Organisations are working hard to put the financial crisis behind them, but with a new year must come a new approach for companies and their risk managers, says Andrew Leslie

What, exactly, is going on? After the near melt-down of the global finance system, massive intervention by governments, wailings and gnashings of teeth over the sins of the bankers and the prospect of mass unemployment and the ruin of enterprise, things seem to have gone very quiet.

On 16 November, the European Union’s statistics office, Eurostat, announced that the Eurozone’s exports had risen 5.5% in September, having slumped by 4.1% in August, while the Eurozone’s economy shook off the recession tag by achieving growth of 0.4% in the third quarter, and the US economy grew by 3.5% in the same period. Meanwhile, the World Bank predicted that China would grow by 8.4%. But despite the flurry of favourable statistics, confidence that the worst is past and that life can return to normal is precious hard to come by.

Partly this may be due to the knowledge that financial stability has been achieved only at the price of heavy indebtedness, with the Frankfurter Allgemeine Zeitung in July forecasting the overall indebtedness of EU member states as a percentage of GDP to be running at 79% by 2010 – well above the Maastricht Treaty’s definition of ‘excessive debt’ as 60% of GDP.

Business knows full well – better than politicians are perhaps prepared to admit – that there will be a heavy price to pay in time, in the shape of higher taxes, spending cutbacks, rising inflation and possibly rising interest rates. Meanwhile, the fate of Iceland – caught in the grip of severe IMF strictures, with a devalued currency and a broken banking system – is enough to make the most sanguine organisation wonder whether there will be further victims before the recession is truly over.

Whether or not there is worse to come, it is clear that risk management is being looked at critically, but not entirely unfavourably, in the light of the events of the last 18 months. As Paul Hopkin, technical director of AIRMIC, puts it: “There has been a realisation that risk management does not get you out of trouble once you are in.” But it is equally obvious that risk management has not always managed to steer organisations clear of trouble in the first place.

The failure of the Icelandic banks, for example, revealed not just the well known failures in correctly assessing risk in the banking fraternity, but also the imprudence of many organisations, from local authorities to charities. Drawn by the lure of high interest rates, they failed to ask the obvious risk management questions, and suffered the consequences.

In the light of this, the results of Accenture’s 2009 Global Risk Management Study make interesting reading. It surveyed more than 250 risk executives from a range of industries and countries, and concluded that:

“The surveyed executives were close to unanimous in their belief that current risk management practices must be substantially improved both to correct deficiencies and to capitalise on emerging opportunities. One widespread perception that can be seen in survey responses is that an organisation’s risk management capability has been overly isolated and not fully a part of the rest of the organisation. Risk executives believe risk management must be better aligned with the company’s strategy and goal-setting process, and more fully integrated into the company’s business units, culture and performance management processes.”

Hopkin echoes this when he says: “There’s a positive view of how organisations perceive risk management. The challenge is that organisations are uncertain how to achieve building better risk management into their strategy. Organisations want to take risk management more seriously.”

A degree of hope is being pinned on the latest review by the UK’s Financial Reporting Council (FRC) of the Turnbull guidance, which is due to be completed in 2010. Hopkin is not clear about whether the review will confine itself to matters already covered by the combined code, such as the role of internal audit, or whether it will go further and cover more by way of the strategic and forward-thinking role of risk management. He recognises that there is a problem: “Do you beef up the Turnbull guidance, or come up with a separate document? Once you get on to matters such as risk appetite or risk aware culture – well, what do they mean, precisely?”

Yet, the Accenture survey shows that it is precisely in these strategic areas that risk professionals feel that change is most needed. 89% of respondents thought that strategic decision making had to integrate risk, return and capital management views more effectively. 86% thought that enterprise-wide awareness for risk culture had to improve. 89% thought the strategic alignment between business strategy and risk appetite had to be improved. These, together with lack of clarity in responsibility for risk between the corporate and business units, were the areas where respondents felt that risk management had failed.

It is encouraging that the same survey reports that 70% of respondents were either intending to invest in improving their risk management or had already done so. The temptation to cut back on the resources devoted to the function, or force it to do more with less, seems to have been avoided in the majority of cases. Nevertheless, the challenges for risk management are imposing ones. One of them is to keep their organisations connected to reality.

