Is our current thinking of risk management ineffective and flawed?

Risk management and its effectiveness in companies has been hotly discussed all over the world. I dare say that the problem is more inside the risk management field than outside it. 

My concerns are connected to two issues: the polarisation of risk professionals; and how we are becoming ‘boring’, both in terms of how others outside of our field perceive us, but also how we feel about ourselves.

Quantitative vs. Qualitative

It has become a sad routine to see so many great and amazing professionals criticise risk management concepts instead of delivering ideas, good practices, and new concepts.

These professionals want to prove that they have the right answer as a priority. I see this especially in the risk professionals who tend to use quantitative approaches versus qualitative approaches.

But my answer is to approach risk as if you are a researcher. This doesn’t mean that when risk managers carry out their analysis, that they must define themselves this way, and say, “I am a quantitative researcher and I don’t believe in qualitative methods.”

The most effective form of analysis is to use both methods.

As stated perfectly by the HEC (Université de Lausanne) professor, Annette Mikes, in her speech upon receiving the ACA Prize Laurate 2017 regarding values at risk:

“I found further evidence for the culture of calculative enthusiasm, which sought to model risks and put a lot of faith in the power of quantitative models to capture the underlying economic reality, and also discovered additional places of calculative scepticism, which regarded models as trend indicators at best and which relied instead on judgment and intuition to understand the underlying risks. The polarisation of quantitative enthusiasts and quantitative sceptics ultimately hurt both camps. In the end, I found that both styles are justified and helpful if applied to the right type of risk and if deployed judiciously. ” [1]

More of the same

Those who work within the risk management field has at least heard or has said one of these statements below:

“It is important to provide support and communicate clearly with all stakeholders to

implement an effective risk management.”

“Risk managers need to be aware and take into account the views of all stakeholders. Develop good governance.”

“ERM needs to be aligned with the organisation’s strategy.”

First of all, I do not suggest that these statements are wrong. Actually, they are completely right. I cannot agree more with them. But it is getting boring to see and listen to this all the time.

From seminars and interviews to articles within the field – we don’t say more. We don’t create more. We don’t aim to be multidisciplinary professionals or thinkers.

Recently, General Motors decided to think “out of the box” with its risk management process [2]. It adopts traditional risk approaches, but it is also using ‘design thinking’ to better understand the risks and how to mitigate them.

Additionally, it is using gamification to understand different perspectives of a given risk scenarios. People are assigned roles, as the regulatory agency, for example, and then he/she would decide how they would act depending on the scenario.

Thus, the company could be prepared for a wide range of variables and possible outcomes within a context.

The essence of risk management

In short, such issues have been leading us to the bigger question, why do we conduct risk management? For sure, we can answer this question in different ways, but they all lead to the same idea: to help institutions, companies, and people to become prepared and feel more secure towards uncertainties and provide the necessary support to make companies evolve in a complex world.

This is our why, [3].

You can create a beautiful Monte Carlo simulation or Tornado graphic to help mitigate or eliminate risk. Or a detailed risk library and a “beautiful” heat map, which exposes all risks. But this is the same result as doing nothing.

Risks are not reduced because of a presentation or a high-technological GRC system.

The only thing that reduces or eliminates risks and/or creates opportunities for companies is action. No more, no less.

And about the boredom: we need to think in a multidisciplinary way and understanding the context in which we operate.

The world is changing and with it, there are huge technological and political challenges that are changing the way we perceive things, and consequently business models. It is no longer sufficient to simply discuss risks related to strategy and decisions.

We need to discuss the structural changes that can disrupt a business from one day to another; how to integrate risks with new emerging technologies like blockchain, AI and virtual reality. In general, how risk management can generate solutions to a fast-evolving world.

To conclude, risk management cannot be perceived anymore as a “line” in the 3 lines of defence or just a regulatory issue that needs to be addressed. Risks must change from a compliance perspective to innovation. It is a new mindset or even a business model that can lead us not only to navigate through uncertainty but to new territories that are yet to be explored.

[1] https://www.linkedin.com/pulse/values-risk-need-ethical-turn-management-anette-mikes/

[2] Fresh Insights from the Spring 2018 NCSU ERM Roundtable Summit

[3] Simon Sinek - The Golden Circle