Will a redirection of our basic principles of risk management add the value we need? Jonathan Blackhurst, head of risk management at Capita, boils it down into five key steps
In introducing ISO 31000 in 2009 and enhancing the standard in 2018, the International Organization for Standardization (ISO) intended to provide a guide for the design, implementation and maintenance of risk management. But it is my claim that it is this precise type of systematic and logical process, designed to lead organisations through identifying, analysing and evaluating risk, that is flawed. To this end, below I propose alternative interpretations of the steps set out by ISO 31000 (and most other risk framework processes).
My suggested rethink of the principles is not intended to prescribe specific risk practices, but to offer a redirection for using the risk process to improve the substance of available decision-making information.
Principle 1: Establishing scope, context, criteria – think strategy
Use risk management to advance dialogue around strategy. A winning corporate strategy is one that can exploit the areas in which the organisation excels relative to its competitors. Risk management must therefore serve as a guidepost for when a new opportunity or significant risk emerges.
Dialogue around this often turns to the phrase ‘risk appetite’, but this falls back into the trap of a risk language not necessarily aligned to a strategic conversation. The better focus should be on executive management and the board agreeing on the strategic, operational and financial parameters and drivers around their opportunity-seeking behaviour – all in ‘business’, not in risk, language. The resulting risk conversation (whether it is called risk appetite or not) then becomes a strategic level reminder of the thresholds in the strategy-setting process. The context of risk management is therefore realigned in order to call attention to the level of risk the organisation is facing, directly corresponding to the decisions it is making in pursuit of value creation.
Continue the focus on strategy, but add line of sight to the external environment. A valuable decision-making approach via risk management should be designed to provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations and other external factors remain valid. Dialogue about risk management should be on whether changes in these external environmental factors are expected and whether they could alter the fundamentals underlying the business strategy – in short, a highly valuable early warning capability.
Reinvigorate focus on critical and emerging risks. Most companies will be operating the list and classification of risk around the operational success of an organisation, looking to provide valuable assurance that exposures can be tracked and, over time, resolved. In this context, any sort of debate about risk can be positive, because at the very least, it gets the conversation out in the open.
However, for risk management to add value in a core decision-making setting, the focus needs to be on the areas that will genuinely affect those core decisions. The critical risks represent the exposures that can threaten the strategy, business model and the viability of the business, and should consequently warrant the most attention from decision makers.
Senior management also need to be mindful of emerging trends triggered by unanticipated events of varying significance, ranging from catastrophic new events to existing risks accelerating in their impact.
Context is key to understanding
If we accept the redefining of the first principle, what does the change look like? How do we join the dots with coherence and calibration across the business? Many examples of risk context are built from the bottom up, with each business unit naming and classifying things in its own context. Centrally, this will usually be aggregated into something that will claim to resemble a company-wide context, in which risks that appear to be of the same type will be forced into an aggregated statement.
But in reality, as business units may not be using the same language, the ease of visualising the real risk context to the organisation at a corporate decision-making level is severely reduced as things can be missed or misunderstood. This can lead to risks being considered in the abstract, and not collectively, with links between them overlooked, leading to a business failing to recognise consistent and endemic points of weakness.
Honest, intelligent, informed contextualisation is also a challenge. As different risk contexts are calibrated from within the operational level of an organisation, how do decision makers successfully set some perspective? The need to develop a consistent and transparent context across seemingly different risks from widely different business areas is a challenge requiring significant insight into the day-to-day operating of the business.
So is this really the best approach to contextualising risk in a decision-making setting, when there are so many moving parts and when it is reliant on a perfect alignment of several facets of analysis? In my view, it is half the answer, and the other half is the part that is vital for establishing decision-making value. Such ‘bottom-up’ contextualisation can only influence decision-making if it is dovetailed into a strategic top-down context that goes beyond senior management lip service – the priority for ‘establishing the context’ must therefore be top down.
The building blocks for changing the focus of risk context to top down include:
Speak up – Establish risk context through dialogue amongst the senior management team. Creating this risk dialogue needs to be as simple as the corporate structure allows, with nothing more sophisticated than ensuring dedicated time in regular executive meetings. What is key is ensuring time is given front and centre to avoid the dialogue being crowded out by other corporate discussion points.
Be honest – Top-down risk context needs to focus on actionable debate. This is not the place to provide executive management with assurance that material risks are under control. The goal needs to be to set the context around the ‘what actions do we need to take’ debate already in place amongst senior management as they run the business.
Allow for risk – Top-down risk context needs an indicative understanding of the level of risk an organisation can afford to live with, without getting too engrossed in a cottage industry around risk appetite/threshold/tolerances. Ideally, this needs to be contextualised around areas of strategy where the organisation believes it has a competitive advantage, e.g. emerging technology risk where the company has strong R&D credentials.
Principles 2, 3, 4: risk assessment – be prepared, be brave
Follow the full path of impact assessment. When it comes to assessing risk, it is easy for organisations to just look at the high-level impacts and sensitivities (high level in terms of amount of detail). This is insufficient to add value in decision-making and therefore needs a rethink. Risk assessment in this context needs to consider not just the short-term business-as-usual conditions affected by such things as market changes, but also the effect these have on the overarching strategic drivers in the company.
Tell the whole story. The bottom-up risk context focuses assessment on the likelihood/frequency/probability of a potential risk and its impact. This is important. But it should not be the whole story if the decision-making process is to fully embrace risk information as a source of value. It is also key to answer how ready the company is to respond to the risk if it occurs, and how far ahead the company can forecast the risk event coming. These two concepts of preparedness and lead time are vital in order to turn the assessment of risk into a tool that supports decision-making.
Be brave and address ongoing business management risks on an outlier basis. Every business will face a myriad of operational risks (technology, financial, service delivery, HR, security and so on), and most of the effort and resource around assessment is focused on these. The point is that the focus on these day-to-day risks is not the right one when it comes to decision-making. This area of assessment and board communication should not be at the heart of a company’s risk methodology; instead, things should be highlighted only by the escalation of unusual indicators (such as exceeding an established staff attrition limit).
Principle 5: risk treatment – don’t focus on the obvious
Focus risk treatment on the strategic big assumptions. As mentioned, the risks identified as high priority as a result of bottom-up assessment are not, in my opinion, the most valuable to a decision-making context. They are often self-evident, along the lines of ‘if a major supply disruption occurred, unfortunate things will follow in our own service delivery’. Focusing risk treatment on this obvious information only further undermines the decision-making value of risk information, because management treatment of these risks is seen as rubber stamping what is already known.
A far more useful exercise for supporting decision makers is for risk treatment to play out the full scenario of the big strategic assumptions that the company depends upon. These risk-based scenarios are the conceivable descriptions of the future and are built so that decision makers can embrace uncertainty.
Instead of reducing risk treatment to a single most likely outcome, these big assumption scenarios attempt to identify the major forces driving external change and the key uncertainties that lead to a wide range of possible outcomes. The parameters and boundaries of our uncertainties are mapped out and provide a risk-based context for treatment and evaluating future strategic options.
While this approach is not designed to remove hard decisions around risk treatment, and it certainly won’t prevent risk from crystallising, it does mean that decision makers can use the risk process with a broader understanding of the risks and rewards.