Finally some good advice on risk for boards

November 9, 2019

While I still disagree in some areas, I applaud Jim DeLoach for his latest piece for the (US) National Association of Corporate Directors, Revamping Risk in the Digital Age.

Please read the entire piece, but here are points I especially like, with my highlights:

  • It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return. Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, the reality is such that it’s not just a matter of taking risk to grow or generate greater returns—it’s also a matter of survival. That’s why organizations might have to undertake more risk than they may be accustomed to taking if they are to survive.
  • In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity, and digital thinking so critical to success.
  • Over three decades, best-of-class [in Jim’s opinion] risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks, to an enterprise-wide approach focused on the most critical business risks and integrated with strategy-setting and performance management
  • In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value.
  • Digital leaders proactively take risk, whereas digital skeptics do not. 
  • a traditional approach to risk management might be the biggest risk that an organization faces. 

There are so many key points here that I encourage you to reflect on each.

I strongly agree that the traditional approach of focusing on the possibility of harm instead of the likelihood of success is itself a great source of risk to the organization.

You simply have to understand all the things that might happen, the big picture where you can see and weigh them all, if you are to make the informed and intelligent decisions necessary for success.

Focusing on harms, especially one at a time, outside the context of performance and strategy execution, is not the same as making sure you are taking the right level of the right risks – and that, as Jim rightly says, is essential if you are to prosper.

Jim and I agree on one word change in the risk management discussion. Rather than the passive expression of accepting risk, he and I both talk about the active form of taking risk.

I believe it is important to use that word and focus on informed and intelligent decisions as part of how any organization sets and then executes on its strategies for achieving its objectives.

I also agree with the idea of integrating the consideration of what might happen (a.k.a. risk) with strategy management and performance management and reporting.

  1. Making quality decisions, both setting and then executing on strategy, requires an understanding of what might happen and its effects. It’s integral to the decision-making process, not something that needs to be integrated as if it were a separate activity.
  2. Effective management requires that you understand where you are (performance management), where you want to go (strategy management), and the likelihood of getting there (which should be a combination of performance, strategy, and risk management).

In fact, I have suggested many times that instead of talking about risk appetite as the amount of risk you are willing to take in pursuit of objectives (i.e., ignoring the reason to take risk, the potential upsides), we should redefine risk appetite (although I would prefer a different term) as the likelihood of achieving objectives that you would consider acceptable.

I depart from Jim in some less important areas.

  1. I don’t like the talk about risk culture. It’s an amorphous term that I don’t believe has a great deal of merit. For a start, there is no single risk culture in any organization. Then there’s the point that culture is multi-dimensional, with attitudes towards taking risk just one; others include ethics and moral behavior, entrepreneurship and creativity, teamwork, and so on.

Do you want the same attitude towards risk-taking from accounting, safety, marketing, and sales? I certainly hope not!

It would have been better to just talk about the ability to make intelligent and informed decisions, taking the right risk.

  2. I’m also not a fan of the idea that some risks are compensated and others are not. For a start, the organization may not be able to sustain a huge loss even if there is an equal possibility of a huge gain.

It would have been better to recognize that in any situation there is a variety of things that might happen and you need to assess and weigh them all together.

  3. I’m not sure whether Jim is saying that this is world-class, but if so I disagree: “an enterprise-wide approach focused on the most critical business risks”. World-class is focusing on success, not managing specific risks, especially not one at a time.
  4. Finally, I still have a problem with talking about risk appetite, as explained above. It’s not something that considers the totality of what might happen, plus it is pretty impossible to define for some issues, such as compliance and safety.

If you want to have guidance on the risks that should be taken, it needs to be actionable – something that will actually influence the decisions people make. Saying “we have no appetite for failing to comply with laws and regulations” will not influence the decision on how much money to invest in a compliance program.

As always, I welcome your comments.

  1. Gary Lim
    November 10, 2019 at 4:13 AM

    Personally I believe there are the Static and Dynamic aspects of risks in an enterprise. Static I refer to established processes, etc. where the likelihood of harm must be addressed then the success of these processes, maybe it is the same as traditional approach. Dynamic relates to the business where every day the scenario changes hence the strategies must be addressed quickly to ensure success hence no formal documentation is required. Take the trade war between USA and China there seems to be no end to it and it’s in such a dynamic stage that the announcements differ daily. In this respect, Static aspects must be addressed meaning the backroom is in order, at least one frontier under control. Gary

    • Norman Marks
      November 10, 2019 at 6:38 AM

      Gary, why limit the information provided to decision-makers to harms? How can they weigh harms and benefits if only one side is presented analytically?

  2. November 10, 2019 at 9:19 AM

    Risk is defined as the ‘Effect of uncertainty on objectives’ (ISO31000). So, although we write about ‘taking risks’ (in English) it’s meaningless. We really mean ‘pursuing the achievement of an objective which has risks (which threaten the achievement) and opportunities (which benefit the achievement)’.
    Life in the animal kingdom is simpler; one objective is to survive and this is achieved by eating, which involves risks and benefits. Set the risk appetite too low, and the animal starves; set the risk appetite too high, and the animal is eaten. The most successful animals are those who set their risk appetite where the benefits are highest, which is usually just below the point at which they are likely to be eaten.
    Business isn’t much different….
    David Griffiths (www.internalaudit.biz)

    • Morgan
      November 11, 2019 at 10:18 AM

      ‘Taking risks’ is shorthand for all the activities including setting objectives, determining variance of uncertainty, applying controls to modify or move the uncertainty, so in that respect it is useful and a far better term than ‘acceptance.’ (Ugh, the problems I have had with that term…)

      Susan Cain’s book Quiet describes studies in which survival depends on a blend of adventurous and cautious animals within the same species since the variability of a food source is more dynamic than the inability of genetics to adjust to said source. While I enjoy your analogy, ‘successful animals are those who set their risk appetite…’ may not be an accurate reflection of how it works in the natural world. Cain’s advice might be: we should ensure a mix of risk averse and risk seeking among our group of advocates.

      I believe applying lessons of the natural world to decision-making is a good idea, since any decision is emotional, and not one of higher order intelligence. Ultimately all the thinking about risk only goes to reinforce or hinder an emotional response during the decision action (risk is more useful when it comes time to deploy the objectives and controls, explain and communicate, or to reflect on why decisions were made in retrospect. They are critical activities in aligning an organization to its risk-taking-achievement-seeking.)

  3. Ian Clegg
    November 15, 2019 at 1:38 AM

    “In fact, I have suggested many times that instead of talking about risk appetite as the amount of risk you are willing to take in pursuit of objectives (i.e., ignoring the reason to take risk, the potential upsides), we should redefine risk appetite (although I would prefer a different term) as the likelihood of achieving objectives that you would consider acceptable.”

    I really like the above. Also relates to how Alex Sidorenko connects strategy and risk: what assumptions underpin strategy? –> how reliable are they? –> how much uncertainty does this introduce into desired business outcomes? –> is this level of uncertainty acceptable?
