the risk management discpline forward in terms of being seen as a business tool instead of simply being a corporate governance defence mechanism?. To some extent yes. There are some other aspects of importance to me. Getting risk practitioners to tailor an enterprise risk management program to their company’s specific cirumstances and needs ranks pretty highly. Too much of the one size fits all approach prevails….whilst a safe approach in terms of ticking boxes to meet governance requirements, it has got the discipline into bad shape….can envisage the next tick a box to be incorporated into some corporate governance guideline or regulatory requirement (if you are a bank) will be “Have you identified opportunities”… .which potentially may end up further alienating the discipline from being a business tool given the specific circumstances of a company. As I mentioned in my previous comments to you, identifying opportunities at a time of high commodity prices is not a problem. Identifying downside risk and getting serious evaluation can be given the overwhelming feeling of optimism and growth that prevails. Focus on what is important. If it needs to be downside risk, so be it. However, I will conclude with this observation….what is the reason for me being concerned about serious risk evaluation….because the downside risk is typically being raised by Risk….and what is the reaction from management….”your always negative”….maybe the perception does matter afterall! Rgs Glenn
Wow! This indeed is thought provoking. I learnt something just from reading your article
Good stories. Risk is about threats to meeting corporate objectives – if nothing is ever done because it is too risky we fail before we even start.
The whole point of this and other posts is to say that risk management is not about just threats to meeting objectives. We need to understand the potential good stuff that can happen, along with the bad, and make better decisions.
Mr P ,the Risk Officer is the gate keeper of the Company. His role -responsibilities in the company envisage him to see risk in proper perspective in the light of risk appetite and flag them to the Risk Management Committee and the Board for further action. The Risk Officer should encourage Companies to entertain /accept risks.for survival in competitive uncertain environment