How do we fix risk management?

I want to commend Tim Leech for his passion, consistency, and his recent posts on LinkedIn.

His first post sets the stage for today’s discussion. He asked:

How did the world go so wrong interpreting what the term ‘risk management’ means?

I agree with most of his comments. Please read his first post before considering my following thoughts.

First, let’s consider why the regulators (in particular, the US Securities and Exchange Commission) want ‘risk’ discussed in corporate disclosures. Tim traces it back to 2008 and the financial crisis, but it is older. If you are familiar with the regulations, I suggest skipping to the next section of this post.

US Compliance Requirements

This is from a 2013 SEC Report on Review of Disclosure Requirements in Regulation S-K:

The requirement for disclosure of a summary of risk factors relating to an offering was first set forth in 1968 in Guide 6. Item 503(c) was added to Regulation S-K in 1982 as part of the adoption of the integrated disclosure system, combining the provisions of Guide 6 with the provisions of Guide 5 calling for disclosure of risks arising out of a lack of a trading market.

In 1995, this provision was amended to add a requirement that the risk factors section of a prospectus be captioned with the heading “Risk Factors” and that the section be presented following the summary. In 1998, in connection with the plain English disclosure amendments, this provision was revised to include guidance on presenting risk factors. In 2005, the Commission added risk factor disclosure requirements to annual reports and quarterly reports.

Item 105 of the SEC’s Regulation S-K requires that registrants “provide under the caption “Risk Factors” a discussion of the material factors that make an investment in the registrant or offering speculative or risky”.

The requirements in Regulation S-K were updated in 2020, but there was no change to the overall requirement that registrants disclose “the material factors that make an investment in the registrant or offering speculative or risky”.

The SEC has additional requirements for registrants in some but not all sectors. They seem to have focused on companies in the financial sector.

For example, in 2017 the SEC published Self-Regulatory Organizations; The Options Clearing Corporation (OCC); Notice of Filing of Proposed Rule Change Related to a Comprehensive Risk Management Framework. They said:

This [sic] purpose of the proposed rule change is to adopt a comprehensive Risk Management Framework Policy, which would describe OCC’s framework for comprehensive risk management, including OCC’s framework to identify, measure, monitor, and manage all risks faced by OCC in the provision of clearing, settlement and risk management services.

The SEC notice referenced rule changes in 2016[1]. The updated rules require that covered clearing agencies:

“[E]stablish, implement, maintain and enforce written policies and procedures reasonably designed to … [m]aintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which … [i]ncludes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, that are subject to review on a specified periodic basis and approved by the board of directors annually . . .”

In the SEC document, there is a sentence that makes clear the purpose of the regulations by the SEC: while the OCC requires “a sound framework for comprehensively managing risks”, they are primarily concerned with “potential clearing member default scenarios”. Those could be the result of either “financial exposures [or] service disruptions”.

Other US regulators are concerned with risk management, notably the Office of the Comptroller of the Currency[2] (a different OCC than above) and the Federal Reserve. The OCC regulates banks and is concerned broadly with “the safety and soundness of the national banking system” and specifically to “protect the national bank charter.” Deloitte has a good explanation of the OCC requirements here.

One of the OCC mandates is that the risk function is independent of management and provides the board with its own aggregation and assessment of risk. It seems to view the risk officer as being the sheriff in town to make sure the cowboys in management don’t threaten the health of the town and its citizens. However, when the risk practitioner sees him or herself as the sheriff instead of a partner to management, they will find themselves behind (less visible) bars.

In other parts of the world, the regulators have gone further in requiring an effective risk management activity, including it in their corporate governance framework. When I was with SAP, the company engaged EY to perform a mandated audit of their risk management activity.

Should we get the regulators to change?

There is nothing wrong, IMHO, with the regulators wanting current and potential investors to understand what might happen that would threaten the results or even the viability of the organization. (Although a list of risks without any indication of the likelihood of a severe effect, or of management’s ability to manage any threat, is of dubious value.)

Equally, there is nothing wrong with management and the board wanting a reliable process underlying their risk disclosure.

