Stop, collaborate and listen, Hans Læssøe is back with a brand new lesson. In his latest opinion piece, the principal consultant at AKTUS and former risk manager of The LEGO Group explains why things will never be the same again for risk managers.
Risk management as a concept is undergoing changes, like almost everything else. New developments and an ever-increasing speed of change adds and changes the demands for risk management – both in terms of what to do, and how to do it.
The world is changing faster than ever before – and anxiety as to the speed of change is becoming increasingly prominent. However, one must be aware that this development also means that:
The world will never again change as slowly as it does today.
For business managers and risk managers alike, this means that past approaches of identifying, analysing and mitigating risks based on current operations and defined strategies are at high risk of being too little too late. Furthermore, as long as everybody is following this approach, it does not provide any competitive or business advantage.
A new and more active approach is needed, leading to a number of significant changes for most organisations … leading companies, some of which may be your competitors, are doing this already.
Change 1 … It is not about managing risks, but about optimising performance
This does not mean that risks should not be mitigated … naturally, they should in two instances:Risk management functions have, for decades, focused hard on defining smart and efficient methods to manage, i.e. minimise risk taking … for the sake of minimizing the negative effects of risks. However, this has meant that resources (people, attention, money, time) have been spent on mitigating risks which had limited impact on business performance and perhaps also limited likelihoods. Perhaps, the same resources could have been more effectively used to develop and pursue opportunities in which case the risk management has essentially depleted business value.
- The potential impact of the risk is beyond the company’s risk capacity and would – if it materializes – “kill” the company or drive this into bankruptcy. Board and executives may opt to define/apply a lower level of risk tolerance, but be careful about doing that … no-one wins a race giving 80% of their best effort.
- Mitigation makes sense from a cost/benefit viewpoint when comparing the effort/resources needed for mitigation vs the impact/likelihood of the risk in question.
The above is NOT just to be seen from a fiscal/financial viewpoint. It could be based on reputation, environmental impact, legislative breach, or any other key parameter. For example, some companies may be at risk of losing a needed business license.
For almost any other risk taken, it is essentially a waste of company resources to mitigate the risk.
As a challenge, look at the risks your company is allocating resources to mitigate and ask yourself/analyse whether or not it is actually value creating or value depleting.
Change 2 … Focus on decisions
You and your organisation will live the rest of your lives in the future. Decisions made are all related to the future which is known to be increasingly volatile. As risk managers, we have to stand up for that and add value.
“Prevention is better than cure”, and attempting to manage risks already taken through decisions made and strategies set is ineffective and at best inefficient. ISO 31000 advocates on literally every page, that risk management must be integrated with decision making.
So … instead of looking at a defined strategy, and identify, analyse and mitigate the risks invoked by this – risk managers should be part of preparing the decision material, often some finance-based business case spreadsheet model - add uncertainties to this both in terms of general uncertainties and of explicit risks and opportunities. With this in hand, the proficient risk manager can:
- Monte Carlo simulate the likelihood of meeting strategic objectives
- Pinpoint key risks to address by adjusting strategic action/implementation plans
- Pinpoint key opportunities which, with an adaptation of the strategic measures/plans, can be effectively pursued and add value
Furthermore, the risk manager will often be a good facilitator for scenario discussions where key strategic assumptions are challenged and addressed, leading to a more resilient strategy. A strategy which will add value if/when the world changes in a way that differs from the one expected.
In short – the risk manager can be a highly beneficial support in the process of defining a strategy which is resilient as well as optimized in terms of intelligent risk taking.
Change 3 … Collaborate
For decades risk managers have been acting and seen as corporate specialists who “did their thing” more or less without deep business interface. Insurance programs were designed and procured with no other cross-company collaboration than executive/board approval, Business continuity plans were developed and documented without much more than basic training of the people involved. Risk registers were updated and risk reports issued without having major impact.
These days have to be over. To stay relevant and valuable, the risk manager has to network and collaborate across the company. With a professional risk and uncertainty mindset and competence, the risk manager collaborates across the company to add value:
- How are budgets made … and how will they be strengthened by adding a risk perspective recognizing that the single number revenue or ROS number will never materialize as is. The risk manager can add value by increasing the understanding of business uncertainties.
- How valid are sales and operation plans … the risk manager can analyse data from a risk and uncertainty perspective and enhance understanding and planning efforts … all the way to equipment investment decisions.
- How are projects approved … the risk manager can consolidate the project portfolio and direct attention to those issues where value is most effectively added … across a portfolio of projects.
Perhaps/in some instances, the metric of timing is more important than that of money. The risk manager should be able to direct focus to where the most value is added. There are multiple such value-adding opportunities for the proficient risk manager. This also means that top management can ask more of the risk manager than the current ERM reporting and insurance programs they are spending time preparing.
Consequence … new risk manager profile
None of this comes from nowhere. The person/team assigned to be risk manager(s) must have the appropriate skillset and mindset to meet the above agenda. Beyond basic statistic and analytical skills which are not new to risk managers, a set of skills are needed for the risk manager of the future:
- Strong business understanding. This is an internal skill as all business systems differ. The risk manager must understand the business system and the money-making logic of the company to be able to add value.
- Insight into human biases. Decisions are made by human beings who are susceptible to a range of biases which essentially deplete the factual quality of decisions made. The risk manager must have insight into this and how decisions are made within the company to be able to work with this and enhance the quality of decisions. Carl Spetzler has written a great book on decision quality (named Decision Quality).
- Collaborative skills. It is time to leave the office and meet people. Talk to executives about their concerns and more importantly, to specialists about their concerns. Get the insight – which will also add to the insight of the company’s business system. Listen and support, and build on their support to enhance overall company performance.
This includes knowing how to work with executives and make them trust you above their immediate gut feeling.
Growing these skills builds trustworthiness and hence impact on company performance. Impact, when applied well, adds value … and now the risk manager earns his/her pay to a much higher extent than what is seen in many organisations.
It is by no means a 100-meter sprint, rather a Tour de France … but the alternative for the risk manager is irrelevance. The best a risk manager can do is to plan and communicate tangible steps on the way, and deliver on these, step by step – and grow the role and the competencies.
Risk management is all about preparing to dare.