A new paradigm in risk management is beginning to take shape, with more professionals talking about a shift to risk-based decision making and culture. But this has also uncovered some ugly truths about how we apply risk management in our businesses, writes Alex Sidorenko, chief executive of Risk Academy.

I have been in corporate risk management for more than 14 years. This is by no means a record or even mildly impressive; it is merely long enough to notice some trends. Just like many others, I like soul searching, finding out new ways to integrate risk into what is important for business, trying different tricks to improve culture and dropping risk analysis tools that simply don’t work.

The last three to four years have been quite amazing in terms of the shift in thinking we are experiencing in corporate risk management. A new paradigm is beginning to appear and take shape with more and more people writing about risk-based decision-making and culture. Somewhat ironically, this shift has also uncovered some ugly truths. I have tried to summarise them in 3 buckets:

1. Solving the wrong problem

By far, the biggest mistake many corporate risk managers make is trying to solve the wrong problem. Despite so much useful information published by Norman Marks, David Hillson, Doug Hubbard, Warren Black and others, many still believe risk management is actually about managing risks. It is not.

The irony is so steep. Risk management is not about managing risks. But it’s in the name! My opinion is, whoever coined the phrase “risk management” has made a huge mistake.

On a number of occasions I have proposed that this change be made in the upcoming version of ISO 31000, not surprisingly without much luck. That was a fun exercise. Some people are so precious about their risk management, it felt like Lord of the Rings.

But the house of cards falls apart very quickly when corporate risk managers try selling better management of risks to executives and other employees. If you are being honest with yourself, you too have probably experienced something similar. No one in the organisation, except the risk manager, cares about risks or their effective management. Risks are not on their agenda. Risks don’t excite people in the office. So what do executives care about? Meeting objectives, avoiding personal prosecution and making money for the company, but most importantly making money for themselves. Risk managers are talking an alien language that business doesn’t understand and doesn’t really care about.

I think it is about time we stopped treating risk management as an objective in itself. It is just another decision-making tool. And an amazing tool at that.

The very second risk managers begin talking about how they can help executives better manage risks, they’ve lost. They lose credibility, interest and attention. This is, for example, why I so passionately dislike the latest COSO. It’s a huge document dedicated to better managing risks.

Risk managers need to urgently change their internal sales pitch.

So if not about managing risks, then what?

Risk management is about making better business decisions with risks in mind, helping business run better with risks in mind and helping people do whatever they do with appropriate consideration of uncertainty. Don’t talk to the CFO about better managing financial risks, instead help him improve budgeting and forecasting, help build a better business case for the investors and regulators, help him save on insurance or refinancing.

Here are just some of the ideas to move from risk management to risk-based decision making:

  • Change how the strategy is articulated to give proper consideration of the risks. Replace all basic scenarios with proper simulations and risk analysis.
  • Challenge management assumptions that underpin the strategy.
  • Change how performance is measured and budgets are allocated to account for risk.
  • Change how investment decisions are made with risks in mind. Change the methodology for calculating NPV, FV or IRR to account for risks, not just using an arbitrary discount rate, which barely covers country and industry risk.
  • Change how internal projects are budgeted and implemented to make sure risks are actively considered not once a quarter but at every decision point.
  • Change existing policies and procedures to account for risks instead of creating a separate risk management framework document.
  • Stop wasting your and management’s time on quarterly risk assessments.

2. Ignoring the scientific research that is outside of risk management

There are 4 competencies that every corporate risk manager (or a risk management team) should have:

  1. Risk management skills and knowledge of regulations and risk management standards
  2. Corporate finance, statistics and risk simulation and modelling skills
  3. Psychology and good knowledge of cognitive sciences
  4. Industry and company specific knowledge

Now ask yourself, how many of these does your risk team currently have? If we are being totally honest, many risk teams and most risk consultants at best have 2 out of 4 or less. That is alarming.

It is no longer good enough to just know ISO 31000 or PMBOK; this is insufficient.

Corporate risk managers simply cannot continue to ignore all the research in the fields of corporate finance, statistics and cognitive sciences.

I think it is the worst kind of negligence for risk managers to use flawed instruments like heat maps and probability × consequence risk levels, while ignoring risk management tools like decision trees, Monte Carlo, stress testing and scenario analysis, which by the way were created in the 40s and the 60s.

Ironically, many organisations do use tools like Monte Carlo simulations (developed in 1946 by the way) for forecasting and research, but it’s not the risk manager who does that. It’s usually the marketing or strategy or planning departments. The same can be said about decision quality (a concept developed in the 1960s) or psychological research (studied extensively since the 1970s).

Kahneman’s Nobel Prize in 2002 was “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty”. It has decision-making under uncertainty in the name, only for most risk managers to ignore it.

If risk management is a decision-making tool, and it is, then risk managers must learn about decision quality and about making decisions under uncertainty.

To summarise, here is a set of topics risk management teams need to pay attention to:

  • My favorite – risk psychology and risk perception. Extensive studies by scientists on how cognitive biases prevent people from making good decisions under uncertainty and how risk management tools can help significantly improve decision quality.
  • Corporate finance – a critical skill for modelling the effect of uncertainty on schedules, financial models and budgets. A must-have for any risk management team, regardless of industry or size.
  • Industry knowledge – you better have an engineer or a biologist on your risk team if that is what the organisation does. This is an absolute must if you want to seriously challenge executives on their decision-making and come up with cost-effective mitigations.

Did you notice how I went the whole article without mentioning things like communication skills or other soft skills? Because none of them will help if you have nothing valuable to contribute.

3. Forgetting to listen and learn

Our third mistake is that many risk managers unfortunately are so preoccupied with what they’re doing day to day that they forget to listen and network and communicate with the rest of the world.

The third mistake is that risk managers are pretty bad at listening. If there are five or seven people from around the world saying something that may not fit in your current mindset, it may just mean that it’s about time you rethink.

There has been a lot of debate on different forums, LinkedIn and G31000 for example, that is worth paying attention to. Books by Hubbard and Norman Marks really reinforce the message in my book, that it is time to start rethinking traditional risk management concepts that we have all become familiar with.