Misunderstanding what is effective risk management
I want to commend Tim Leech for his persistence in pointing out how few organizations understand, let alone practice, effective risk management.
In his latest post Tim reviews an EY publication, The Board Imperative: Is now the time to reframe. He comments:
New EY survey reports 84% of board directors don’t think companies they oversee have highly effective risk management….. EY has identified a big performance gap and a huge opportunity, but, in my view, not how to fix the problem/the way forward.
I agree.
But I have a somewhat different view from Tim (which may be more language than anything else).
Here are some good points made by EY:
- A new survey of board members reveals that decisive action is required to optimize risk oversight and seize new strategic opportunities.
- In the current uncertain environment, risk management has become essential to strengthen resilience and create sustainable value.
- Boards have an opportunity to reframe their organization’s approach to risk management, but first they need to reconsider how the board itself thinks and acts.
- Enhanced risk management has become a top priority for boards: 79% believe that improved risk management will be critical in enabling their organizations to protect and build value in the next five years. CEOs share this view. When asked which areas of the enterprise they expect will change most in the next three years, they ranked risk management first.
- …boards [sic] members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
- “Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”
The problem I have with the EY perspective is that despite these comments they are still focused on managing or mitigating harms, and harms alone. They end the article with:
As the risk landscape around their organizations becomes more and more complex, board members need to ensure that their organizations are doing all they can to effectively identify, mitigate, manage and even predict new threats. That means getting proactive.
While it is clearly necessary to address potential harms, there has to be a balancing between the possibilities for harm and those for reward. Risk management should ensure people have the necessary information to make the informed and intelligent decisions necessary for success, knowing which risks and opportunities to take if they are to achieve their business objectives.
That requires that comparable information be available for both upside and downside effects of what might happen (which some refer to as uncertainty and others as ‘risk’).
Unfortunately, EY’s criteria for effective risk management don’t do this. So we have to consider their numbers on high performers overly optimistic.
To repeat two salient points from EY’s own publication:
- …boards [sic] members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
- “Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”
What do you think? I welcome your comments.
Norman, looking at the first of the two salient points above, aren’t the board ultimately responsible for risk, and opportunity, management? The second point seems to reinforce this.
So shouldn’t boards be telling their management what the board, and business, requires?
Yes, David – if the members understand what effective risk management is – and they have been led to believe it is about avoiding harm.
Richard – I appreciate your thoughts and fundamentally agree with what you’re saying. I concur that many firms exhibit fundamental inconsistencies in their approach to risk. I will also say that much of what many large consulting firms have to say about risk management is so fundamentally flawed that it’s difficult to address individual misstatements that logically flow from those flaws. Just to pick one – “risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.” I think it’s troubling to complain that risk and compliance teams need to better drive growth. Have they bled all authority from their product managers? Their marketing groups? Their sales executives? If an organization has ceded fundamental mission responsibility to risk and compliance groups, that’s a strategic problem. Risk, compliance and other mitigation groups exist to help managers consider better-informed strategies, not to dominate strategy.
“84% of board directors don’t think companies they oversee have highly effective risk management…”, what are these board members doing about it, aren’t they the ones in charge that can drive the change?
Would be interesting to know what the risk management teams think about how boards perceive risk management. I doubt they see evidence of boards pushing for major changes in the risk management domain.
The article shows a graph “Leading companies have effective risk management across a range of activities”. I would not be surprised if the companies claiming to be leading in certain activities can’t provide evidence or measurements to substantiate why they believe they are leading.
These surveys mainly reflect perception but draw conclusions that largely are just a nice story.
“Increasingly, it is critical to consider a longer time horizon when assessing strategy and risk – ideally more than five years.” This conclusion clashes with what we are learning now, namely that we live in a VUCA world and long time strategic thinking is becoming less valuable.
I was about to post something similar to Osama. The survey results are similar to prior years. I would like the survey to ask those who are dissatisfied what are they doing about it. What specifically is missing? How have they communicated their concerns?
Having made these comments, I also believe the expectations placed on board members are unrealistic. The last study that I could find indicated outside board members spend around 30 days in a year on their board duties. So much has been added to their plate in the last 10-20 years.
Survey is confirming what we already know and have heard before. The current set of risk management practices being applied broadly are limited in the overall value they can provide and need to be updated to deal with the current dynamic business environment. The survey indicates Boards want risk management more balanced to growth vs downside. It would be even more interesting to know what Boards want out of their risk management functions in supporting their role in the current environment. Aside from supporting the Boards, risk management needs to serve management and operational needs.
Thanks for this Norman. “Those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth”. I am 100% aligned with your views on how risk management should be applied i.e. “Risk management should ensure people have the necessary information to make the informed and intelligent decisions necessary for success, knowing which risks and opportunities to take if they are to achieve their business objectives”.
I however had a discussion yesterday with someone who suggested a segregated approach in respect of downside and upside. The stance taken was that businesses in high hazard environments e.g. mining, should avoid blurring the focus on critical downsides such as material safety/environmental/production consequence risks. The suggestion to address this was to keep ‘risk management’ as a managing downside initiative. Upsides could then be considered as part of the business planning process, with initiatives and monitoring strategies built into the performance management process. (I do acknowledge that this is still risk management). I can see that this has obvious potential flaws in terms of integration, but is an interesting concept. It does also raise the question about whether the risk management methods/activities applied to downside and upside categories should be different. Your thoughts?
Ian, thanks for the question.
If we want to eliminate safety risk, we need to exit the business.
If we want to know whether we should expand or limit production, we need to see the big picture.
If we want to know how much to invest in safety, we need to see the big picture.
Your friend is assuming that the rewards justify continued operation and resources are unlimited.
When I was with Tosco Corporation, they decided to sell a profitable refinery because the rewards did not justify keeping it. They saw the big picture.