At the core of organisational risk management lies the question of what risks to run. You know the organisation cannot achieve its purpose with certainty. You know you can take steps to control risk – to some extent. You know that your chance of success will be improved if you seek out and grasp opportunities. And you think that a systematic approach to uncertainty can help.
Sounds good, and if you listen to the snake oil (sorry, ERM) salesmen you will see a picture in which you need only develop a risk appetite and tell your people how much risk to eat, implement this with risk registers, likelihood-impact matrices, risk escalation, risk review meetings and the like, and the future is assured. It’s all good.
But if you’ve got any sense you will recognise that this is naive. The problem is too difficult, the clouds of uncertainty are swirling too densely, unknown black swans are paddling in your direction. And if you read Clouds of Vagueness you will know that much of this tempting edifice is built on sloppily-defined and unrealistic foundations hidden by the delphic utterances of standards and guidance and resulting in unworkable ‘best practice’ processes. The closer you look and, in my case, the longer you look, the more you realise it has to change.
What should we do? That’s a big topic and one that we will return to time and again. In this article I want to start off from the ‘risk appetite’ concept that I have criticised in another article and see how the parts might be reconstituted. How do we decide what risk to run?
I mentioned in the other article that a good paradigm for organisational risk taking is risk and reward, familiar from economics and finance. Here the idea is that your available options for action will result in a cloud of points in the risk-reward diagram, but that there is an efficient frontier: a minimum level of risk which must be taken in order to gain a given reward. There would be no point in selecting any of the points off the frontier, as they would be ‘inefficient’ in that, for a given level of reward, there is a lower-risk option. This underlines the point that we do not take risk because we like it.
The extent to which you can control risk is limited to selecting among the options which lie along the efficient frontier. You can see that risk increases rapidly as reward increases. All of this is understandable without the specific financial illustration and, indeed, in the business context the analysis can be a lot more complicated than the straightforward Markowitz bullet shown above. Actually it is in finance as well: the market crashes of 2008 resulted in part from an oversimplified understanding and from models similar to what is illustrated here.
But to return to non-financial examples, the chart illustrates how the probability of two nasty events might change as a construction company changes the price of a bid to do a project. One, in blue, is the probability of losing the bid and therefore not making any money. This probability increases as the price increases. The other – brown – is the probability that you win the bid but, because you have priced it too low, you lose significant amounts of money. How do you choose? One solution is to price at P80, i.e. there is an 80% chance that you will better your normal profit margins. This is marked on the chart and shows that the chance of losing money is quite low, but there is also a good chance of not getting the job.
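The two curves and the P80 price can be made concrete with a small model. The following is an added example, not code from the article; it assumes (constructed, not data from the article) that the company’s own delivery cost and the lowest competing bid are both lognormally distributed and independent, and that the ‘normal profit margin’ is 10% of cost. The blue curve is then the probability that a rival undercuts the price, the brown curve is the probability of winning and having cost exceed the price, and P80 is the price at which there is an 80% chance of bettering the normal margin.

```python
"""Bid-price trade-off: probability of losing the bid vs probability of
winning it but losing money, plus the P80 price.  Constructed example; the
cost and competitor-price distributions below are assumptions, not data
from the article."""
from math import exp, log
from statistics import NormalDist

STD_NORMAL = NormalDist()

# Assumed: our own cost to deliver is lognormal, median 1.0M, log-sd 0.15.
COST_MEDIAN = 1_000_000.0
COST_LOG_SD = 0.15
# Assumed: the lowest competing bid is lognormal, median 1.2M, log-sd 0.12.
RIVAL_MEDIAN = 1_200_000.0
RIVAL_LOG_SD = 0.12
NORMAL_MARGIN = 0.10  # "normal profit margin" as a fraction of cost


def p_lose_bid(price: float) -> float:
    """Blue curve: probability a rival undercuts us, so we earn nothing."""
    return STD_NORMAL.cdf((log(price) - log(RIVAL_MEDIAN)) / RIVAL_LOG_SD)


def p_cost_exceeds(price: float) -> float:
    """Probability that our delivery cost ends up above the price."""
    return 1.0 - STD_NORMAL.cdf((log(price) - log(COST_MEDIAN)) / COST_LOG_SD)


def p_lose_money(price: float) -> float:
    """Brown curve: we win (no rival undercuts us) AND cost exceeds price.
    Cost and rival price are treated as independent (assumption)."""
    return (1.0 - p_lose_bid(price)) * p_cost_exceeds(price)


def p_better_than_normal_margin(price: float) -> float:
    """Probability that, having won, profit is at least the normal margin,
    i.e. cost <= price / (1 + margin)."""
    threshold = price / (1.0 + NORMAL_MARGIN)
    return STD_NORMAL.cdf((log(threshold) - log(COST_MEDIAN)) / COST_LOG_SD)


def p80_price() -> float:
    """Price with an 80% chance of bettering the normal margin:
    (1 + margin) times the 80th percentile of cost."""
    cost_p80 = exp(log(COST_MEDIAN) + COST_LOG_SD * STD_NORMAL.inv_cdf(0.80))
    return (1.0 + NORMAL_MARGIN) * cost_p80


def trade_off_table(prices):
    """Rows of (price, p_lose_bid, p_lose_money) across a price range."""
    return [(p, p_lose_bid(p), p_lose_money(p)) for p in prices]


if __name__ == "__main__":
    p80 = p80_price()
    print(f"P80 price: {p80:,.0f}")
    for price, lose_bid, lose_money in trade_off_table(
            [900_000, 1_000_000, 1_100_000, p80, 1_300_000, 1_400_000]):
        print(f"{price:>12,.0f}  lose bid {lose_bid:5.1%}"
              f"  win but lose money {lose_money:5.1%}")
```

Running the table shows the trade-off the chart describes: as the price rises the blue probability climbs steadily while the brown one falls towards zero, and at the P80 price the chance of losing money is small but the chance of losing the bid is well over half. Changing the assumed distributions moves the curves, but not the shape of the decision.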
This discussion also reveals another simplifying point about risk management. At any point in time you are faced with a range of options for the way forward: you select among the options. Most risk standards do not properly represent the decision process: they tend to focus on ‘current’ levels and ‘inherent’ risk in a complicating way.
Thus organisational risk taking is about understanding the risks you will be exposed to under the range of options available. There are two main types of decision which are dependent on your business perspective:
- Business as usual – Are we doing OK? Do we need to change anything? If so, what?
- Business change (or project, or strategic) – Shall we take on this new activity? If so, how?
The business as usual perspective puts an emphasis on indicators of risk (aka KRIs) and setting thresholds for intervention. An excellent example is provided by Steve Townsend’s account, presented at an IRM North West meeting on Risk Appetite, of how Tesco Bank does this. It is, I think, a hidden assumption that options are available to bring the risk back within the thresholds. Whilst the set of thresholds is usually regarded as representing the risk appetite, in reality it is just a set of KRIs. Incidentally Steve’s presentation indicated that there are multiple levels of intervention. This could be interpreted as risk appetite and risk tolerance, but I don’t think this is very helpful.
The change perspective puts an emphasis on the assessed risk from new activities: reducing headcount, bidding for a job, or whatever. As Mike Robertson’s and my talk at the same session as Steve Townsend’s illustrated, the emphasis will be on the new risks and assumptions about the way they are controlled. The total level of risk (however this might be defined) may change in some way as we move along the hypothetical efficient frontier.
But in fact the business-as-usual and project perspectives must come together for any organisation, and what is key is understanding your risk now and under any future strategy. This understanding comes from the types of risk inherent to your business and the controls you have in place or are intending to put in place. The point here is that you understand your risk profile firstly through the system of controls and only secondarily through some form of residual risk estimate.
So a statement of organisational risk taking would cover the following areas:
- this is the nature of the risk we face currently
- the extent of this risk is limited by the following controls
- this is what we measure to check the controls are working as planned
- this is how the nature of the risk might change as we implement our strategy
- this is how our controls will change to limit the extent
- these are the further measures we will employ to check these controls
- there is no lower risk approach consistent with our strategic objectives
This is basic stuff which does not need descriptions of the risk appetite (effectively covered by the last bullet), risk attitude, risk propensity or whatever. You do need to decide where you are going to be on the efficient frontier – how you weigh the risks of being in business against the risk of not being in business. But this is a conceptually straightforward tradeoff decision which will be taken at a senior level in most companies.
Basic or straightforward it may be, but easy it ain’t, as you might expect. The primary difficulties are:
- measuring risk (ie using probabilities) is profoundly subjective
- overconfidence in the controls (or worse, failing to implement them)
- defining KRIs which provide a real indication of the likelihood that a risk will materialise.
On the probability point, whilst there are methods to assess individual subjective probabilities, there is no corresponding means for organisations – see Uncertainty by Dennis Lindley. In practice this does not appear to be a major problem, as a million risk workshops testify.
Improved Influence Diagrams
The following charts provide a better view of risk management processes which address all these points and contain a number of novel features.
They comprise three linked management cycles: risk monitoring, risk decisions and risk governance. Each cycle comprises a review and planning process (top right), a set of actions to be implemented (top left) and metrics to feed back into the review (bottom). These cycles have been kept simple; there are numerous ways they could be enriched.
Risk monitoring is the basic loop of comparing the current values of a set of risk indicators with preset trigger levels, similar to the example of Tesco Bank noted previously. If triggers are met, the risk review identifies the need for a decision. This highlights the role of risk indicators and shows the importance of further work on KRIs as opposed to KPIs. This is quite well understood in the financial sector but is less well developed in other environments. There is, however, a clear distinction between the risk indicators and risk itself: this cycle does not actually involve any estimate of risk. So to characterise the trigger levels as the risk appetite is not very useful. What’s more, as the focus is on risk control, this cycle neatly reflects Matthew Leitch’s view of risk management expressed through his Working with Uncertainty approach (something for a future review).
The cycle shows that the review has to account for the external environment, or external events. It’s not just the metrics that have to be monitored: managers have to keep an eye on the risk environment and if it changes there is a need for a review. The risk monitoring cycle represents a natural activity for all managers. It is not in itself very dependent on risk estimation and the rest of the ERM panoply, but it does need a good level of risk awareness.
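The monitoring loop described here and in the Tesco Bank discussion above (indicators compared with thresholds, several levels of intervention, external events forcing a review) can be written down as a short procedure. The following is an added example, not code from the article or from the presentation it mentions; the indicators, trigger levels, readings and the rule that only the top trigger level or an external event escalates to the risk decision cycle are all constructed assumptions. Note that nothing in it estimates risk: it only compares values with thresholds, which is the article’s point about why trigger levels are not an appetite.

```python
"""Risk-monitoring cycle: compare current KRI values with preset trigger
levels and decide whether the risk review must raise a decision.
Constructed example; indicators, thresholds and readings are assumptions."""
from dataclasses import dataclass, field

CONTINUE, ACT_LOCALLY, ESCALATE = 0, 1, 2  # outcomes of one review pass


@dataclass(frozen=True)
class Indicator:
    name: str
    # Trigger levels; each one breached adds a level of intervention
    # (the "multiple levels of intervention" the article describes).
    triggers: tuple
    higher_is_worse: bool = True

    def level(self, value: float) -> int:
        """0 = inside all thresholds, 1 = first trigger breached, and so on."""
        breached = 0
        for t in self.triggers:
            if (value >= t) if self.higher_is_worse else (value <= t):
                breached += 1
        return breached


@dataclass
class ReviewOutcome:
    action: int                      # CONTINUE, ACT_LOCALLY or ESCALATE
    reasons: list = field(default_factory=list)

    @property
    def decision_needed(self) -> bool:
        return self.action == ESCALATE


def risk_review(indicators, readings, external_events=()):
    """One pass of the monitoring loop.  Assumed rule: a single breached
    trigger prompts action within the monitoring cycle; breaching every
    trigger of an indicator, or any external event, escalates to the risk
    decision cycle."""
    outcome = ReviewOutcome(CONTINUE)
    for ind in indicators:
        value = readings[ind.name]
        lvl = ind.level(value)
        if lvl == 0:
            continue
        outcome.reasons.append(f"{ind.name}={value} breaches {lvl} trigger(s)")
        if lvl >= len(ind.triggers):
            outcome.action = ESCALATE
        elif outcome.action < ESCALATE:
            outcome.action = ACT_LOCALLY
    for event in external_events:       # change in the risk environment
        outcome.action = ESCALATE
        outcome.reasons.append(f"external event: {event}")
    return outcome


# Constructed indicator ladder: two triggers each, in either direction.
INDICATORS = (
    Indicator("complaints_per_1000_accounts", triggers=(5.0, 10.0)),
    Indicator("liquidity_cover_ratio", triggers=(1.20, 1.05),
              higher_is_worse=False),
)

if __name__ == "__main__":
    for readings, events in [
        ({"complaints_per_1000_accounts": 3.0, "liquidity_cover_ratio": 1.30}, ()),
        ({"complaints_per_1000_accounts": 6.0, "liquidity_cover_ratio": 1.30}, ()),
        ({"complaints_per_1000_accounts": 3.0, "liquidity_cover_ratio": 1.00}, ()),
        ({"complaints_per_1000_accounts": 3.0, "liquidity_cover_ratio": 1.30},
         ("regulator announces new capital rules",)),
    ]:
        out = risk_review(INDICATORS, readings, events)
        print(out.action, out.decision_needed, out.reasons)
```

The escalation rule is the part a real organisation would tune: which level of breach stays with line management and which goes to the decision cycle is a policy choice, and it is set in the governance cycle rather than derived from any estimate of probability.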
Risk decisions is a higher level (and slower?) cycle. The need for a decision is flagged by the risk review. The idea is that the review identifies a situation where there may be a need to do something different, either because the risk indicators indicate it or because something changes, such as a new opportunity revealing itself. In this situation options have to be identified, possibly including ‘do nothing’ (or ‘do the minimum’), ‘wait and see’ and so on, as in classic decision thinking. The options are assessed (including risk assessed) and a decision on the way forward is taken. As a result the current risk profile emerges, and this is an estimate of risk, totally subjective of course. This cycle is much more the domain of risk experts and a higher level of management compared with the monitoring cycle.
These first two cycles provide an improved view of risk monitoring and decision making compared with that found in the standards. Separating the cycles clearly separates the risk from the performance, which addresses a shortcoming identified in our article on risk appetite thinking.
Risk governance is the final cycle. Although it too is represented by a management cycle, it is much more complex and has a richer interaction with the two inner process cycles. As well as dealing with what risk to take, it covers the risk management process to be used and also the organisation’s risk culture. The starting point is the risk governance review, and this creates the risk policy. The risk policy addresses a number of matters: the nature and extent of the risks the organisation expects to take (the ‘risk taking statement’ – in line with the UK Corporate Governance Code, which states that ‘the Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives’), the risk processes it expects to see implemented (as in the first two cycles), and the risk culture expected, including any actions to address perceived shortcomings. Risk culture is a separate topic which we shall address in depth in due course.
Each of these three areas needs to be measured: through the current risk profile, the results of process audits and behaviour respectively. This feeds back into the governance review.
Perhaps the most important influence (for this article) between this cycle and the process cycles is the influence of the risk taking statement on risk decision making. The following concepts are not relevant: risk appetite, risk attitude, risk seeking, risk averse, risk propensity, the triple strand, etc, etc. What are relevant are: a recognition that certain types of risk are inherent to an industry, an expectation that certain forms and levels of control will be in place, and an acceptance that some residual risk will exist. This site will aim to dig out examples of good practice along these lines.