Home > Risk > Dynamic Risk Management for Uncertain Times

Dynamic Risk Management for Uncertain Times

December 5, 2020 Leave a comment Go to comments

I always find articles by McKinsey worth reading – and I strongly recommend subscribing.

One that merits our attention is Managing the Future: Dynamic Risk Management for Uncertain Times.

It has one major flaw that I will mention and then we will look past: it imagines risk management as something you do to avoid failure rather than achieve success. It only considers downside risks and ignores upside opportunities. It certainly doesn’t help you determine which risks to take!

The minor flaw is that all times are uncertain!

Having said that, here are some interesting comments from the paper:

  • The digital revolution has increased the availability of data, degree of connectivity, and speed at which decisions are made. Those changes offer transformational promise but also come with the potential for large-scale failure and security breaches, together with a rapid cascading of consequences. At the same time, fueled by digital connectivity and social media, reputational damage can spark and spread quickly.

Comment: let’s not downplay the enormous upside, not only in detecting and addressing ‘risk’ but in upgrading processes and identifying and seizing opportunities.

Comment: the point about the speed of decision-making is very important. Information about what might happen (a) must be rapidly available, and (b) perfection can be the enemy of success. Periodic assessments are clearly unlikely to be sufficient when the situation is changing fast.

  • Stakeholder expectations for corporate behavior are higher than ever. Firms are expected to act lawfully but also with a sense of social responsibility. Consumers expect companies to take a stand on social issues, such as those fueling the #MeToo and Black Lives Matter movements. Employees are increasingly vocal about company policies and actions. Regulator and government attention is reflecting societal concerns in areas ranging from data privacy to climate.

Comment: this is very true and organizations should look into semantic analytics and other tools to address it. This can actually be turned to advantage!

  • Companies require dynamic and flexible risk management to navigate an unpredictable future in which change comes quickly. The level of risk-management maturity varies across industries and across companies. In general, banks have the most mature approach, followed by companies in industries in which safety is paramount, including oil and gas, advanced manufacturing, and pharmaceuticals. However, we believe that nearly all organizations need to refresh and strengthen their approach to risk management to be better prepared for the next normal.

Comment: very few indeed have what I would call mature systems of risk management. Some believe they do, but even those are scarce according to studies by the ERM Institute and others.

Comment: there needs to be a constant questioning of risk management processes to confirm that they continue to meet the needs of decision-makers.

Comment: can we please change from managing risk to managing the likelihood of success?

  • Institutions need both to predict new threats and to detect changes in existing ones. Today, many companies maintain a static and formulaic view of risks, with limited linkages to business decision making.

Comment: this last part is especially true and the article really doesn’t help with constructive suggestions. (It’s a major aspect of my new book.)

Comment: there is talk about objective-based risk management; how about decision-based risk management?

  • Some risks are slow moving, while others can change and escalate rapidly.

Comment: true and risk-related processes have to operate at the speed of risk – and the speed of decision-making.

  • Traditional risk-identification approaches based on ex post facto reviews and assessments will not suffice.

Comment: they have never been sufficient to inform decisions and enable success.

  • Companies need a systematic way to decide which risks to take and which to avoid. Today, many institutions think about their appetite for risk in purely static, financial terms. They can fall into the simultaneous traps of being both inflexible and imprudent. For example, companies that do not take sufficient risk in innovating can lose out to more nimble competitors.

Comment: I love their use of the idea that you need to take risks; so much more savvy and appropriate than accepting risks.

Comment: as with many suggestions from consultants and even risk frameworks and standards, there is little help here in determining which risks to take given the reward and the need to achieve objectives. It’s more than when the reward exceeds the risk. Factors like ROI and how the likelihood of achieving objectives need to be considered.

  • In the next normal, however, institutions will need to make risk decisions rapidly and flexibly, laying out and executing responses, whether immediate or prolonged, about how to avoid, control, or accept each risk.

Comment: having switched to taking risks, now the authors turn back to the passive act of accepting risks. When you start laying in the idea of seizing opportunities you start to align with the reality of business decision-making.

  • Today, the art of the possible in defending against adverse outcomes is rapidly evolving. Automated control systems are built into processes and detect anomalies in real time. Behavioral nudges influence people to act in the right ways. Controls guided by advanced analytics simultaneously guard against risks and minimize false-positive results.

Comment: they also help identify and seize opportunities.

  • Companies should maintain and periodically update detailed crisis playbooks. Their strategies should include details on when and how to escalate issues, preselected crisis-leadership teams, resource plans, and road maps for communications and broader stakeholder stabilization.

Comment: I agree, but let’s also make sure that the organization is agile and flexible enough to take advantage of opportunities.