However, management and the board should require a risk management activity (whatever you call it, which I will come back to later) that not only manages the risk of failure (meeting any compliance requirement), but actively and significantly contributes to the achievement of enterprise success.

If risk management is to be accepted and valued for its contribution to success, it cannot be seen as the sheriff out to lasso the bad guys into acceptable behavior. Please see my post from last month, How to build credibility with management.

If I had the ability to influence the regulators, it would be to tone down their emphasis on positional independence and make it clear that management is responsible for the identification, assessment, and reporting of risks – with the assistance of the risk function. The latter should have the ability to escalate within the management team and then to the board, if absolutely necessary, any inappropriate cattle-taking (ok, risk-taking).

But let’s recognize that the regulators have a different focus and set of responsibilities than management, or rather that management and the board have interests that extend beyond those of the regulators.

What does the word ‘risk’ mean?

Tim makes a good point, that ISO 31000 and COSO ERM (at least in their executive summary) define risk as including not only bad things that might happen, but good things too (a.k.a. opportunities).

But, while this may be understood by (many but not most) risk practitioners, the general use of the four-letter ‘r’ word is limited to the downside.

  • Merriam Webster defines risk as:
    1: possibility of loss or injury
    2: someone or something that creates or suggests a hazard
    3a: the chance of loss or the perils to the subject matter of an insurance contract, also: the degree of probability of such loss
    b: a person or thing that is a specified hazard to an insurer
    c: an insurance hazard from a specified cause or source
    4: the chance that an investment (such as a stock or commodity) will lose value
  • MacMillan Dictionary:
    • to do something that makes it possible for something important or valuable to be destroyed, damaged, or lost
    • to be in a situation in which something unpleasant or dangerous could happen to you
    • to do something although you know that something bad could happen as a result
  • Investopedia: Risk is defined in financial terms as the chance that an outcome or investment’s actual gains will differ from an expected outcome or return. Risk includes the possibility of losing some or all of an original investment.

The great majority of businesspeople understand the ‘R’ word as relating to threats and their effects.

Do we get them to change, to learn the technobabble of the practitioner, or do we get practitioners to use better, common business language? Now I appreciate that in some companies, especially financial services organizations, practitioners believe that their management team “get it” – that ‘risk’ is not limited to the downside. But I wouldn’t rely on that myself. It’s easy to use common English rather than technical terms. See this.

Grant Purdy talks about the language issue in his book, Deciding, which I reviewed last year. He and his co-author, Roger Estall, allocated an entire chapter to its discussion. I think he summarizes their position well in a comment on my blog in January:

… no one can agree on what the ‘r’ word means – and it is used variously as a noun, verb and adjective – with none of the uses consistent.

In fact, the word ‘risk’ has become a nonsense as, of course are any compounds like ‘risk management’ that are based on it.

If I was facetious, I might suggest that it’s just too risky to use the word ‘risk’. But I wouldn’t say that, because that statement would mean nothing sensible at all.

As I have said many times in the past, I prefer to use the expression “what might happen” as it is easier to have a shared understanding of that and a constructive conversation with management using plain English.

How about ‘risk management’?

When did risk management start?

It predates the 2008 Great Recession that Tim mentions.

The second edition of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (which I recommend) has a chapter on a Brief History of Risk Management. Authors John Fraser and Felix Kloman trace the origins of risk management back hundreds of years. They identify several milestones, starting in 1914 with the formation of what later (in 2000) became the Risk Management Association.

The focus of all the early standards, books, etc. was on managing the downside. Grant Purdy, also in January in a blog comment, shares the history of risk registers (a list of risks that you manage or mitigate, recently renamed a risk profile by COSO):

Risk registers came into being during the 1970s. In the UK under successive editions of the Factories [Act] (including the 1961 version that I enforced) there was a requirement for a factory occupier to maintain a ‘general register’. This was a standard form that contained information such as when the walls were last painted, a list of lifting tackle, steam boilers and air receivers together, in some cases with a list of women whom the factory owner had “good reason to believe” were pregnant!

When the UK moved to ‘enabling legislation’ in 1974 and later adopted the European safety requirements, the general register was also used to list ‘hazards’.

