People love to categorize — to group things together. I think it’s one of our deepest psychological activities. I’m sure it helps us create sense in a very complex world.
Risk management is certainly prone to categorization. It’s a good idea. When you do it correctly. When you do it wrong, it simply confuses some of the essential concepts. Allow me to explain.
When I talk with business people about risk management, categories are often the first thing that jumps to their minds. They don’t do it intentionally; it’s just the way we are often urged to consider risk management. For instance, when I asked a colleague (a finance and accounting professional — smart guy) about his view of the major risks to a company, he stated quickly “liquidity, credit, reputation”.
This caused me to take a mental step back. This isn’t how I identify risks. I’m sure it’s because I operate down in the trenches, but I identify risks much more distinctly. To me, a risk isn’t “liquidity”, it’s “insufficient or unreliable credit relationships to assure short term funding needs”. Are they the same thing? More or less — sure. But “liquidity” is a general concept while the other is more easily understandable and actionable. In my mind, liquidity is one of many potential categories … but not a risk itself.
However, I suggest going one step further. In my approach to risk management, liquidity isn’t even a category of risks. Instead, it’s a category of objectives. Let me explain.
To “do” risk management, you should start by identifying what you’re trying to accomplish. These are the objectives of the organization and, more distinctly, of each individual person within that organization. Organizations can surely have “liquidity” objectives and “credit” objectives. They also have “strategic”, “operational”, “financial reporting”, “compliance”, “legal”, “reputational”, and potentially dozens of other types of objectives. This is where the categories come in handy. They serve as a road map when brainstorming and identifying objectives. This road map helps the process by forcing the question “Hey, don’t we have compliance objectives? We haven’t identified those yet.”
You should use whatever tools are helpful, including these categories, to help you identify real and practical objectives. Once the objectives are identified, the risks are relatively easy to identify. The only question you need to ask in order to identify the risks is “For this objective, what could reasonably go wrong?” Now you’re discussing real risks, not pseudo-categories.
Here’s a very simple example of why it’s more practical to work with risks within the context of specific objectives. If you’re considering the risks for an upcoming party that you’re planning, is it easier to brainstorm “operational risks”, “financial reporting risks”, etc.? Or is it easier to come up with the risks if you consider what can go wrong relative to “invitations”, “entertainment”, “food”, etc.? Once these objectives are identified, real risks come more readily to mind, right?
My advice – use categories as a framework to help you brainstorm objectives, not risks. Identifying and understanding objectives must always be the first step in managing risks. Then, once real objectives are identified, the risks flow readily to mind. This is efficient and productive. My experience confirms, for me, that any other approach simply doesn’t work in the real world.
But this advice doesn’t really answer the question … are there categories of risk? I’ll address that in my next post.