Volumes have been written on the cause of the crisis the world is in, surveys have been done and many fingers are pointing in every direction—a couple of these are pointing straight at us, the Risk Professionals.
It is time for us to accept that risk management, as we know it, failed; and for as long as we try to re-direct or break the fingers pointing at us—we will be stuck in this crisis. It is time to renovate risk management. The past is no longer a roadmap for the future.
Let us come clean and move on, the earlier the better for all. Which other industry has so many frameworks, so many different processes and so many different standards, regulations and so-called guidance documents? Which other industry has so many people claiming to be experts and trying to squeeze a quick buck out of something nobody can ever be an expert in?
Too many "somebodies" out there who are “certified” by nobodies, too much education done by non-educators.
Any process older than 5 years is outdated; we live in a world of dynamic change, the pace of which is ever increasing and with it, the levels of Risk Exposure. The basic Risk Management Cycle is one of these outdated processes.
Let us look at Risk Identification: we tried in many different ways to identify all the risks—until a volcano sneezed and we realized that we have not; and can never, identify all the risks. Let us accept that and move on. The size of your risk register is not related to, nor is it an indication of the effectiveness of your risk management process.
Next we get to Assessment and Analysis: Those who thought they were good at risk identification moved on to quantification. Sadly, many are still stuck there, thinking that models can control and mitigate risk. Some in the alternative movement is to justify the great cost of their models by using the results for good purposes, like calculating economic capital etc.
Thinking of which; the gross income of most banks dropped since 2008, so how cool is it for those using the Basic Indicator or Standardised approach for Operational Risk—in a time when their operational risks increased significantly, their capital charge has come down. Can this create a passion to improve Operational Risk Management to an AMA level?
Risk reporting, control and treatment: How wrong did we get red, amber, green!
Now everybody wants every risk to be green, because green is good.
Green on a risk report is perceived to mean “do nothing”, but that is the quickest way for those risks to shoot to red. Then we get to amber, what a
nice place to be- all risks are under control and we choose to overlook the fact that those controls might not be efficient or can be completely ineffective.
DANGER ZONE- those risks in the red zone, the bad zone. The red zone is where you make the most money, but it is also the place that requires the most effort in risk control. For as long as red is perceived as bad we will be stuck with average risk management effort (amber) or no risk management effort (green). So the red zone is the best zone with the biggest returns—if you are prepared to put in the effort.
We already know that the effectiveness of your risk management process is not linked to the size of your risk register. Similarly, it is also not linked to the thickness of your executive risk report. Anyway, we have sanctified board risk reports to the extent that the difference between what the top thinks and the bottom knows is so big that those in the middle are just slipping into the ditch. Trouble surely comes when people are working harder at keeping their jobs, than doing their jobs.
If you have a formal monthly risk report it is generally 28 days too late, frightening to think some have a quarterly risk report, or as a friend commented recently, an ANNUAL risk report! It is thus not about the size,
its all about the timing; having a risk nervous system that runs accurate risk information from all points inside the organisation (and outside) and having "live" dashboard reporting on the company intranet. The earlier people know, the better the decisions and the smaller the losses.
Secondly, the sole purpose of many risk management processes is to produce the risk report, often that is the sole purpose of the risk management department. The outcomes of a risk management process are much more than models and risk reports. What do you do with the information you have? If your risk management department cannot show a Return on Investment—get rid of them!
Processes and Systems: Most organisations have taken the easy way out
(note: not the cheapest) and they built impressive risk management systems worth millions of dollars; but failing to address the fundamental issue of people. All risk management efforts are worthless without a risk nervous system—and only humans can add that.
We already know that there are no risk management experts; and in fact, we do not need any risk management experts! All we need is for each and every employee to know the basic risk management skills and principles; use them to evaluate the risks associated with his/her job and do something on a daily basis to mitigate and control those risks. Risk Management success lies in embedding an effective risk management culture!
Prevent your business from crash-landing, change the way you see and approach risk management and execute that transformation; put in the effort and embed an effective risk management culture in your business, delivering good risk governance and building sustainable competitive advantage.
Welcome to transformation, be the change to want to see!
