Amplify the Risk Management Process to Manage Fast Changing External Vulnerabilities
Introduction:
Think of BP’s Gulf of Mexico well blowout, which nearly drove BP to bankruptcy, or of the 2008 credit crisis that nearly drove many banks to failure.
How come these big corporations, staffed by the best in the world, didn’t see any of these coming? Was it that their risk management was bad, ignored or, at worst, non-existent?
Why are so many large corporations bad at identifying and mitigating risks? Is it because, as people, we are optimists and assume nothing bad will happen? Is it because we have no benchmarks to go by for new risks, since they have never happened to us before? Is it because we are rewarded for maximizing the upside? Is it because we don’t have the skills, processes and tools to identify and manage risks effectively? Or is it all of the above?
Types of Risks:
There are two broad categories of risks:
a) Internal risks – these are risks created through the decisions we make daily on the direction of the organization (types of markets to enter, engineering designs, investments, …), the people we hire (not following rules, incompetence, …), etc.
b) External risks – these are given to us by the environment we choose to operate in – country, economy, political, policy, etc. risks.
Identifying risks:
This is the most important step but also the most difficult. As humans we don’t know what we don’t know, and hence we over-emphasize what we know and underplay what we don’t know.
I have been in too many organizations where basic failures have led to huge consequences, but the risk was never in the risk register – how come?
Risk identification, and more importantly coordination of the risk identification process, needs experience and out-of-the-box thinking, particularly in the current environment where external factors are changing faster than ever.
Since it is not natural for us to identify risks, particularly when we are involved in the decisions, it is advisable to have an independent committee of experts to review all risks and follow up on mitigations. This also ensures that we avoid a checklist approach to risk management.
It is also important to identify trigger events or leading indicators that signal a risk is about to materialize, so that mitigations kick in before it is too late. E.g. in the construction industry, keep an eye on the timelines of pre-fabrication activity that may be happening several thousand kilometers away.
Risk management should start with the objectives of the organization – production, revenues, costs, people, reputation. What risks are likely to impact the achievement of these objectives?
For each area, a small team with knowledge of that area should be set up to review and catalogue its risks.
Once all the risks are catalogued, the central risk management team, together with external experts, can categorize the risks along probability and consequence. When categorizing risks, it is good to use external benchmarks of actual occurrences if available.
The next step is to look at the picture of the integrated risks – i.e. which risks offset or magnify each other.
Within the same industry much has already been catalogued, but it is also good to look at adjoining and similar industries to help in the risk identification process.
Scenario planning for out-of-the-ordinary risks can help – asking the “what if” question on even the most mundane activities and the activities we take for granted.
Mitigations:
Mitigations fall into two categories:
a) How to stop the risk from happening in the first place. You need to consider the cost of this before trying to mitigate, because not all risks are worth mitigating, depending on the cost and on the impact if the risk does take place.
b) How to manage the damage if the risk were to take place. The robustness required of this mitigation, or damage control, depends on how strong the “avoid” mitigation is.
All risks that do not lead to a strategic advantage to the organization should be mitigated away as long as the cost of mitigation is reasonable, and the damage, if unmitigated, is unbearable.
Even if a risk is accepted because of a strategic advantage, there have to be certain checks and balances in place to ensure that, if it were to happen, a) the entire organization is not at risk, b) there are early warning signs for the mitigations to kick in, and c) the mitigations are robust and regularly reviewed and updated.
Some internal risks can be managed by policies and procedures, but they require continuous proactive monitoring. E.g. a rogue trader can be given procedures to follow, but there is no guarantee that he will follow the rules or has the competence to follow them.
External risks need proactive mitigations and regular monitoring of leading indicators, to ensure that mitigations can kick in before the damage is done. In lending, for example: watch the credit ratings of clients regularly, interest rate movements and policy changes, with intelligence on the key messages from regulators, etc.
In many organizations, and for the majority of risks, the mitigations are focused on managing the damage rather than avoiding it.
For all risks the key question is how much of the risk you mitigate away. There is a cost to zero tolerance, and hence carrying a certain amount of risk is okay, depending on the size of the balance sheet and as long as it does not cause reputational damage to the organization, even where the balance sheet could take the loss.
Every decision we take on a daily basis has risks. Some risks we can assess intuitively almost at the same moment we make the decision; we know the consequences and we know whether we can live with them.
But in more complex decisions there are risks that need deliberate effort to analyze and mitigate. These are the risks that go unnoticed.
The rigor of the risk management process, of course, depends on the type of industry, the maturity of the organization in that industry, the extent of external interactions and dependencies, quality of its people, maturity of the country in which they operate, size of the balance sheet, etc. New organizations, new industries, new technologies, developing countries carry higher risks and hence need more robust processes.
When evaluating which risks to mitigate, the most important thing is to review the impact or consequence and not so much the probability. The fact that the risk has been identified means it is real, however small the probability; if the consequence is high (e.g. the BP Gulf of Mexico incident, which nearly drove the company to bankruptcy), then it has to be managed.
It is also unnecessary to overreact and put multiple mitigations in place unless they are layered on top of each other – i.e. they form multiple barriers rather than several base-level mitigations.
The next step is to evaluate the cost of mitigation and to value both the mitigated and the unmitigated risk. Can the organization carry the unmitigated risk on its balance sheet? The low/low risks (low probability, low consequence) the organization can probably insure on its own balance sheet.
Ultimately, it is also important to set company objectives and resource allocations based on the risk matrix. In many organizations, risk is a separate exercise that is not linked to resource allocations. E.g. instead of providing shareholders a point estimate of earnings or production, it is more prudent, in managing expectations, to consider providing a range estimate that takes the risks into account.
The above requires sophisticated systems and processes, and the competence to execute them.
Risk Management Organization:
A fundamental question on every CEO’s mind is: where should the risk managers sit within the organization? Should they be embedded within the line organization, or should they be an independent central function? If they are part of the business lines they are better able to understand the business, and hence to identify risks, than a separate function would be. However, with a function embedded within the business lines, you risk losing independence.
I would propose a hybrid – the Chief Risk Officer should be a separate function whilst having direct line reports embedded in the business to support the business regularly.
The type of industry, maturity of the organization, etc. would determine the risk management structure – risk management in a dynamic financial industry would differ greatly from that of a car manufacturer.
As always, thoughts and suggestions welcome.