There is an argument that the failures in the financial markets occurred because the financial services industry had lost touch with the nature of the thing they deal in. Money is merely something that facilitates a transaction between two or more people. But once it becomes a commodity in its own right and is engineered so that it can be traded in huge amounts that are beyond the comprehension of most people who actually use the stuff, risk creeps in.

The same phenomenon of detachment from reality occurs in most speculative bubbles – the most popular example being the tulip mania which occurred in Holland in 1636. On a smaller scale, the continuing scandals surrounding the leakage of personal data may well have something to do with the fact that once such details are aggregated and stored on massive databases, they become depersonalised – and hence at risk of not being treated with sufficient care.

Risk consultant Tim Yeates considers that the question of how risk managers get to grips with such intangible risks, many of which stem from human nature rather than from systems, is central to the role of the profession. “It’s not so much about the failure of risk management as about the change in the nature of the risks,” he says. “Risk managers are good at the tangible. The failures are to be found in information and finance and reputation. These areas are immeasurably more difficult to deal with than tangible things like safety measures or physical security. And the solutions currently at the risk manager’s disposal don’t yet provide the answers.”

He further cautions that complacency is the enemy of good management. It is always worth remembering that probability does not equal certainty, he says, especially in an environment where senior managers are constantly trying to extract certainty from uncertainty. “The risk never goes away,” says Yeates. “It may be displaced in time, but if you assume it continues to exist – that way you are encouraged to keep an eye on it.”

So if and when the recession comes to an end, how can the risk manager redefine his role in the organisation to have a better chance of avoiding the kind of failures we have witnessed during the last two years? A clue may be found in a paper produced by the Wharton School of the University of Pennsylvania called Re-thinking risk management: why the mindset matters more than the model (held on the IRM’s website as part of their ‘Recession watch’ resource package). The paper’s thesis, very much in accordance with the findings of the Accenture survey, suggests there is a pressing need to move away from traditional thinking about risk.

“What I see now is a new risk architecture emerging for organisations,” says Erwann Michel-Kerjan, managing director of Wharton’s Risk Management and Decision Processes Center. “We were trained to solve problems with clear questions and clear scientific knowledge. Knowing the historic risk profile, we made investment decisions. But historic data does not shape the future any more, given how rapidly the world is changing. We usually look at the known issues and make a nice diagram with probability on one axis and impact on the other. That’s Risk Management 1.0. Risk Management 2.0 is [going] beyond the known issues to look at the links and interdependencies. You can no longer look at the risks independently of each other.”

In other words, risk management has to be integral to every aspect of an organisation’s life. Of course, this has long been the driving force behind the idea of enterprise-wide risk management, but the depth of the recession and the failures exhibited by confining risk management to silos labelled internal audit, insurance buying, or compliance, are increasing the pressure to move away from traditional thinking. As one of the conclusions to the Accenture survey puts it: “Effective risk management departs from the fragmented and compartmentalised solutions usually in place at many companies. It offers a holistic view of the enterprise designed to identify and understand a variety of risks, and then feed that understanding into the growth engine of the company.” However, separate Accenture research uncovered the fact that only eight per cent of companies surveyed considered that they had a fully integrated risk management framework.

So how does risk management get from here to there, especially in times which remain full of hazard on the economic front? As ever, the key has to be the recognition at the top of the organisation that a new approach is needed, and that looking at risks in isolation is not the way forward. Thereafter risk management teams need to be synthesists as well as analysts. People who are good at making connections between apparently unrelated events ought to be as valuable as those whose skills lie in analysis of complex data.

It is possible that the whole idea of a ‘risk culture’ will need to be re-thought in new terms to embrace the idea of getting the total risk exposure to balance – it is little use one segment of an organisation adopting an approach to risk which is at variance with that of other segments, as we have seen in the financial services sector. Like a good defensive general, risk management should seek the best strategy to prepare the organisation for anything the enemy may throw at it – and to exploit any opportunities that may arise.

Finally, there is the need to recognise that most risk is human in origin, and that thinking too much in terms of system and process, and not enough in terms of human behaviour, can actually increase risk, not diminish it.