Should we abandon risk assessment, risk management, and risk appetite?
Many perform a periodic risk assessment and come up with what they consider to be the ‘level’ of a risk.
The traditional approach is to share that in a list of risks with management and perhaps the board to see whether it is acceptable (within some limit, threshold, or so-called risk appetite) and determine what to do about the risk: accept, manage, or mitigate.
Carol Williams describes this approach in an older article on her website, 4 risk response strategies you will have to consider after assessing risks. (I thank her for referencing one of my books in it.) Perhaps Carol will share with us whether she continues to believe these four risk responses, which are traditional and recommended in most frameworks and guides, remain appropriate. I suspect she has moved on.
The four traditional responses are:
- Avoid
- Reduce
- Transfer
- Accept
Her article recognizes the need for continuing monitoring to ensure that responses change should the risks and business conditions change.
XX
More and more people are recognizing that managing or mitigating a list of risks is not effective, nor of much value beyond compliance: doing what is required by the regulators rather than what is needed by the business.
XX
Let’s imagine that I am the new Minister of Defense and Q, the risk manager in the weapons development function, rushes into my office.
He tells me that we have a serious problem!
“We just updated our risk assessment and I found out that Troop A is going to deploy one of our latest night vision devices in the field for an operation 105 miles into hostile territory. We can’t afford the risk that our new technology falls into enemy hands! The risk appetite statement approved by the Defense Risk Committee prohibits it.”
Even though I am new in the position, I am very aware that the device is leading edge and could be used against us by terrorists if it fell into their hands.
I also know that the plan is to attach a gizmo so that the device can be destroyed remotely should be it be lost or captured.
Q tells me that Troop A isn’t waiting for the gizmo, still in final trials, to be attached.
They are recklessly taking it out without that precaution!
I give him a cough drop and get him to calm down, then call in the head of Operations, M.
XX
M tells me that she is very aware of Q’s concerns.
They were considered as part of their robust decision-making process.
Her team used scenario planning (see this article for a discussion of its value) to think through all the things that might happen under every reasonable option.
My response to Q’s risk assessment is to:
- Understand the context. I am not interested in ‘managing risk’ for its own sake. I am interested in making the right decision for our national security, considering both short and longer-term interests and goals.
- Understand what M is trying to achieve. After all, it is ‘risks to objectives’ that should be taken or managed.
She tells me that there is an opportunity, if a quick strike is made, to capture the top leader of a terrorist organization that has been responsible for the deaths of many of our people. The terrorists are also making it very different for the local government, a strategic ally, to function.
The strike would in addition capture important information about the terrorists’ plans, network, and capabilities.
This is in line with our overall strategic goals in fighting terrorism overseas and limiting their capability to attack us at home.
- Confirm that all the risks and opportunities were considered and assessed using a reliable process, enabling the decision-makers to see the big picture and weigh all the pros and cons.
- Have M explain what options were considered and why the team believed that the benefits of using the device outweigh the risks.
- Challenge her.
- See if we should wait for the gizmo to be attached; what would we give up, in terms of value to our objectives, by waiting? How would the likelihood of capturing the terrorist be changed?
- What would happen if we do not use the device? Would it increase other risks, such as the risk of loss of our personnel? Would it reduce the level of opportunity and the likelihood of mission success?
- Ask whether the value could be further increased to justify, if it is a close decision, taking the risk of losing the device? How could the mission be changed to increase the likelihood of capturing the leader without killing him, so we can interrogate him?
- See if using more devices (!) and deploying a larger team would improve the equation. Perhaps it would increase some risks, such as loss of the device and/or personnel, but reduce others and perhaps increase the likelihood of achieving the mission goals.
- Confirm that the decision was made using reliable, current information.
- Verify that the right people were involved and that they were neither overly risk averse nor embracing. (Was 007 involved?)
- Question whether the decision was unanimous; if not, who objected and why?
- Given that the risk seems to be high, decide whether I need to personally get involved to confirm M’s decisions – or even escalate it to the President, herself.
XX
The potential responses to this or any other risk assessment are not the four traditional ones. To start with, you usually cannot transfer a risk, you can only share it.
Before deciding on ‘risk treatment’:
- Understand the context: the nature of the problem and what we are trying to achieve.
- Determine how long we have to make the decision – considering the prima facie level of the risk and/or opportunity.
- Involve others as needed, perhaps escalating to more senior management, to make the best decision.
- Obtain all necessary information (given time constraints).
- Determine whether, looking at the big picture, the situation and plans are acceptable.
- Understand the options, which may include modifying one or more risks, one or more opportunities.