In all cases, its purpose was to demonstrate that the factory occupier had thought about how his employees could be injured and also, their well-being. It was also supposed to help the Factories Inspector (of which I was one) do his or her job by giving them a ‘heads up’ what to look for on their inspection.

Of course, what was a list of hazards eventually morphed into a list of risks (because a lot of people could not tell the difference) and with the advent of spreadsheets (I first used VisiCalc) we could then play tunes on them by ascribing ratings, conducting arithmetic and sorting and ranking and even drawing graphs.

This was all well and good, but these registers were never intended to be used in any form of decision making and, as we now know, they have taken on a life of their own such that, for many organisations, ‘risk management’ (whatever that means – and I don’t know), merely involves the updating of this spreadsheet, normally on an annual basis.

Grant makes the excellent point that these lists of risks were not intended for use in decision-making.

The problem, as Tim reminds us, is that people seem to believe that the periodic review of a list of risks is not only sufficient to comply with any regulations but is all that risk management can and should be.

That belief is, IMHO, very wrong.

Should we stop using the ‘R’ word entirely?

There’s a good argument that using the ‘R’ word obstructs not only common understanding and constructive discussion of business problems but what we are trying to achieve with risk management.

Risk is not only seen as being about avoiding failure, but risk management is viewed by 80% of executives (according to all the surveys I have seen) as a compliance activity.

We need to recognize that regulators (and boards) require us to manage risk and to have effective risk management. They are using plain English, not ISO or practitioner technobabble. Much as we might be inclined to do so, we cannot ignore the reality that regulators, investors, and boards believe they want ‘risk management’ of the downside. They are not that interested in the upside; it’s not their remit.

Regulators are not likely to change their requirements any time soon.

Executives and board members might be persuaded to use other terms for risk management, but that takes time we simply don’t have.

Therefore, I will continue to use the term ‘risk management’, even though I have suggested that practitioners change the name of their function to Decision Support or similar.

I just have to explain what effective risk management is.

Similarly, asking directors and executives to learn ISO technobabble is misguided, IMHO. It is far easier to have practitioners use language their leaders will not only completely understand, but that lets them see how ‘risk management’ helps them individually, as well as the organization, be successful.

What I have done, and while this may annoy some on purist grounds, is accept the reality.

  • When I can, I use ‘what might happen’ instead of the four-letter ‘R’ word.
  • When I can’t, especially if I want to emphasize that what might happen could be either (usually both) good and bad, I talk about ‘risk and opportunities’. This is consistent with my favorite corporate governance framework, South Africa’s King IV.
  • I talk about ‘risk management’ but explain that it should refer to the ability to anticipate what might happen and then use that to enable the informed and intelligent decisions necessary to achieve objectives.
  • I explain that those informed and intelligent strategic and tactical decisions enable people to take the right level of the right risks, leading the organization to optimize the likelihood of achieving enterprise objectives.
  • If I can, I refer to ‘success management’ or even the simple idea of effective management. After all, that is what it is.

Tim’s second post sets out eight suggestions for change. I encourage you to read and consider them now.

My primary issue with his suggestions is his description of effective risk management. I dislike the idea of “an acceptable level of residual risk/uncertainty”; it is hard to understand, and I can’t see CEOs or board members readily accepting more technobabble. Don’t use a term you have to define, especially if it takes time and diagrams, when you can use plain English. Personally, I have little tolerance (pun intended) for the notion of residual risk.

He also talks about “certainty management”. But you can’t manage certainty; you can only reach a level of certainty. However, you can estimate the likelihood of something happening or not happening and the range of its potential effects.

I prefer to talk about ‘an acceptable likelihood’ that enterprise objectives will be achieved – and this is what I built my Risk Management for Success around.

Boards and executives set and then are measured (and compensated) on their ability to achieve objectives for the organization. They see, in my experience, the tremendous value in being able to:

(a) understand where they are relative to those objectives (from performance reporting),

(b) what might happen to affect their achievement (from ‘risk management’), and

(c) estimate the likelihood of getting there by the end of the period (the integration of both). They can then decide whether that likelihood is acceptable or not.

