- Background
Private and public companies, financial institutions, individuals and even states are living in a risky world. This makes risk management an important and responsible function in every organization. However, is risk management also a “risky” task? Are there factors and shortcomings which may affect our work and our ability to provide a reasonable assurance to our Boards, stakeholders, owners and management? Can we, risk managers, mislead our organizations? Can we ignore or underestimate our risks?
2. What is expected from us?
FERMAs (Federation of European Risk Management Associations) last benchmarking survey from 2012 shows that risk management objectives for companies’ top management are unchanged compared to 2010.[1] Traditional objectives remain on the top of the list: provide a reasonable assurance that major risks are identified, prioritized, managed and monitored (76%) and minimize operational surprises and losses (63%). However, several factors may affect our efforts to meet these expectations. It is important that we also identify the risks involved in our risk management task.
Some factors which may affect our work :
Following are some of the factors we should be aware of and take into account:
a. The “maturity” trap
Depending on an organization’s size, culture and priorities, the risk management function can consist of a single champion, a part-time manager or a full-scale department. Risk management, internal audit and quality assurance/continuous improvement functions may be well-integrated and complementary in some organizations, whereas in others they may be competitive.
The FERMA survey shows[2] that there is correlation between the maturity of the risk management function and the risk manager’s close and regular relationship with the Board. Only 7% of companies with an “emerging” risk management function can refer to such relationship. Whereas in 42 % of companies with an “advanced” risk management function the risk management topic is completely embedded in reporting to the Board.
The risks manager’s ability to influence the company’s risk appetite may be limited by the risk management function’s maturity, its standing and its place in the organization. The degree of powers guaranteed to the risk manager is affected further by the legislation of the country in question. The risk appetite is derived from the combination of risk exposure and risk capacity. The risk team in collaboration with management team and the Board can arrive at an appetite level that is realistic. However, the degree of said collaboration will be decisive for the success.
b. “Endogenity vs. exogenity” trap
Risk assessment processes are pragmatic and result-oriented. The aim is to identify the risks and define actions, which give the organization reasonable assurance for a satisfactory monitoring. While identifying these risks, the management often gives highest priority to the endogenous factors, which may be influenced by the company. This is generally a correct strategy. However, the risk manager should also give “exogenous factors” some attention and try to find out how the legal environment, competitors, political actors and other environmental factors can influence the company. This effort will reduce operational surprises and losses and will contribute to the identification of “gray” swans, which might in the absence of such effort, wrongly be classified as “black swans”.[3]
c. ““ Simple tools” trap
Even in Europe today, the risk management tools employed by the managers are not sophisticated. FERMA’s benchmarking analysis show that[4] risk assessment workshops are now used by 60 % of European companies. This trend is now followed by all industries except automotive sector which considers databases as primary tools to manage risks. (71%). Results reveal that only a few countries (Italy, Russia, Spain) are building their risk approach based on databases. Benchmarking is moderately used, especially in Italy (36%), Germany(33%) and UK (33%). Advanced quantification is still poorly used among European countries. Stochastic aggregation models of business unit- level risk mappings are used by only 11 % of the companies. Value at risk simulation models are used by less than 25 % of the companies.
To my experience the most common approach to risk assessment is employing a 2-dimentional matrix, where impact and likelihood
are the two dimensions at a risk assessment work-shop. The participants rank and quantify the impact and likelihood by votes.
2 – dimentional matrices are good starting points for discussions. However this analysis alone does not give the risk manager information about
– risk categories
– interdependencies and correlations between risks
– risk ownership
– risk dynamics
The risk monitoring measures a company will choose, the expertise it will need and the actions it will initiate will depend on the risk categories it is confronted with. A risk manager should have a clear overview about these.
Interdependencies between risks are not visible on a 2-dimentional risk matrix. It is important that the risk manager is aware of the correlations between different risks, when assigning priorities to monitoring actions. Some actions will have multiple win-win effects depending on these correlations.
Identifying and quantifying risks alone will not create results, if each risk cannot be assigned an owner.
Defining and quantifying the risks at a point of time does not tell much about their development over time. When actions are subject to lead and lag effects, it is crucial to know the development over time.
One should also remember that votes in risk assessment work-shops are highly affected by the perceptions of the participants. On the other hand, being risk averse or fond of risk depend highly on the company culture.
d. “Focus on the negative”trap
ISO 31000 represents a change in how risk is conceptualized. The standard defines the “risk” no longer as the “chance or probability of loss”, but “the effect of uncertainty on objectives”, thus causing the word “risk” to refer to positive possibilities as well as negative ones.
Every organization has to take some risks. To identify “upsides” will necessitate an analysis.
Conclusion:
Risk managers, all over the world try to do their best to understand, assess and quantify the risks, to be able provide their Boards, shareholders and management crucial information for their strategic choices and decisions.
Therefore it is important that we from time to time stop and evaluate the risks involved in our own work.
[1] FERMA European Risk Management Benchmarking Survey, Keys to Understanding the Diversity of Risk Management in a Riskier World, p.18
[2] Loc. cit. p.28
[3] For general reference: Geary W. Sikich, When a black swan not a black swan”
[4] Loc.cit p.33