Risk Management. A multi-faceted profession … that should not exist.
Risk management is, like any other profession, discussed widely among practitioners, consultants and academics as well as among leaders/executives and others who do not see themselves working as risk managers.
Some tend to claim “this is risk management”, some even state “this or that is not risk management”. I tend to use the ISO definition, where risk management is defined as:
“Coordinated activities to direct and control an organisation with respect to risk” (ISO 31000 and ISO Guide 73).
Activities must be coordinated as uncoordinated/spontaneous activities can hardly be classified as “management”, and risk management encompasses a range of activities.
Note that under the ISO definition, risk is the effect of uncertainty on objectives, and that effect may be a positive as well as a negative deviation from planned/expected outcomes. Hence, risk management addresses uncertainties (which may go either way) as well as opportunities (good things) and (negative) risks.
A multi-faceted profession …
In real life this means there are many activities which are within the scope of risk management.
- Design for quality processes in product development addresses the risks of faulty products.
- Vendor selection criteria address the risks of relying on vendors who potentially cannot or will not deliver as agreed.
- Employee Health and Safety addresses the risks of employees or associates being injured on the worksite.
- Currency hedging addresses the risks related to currency volatility.
- Credit limits address the risks of customers defaulting on payments.
- Legal risk management addresses contractual issues between business partners as well as legislative risks.
- Project risk management addresses the issues which may affect meeting project targets.
- Decision risk management addresses decision optimisation.
- Enterprise risk management addresses cross-company overall risks which are not catered for by individual entities or departments.
- Risk management in its most traditional form drives insurance programs to mitigate/transfer risks of a number of different types.
- Strategic risk management addresses risks to meeting strategic objectives.
Investment risks, reputational risks, political risks, competitive risks, … the list of uncertainties, risks and opportunities being addressed is extensive, and in many companies, something is being done about most of these issues simply because it makes good business sense.
Risk management is “everywhere” in the organisation. Some of this is explicitly managed by specialists/people who are assigned as x-risk managers and focus on optimising cost/value on their respective areas.
Other areas are also managed deliberately and systematically, but they are seen as elements of quality assurance more than risk management.
Finally, in some companies, some of the above is blatantly ignored, and whatever is done is uncoordinated and not part of any managerial process. This may be perfectly fine if/when the issue is not generally relevant for the organisation or the potential consequences are insignificant. However, I do know of companies where defining a strategy or initiating a major initiative is done without any explicit approach to identifying and addressing risks, uncertainties or opportunities. To me as a risk professional, this is worrisome.
Taking the many facets of risk management to the extreme would mean the Chief Risk Officer should de facto be involved in everything that goes on in the company. This is rarely the case, albeit investor Warren Buffett is quoted as stating that “As CEO, I am the chief risk officer” – which is probably the closest one can get to articulating awareness of the widespread nature of risk management.
This does, however, yield one finding: “Risk management is multi-faceted and permeates any organisation, whether by organisational design or not”.
The ISO definition of risk management as “coordinated activities” may be seen to advocate an organisational set-up where a risk management entity is involved in and responsible for systematically addressing risks, uncertainties and opportunities throughout the organisation. The COSO definition of Enterprise Risk Management (ERM) also indicates the head of ERM should be involved in and essentially responsible for “almost everything”.
I do not know of any organisation or company that has even remotely attempted to establish such an organisation. The best-performing ones I know of operate with a series of risk management areas, each handled by competent specialists – who collaborate to ensure overall alignment and coordination.
… that should not exist
The future, where we all have to spend the rest of our lives, is uncertain, filled with risks and opportunities. Furthermore, the speed of change increases as it always has, and hence volatility will not decrease in any foreseeable future.
The world is just about recovering from a coronavirus “bump on the road”. The subsequent new normal will not be a smooth ride – but will be affected by:
- Climate change
- Political unrest
- Disruptions
- Fourth (and soon to come, fifth) industrial revolution
etc., to an extent we cannot imagine today.
Organisations will need strong, adaptable and effective means and ways to address and leverage the risks, uncertainties and opportunities of the future. Trying to accomplish this by defining one single risk management organisation, framework and policy as a guide to managing everything throughout the organisation is naïve at best, ludicrous at worst.
However, no company is defined with the purpose of managing risks. Companies and organisations are managed to fulfil a defined purpose and in practical terms, meet objectives despite any effect of risks, uncertainties and opportunities.
The saying, often attributed to Albert Einstein, is that insanity is “doing the same thing over and over again and expecting a different result”. Hence, creating ever more sophisticated risk management functions will surely not improve risk management. The “solution”, I claim, lies in going in the opposite direction and abandoning risk management as a profession, title and organisational entity altogether.
Risk management as a process element
Instead of looking at risk management as a profession driven by professionals in some organisational entity, risk management should be catered for by establishing approaches for decision, planning and handling which explicitly and effectively:
- Identify relevant risks, uncertainties and opportunities.
- Analyse these with respect to impact range and, for risks and opportunities, the likelihood that they will materialise at all.
- Define and prioritise means to optimise risk taking.
- Report on current status as well as the likelihood of meeting objectives.
Not as an add-on, but as a built-in to already established processes.
Unless trained, human beings are notoriously bad at guessing/estimating. Douglas Hubbard, Daniel Kahneman and others have written extensively about this, and it is well documented. Hence, to be truly effective, analyses must be data/fact-based and apply adequate mathematics.
Monte Carlo simulation is an indispensable approach which should be leveraged throughout the organisation. The good news is, that for anyone with a mathematical degree or understanding, it is easy to grasp, learn and use. It is puzzling to me that whereas basic statistics is on the curriculum of many business and engineering degrees – Monte Carlo simulation is not. It ought to be.
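As an added illustration of the process element described above (identify, analyse impact range and likelihood, report the likelihood of meeting objectives) and of the Monte Carlo approach, the following Python example is not from the original article. It simulates a plan made of tasks with three-point (optimistic / most likely / pessimistic) estimates plus discrete risk events that may or may not materialise, and reports the probability of meeting a target. All task names, estimates and risk probabilities are constructed for illustration, not data from any real project.

```python
"""Monte Carlo estimate of the likelihood of meeting an objective.

Added example, not from the original article. Task estimates and risk
events below are constructed illustrations, not data from any project.
Only the Python standard library is used, so it runs offline.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    low: float    # optimistic estimate (e.g. weeks)
    mode: float   # most likely estimate
    high: float   # pessimistic estimate


@dataclass(frozen=True)
class RiskEvent:
    name: str
    probability: float  # chance the event materialises at all
    low: float          # extra effort if it does: optimistic
    mode: float         # extra effort if it does: most likely
    high: float         # extra effort if it does: pessimistic


# Constructed inputs for illustration only (hypothetical project).
TASKS = [
    Task("design", 8, 10, 20),
    Task("build", 15, 20, 40),
    Task("integrate", 4, 5, 12),
    Task("release", 2, 3, 8),
]
RISKS = [
    RiskEvent("key vendor slips", 0.30, 2, 4, 10),
    RiskEvent("security finding needs rework", 0.20, 1, 3, 6),
]


def simulate_totals(tasks, risks, n=20000, seed=1):
    """Return n simulated totals (one per trial).

    Each trial draws every task from a triangular distribution and, for
    each risk event, first decides whether it occurs (Bernoulli draw)
    and only then draws its impact. A fixed seed keeps runs repeatable.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        # random.triangular takes (low, high, mode) in that order.
        total = sum(rng.triangular(t.low, t.high, t.mode) for t in tasks)
        for r in risks:
            if rng.random() < r.probability:
                total += rng.triangular(r.low, r.high, r.mode)
        totals.append(total)
    return totals


def probability_of_meeting(totals, target):
    """Fraction of simulated outcomes at or below the target."""
    return sum(1 for x in totals if x <= target) / len(totals)


def quantile(totals, q):
    """Empirical q-quantile (0 <= q <= 1) of the simulated totals."""
    ordered = sorted(totals)
    idx = min(len(ordered) - 1, max(0, int(q * len(ordered))))
    return ordered[idx]


def most_likely_total(tasks):
    """The naive plan: add up most-likely estimates and ignore risk events."""
    return sum(t.mode for t in tasks)


if __name__ == "__main__":
    totals = simulate_totals(TASKS, RISKS)
    naive = most_likely_total(TASKS)
    print(f"naive plan (sum of most-likely estimates): {naive:.1f}")
    print(f"P(meet naive plan): {probability_of_meeting(totals, naive):.2f}")
    for q in (0.5, 0.8, 0.95):
        print(f"P{int(q * 100)} total: {quantile(totals, q):.1f}")
```

The point the numbers make is the one the article argues: because the estimate ranges are right-skewed and the risk events only add effort, the sum of the most-likely estimates is a target the plan will rarely meet, while the P80 or P95 quantile is a commitment that can be defended with a stated probability. Replacing the constructed inputs with a real plan's estimates and risk register turns the same code into the "likelihood of meeting objectives" report the process element calls for.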
The risk manager free organisation
Having risk management as a process element embedded in managerial and decision processes throughout the organisation means there is no need for risk managers.
- Product risks are catered for by the quality management approaches of product development and manufacturing.
- Legal risks are addressed by the legal team as part of their doing business.
- Insurance programs are purchased by a qualified lead buyer in the purchasing organisation, just like any other specialised product is purchased.
- Fire safety etc. risks, which today are often within the scope of a risk manager, are handled by Building/Asset management, quite possibly supported by the specialists of insurance companies.
- Market and competitive risks and opportunities are handled by the marketing organisation as part of their marketing planning.
- Credit limit handling is embedded in Customer Relationship Management.
- Market/sales uncertainties are addressed in the Sales and Operation Planning process.
- Decision risk management is embedded in the decision support processes.
- Strategic risks are identified and addressed as an integral part of strategic planning.
etc.
Each company defines how to embed the different elements of risk management into its current processes and organisation. There is no one-size-fits-all; even within a single company, different elements of risk management may be addressed differently.
Employees throughout any organisation are taught and made aware that whatever they do, there are risks, uncertainties and opportunities involved – and know how to address these.
Zero risk management function, no silos, no add-on processes, no risk-focused (quarterly) reporting. Instead, a tailored and naturally integrated approach to managing whatever risk or opportunity the company may face or create, which continuously focuses and reports on the likelihood of meeting objectives.
With this, the focus of risk management automatically changes from being risk centric and risk averse to being objective centric and focused on optimised/intelligent risk taking. Effectively addressing risks, uncertainties and opportunities becomes company culture as everyone is involved.
I am in no doubt that effectively applying such an approach will be a significant competitive advantage, at least until competitors catch up. I am also in no doubt that continuing to rely on old-school, traditional, reactive risk management in an ever faster changing world will leave company sustainability at significant risk.
Empowering companies to build strength and endurance through Risk Management, Compliance & Privacy | Advisor & Professor.
3 years ago: Quantitative methods are getting up after the initial dominance of qualitative. It's not justifiable not to use them when we nowadays have a lot of supporting technology.
Empowering companies to build strength and endurance through Risk Management, Compliance & Privacy | Advisor & Professor.
3 years ago: Nice article Hans!!! People make decisions by nature. Obviously they have some kind of risk evaluation embedded!!
Global Head of Risk, Compliance and Insurance
3 years ago: Hans, agreed, the ideal risk function should be attempting to make itself redundant by ensuring proportionate activity is embedded in managerial and decision processes throughout the organisation (to use your words). Alternatively, a function could provide assurance over critical risk management processes to ensure efficacy.
Customer Success | Strategic Relationships | Technology | Business Transformation | Sustainability | Social Impact
3 years ago: I'm about to start a Master's degree in Risk Management. Surprisingly, I found this very inspiring and thought-provoking. Thank you for this post.
Delivering VALUE from Uncertainty
4 years ago: Great thoughts as always Hans. When we do a good job helping an organization understand and get the process in place, we in fact make ourselves less meaningful, as the organization matures and is now practicing good objective-based decision making.