Then, and only then, decide what to do. That may involve, for each individual or combination of risks and opportunities:
- Avoiding one or more risks – but with full knowledge of what you are giving up
- Taking one or more risks – with full awareness of the risk
- Reduce the range of impacts or one or more risks and/or their likelihoods
- Increase the level of risk being taken!
- Increase the level of opportunity.
- Share one or more risks, such as with insurance.
- Change the objective(s)!!
- Change the strategy!
- Defer the decision and monitor for change.
Rather than ‘assessing’ and ‘managing’ one risk at a time, you are managing for success.
Both risks and opportunities need to be ‘assessed’ in a way that lets the decision-maker see the big picture, weighing all the things that might happen.
Rather than making a decision based on the notion of a risk appetite, make it based on the likelihood of success. Is the likelihood of success acceptable, given both risks and opportunities?
XX
This is what I consider ‘effective risk management’.
I can understand why people like Grant Purdy believe we should stop talking about risk management because the focus should be on decision-making. (That is my understanding of his position, although he and others talk about the fact that there is no common understanding of what risk and risk management actually mean.)
I believe we should focus on success management – which is possible only if we can make informed and intelligent decisions.
But the regulators insist that we have risk management, so I am not discarding the term.
Instead, we should make risk management work for us – as discussed here and in Risk Management for Success.
XX
How would you tackle the situation with Q, M, and the rest?
How can and should we change risk management?
I welcome your thoughts.
XX
PS: the way for internal audit to assess risk management is to determine whether it meets the current and future needs of the organization. Does it help leaders and those running the organization every day make the informed and intelligent decisions necessary for success? My book includes a maturity model that may help.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman, I don’t disagree with what you have said but would point out that ‘traditional risk management’ identified the problem at the start: “We just updated our risk assessment and I found out that Troop A is going to deploy one of our latest night vision devices in the field for an operation 105 miles into hostile territory”
This is why I believe risk assessment in an organisation is essential, in that management have actually thought through the opportunities and risks impacting their objectives. However, as you point out, when the circumstances predicted by the assessment occur, decisions which balance opportunities and risks are required.
I would certainly agree that you cannot transfer risks. That’s one of misconceptions surrounding outsourcing.
David, is that the problem? Or is it that a terrorist is alive and planning more attacks?
It’s not the problem, but I would hope that the operation is a response to a previously identified risk of more attacks. In your example, it looks like the decision to mount the operation wasn’t properly considered in the first place.
I would hope that the scenario would be:
Objective: Assist the local government to function
Opportunity: Capture local terrorist leader
Responses: Gather information. Mount an operation to capture when possible.
When the opportunity arises (or the risk threatens):
Decision: best way to mount the operation, including new technology?
Ideally most of the factors involved in making the decision should have been discussed when the opportunity was identified, including prior approval for the use of new technology. Thus the operation could be mounted quickly.
Your example clearly indicates that any risk assessment does not finish with a list but with responses to the opportunities/risks, which will involve complex decisions.
So let’s say that we hold back use of the swifty-nifty device until the fail-safe attachment is available to assure that ‘it will never fall into the hands of the enemy’. Except for one problem that we discover in the mission: the enemy’s sponsor, more technically accomplished than the specific adversary of immediate interest, has hacked our network, knows our plans, has hacked the remote destruct technology during its development, and instead of capturing the device, hacks the battle team network and blows up the headsets and the team remotely. Did the geniuses at DOD noodle that one?
Let’s take it closer to reality. Stuxnet was supposed to be a surgical strike against the Iranian centrifuges. Supposed to be. Highly successful. But not immune from the kind of threat envisioned in Norman’s scenario. Except it got out of the cage and into the wild. The damage done was not hypothetical, or inconsequential to the many organizations affected.
Exhibit 2: Zumwalt class destroyers. We traded a $23 billion program to produce 23 conventional class destroyers for 3 Zumwalts at the same price. Great risk management, concentrate your assets, escalate your risk. But it gets worse. The Navy dropped the first Z in the water at about the same time it revealed that it couldn’t afford the GPS guided munitions for the Z’s two big guns, enabling it to shell targets from beyond the reach of today’s on-shore munitions. Each round would cost $800,000 a pop. $23 billioin spent; mission NOT accomplished.
The reason I cite these two examples from our national defense establishment is that these folks deal with deadly risks, not merely risks of product failure or being co-opted in their market. It’s life-and-death. And yet, in some of the most fundamental areas of risk management diligence, like information security, our most risk sensitive institutions appear amazingly inept, all too often, at the science of risk assessment and management in its most fundamental aspects. Do we really think that the corporate community is any better than our national security establishment, taken as a whole? Anyone who follows the news appreciates that I have posed a rhetorical question.