Comments
I have shared this post into Linkedin hoping to get some interesting and intelligent response from proponents of ISO 31000, PMI/PMBOK/RMP, AACE/DRM, CPCU Underwriters, RIMS, PRIMA, and various Risk Professionals in the last four days in addition to your comments. Unfortunately, the article did not get any additional response. Posted the same question on ISO31000 discussion board but the piece was rejected by the facilitator, reason being not on their alley.
As one Linkedin member said, “Who can disagree with the need to evolve?.” I agree to a certain extent. However, I think that one needs to evolve only when presented with a new challenge that a current risk process or combination of processes cannot effectively resolve or respond to. If today’s approaches and methodologies proves sufficient to manage and bring risk under control, then it must be a good process. Why change it? There’s no need to evolve. Apparently, the author sees a complete and dismal failure of current processes.
Rufran (070815)
Thank you for all the great comments here, I appreciate them.
The Future of Risk Management is just: “Risk Management through people” You can have the best systems, great models and scenario analysis with elaborate dashboards; at the end of the day a person will take a decision.
Are your employees aiming at more than one target; or do you have a clearly defined risk for reward strategy and risk appetite statement to guide them? Business strategy and Risk Culture are parts of an interdependent system.
Start working on your success by training every employee some basic risk management skills.
As my Moody's colleague, Sarah Tennyson wrote last year: “Enterprise-wide risk management requires a shift in the behavior and mindset of employees across an organization. To realize the full benefits of improved systems, tools, and analytical skills, people need to learn new ways of perceiving situations, interpreting data, making decisions, influencing, and negotiating”
Read Sarah's article at Moodys.com: https://www.moodysanalytics.com/Publications/Risk-Perspectives/2014...
An effective Risk Management department does not react to issues but takes proactive steps to mitigate risks. It is also no longer a 'support' function that churns out various internal and external risk reports but a business division by itself. Risk inputs are very important in all strategic and business development decisions. It is also a matter of spreading the risk culture across an organization to ensure that risks are recognized, understood and managed by business units. When that happens, one can say that risk management has actually evolved in the organization. There are, of course, challenges in implementation; however, they can be overcome so long as the Board of Directors and CEO are supportive of promoting such a culture.
Risk practitioners generally fail to address the underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response lack.
Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk
The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.
Every business decision is a RISK decision; what is your level of risk intelligence and how is your Risk Culture?
Excellent article, I am in full support of this new transformation in Risk Management. Culture is a very hot topic in the Australian Financial landscape at this very moment and is an area I will be looking at very closely to embed an effective risk management culture right across the organization.
When I read the title of this essay I was hooked. I thought there was going to be a serious revelation about where all the major risks are coming from and how to deal with that - alas, no.
For that you really have to read my own Home page
http://macro-economic-desogn.blogspot.com
And maybe some of my 43 essays at www.fin24.com, (search for my name there), and also the GlobalRisk Community Almanac where my contribution used to head the list - and maybe still does.
If all those actions are taken then maybe risk managers will be able to manage the risks which remain. As long as they avoid adding layers of complexity to their organisation - well the Board decides that of course.
If anyone would like to join my campaign alongside two other organisations which are now swimming alongside in support, just let me know.
You cannot have - and do not want as it is counter-productive - the perfect, all-singing, all-dancing risk management process.
What you do want are world-class practices (i.e. embedded behaviours) which are defined and measured by challenging (but achievable!) standards ond outcomes.
The risk management process as king is dead! Long live risk managment as king!
Boris, I must not fail to tell you this. You have interesting article here. In fact, every chief executive should read and digest this. I agree with you that risk management needs renovation because the basic risk management processes currently in use are outdated. The world is in a state of flux ie changing continuously and this brings about increase in risk exposure. Hence, there is need to upgrade risk management models and processes. I have jotted some interesting facts that will be useful for my organization. I now know that an organization may build impressive risk management systems but it should not forget to address people issue. I equally noted that risk management efforts are worthless without a risk nervous system and it is only humans can add that. I have always known that for organizations to achieve enhanced corporate performance they must get it right with their employees. I also noted that the concept of experts in risk management should be disregarded. Hence, every staff in an organization is expected to know about basic risk management techniques and these should be applied as one is doing his or her work so as to mitigate and control risks.
-
1
-
2
of 2 Next