Risk Management Success: The Things That Matter Most
Risk practitioners are always trying to get a better read on the keys to success in risk management. Considering the way risk management has evolved as a discipline over the last 15 years in particular, some might say the question is a bit of a moving target. And yet, it really shouldn’t be. Risk and its effective management have been a perennial necessity to enterprises around the globe for centuries. The big sea change has been not so much in the fundamentals as in the recognition that approaching it in a more aligned, integrated or holistic way is, at a minimum, more efficient and most often more effective.
Traditionally, success in risk management has been measured in dollars, most frequently as Total Cost of Risk (TCOR). The goal: reduce component risk costs so that the total, measured against some common exposure base like payroll or gross revenue, allowed for comparison and benchmarking with peer organizations, typically from the same or similar industries. Yet this approach relates more to the hazard risks that are typically subject to insurance as a primary “treatment” method, along with the equally common prevention and post-loss control techniques that further impact final and then total costs.
Now, while TCOR is still commonly used and is meaningful, the challenge of understanding success in risk management is made more complicated by the need to ensure that all risks, most of them not subject to insurance treatment, are effectively managed. Among others, strategic risks rise to the front of the pack as those with the greatest chance of destroying the most value in organizations, and they have been shown to do so in objectively verifiable research in recent years. One recent study showed that 68 percent of all loss in enterprise value over one 12-month period was due to strategic risks. Hazard risk, a part of the operational risk category, impacted value by only 13 percent. Surprisingly, even during the financial crisis of 2008, financial risks accounted for only 12 percent (legal and compliance risks a mere 6 percent). These data points elevate the need to address all risks more effectively, with special emphasis on strategic risks.
Unfortunately, strategic risks don’t lend themselves to traditional measures like TCOR. In fact, these risks are often not well managed, and often not even well understood. Sometimes they are not even effectively identified, leaving management and governance without the key information they need to fulfill their roles as owners/managers of risks and overseers of risk and risk management effectiveness, respectively. Success measurement is a key opportunity, though some might say that organizations that meet or exceed their strategic plans are, by inference, effectively managing all key risks to mission accomplishment. Sadly, this is not always true.
While much work needs to be done to bring risk management success measurement to the needed levels of sophistication and comprehensiveness, there are many risk experts and consultants hard at work on this very issue. As their techniques and solutions emerge in the market, there is another, more broad-based view of risk management success that I believe is directionally correct and, if practiced consistently, will lead to greater effectiveness across all risk types, all risk organizational styles and all approaches, regardless of the frameworks used or metrics employed.
To that end, here are some thoughts that I often include in my presentations and teaching on risk management. Suffice it to say, no two practitioners are doing exactly the same thing or following a template-based strategy if they’re having much success. Two things of significance stand out. First, there is no one right way to practice risk management; second, the best risk strategies are those that are aligned with, if not custom designed to fit, the needs and priorities of the organizations for which they are intended.
“The best risk strategies are those that are aligned with, if not custom designed to fit, the needs and priorities of the organization”
One thing is nearly certain: a risk strategy can’t be successfully executed without a risk framework to make actionable the strategies that inform success. A framework might best be guided by one of the risk standards that are increasingly informing how the work can best be done with rigor and discipline, but a standard is not a prerequisite to success. By contrast, a risk culture is a prerequisite to long-term risk management success. Your corporate culture reflects the ways in which management and governance prefer employees to behave. It is typically tied to a set of “values” such as honesty, integrity and excellence. But do you realize that you also have a risk culture, even if you haven’t purposely defined and implemented one? Whether your organization is risk averse, risk assumptive or somewhere in between these two extremes, your employees have risk-taking and risk-managing behaviors that, without a specific design and strategy for the risk culture you desire, are unlikely to be the behaviors or culture you most need and ideally desire. Therefore, communicating effectively on this issue can be most valuable to your long-term risk management success.
So what matters most in achieving this desired state? Well, at the risk of producing another list of top 10 items, here are 10 things that, in my opinion, matter the most in effectively managing risk. If you operate with these elements in place, you will be more likely to have an effective strategy that other risk stakeholder leaders will both contribute to and enable with resources.
1] Downside Protection Is Job 1: The first priority is to make sure reasonably preventable loss is addressed through both mitigation and financing tactics. Management and governance rightly assume this gets the appropriate attention and priority.
2] Influence and Gumption: Every senior risk leader must have the respect and reputational gravitas to be heard and the gumption to push back on risk owners and stakeholders with whom they may disagree.
3] Consistency: Since the risk process and its sub-processes are the way in which the work gets executed, it is essential that they be applied consistently by all users.
4] Process Rigor: Processes that produce results and have impact require a rigorous approach to how they are designed, measured for effectiveness and continuously improved. Risk leaders must practice process rigor on a consistent basis.
5] Data Interpretability: Reporting timely, reliable, meaningful and actionable information to management is a must for showing results and impact. It is also critical to enabling management to make the best informed decisions.
6] Communication Clarity: Beginning with a clear definition of risk itself, an entire sub-strategy for communicating your messages will ensure you reach the “right recipients at the right time with the right message.” From this will flow the right level of risk awareness every organization must have.
7] Value Creation: Recognizing and leveraging risk for gain is the necessary evolution of the discipline, and it is critical for practitioners to engage in if they ever hope to move beyond the tactical.
8] Embedded Risk Culture: Driving consistent and aligned risk taking behaviors and decisions across the enterprise can only be achieved by embedding a well-defined and disciplined risk culture that is well aligned with the overall corporate culture.
9] Managing to Appetite and Capacity: Risk cannot be effectively managed without a clear view into how much risk you are taking, need to take, want to take and have the capacity to take or assume.
10] Aligning Risk and Performance: The ultimate outcome for risk professionals is that they manage risk relative to performance. Alignment, if not integration, between these two disciplines is essential to achieving short- and long-term goals.
So there you have it: the 10 things that I believe matter most in managing risk effectively. Sure, there are many other tactical elements of a good risk strategy and of the effective use of a risk framework, but I believe they will naturally flow out of these ten elements when put into practice with the proper senior-level mandate and regular reinforcement.