Risk managers need to change the way they view, approach and act on risk. There are no quick fixes, just a hard process for #ChangingRisk, writes Hans Læssøe, principal consultant at AKTUS and former risk manager of The LEGO Group

Risk management is an industry/profession undergoing change – as are all other professions. It appears three things are happening in concert:

  • Some risk management individuals, some risk fora and the two global standards (ISO 31000 and COSO) are discussing and calling (shouting) for more influential, proactive and pre-decision risk management
  • Yet most, I am sad to say, risk managers still keep on trucking. Doing what they have always done, the way, they have always done it. They are ignoring the limited and diminishing value add they are perceived to deliver
  • More and more management teams increasingly ignore risk managers as these are seen as nay-sayers and administrative burdens with little or no perceived value add, and no experienced help to the executives

The world is changing faster than ever before … and hence is changing slower that it will be in the future. The requirements to be competitive and value adding in everything that you do becomes increasingly in-focus, and executives reduce, outsource or even cut functional areas that are seen/ perceived not to add value to the company. They have to, in order to maintain a sustainable business.

This leads me to two observations:

  • Something has to happen if the risk profession is going to be a profession going forward – and we cannot rely on the risk profession being maintained for compliance reasons. After all – it will not take much for an Artificial Intelligent system to do better, faster and cheaper just a few years into the future
  • Risk managers have to drive the change themselves. No one else will do it for them – why should they. This also means, risk managers have the “freedom” to define how to change

This may all be true – but that does not help the individual risk manager much. Where is the direction, aspiration and strategy for what has to happen?

I see the need for a paradigm shift based on four steps to be taken by the risk manager. These may be easy to describe, but paradigm shifts are hard to grasp, even harder to internalise and harder yet to execute in real life. So – what we are looking at is not a quick fix, but a hard process of change. Change in the way the risk manager sees things, changes in what and in the way risk managers act on things, and changes in the way risk managers are perceived by the rest of the organisation.

Change 1 – risk is good

And no, I am not talking about “positive” risks.

Traditionally, the focus of a risk manager has been to control/minimize and eliminate risk taking. To a business executive this is nonsense. There is no such thing as making a decision without taking risks – and if there were no risks, there would be no profit/benefit to be gained.

So – drop the notion of minimizing risk taking, and start looking at what is intelligent risk taking. When is it prudent and valuable to take, even big, risks? Racing icon Mario Andretti stated “If everything is under control, you are moving to slow”. This statement is very true in business as well, and also applies to governmental and non-profit organisations that need to develop based on other parameters than necessarily money and earnings. They all have to “move” on something.

If/when an industry becomes too predictable and slow – the way some companies succeed compared to the bulk of the industry is to change – change the rules, the products, the marketing, the business model – something/anything in order to establish a competitive advantage.

So – change and hence risk is good. Learn to love risk taking – intelligent risk taking.

Change 2 – focus on performance

Traditionally, the risk manager focuses on the risks and (helps) manage risks to minimize the level of exposure the company may face. By and large, within the organisation, the risk manager is the only one who cares about risks in that respect.

Start learning, if you have not done so already, the language of the business. Measure (risk) in terms of business performance metrics and replace impact, likelihood, velocity, vulnerability etc. with net present value, profit, return on sales, or whatever performance parameters the company is using. Be aware, any business will have a “battery” of performance measures.

Start looking at your risk portfolio and measure/analyse how these risks affect performance on business metrics. ISO 31000 states that “risk is the effect of uncertainty on objectives”. Learn to measure in performance scales and communicate performance rather than risk centric metrics. This way – you can more easily communicate with executives in a way they find meaningful.

Change 3 – influence decisions

Sad to say, but most risk managers around the world are busy saving the performance of projects, actions and decisions already made. This way they are, rightly, seen as somewhat reactive. In an increasingly volatile world – being reactive means being too slow.

ISO 31000 and with somewhat lesser tenacity, COSO states that risk management must be integrated with decision making. Instead of deciding (implicitly or unknowingly) to take a risk and then trying to manage this – companies need to deploy intelligent (aware, analysed and deliberate) risk taking.

Risk managers have to look at “how are decisions made and based on what”. The good news, the risk manager may not need direct access to the C-suite or Board of Directors to succeed. They may be very well off by liaising with the specialists and analysts who prepare the decision material based on which the decision is made. Collaborate with these people to ensure risk (positive or negative) are duly and validly embedded in the decision material.

The competent risk manager knows the needed analytical tools and can support the material with Monte Carlo simulations and outcomes in ranges rather than some fixed numbers which will never materialize in real life anyway.

The risk manager should then reiterate change 1 of risk is good, and focus on “what will we have to do/how do we execute to meet our targets”. All of this in close collaboration with the people making the decision material and the execution planning. Stop the nay-saying and become part of the solution. Be an active, positive and hence valued member of the team that effectively designs decisions made by those in power to make these.

This way, you will earn your right to be heard, and earn your right to influence decisions and actively and tangibly add value to the business. It will not be a quick fix – so the sooner you get started – the sooner you will finish.

  • Start small focusing on a decision process/project/initiative where you most easily and effectively can make a tangible positive impact.
  • Learn and adjust your approach to match next step, and the next and … adaptability is king
  • Scale fast, you will not have the time/luxury to “stroll” along, the business around you is moving/changing too fast

Now you, as a risk manager, can build/create your opportunity to have impact on decision making, and to establish intelligent risk taking in the company. This way you become valuable. You will also gradually build your network across the company as well as your understanding/insight into the company’s business system and money-making logic. This is a vital expansion of your professional competency.

Change 4 – influence strategies

Once you have “earned your wings” on tactical/operational decision processes and projects – you may start looking at the more evasive decision processes such as strategic design and strategy definition. You will not be granted access to discuss “strategy with risk mind” with executives before you have proven the value of your approach and efforts.

Not to worry – you do not have to. Instead, liaise closely with the strategy specialist/analyst team that drives the strategy definition process – and together with them, leverage e.g. scenario thinking, war gaming, pre-mortems or like tools to push for a strategy definition/description/planning which will be (more) resilient in a volatile future.

This may not give you a Chief Officer title, but it will make you trusted and highly regarded amongst those who have it. If you do have top management aspirations – you will need to look across and get leadership experience from different parts of the organisation. But that’s another story.

Now – gradually and increasingly, you will be adding tangible and significant value to your business and will be “pulling above your weight”, which is a pre-requisite for being truly valued as a professional in your company. Your leverage is the increasing volatility – so the need for your competency is also increasing, you “just” have to show you have this competency.