Tim has, as I said, eight suggestions to fix risk management.

Here are mine:

  1. Everybody should accept that there is a compliance requirement to manage the downside, but as Alexei Sidorenko suggests, this should be accomplished with the least number of resources. Obviously, that will depend on the specific regulations affecting each organization. Alex calls this Risk Management 1, or RM1.
  2. Everybody should also accept that there is more to effective risk management, whether you like my concepts, Tim’s, or somebody else’s. Each organization should work to determine what would work best for them if they are to be successful. Then they should strive to implement RM2: risk management that enables the informed and intelligent decisions necessary to achieve enterprise objectives.
  3. Those who have the ear of the regulators should ask them to refine their position on the independence of the chief risk officer, recognizing that behaving as the sheriff instead of a partner can alienate those trying to run the business for success. The CRO’s job should be to help management do the right thing, not catch them out and throw them in the hoosegow when they don’t. The regulators should also acknowledge that there is more to risk management than avoiding failure.
  4. Those responsible for the ISO and COSO standards should try to avoid the unnecessary and useless competition between them. Converge around new or updated guidance that:
    1. Uses plain English and avoids technobabble. Include board members, CEOs, and other executives in the guidance process to ensure that it will not only be clear and understood, but that leaders of the enterprise will see how it will help them and their organizations succeed.
    2. Explains clearly that events and situations almost always have multiple potential effects, or ranges of potential effects, some of which are advantageous and others are harmful.
    3. Drives risk management top down, pointing out that we are concerned with risk to objectives. Explains how objective and strategy-setting depend on an understanding of what might happen; risks are not only defined after strategies and objectives are established.
    4. Not only explains risk identification, assessment, and evaluation, but how to see the big picture – evaluating all the things that might happen, weighing the pros and cons to enable effective decision-making. They should help demolish risk silos.
    5. Clarifies the role of risk management in enabling informed and intelligent decisions.
    6. Defines effective risk management as contributing to the success of the enterprise, preferably as I have described it.
  5. The bodies responsible for corporate governance frameworks should similarly be persuaded to adapt their guidance.
  6. Each of the practitioner organizations (such as RIMS, IRM, RMA, PRMIA, IIA, ISACA, etc.) should be persuaded to bring their standards and guidance in line.
  7. The IIA in particular should, as Tim says, require internal audit teams to assess and report on the effectiveness of risk management at their organization. However, my recommendation is to assess whether it ‘meets the needs of the organization’. In other words, understand what is needed, by whom and when, so that the informed and intelligent decisions necessary for success (achieving objectives) are made. That would include risk disclosures.
  8. Board members, hopefully with the guidance of national Institutes of Directors (such as the NACD in the US), should press the CEO to report personally to the board on the effectiveness of risk management and decision-making.
  9. Everybody reading this post should share it, even if they don’t fully agree, so that we can all have a constructive discussion about the effectiveness of risk management.
  10. Finally, the consulting firms and those conducting research should modify their focus to how organizations can be successful as a result of effective risk management (anticipating what might happen). Stop promoting products and services that continue practices like heat maps, especially when isolated from what the organization is trying to achieve. The ERM Institute should define what it means by effective risk management, hopefully on the lines of what I have suggested, and only then survey organizations and their practices.

This is one of the longest posts I have written. I hope it is of interest and ask that you share your thoughts and comments.

[1] Rule 17Ad-22 and Rule 17Ab2-2 pursuant to Section 17A of the Securities Exchange Act of 1934 and the Payment, Clearing and Settlement Supervision Act of 2010

[2] The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federally licensed branches and agencies of foreign banks in the United States

  1. August 5, 2021 at 9:51 AM

    Norman, I don’t think your comment 7 above on the IIA goes far enough. There is a need for a complete re-think of the definition, mission statement, principles and standards to make them consistent with modern auditing methodology. I have proposed this in comments sent to the IIA Foundation as an addition to their survey.

  2. Samuel Temitope Apanisile
    August 5, 2021 at 10:37 AM

    You’re so right about “anticipating what might happen”.