  • Today, many firms see enterprise risk management as a dreary necessity but hardly a source of dynamism or competitive advantage. It can suffer from being static, siloed, and separate from the business.

Comment: what do you expect when you only review a list of risks instead of talk about how to achieve success?

  • To meet the needs of the future, companies need to elevate risk management from mere prevention and mitigation to dynamic strategic enablement and value creation.

Comment: Finally!

  • Companies can embrace the digital revolution to improve risk management.

Comment: true.

  • …we believe companies need to rethink their approach to risk management, to make it a dynamic source of competitive advantage.

Comment: transform it from something you have to do to something you want to do – somewhat of a theme in my book.

What do you think?

  1. Roger Estall
    December 5, 2020 at 4:41 PM

    “Comment: can we please change from managing risk to managing the likelihood of success?”
    My comment: Actually, the activity is just called ‘managing’ which has an ordinary meaning and involves making and monitoring decisions in order to make best use of opportunities to advance the organisation’s purpose …. nothing else. The outcomes of decisions – once implemented – are more likely to be those desired if one follows the advice in Grant Purdy’s and my recent book “Deciding” (which you kindly reviewed in an earlier blog). Aside from the inconvenient fact (as illustrated here by both McKinsey and your responses to their comments): the word ‘risk” has no consistent meaning. Decision-making, therefore, is nothing to do with ‘taking’ or ‘accepting’ risks (refer https//sufficientcertainty.com). As we explain in one of the appendices of our book, trying to insert a belief system based wholly on a word which, although widely used, has no agreed or consistent meaning is to simply assume a millstone which impedes rather than helps decision-making.

    “Comment: I love their use of the idea that you need to take risks; much more savvy and appropriate than accepting risks.”
    My comment: Actually, neither expression means anything (see above). All one can do is make decisions – each decision will have the potential to deliver different outcomes (both desirable and undesirable). The challenge is to understand what influences which outcome is most likely to occur, and adjust the decision so that there is sufficient certainty that the actual outcome will be as intended rather than something less desirable.
    Kind regards

    • Norman Marks
      December 5, 2020 at 5:20 PM

      Thank you for your comment, and I can see you are very consistent each time you write.

      I do not agree with your assertion that people have no idea what “taking risk” means.

      But that won’t surprise you.

      Be safe – may all your decisions be informed and intelligent

      • Roger Estall
        December 7, 2020 at 3:28 AM

        But Norman….here’s the conundrum. You’ve long acknowledged in these columns ….many times….. (and understandably so) that there is no agreement about what the word ‘risk’ means.
        So, that being so (and there is an enormous amount of evidence beyond your and my views to demonstrate this …..think of ISO’s suite of 20,000 or so standards using the label ‘risk’ for 40+ different meanings) it is axiomatic, surely, that there is not, and cannot be, any shared idea as to what ‘risk taking’ means.
        I mean, examined forensically, even this article and several of your responses (both in support and in disagreement) demonstrates this to be so.

  2. December 6, 2020 at 3:47 AM

    Why does life have to so complex?
    *Organisations need to achieve their objectives.
    * The achievement of objectives is benefitted by opportunities and threatened by risks.
    *Decisions are required which balance the benefits against the risks.
    *The best decisions are made by constantly monitoring relevant information from within the organisation, competitors and external events in order to predict outcomes.
    *Decisions are translated into actions, the progress of which are monitored.

    • Norman Marks
      December 7, 2020 at 7:09 AM

      Roger, I realize there will be no persuading you. But for those who are confused by your comments, there are really only two interpretations of the word “risk”. One (the common English parlance version) relates to something bad happening. The other (the ISO 31000 variation) includes both positive and negative potential effects under the umbrella of “risk”

      So, everybody (including you and Grant) knows what “taking a risk means”. It means accepting the possibility of something going wrong – but in a more active sense than the passive “accepting a risk’ implies.

      You and Grant have suggested simply discarding any notion or practice of risk management. I think that is neither wise nor practical. There are compliance requirements, of course, but it is quite possible (as I explain in my book) to transform risk management so that it goes beyond compliance to helping the organization achieve success.

  3. December 7, 2020 at 2:58 AM

    Norman. I read the McKinsey article, and we must be of the same mind. I could not possibly agree more with you.

    The caveat/hardship to overcome is the part about affecting decision making. Many executives believe they are excellent and swift decision makers – based on their gut feeling and the (subsequent) efforts of their teams to implement their decisions successfully. I am sure some of these are correct, but also that most are not.

    We need humble executives who embrace the opportunity to improve the way they define and make decisions – but humble and executive is a rare combination. As risk managers we need to “sell” the idea of enhancing decision processes – first with the systematic reporting on “likelihood of meeting targets”.

  1. December 8, 2020 at 12:50 AM
  2. December 8, 2020 at 6:44 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: