A leading risk practitioner and thought leader shares his thoughts

I enjoyed this 30-minute recording of my good friend Alex Sidorenko interviewing Hans Læssøe, formerly CRO at Lego. I encourage you to dedicate some time to listening to, and thinking about, what they have to say.

I have never met Hans, but after listening to the discussion I am very much looking forward to an opportunity to share and debate views.

Not only did I find myself agreeing with much of what he had to say, but I heard him use very similar language to mine to explain his views on a number of topics.

For example, we both believe:

  • The key to success for the risk practitioner is helping management succeed
  • It’s not about avoiding failure, it’s about achieving objectives
  • The effective CRO uses the language of the business. He does not try to get management to learn the language of risk. (I like the way Hans describes a conversation between two people, one speaking Russian and the other Danish.)
  • Providing reports that assure the board that management is taking the desired level of risk is useful. However, that is only a small part (IMHO) of effective risk management. The major part (again, IMHO) is helping management make informed decisions and take the right risks.
  • The CRO can be highly valuable as a facilitator

We differ to a degree on one point. Hans says that you cannot have a risk appetite for something like compliance or safety risk. While I agree that no company would ever say it has any appetite other than zero, there is a limit to how much it will spend to ensure compliance and safety. Regulators around the world are saying that the measures management puts in place should be risk-based: a reasonable level of controls and other precautions, not every conceivable one. The only way to have zero compliance risk is to not be in the business at all.

There is a point in the discussion where Hans talks about the value of risk appetite or tolerance (however you want to define it). He describes a real-life situation where his company was not going to hit its financial goals. He sent a note to the CEO saying that the company was operating below its risk appetite; more risk could be taken to improve results.

I like the idea that the CRO is not limited to suppressing risk, but should help the organization achieve its objectives, including by taking more risk to do so when appropriate.

But the concept of a risk appetite does not, IMHO, work well for all sources of risk. It works very well for financial portfolio and similar risks, but not as well for cyber and reputation risk.

Where it does work, I agree that the CRO should be a partner with operating management to identify opportunities where the potential for reward justifies taking additional downside risk.

What struck you as interesting? With what did you agree and with what opinions did you disagree?

  1. January 6, 2018 at 10:58 AM

    Reblogged this on RISK-ACADEMY Blog and commented:
    Great summary from Norman Marks

  2. January 6, 2018 at 1:58 PM

    Good discussion on risk appetite and role of good information in effective risk management.

  3. January 8, 2018 at 1:53 AM

    Hi Mark,

    First of all, thank you for your positive comments. They are highly appreciated. We have actually met, at an IRM event several years ago. However, you were a risk icon already then, and I was an upstart nobody, so no wonder you do not remember and I do.

    On the issue of risk appetite on compliance/safety – my statement is based on [my] use of the ISO definitions, where risk tolerance is the level you accept (even if you are not necessarily happy about it), whereas risk appetite is the level you are willing to take, i.e. will not bother mitigating further.

    Based on that – you will have a risk tolerance for safety and compliance risks (implicitly or explicitly) – but you may/should also have some level of “zero failure philosophy” where you address the (few) incidents you do have and use these to improve your risk management – rather than implicitly stating “OK. So we have 10 severe accidents, and one or two fatalities annually – this is a dangerous industry (e.g. logging), so who cares.”

    • Norman Marks
      January 8, 2018 at 7:00 AM

      Hans, my apologies. I have a poor memory – my only excuse.

      I worked in the oil refining business for a decade and my experience was that nobody was willing to accept even one safety incident. It was never “ok” just because it is an inherently dangerous industry. However, there was discussion all the time about how much money and other resources it was reasonable to spend on safety issues.
