No Risk in Collaboration

“Do you still need to convince others in the organization that risk assessment is worthwhile?”

I recently put this question to a director of enterprise risk management (ERM) and a leader in ERM implementation among insurance firms. I had met her at an ERM event, at which time she was based in Canada. She did the job so well she got called to the U.S. head office in 2009.

“We’re past that stage” she replied. “Once they see that you add value, they invite you back.” Her answer was most encouraging, especially given disheartening survey results.

SURVEY RESULTS

Canadian Underwriter reported online in July 2010 a survey that found only 6% of organizations surveyed expressed confidence their organizations were “extremely effective” at risk assessment. This finding echoes at least five other studies going back to 2008; each suggested global insurance and financial services firms, among others, showed little confidence in their ability to assess risk.

If people don’t have confidence in their risk assessment process, then clearly it is not addressing their concerns. Worse, it can be superficial and narrowly conceived.

RISK ID AND ASSESSMENT PITFALLS

Insurance firms are at different stages of ERM maturity. Auditors and risk managers who have rolled out compliance initiatives with a view to probity and sound financial reporting sometimes treat ERM as the same sort of exercise. This can result in a rather narrow view of risk — a focus purely on financial measures — while ignoring the broad spectrum of risks, both strategic and operational, that ERM should contemplate.

Senior managers characterize risk in the language of capital management. Yet it is necessary to think of risk in relation to underlying issues. The real stress test of a financial model is not to alter the input variables, but to examine the assumptions built into it. Major initiatives and the strategic direction itself are susceptible to risks identifiable in advance of material losses.

Even if a broader view of risk is sought, the risk ID process can easily be ruined. Listing “the Top 10” risks, brief keywords (e. g., “budget risk”) or, conversely, long risk descriptions are all ineffectual. Risk managers who conduct interviews and surveys with lax methods will not detect the frame of reference and assumptions shifting in the minds of respondents. They will not collect real risk, but rather perceived and alarmist risk from disparate levels and time frames. The results are not compelling.

The key question is: What kind of risk assessment process truly adds value in an enterprise risk management program?

ADDING VALUE THROUGH ASSESSMENT

The only kind of risk identification and assessment process that adds value is the one that solves business problems.

Risk assessment conducted in workshops using a rigorous process is the preferred initial method; this is what my ERM director acquaintance had done. She found that this allows multidisciplinary project teams to enter into a structured discussion to identify risk. Quantitative business intelligence can then be contextualized.

It starts with a clearly delineated context, whether strategic or operational, and includes a statement of time frame, project goals, corporate values and stakeholder views and interests. A good context statement doesn’t need to be long, but it must be authoritative. It will set the boundaries and make explicit the criteria of your risk exercise.

What constitutes a risk? Here again, conceptual difficulties hamper the process. The traditional view is that risks are exposures to assets in pre-defined insurable categories. But a firm could have its assets well in hand and secure while taking a strategic path straight over a precipice. This is because the strength, weaknesses, opportunities and threats (SWOT) discussion does not sufficiently assess social trends, geo-politics, technological innovation, market shifts and industry developments.

In an operational review, risks are indeed detectable:

• in implementation plans for a new policy;

• in next year’s HR plan;

• in the development and launch of a new product; or

• in supply chain defects affecting the credit worthiness of a potential acquisition.

Risk practitioners who lead a thorough process to discern such risks are no longer dependent upon the rating agency’s view of the world, nor upon the firm’s internal risk rating system. They are helping managers perform their own due diligence. When building a matrix, heat map or other risk profile, they rank risk in dollar terms if possible, but also in relation to goals, reputation and corporate values.

Solving business problems

In a facilitated risk ID session, participants gain insight. They start to understand one another’s view of risk, reach consensus and set priorities together — all in relation to the common context. Their conclusions are defensible as the basis for decision-making, especially when the team includes stakeholder reps.

It follows that risk mitigation will pursue many imaginative avenues. Managers proactively resolve contradictions, clear the path to implementation and safeguard key interests. This is achieved not necessarily through risk financing, but in whatever field is required — including, for example, administrative action, technical tasks, better consultation, new partnering and innovation.

People start to gain an appreciation that risk ID and assessment is actually going to help them be successful in analyzing that complex investment, implementing that program or launching that project.

Furthermore, the ERM program need not be at a loss when faced with “black swan” events, a term coined by Nassim Nicholas Taleb to describe unpredictable events that have enormous social consequences. Future scenarios planning, for example, is a good complement to the risk ID toolkit: it offers a credible way to cope with high degrees of uncertainty, develop planning options and pursue strategic resilience.

Building a risk-aware culture

A risk-aware culture truly integrates risk thinking into planning and management. The ERM director identified above insists that, apart from formal risk assessments, a “review and challenge” process is now a routine part of her firm’s committee work. She makes it sound like a friendly discussion that is all about building relationship and trust. But I detect a careful methodology: there is a defined context; there is a cross-organizational and multi-disciplinary consultation; and there is the discernment of actual risk in relation to the firm’s goals and objectives.

Perhaps you are a risk manager in charge of rolling out ERM. If you can work with program leads to explore ways in which high quality risk assessment helps solve their business problems, they’ll invite you back.

———

Risk assessment conducted in workshops using a rigorous process is the preferred initial method. This allows multi-disciplinary project teams to enter into a structured discussion to identify risk.