My point is that we have entertained the conceit of ‘managing risk’ well beyond our professional competence at doing so. The best we can do is to manage known risks. But the ones that will most likely kill us are the unknown risks that are evolving in parallel to our actions, but as yet unknown to us. How can we deal with the unknown? The answer goes back to Norman’s reference about concentrating on what are the objectives for the enterprise’s success.
But here too, there is a problem. All too often, organizations have ill defined objectives. This is provable by translating those objectives into concrete definition of performance standard by which their attainment can be measured and confirmed, or which can trigger flares indicating deviation from plan and ‘a possible disturbance in The Force’.
Weak objectives? Weak performance standards.
Weak performance standards? Weak tools for detecting the unknown risks that might sink your Zumwalt.
Mark, I fully agree . We should not manage risk, but manage performance and focus on improving the likelihood of being success. This, in my view, means the notion of risk appetite changes, but not that it is abandoned.
In you case:
– What is the likehood that Team A’s mission will be successful without the new technology and is that acceptable
– What is the likelihood Team A’s mission will be a disaster (e.g. costing team members lives, terrorist theft of new technology, …) and is that acceptable.
The very second you address (politically, managerial or otherwise) whether or not some likelihood of success/failure is acceptable, you have de facto used a risk appetite. You can do this “on the fly” with all the human biases that entails, or you can do this based on prudent and discussed decisions.
I firmly agree with you that effective risk management is not about managing risks, but about intelligent risk taking focusing on optimizing performance.
Norman, I hope this discussion is over semantics and not risk management philosophy.
To espouse not using the terms which describe “risk appetite” and “risk tolerance” of the Board of Directors’/Owner’s risk management oversight is counterproductive at best and destructive at worse. There isn’t an organization/owner in the world that tells any part of their organization to “just do whatever you want.” The Board/Owner sets the parameters of operations in all areas of the organization. You want to call these directives in regards to risk management risk boxes or risk parameters, okay. However, to those who practice enterprise risk management, this box/parameter for us is defined by risk appetite and risk tolerance. One cannot begin to design and implement an enterprise risk management program without knowing the Board set boundaries.
FYI, the Federal Reserve uses risk appetite in the first attribute of their recently released guidance on board effectiveness for banks (SR 21-3). The title of that section is “ Set Clear, Aligned, and Consistent Direction Regarding the Firm’s Strategy and Risk Appetite.”
How does one discuss organizational risk, much less provide a strategic opinion, without knowing the risks and the interplay between organizational risks and the investigative subject? Some “risk experts” think that when asked for such a risk opinion, targeted risk identification and assessments can be immediately performed. This position is incomprehensible as, generally, the risk manager will have only 24 to 48 hours to deliver their opinion. There is no way these deadlines can be met without having updated risk identification and measurement at hand.
I agree that an agreed set of risk definitions is needed, but that day is far away since some have a hard time defining risk management, much less enterprise risk management.
Gary, this response merits a discussion. Cn we do that? I’m not sure we are in agreement; my position is that risk appetite should be flexible given potential rewards.
What is the metric for ‘risk appetite’. I have always thought this was a ludicrous term.
If we accept the premise that risk is a portion of what we know and can quantify statistically to some degree, plus a portion of what we do not know and are exposed to, how much of the metric is cognitive, and how much is just ‘bat s–t crazy balls-to-the-wind’ to put it crudely but to the point. There are too many corporate gunslingers who cling to the adrenaline rush of ‘bat s– t crazy’, and too many E suite numb-nuts who think ‘risk appetite’ is sexy and daring without a clue of what they’re buying into until they’re scorched, (Crypto, anyone?) Should risk professionals be dignifying this term and pretending that it is scalable?
Just askin’
Norman, to go back to your original question, ‘Should we abandon risk assessment, risk management, and risk appetite?’ My answer would be ‘No’.
If an organisation; specifies its objectives; identifies the opportunities and risks impacting them; scores them; applies a ‘risk appetite’ to highlight the most significant; implements processes to bring them to acceptable levels then it will understand much more about its business at the end of the exercise.
The danger is that this process is considered unnecessary, to be done once and then forgotten, instead of a continuous process which highlights decisions which should be made to anticipate and deal with opportunities and risks when they arise. Covid is an excellent example; risk assessments had been done on pandemics but no decisions were made to put in place necessary controls such as PPE, research into the effectiveness of masks and policies on school and university closures.
Risk assessment, risk management, and risk appetite are crude tools, useful for the first cut, but we shouldn’t treat them as anything else.
Great question Norman! Yes, my perspective has certainly changed since the article was written. An update to this piece is currently in the works where I plan on addressing some of the things you mention. Thank you!