The essence of risk ownership

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk ownership.

Many organizations try to implement risk management in a way that includes the idea that individuals own risks. Examples that I’ve seen include the CFO owning “Financial Statement Reporting Risk” or the Chief Counsel owning “Compliance Risk”.

This concept of risk ownership is based on a weak foundation. People really don’t understand what it means to “own” a risk.

When you say that someone owns a risk, you’re really implying that the person owns an objective. The CFO owns the objective of issuing financial statements according to professional standards. The Chief Counsel owns the objective of reasonably complying with laws and regulations. In a purely psychological sense, most people are more comfortable with the concept of owning an objective rather than owning a risk. We know how to own and embrace an objective.

Another problem with the concept of risk ownership is that real risks, rather than broad generalities, are often obviously outside the control of an individual. That’s what makes them “risks”.

For example, if an organization is planning on expanding into a new service line the strategy may depend on hiring experienced staff – a reasonable assumption. The clear risk is that it may not be possible to hire enough experienced people with a required skill set. How does the concept of “ownership” fit in here? Someone owns the objective of expanding into the new service line. That person also owns the strategy that will attempt to deliver that goal by hiring experienced staff. The risk that there might not be experienced staff to hire is simply an inherent part of the strategy; it is one of the things that can go wrong with this strategy. If the risk materializes, the strategy may need to be revisited and modified to incorporate the new, more complete, set of facts.

Here’s another illustration. Using the prior example, another risk might be that the economy will decline over the next 2 years. That would clearly impact the strategy associated with moving into the new service line. But this same risk would also impact other strategies – perhaps dozens of other strategies. It might impact a plant expansion strategy. It might impact a compensation strategy. So – who would “own” the risk of an economic decline?

The essence of risk ownership is that no one can own a risk. People can own objectives and strategies. Risks are the things that you are not controlling within your strategy. Don’t waste your time identifying (and often negotiating) ownership of broad, general risk categories. In the end, it’s simply not actionable. Instead, spend that effort identifying which strategies are dependent upon outside factors that either you cannot, or choose not to, control – like the ability to hire experienced staff or a continuing improvement in economic conditions. Then, put a system in place to alert you when those uncontrolled risks are taking a turn for the worse. This allows you to quickly attend to the strategies that need to be revisited and reconsidered.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).


The essence of key risk indicators

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about key risk indicators.

There are two common types of metrics that management might use. One is the key risk indicator (KRI) and the other is the key performance indicator (KPI).

Key performance indicators are intended to establish performance goals and then help management focus on those processes that are not delivering desired results. As an example, management might establish a KPI to limit waste materials to <.31% in a particular phase of production. Then, actual waste is periodically measured and compared to this goal. If actual measurements consistently fail to meet the KPI, then the process should be reviewed and corrected. It is intended to be a historical measurement.

Key risk indicators, on the other hand, are intended to warn management if risk levels are increasing. COSO published a thought leadership paper in 2010 on key risk indicators. It’s a pretty good document and I recommend it.

What I want to address here is how to actually put this concept into use. A challenge that I’ve run into is that management is not naturally attuned to focus on risk events. When asked to come up with a list of risk events that might impact some activity, management often responds with “Well, um, I suppose that (this or that) could happen.” You need to identify these risk events in order to then identify leading indicators (KRI) that might give advance warning of the risk event. The problem is that you’re asking management to poke holes in their own strategies. That’s not something that anyone readily wants to do.

Instead, consider asking management about the key assumptions (rather than the potential risk events) in their strategy.  I have had great success here. Management is usually much more able to talk about these assumptions. Given a few minutes of thought, they might identify assumptions like the ability to hire adequate staff for the new production facility or the general growth in consumer demand. Further, it is easy to get management to agree that these assumptions, while valid and reasonable at the moment, could decline or fail to materialize over time. We can’t be 100% sure. That’s the nature of assumptions – they are often outside of our immediate control. Management can relate to this concept.

So we turn these assumptions into KRI. We track these assumptions over time. If any significant assumption declines or fails to materialize then any strategy that relied on this assumption should be reevaluated. Management is, in essence, receiving advance warning that the risk level (the unpredictability) of that particular strategy is increasing because the assumptions on which the strategy is based are no longer valid.
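The alerting system described in the risk ownership post (“put a system in place to alert you when those uncontrolled risks are taking a turn for the worse”) and the assumption tracking described just above amount to the same mechanism, so here is one way to implement it. This is an added illustration written for this page, not code from the author or from Risk Leader; the assumption names, baselines, tolerances and readings are constructed for the example. Each assumption is recorded with the value that was agreed at planning time, the direction in which it “holds”, and how much slip from that baseline management is prepared to tolerate before the assumption counts as failed. Strategies are registered against the assumptions they depend on, so a single failing assumption (the economic-decline example) fans out to every strategy that relied on it.

```python
"""Assumption-based key risk indicators.

Track the assumptions a strategy rests on and flag every strategy that
depends on an assumption that is weakening or has failed.  Added example;
all names, numbers and thresholds below are constructed, not from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Assumption:
    """One strategic assumption turned into a KRI."""
    name: str
    baseline: float            # value agreed as reasonable when the strategy was set (non-zero)
    higher_is_better: bool     # True if the assumption holds while the reading stays high
    tolerance: float           # fractional slip from baseline beyond which it has failed
    history: List[float] = field(default_factory=list)

    def record(self, value: float) -> None:
        self.history.append(value)

    def slip(self) -> float:
        """Fraction by which the latest reading has moved the wrong way (0.0 if not adverse)."""
        if not self.history:
            return 0.0
        latest = self.history[-1]
        adverse = (self.baseline - latest) if self.higher_is_better else (latest - self.baseline)
        return max(0.0, adverse / abs(self.baseline))

    def status(self) -> str:
        if not self.history:
            return "unmeasured"        # an untracked assumption is itself a warning sign
        s = self.slip()
        if s > self.tolerance:
            return "failed"
        if s > 0:
            return "weakening"
        return "holding"


class KriRegister:
    """Maps strategies to the assumptions they rely on and reviews them together."""

    def __init__(self) -> None:
        self.assumptions: Dict[str, Assumption] = {}
        self.strategies: Dict[str, List[str]] = {}     # strategy -> assumption names

    def add_assumption(self, a: Assumption) -> None:
        self.assumptions[a.name] = a

    def add_strategy(self, name: str, depends_on: List[str]) -> None:
        unknown = [d for d in depends_on if d not in self.assumptions]
        if unknown:
            raise KeyError(f"strategy {name!r} depends on unregistered assumptions: {unknown}")
        self.strategies[name] = list(depends_on)

    def record(self, assumption: str, value: float) -> None:
        self.assumptions[assumption].record(value)

    def review(self) -> Dict[str, Dict[str, str]]:
        """Strategies with at least one assumption no longer holding, and each offending status."""
        report: Dict[str, Dict[str, str]] = {}
        for strategy, deps in self.strategies.items():
            flagged = {d: self.assumptions[d].status() for d in deps
                       if self.assumptions[d].status() != "holding"}
            if flagged:
                report[strategy] = flagged
        return report

    def must_revisit(self) -> List[str]:
        """Strategies resting on an assumption that has actually failed."""
        return sorted(s for s, f in self.review().items() if "failed" in f.values())


def build_example() -> KriRegister:
    """Constructed scenario: three assumptions, three strategies, three quarters of readings."""
    reg = KriRegister()
    reg.add_assumption(Assumption("experienced_hires_per_quarter", 12.0, True, 0.25))
    reg.add_assumption(Assumption("consumer_demand_growth_pct", 3.0, True, 0.5))
    reg.add_assumption(Assumption("supplier_lead_time_days", 30.0, False, 0.2))
    reg.add_strategy("expand into new service line",
                     ["experienced_hires_per_quarter", "consumer_demand_growth_pct"])
    reg.add_strategy("plant expansion", ["consumer_demand_growth_pct", "supplier_lead_time_days"])
    reg.add_strategy("compensation plan", ["consumer_demand_growth_pct"])
    for hires, demand, lead in [(12.0, 3.1, 30.0), (11.0, 2.8, 29.0), (8.0, 2.2, 28.0)]:
        reg.record("experienced_hires_per_quarter", hires)   # 8/12: one third short, over tolerance
        reg.record("consumer_demand_growth_pct", demand)     # 2.2/3.0: weakening, within tolerance
        reg.record("supplier_lead_time_days", lead)          # shorter lead time is better: holding
    return reg


if __name__ == "__main__":
    register = build_example()
    for strategy, flags in register.review().items():
        print(f"{strategy}: {flags}")
    print("revisit now:", register.must_revisit())
```

Note that the review deliberately reports “weakening” before an assumption has failed; that early signal is the advance warning the post is after, and a strategy appears in the revisit list only once an assumption it depends on has slipped past the tolerance agreed in advance.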

Focusing on key assumptions is attractive because management can relate to it. It’s also very transparent. The assumptions can be discussed and agreed-upon in advance of the strategy’s execution. If the external assumptions fail to materialize it’s no one’s fault – everyone had already agreed that the assumptions had been valid at the time. There is no incentive to hide the problem. Just go back and adjust the strategy to take advantage of knowledge that simply didn’t exist before. And establish newly revised assumptions that you will once again monitor.

The essence is that key risk indicators are most easily understood when tied to strategic assumptions. Keep it simple and link this concept to strategy setting in a way that is transparent and non-threatening.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).

The essence of risk and opportunities

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk and opportunities.

I often hear that risk management should help an organization find opportunities as much as control potential problems. COSO says that part of risk management is the identification of events which could have a positive impact, a negative impact, or both. This concept does not work for me on multiple levels. In a future post I’ll write more about the idea of event identification. In this post I want to address a more practical strategic problem with this approach.

One of the toughest hurdles in risk management is explaining it in a way that makes it relevant to executive management. You need their support. The more that you ask executive leadership to accept concepts that are not intuitive to them, the tougher the sell. I normally describe risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable. This usually resonates well with executive leadership. It fits their existing notion of risk management. When you start talking about risk management also being a source of strategic opportunities, I’ve found that executives start looking at you with a skeptical eye. It sounds like a salesman promising benefits that everyone knows he can’t deliver. I recommend staying away from this approach. There are other executives who are paid to identify and exploit opportunities. Maybe later you can help, but for now stay off their turf.

The essence is that linking a risk management function with the identification of strategic opportunities is a tough sell. It is hard enough to get executive management excited about risk management at its most easily understood and intuitive level. Don’t confuse the basic message with unproven claims that your executive team may find counter-intuitive.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).

The essence of operational risk and reward

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about operational risk and reward.

It’s a common understanding that you need to take on more risk in order to get greater rewards. The common context for this risk/reward tradeoff is when you’re managing a financial portfolio of investments. Highly conservative investments tend to deliver lower returns over the long run when compared to those investments that might have more risk. However, risk/reward also applies in other ways. It impacts how you manage your organization and deliver operational results.

Imagine a common operational scenario. You’re assigned a goal and you need to develop an appropriate strategy to deliver that goal. If you choose a conservative strategy you’ll get highly predictable results. It’s tried-and-true. If your assigned goal falls into the predictable results that your conservative strategy will deliver, by all means use that conservative strategy and pat yourself on the back for being eminently practical.

Conversely, if you’re handed a stretch goal then that tried-and-true strategy will not deliver it. In that situation, you need a new or revised strategy that has, at least, the potential to deliver the desired results because the conservative strategy absolutely has no chance. You must select a strategy that takes on some uncertainty; you must take on more risk. To be clear – simply taking on more risk does not in any way imply that you will automatically get greater rewards. It only means greater uncertainty. But without that uncertainty you may stand no chance of delivering desired results.

The essence is that risk and reward are definitely related. Conservative strategies deliver predictable results. If you need to provide more aggressive results, you need a less conservative strategy that has the potential to deliver those results.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).


The essence of risk appetite

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk appetite. It probably is the most misunderstood foundational concept of risk management. This term comes from COSO’s 2004 ERM framework. They describe it as ‘the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.’ I’m not sure how they really intended its use, but it was widely interpreted as requiring some single and specific board-level analytical component (amount of risk) that would guide management in developing strategies and activities. Many envisioned the board defining how big of a bucket of risk would be allowed. As long as the actual risk wasn’t overflowing the bucket, then everything was operating at an acceptable risk level.

The problem was that it’s impossible to come up with a single number that could represent the maximum risk that an organization is willing to take on. How can an organization analytically measure different types of risks and then aggregate them in some meaningful way in order to compare to an established level? It is not illogical, it is simply not practical.

I believe that COSO knew that this was a weak point in their framework. They came out with an explanatory document in 2012 called “Understanding and Communicating Risk Appetite”. This does a better job of explaining many concepts, but it’s still not very actionable.

Risk is unpredictability. In some cases, you are willing to allow unpredictable results. In other cases you are not. For instance, your culture may say that you’re willing to take on risk for product development. But you’re not willing to take on risk for product quality. How do you address the total risk in the organization and incorporate these two very different risk requirements? You can’t establish, much less aggregate across disparate objectives, a single number to indicate how much risk currently exists across the organization. Don’t bother – it’s a meaningless distraction.

Here’s a better idea. Think of risk appetite as a conversation about the extent that management is willing to accept unpredictable results for each specific type of strategy. If you’re discussing management’s attitude about product development, assure that everyone understands that some risk is allowed. If you can define a number within that context, go ahead. These would be Key Performance Indicators (KPI) for product development. These KPI would, if defined correctly, encourage an appropriate level of risk-taking.

On the other hand, if you’re talking about management’s attitude toward product quality, assure that everyone understands that little or no risk is allowed. Predictable results are required and strategies must assure that this predictability is achieved. Once again, KPIs can help describe expected results. In this case, these KPIs would emphasize predictable product quality.

The essence is that a single risk appetite number, at the board level, provides little or no actionable guidance. Don’t bother. Focus instead on conversations within the context of specific objectives. Where are people expected to experiment and sometimes fail … and where are they not allowed to fail?

You can read more about Performance Risk Management at Risk Leader (rskldr.com).

The essence of a risk management framework

In an earlier post I described risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable.

A risk management framework is a systematic way of approaching those activities. I see four main parts to an effective risk management framework:

  1. A common language. It’s important to share ideas, not just words. The words must mean the same thing to everyone, otherwise you’re sharing the words but not the underlying concepts. For example, when you use the word “risk” what do you mean? Are you referring to the concept of uncertainty or does your organization prefer to speak solely about specific risk events?
  2. A primary focus. A good framework can be adapted for a number of purposes, but it typically exists for one primary reason. My personal experience tells me that the highest and best purpose for a risk management framework is to help an organization achieve its goals in a more predictable manner. There are certain attributes of any good framework (see below) that will make it adaptable for a variety of purposes – but every framework must target a specific benefit. For me it’s the achievement of organizational goals.
  3. Abstraction. In order to make a risk management framework broadly applicable you need rules that describe which ideas are fundamentally similar and which are not. For example, your organization may traditionally use the term “strategy” and “process” in different ways. However, for purposes of a risk framework it may be valuable to abstract these and treat them the same because they both describe the action that will be taken to accomplish some goal. In the case of “strategy”, it may be primarily a high level plan that mostly consists of delegating to others. In the case of “process” it may be a specific activity that a single person will perform. But from an abstract view, they both represent how you will achieve a goal.
  4. Breadth and depth. A framework needs to be a road map. It should be sufficiently broad that the big picture is easily seen. But it also needs to be supported by sufficient depth and insight so that it can help us understand and take action in a detailed, complex, and often confusing real world. For example, it’s not good enough for a framework to simply define a term like “risk tolerance”. It also needs to sufficiently describe how this concept provides value in the real world to a CFO, a regional sales manager, or a production supervisor.

As I continue with these ‘essence of risk management’ posts I will share the components of a practical risk management framework. These future posts will include my recommendations for common language, abstraction, and depth in order to help everyone use this practical management tool.

You can read more about Performance Risk Management at Risk Leader (rskldr.com).


The essence of risk management

This is the first in a series of posts that attempt to get to the essence of risk management. I’ll touch on various topics as they occur to me. Some of these posts will be on broader topics like this one. Others will be on very specific points that help you implement these concepts. As time goes on I hope to amass a series of short thought-pieces that help bring together a rather complicated subject.

The key word, of course, is “risk”. Risk is a synonym for uncertainty. It’s unpredictability.  Risk is the uncertainty of whether you’ll safely cross a busy street. Risk is the uncertainty of your body’s reaction to medication. Risk is the uncertainty of investing your money and getting the hoped-for return. Risk is the uncertainty of a strategic initiative delivering the expected results. Risk is the uncertainty of your town’s first responders arriving at a fire in time to prevent a catastrophe. Risk is the uncertainty of your sports team winning today.

This topic – the first one – is on risk management in general. Let’s start with the big question. What is risk management?

To answer that question, I will first avoid recapping all of the authoritative descriptions. Many of the definitions and explanations lead to over-complication. I prefer to keep it simple. As a business person, my point of reference is always centered around organizational results. In that context, risk management is very simple. It is the group of organizational activities that try to improve results by making the unpredictable a little more predictable. It’s that simple.

Managing risk is simply taking steps to make each goal a little more certain. Whether it’s crossing a busy street, taking medication, or any of the other examples mentioned above – risk management consists of those activities that reduce uncertainty to help you get what you want and avoid what you don’t want.

With this understanding of risk at its simplest and most fundamental level, I will explore the essence of specific parts of risk management in future posts.