Saturday, April 20, 2013

What is Greatest Risk in Risk Management

Doing things better, faster, and smarter, risk management is like the brake pad, not just for stopping the car, but for making car running faster with safety control.

In many organizations, risk management is still running in silos, so what is the greatest risk in risk management The risk that the risk management program is insufficient to identify, evaluate and assess, and respond to all the potential effects of uncertainty as business strive to achieve its goals and objectives.

1. What are the Great Risks in Risk Management?

The major risk overlooked by Risk Practitioners arises from a fundamental misunderstanding of human behavior and human nature (the Social Element). Though people believe that by default most humans are rational, but many studies, the recent financial crisis, and major failures show that humans are "Predictably Irrational". 

  • What are the root causes? What are the risk management blind spots? Is it because of your ERM program immature and shortsighted?  The more interesting question is: What to do with this risk even when an ERM program is neither immature nor shortsighted. (Since obvious signs of shortcomings in an ERM program can be fixed if wanted to). But why do you think that most risk management has not been doing effectively and why do you think that most internal auditors have not been providing the necessary reviews of the risk management system. What do you think needs to change so that the kinds of things suggested can actually occur? Isn't it important to understand why something so basic has not been done or if it has been done, has been done so poorly? The greatest risk will be a real business/reputation issue that is not being properly identified/managed.
  • This is actually a very thorny issue where judgment still trumps any prescriptive RM standard: Identifying all possible risks is casting such a wide net that it is essentially an elusive goal. Any attempts to refine the scope to make it more manageable end up introducing the potential for the risk you have raised (even if an ERM program is NOT immature nor shortsighted). Self-checks for any biases can only go so far since we are still all subject to human limitations to see all. Having a committee process improves the odds further, but then again introduces 'group think' issues. The Paradox is: Trying to identify (assessment comes later) all possible risks...... One may end up in a huge list that may not be practical to assess. What is done is then low risks (judgment of group/ committee....) are ignored by accepting them.  
  • The major source of limitation in any risk management is because of the (knowledge) risk of the unknown. Assuming that in any risk management program, all the known and potential risks would have been covered and managed, and over a period of time the ERM program would be making continuous improvement based on the feedback from the risk management process and what would be left is what is unknown.
  • The reputational damage that is self-inflicted as a result of the consistent failure to (1) recognize the shortcomings of competing sets of guidelines (2) measure, manage or model risk (3) embrace tools to prepare (clients) for uncertainty. Reputational risk is that of the blindness of conventional risk management practitioners to the shortcomings of the incomplete and overpriced solutions.  Reputation is a key consideration. When there is a legal or compliance battle, the reputational damage often means that even if the business doesn't get hit with a judgment or other sanction they still lose. 

2. The Human Factors in Effective Risk Management 

People are still the weakest link in Risk Management, people _are_ the greatest source of risk (both classical downside risk and "upside" risk). However, you can't remove them from the equation without making the equation a nullity.

  • There are "human factors" such as irrational, cognitive, or behavioral aspects. We can't and won't be able to manage or predict BUT by mapping and measuring complex interactions in real-time can gain early warning (anticipatory awareness) of possible/plausible negative impact...NOT reflexive or post-loss. 
  • Individual Trust and Collective Trust and thus collective human risk (in Enterprises) can be very different. If looking at Risk from a different dimension of "Trust" .. Trust has an element of uncertainty involving the RISK of failure or harm to the trustor. If the trustee will not behave as desired. So when looking at Enterprise Risk Management, look at Trust in Humans, Trust in Processes, Trust in Technology, and when we think of Trust in Humans.. we kind of assume that we are all predictably rational.     
  • Many of the difficulties come from subtle psychological factors ~ The difficulty with assessing the effectiveness of the risk management system by the risk management team themselves is the problem that it is ~ effectively ~ self-assessment, discounting risks that are seen as the day to day irritants ("we've never had a problem with that in 5 years") as well as the much more talked about black swans.  
  • High-Risk Appetite at Top: In addition, a really high-quality risk appetite discussion between executive members and the board is often a common failing ~ even if the risk management system picks up a risk, a major issue can be a poor judgment about the risk appetite to take. That said, Risk Management is both for top-line business growth and bottom-line compliance, the greatest risk is the weakest link of your organization, usually people 

3. Next Practice in Risk Management 

 Develop a set of next practices to better manage risks, these respective disciplines will converge through best practices, etc. But that is not to say they will become universal, what works well for one industry may not work for another as far as structure or reporting.

1) The first step that is often overlooked is the review. How effective are the mitigants, what has changed both internally and externally, are you satisfied with what you have done and do you then re-prioritize project. Risk Management can ensure that all such risks are revisited and reaccepted as to minimize the risk raised. There has to be a reasonable level of proficiency presumed in risk identification by the RM program

2) Embed RM into Business Processes: Embed risk identification and assessment in operational processes including project management. Just how integrated is the risk management system in the running of the operation, so that if the risk management system doesn't spot it, the business won't either. Often a big risk is that the risk management system is detached from the real management of the business.

3) GRC framework is essential to an effective RM program. Governance Risk and Compliance are coming under one umbrella of GRC. The revenue leaders in cross-industrial sectors are the best practitioner for risk intelligence. Security, Risk, Compliance, and Governance will be converged into more cohesive management discipline and well-integrated into the key component of business strategy.

4) Cultivate Risk Intelligence Enforcement Culture: from board level to front-line customer service, the culture will always trump strategy and even leadership in innovation practices, how to enhance risk intelligence culture will enable business for both top-line and bottom-line growth.

5) Reap what you sow: The next stage should surely be to define the organization’s appetite for risk, then to identify whether the risks identified are above or below risk appetite which gives a priority list. Once the risks have been prioritized, you can then look to mitigate the most important risks to bring them within appetite. While the appetite for risk can reap rewards in the enterprise, it can come with an unforeseen downside. Reap what you sow. Too few business enterprises have appropriately aligned or devoted sufficient resources to their respective risk/compliance/ethics/governance efforts, and they should be or need to be appropriately integrated, with decent reporting structuring and streamlined processes.

6).  Business Resilience -The business capability to make the organization more resilient: not just controlling risk, but fail faster, fail forward, fail cheaper and recover more promptly, even become stronger than beforethus,  the 'greatest challenge' is how to, objectively, quantify the entity (complex system) and how to make key processes more resilient.

7) Business Agility & flexibility: Doing things better, faster, and smarter, risk management is like the brake pad, not just for stopping the car, but for making car running faster with safety control. Digitalization provides the business multitude of choices to serve customers, engage employees, develop products/services, risk intelligence with business flexibility will balance such paradox of choices via next practice.

Genuinely intelligence-led operations (meaning all dimensions, from risk to marketing to logistics), has to be embedded into both processes, and more importantly mindsets, but too much time is spent on the theory rather than the practice of risk management. The key is to use risk management to prioritize daily tasks regardless of whether you call it ERM or GRC or which standard framework you prefer.


Post a Comment