Cost and risk Optimisation

How would you change or enhance risk management?

In today’s organisations there is a good level of risk assessment practices – risk identification and quantification for example – but the awareness of risk management strategies needs to be enhanced. This is the next step and most important step. The proper identification of a risk is nothing without a timely and adequate strategy to manage it. Today, the resources invested by organisations to reduce risk exposures are still low.

What frustrates you most about how risk management is perceived by stakeholders?

There is a perception that risk managers can solve any problems in the company without understanding (or ignoring) how important it is to adopt proper mitigation strategies. We must remember that the risk owner is the business/function manager responsible for that activity.

Additionally, through risk management, we can do the best assessment of business risks, but these will remain ‘just a good exercise’ if the management is not ready to put adequate resources in place to manage risks.

If you were to write a risk manifesto for the future, what would be the number one point you’d push?

In the context that cost optimisation is one of the main business targets, I would like to push the principle of “cost & risk-optimisation”. Analysis of business risk is the key driver to address resources allocation.

If you could relaunch risk management what operating model would you adopt?

The ERM model based on a top-down, value-driven and business-oriented approach is a good model on which we can continue to invest. Basic risk management principles are still valid. For instance, the three lines of defence represents a good practice of work. I’d suggest we leave out all the theoretical risk exercises that in some cases evaluate the gross risk before the calculation of the residual ones. What is important for the business is to understand effective risk exposure and if there is further room for mitigation. What value is added by the gross exposure? In my experience it is minimal.

Are risk maps and matrices fit for purpose?

The traditional approaches facilitate the discussion with the management about the risk results. It is important to preserve a common language of risk management to avoid confusion and misunderstandings. But this language must be business oriented and as concrete as possible. For example, I don’t like the risk catalogue listing more than 100 risks without really qualifying them and providing key and clear information on the related exposure and the potential opportunities to mitigate them. I prefer to have a shorter list of risks (5 or 10), each one analysed in detail, providing a clear picture of the related context and scenario.

Second, the traditional methodology should not be a constraint. For certain risks it is impossible to assign a score of impact and likelihood or it can be done only as theoretical exercise without adding value. Think about the risks related to the contract management, where the assessment is focused on the risks that could potentially occur during each process phase (e.g. the risk of contractual conditions not favourable for the companies; the risk of contractual liabilities in case of underperforming). In this case, it can be more useful to understand the existing weaknesses and how to reinforce the process instead of forcing a score definition.

The focus must always be to preserve the key value of the analysis to facilitate the internal discussions and decisions.

Tell me one key thing you’d say to convince business leaders of the value of risk management?

I’d say the following: “Think about the main risk for your business – that one risk where you are aware of the high impact. Now ask your risk manager to quantify this risk, using an ERM methodology. You may discover that the financial impact of this risk is significantly higher than your expectations.”

This risk management approach helps management to materialise a qualitative perception of such risks, reducing scepticism of this kind of analysis, and helps define, consciously, how much resource to invest in mitigating the resulting exposure.