Buzz words and lack of competencies are killing risk management, writes Alex Sidorenko, chief executive of Risk Academy. His vision for #ChangingRisk? Get back to basics and turn risk management back into a tool that helps strategic decision-making and makes money
First there was science…
Some sources suggest probability theory started in gambling and maritime insurance. In both cases the science was primarily used to help people and companies make better decision and hence make money. Risk management used mathematical tools available at the time to quantity effect of uncertainty on decisions and their application was quite pragmatic.
Banks and investment funds started applying risk management and they too were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. H. Markowitz, M. Miller, W. Sharpe won a Noble prize in 1990 for CAPM, a tool also used for risk management. This doesn’t mean risk management was always accurate or tools managed to eradicate human biases, just see the case of LTCM, but one thing for certain risk managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).
Then risk management became art…
Then came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than science.
Some of the reasons behind the shift were arguably:
- Lack of reliable data to quantify risks (Douglas W. Hubbard in his books actually proved this to be not true). Today, there is literally no excuse for not quantifying risks in any type of an organisation.
- Lack of demand from the business. Many non-financial organisations at the time were less sophisticated in terms of planning, budgeting and decision making. So many executives didn’t even ask risk managers to provide quantifiable risk analysis to help them make decisions. And who can blame them, when external auditors, Auditor General, rating agencies and regulators were asking for risk appetite statements (useless when it comes to practical application), risk reports (often disconnected from decision making and performance management) and risk management framework documents instead of checking how business decisions were made.
- Lack of competent risk managers. As a result, many risk managers became “soft” and “cuddly”, not having the skills or background required to quantify risks and measure their impact on business objectives and decisions. For example, it is still surprising to many that apparently multiplying impact and probability scores makes no sense whatsoever and leads to bad decisions. On top of this, many risk managers kind of drifted into the career from either audit, accounting or other areas.
This was fine for the time, it was part of the learning curve, I guess, and many of the non-financial companies quickly learned which risks to quantify and how. Other companies that failed to mature usually lost interest in risk management, or should I say never saw the real value.
Today it’s just a mess…
What I am seeing today however is nothing short of remarkable
Instead of being pragmatic, simple and focused on making money, risk management moved into the “land of buzz-words”. If you are reading this and thinking: “Hold on, Alex, risk velocity is important, organisations should be risk resilient, risk management is about both opportunities and risks, risk appetite, capacity and tolerances should be quantified and discussed at the Board level and inherent risk is useful.” Congratulations! You may have lost touch with business reality and could be contributing to the problem.
I have grouped my thinking into four problem areas:
A. There is literally no link between modern science and business risk management
Today, even the most advanced non-financial organisations use the same risk management tools (decision trees, Monte Carlo, stress testing, scenario analysis) created in the 40s and the 60s. Yet this decades-old research, together with the tools that have been trialed and tested for years are mainly ignored by majority of risk managers in non-financial sector.
Ironically, many organisations do use tools like scenarios, decision trees and Monte Carlo simulations (developed in 1946 by the way) for forecasting and research, but it’s not the risk manager who does that. Same can be said about the research into decision making and decision quality. Almost 50 years old, yet pretty much ignored by risk managers.
It’s also been years since I last saw a scientist present at any risk management event sharing new ways or tools to quantify risks associated with business objectives. This event being a refreshing exception to the rule https://www.probabilitymanagement.org/annual-conference. Same can be said about the overall poor quality of postgraduate research published in the field of risk management.
B. Modern risk management is detached from day to day business operations and decision making
Unless we are talking about non-for-profit or a government entity, the objective is simple – make money. And while making money every organisation is faced with a lot of uncertainty. Luckily business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, pricing analysis, budgeting, investment analysis, performance management and so on.
Yet, instead of integrating into all of the above risk managers often choose to go they own separate way, create a parallel universe, specifically dedicated to risks (very naive I think). Some of the common examples include:
- Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2018
- Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings
- Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models
- Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs
- Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk
- Creating separate risk reports instead of integrating risk information into normal management reporting, and so on…
Risk management has become an objective in itself. Executives in non-financial sector stopped, or maybe never have, viewing risk management as tool to make money. Risk managers don’t talk, many don’t even understand, business language or how decisions are being made in the organisation. Risk analysis is often outdated and by the time risk managers capture it, important business decisions are long done. If decisions are made every day, what good is quarterly risk assessment does?
C. Risk managers continue to ignore human nature
Despite the extensive research conducted by Noble-prize winner D.Kanehmman, his colleague A.Tversky and others, risk managers continue to use expert judgement, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (mildly put), they never have and never will. Just stop using them. There are better tools for integrating risk analysis into decision making. Heatmaps on top of it have huge design flaws which make their output lucky guess at best, misleading nonsense at worst. Just google “the risk of using risk matrices” if you don’t believe me.
Building the culture of risk awareness is critical to any organisation’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases and how to integrate risk analysis into their day to day activities and decision making. Both Douglas Hubbard and Gerd Gigerenzer provide simple, yet effective solutions to account for biases and sometimes use them to our advantage.
D. Risk managers are too busy chasing the unicorn
Instead of sticking to the basics and getting them to work, many are too busy chasing the latest “buzz words” and “innovations”. Remember, how “resilience” was a big thing few years ago, before that was the “emerging risks”, also “risk intelligence”, “agility”, “cyber risk”, the list goes on and on. It seems we are so busy finding the new enemy every year that we forgot to get the basics right. As of now, cyber risk is apparently the scariest thing on the planet. Not poor decision making, which leads to increased cyber exposure as well as other implications, no, cyber risk itself which, apparently, we need to measure and mitigate.
Consultants and some software vendors seem to be dominating the risk management agenda. Wouldn’t you be just a little bit concerned if the pharma company was diagnosing us and prescribing the pills?
#ChangingRisk. What’s next?
I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money. Here are some suggestions:
- Identify risk management practices that can be classified as RM1 (RM1 explanation is here https://riskacademy.blog/2018/05/02/rm1-vs-rm2-which-side-will-you-choose/
- Minimise the effort spent to RM1
- Start changing the way important business decisions are made to include an element of risk management
- At every opportunity integrate risk management into existing processes, meetings, committees, reports and so on, instead of creating separate risk universe.