    However, it should come from being aware of what is happening, what seems to be happening and what is really happening in a quantitative way.

    I would also add that the classical probability-based risk management is weak in helping us gain requisite perspective of what is happening, what seems to be happening and what might happen to help us shape behaviour and inform decisions that are ready for uncertain tomorrow.

  3. August 5, 2021 at 11:29 AM

    I think I would take a slightly more subtle approach:
    – massive claims against big4 consultants for pushing pseudoscience and RM1
    – multimillion dollar claims against ISO and ban on operations for COSO, ban on any risk advisory for PwC for 5 years specifically for deceiving the COSO committee
    – loss of licenses for national risk management associations and refund of membership fees collected over the last X years
    – etc

    You know the mild steps :))

  4. August 5, 2021 at 5:25 PM

    Norman, Really excellent piece
    A lot in it but to me the key point is
    “Drives risk management top down, pointing out that we are concerned with risk to objectives. Explains how objective and strategy-setting depend on an understanding of what might happen; risks are not only defined after strategies and objectives are established.”
    [But WHILE strategies and objectives are being established]

    Of course, every ‘discipline’ has techno babble but that is not the issue. The underlying issue is the difficulty of communicating the concept of risk, since it is an evolutionary fact that people don’t like ‘risk’ and they run (flee) from it.

    Personally I would like to talk about Reality (another r) management because, however defined, risk is ‘real’ and we cannot change reality but we can manage OUR response to reality. [But it is really not going to happen]

    I am always amused when people fixate about ‘risk maps’ (which I agree are terrible).
    But just look at almost every book on strategy development – full of 2*2 or 3*3 matrices, in fact some of them are famous.
    People love simplification, the problem comes when people believe the simplification IS reality.

    Making a complex topic simple takes genius

    • Norman Marks
      August 5, 2021 at 5:40 PM

      Thanks

  5. August 6, 2021 at 5:50 AM

    Norman – yes we need folks (such as yourself) to put in some counter-arguments to the current tick the box and overly complex approaches we can see.. Specifically:
    1. Agree that Risk management is unlikely to be a term we get rid of anytime soon: others should be prepared to let this issue lie for the moment .. This includes the notion of pushing “certainty management” – the notion of “reasonable assurance” already tries to cover this base ..
    2. Agree regulators mostly focus on negative aspects of risk – agree its unlikely to change soon but I think this may change over time as they realise that failing to meet objectives and exploit opportunities can be sometimes priced into valuations .. So the upside can matter ..
    3. Agree we have a fragmented approach at present with a lot of people / groups / consultants vested in promoting their own (often complex) approach arguably to promote their own business interests
    Convergence is interesting but could kill innovation and creativity in risk management, which would not be good .. BUT I agree we ought to have more shared principles / good practices between key parties – also there should be more explicit discussion of what differences in approach exist between different bodies and when this might be merited..
    4. Complex risk management techniques may be useful in certain circumstances but – as a rule – I agree an overly complex approach to risk can simply switch management off – it can also give risk managers a false sense of superiority, talking down to /selling to managers, rather than flexing what is needed ..
    5. More than anything we should be looking to try to MEASURE what risk management techniques work and what the limits are to where they do/don’t work .. there isn’t enough discussion of this, although I recognise gathering evidence would be hard ..
    This links to the comment that those pushing certain techniques should be asked for evidence that these techniques work and be – potentially – liable to clients for promoting techniques that don’t yield good results ..
    Regards

    • Norman Marks
      August 6, 2021 at 7:05 AM

      Well said

  6. John J Brown
    August 6, 2021 at 8:40 AM

    Norman, fantastic piece of writing! So much is problematic in the way risk management is “practiced” today — yet so much good could be achieved if we look at this as “uncertainty” management. I would add a dose of “how we perceive risks” to the mix — that perception is based on multiple internal and external factors and is highly variable over time (both near-term and long-term).

  7. August 19, 2021 at 6:13 AM

    Norman makes some great observations here and it is worth getting through the first half to the part that makes you challenge your paradigms around risk management
