Hans Læssøe
Based on 35 years of business and risk management experience, I have created AKTUS (A merge of the Danish words for Active Uncertainty) consulting based on the idea that as risks are a fact of life - you may as well learn to leverage these as a competitive strategic advantage.
52 comments By Hans Læssøe
Stop looking at (all) risk management as a separate process. Some of it is, insurance programs being the most predominant. For other risk management remember:
- The purpose is to enhance performance (despite whatever happens)
Hence, focus on performance, and address how to optimize this with a diligent look at what may happen (good and bad) - and decide on what to do and how based on that.

The problem of enhancing the value of risk management is (largely) not one of software and data accuracy, nor one of compliance monitoring and "beating" executives to be aware.
The problem is that the risk specialists have been unable to demonstrate added value to the individual executive of intelligent risk taking where uncertainties, levers and risks are leveraged.
You may have the world's best risk data in the world's best risk management software. If this is not actively and consistently leveraged when making decisions - it is essentially useless.
Even mediocre data and simplistic modelling which is understood by executives will be more valuable than any refinements.
So be sure to find the right tree to bark up.

Bullying - and addressing this is NOT a risk management issue, but a leadership issue to be dealt with by leadership.
Deliberate bad (e.g. indecent, bullying, illegal, immoral, ...) behaviour is not a risk, but a deliberate action. Accepting this, including not acting against it, is an approval and builds a toxic culture. PLEASE do not ask the risk manager to be the custodian of such issues.

First and foremost - almost as a framework/paradigm. Do not manage risks, but focus on enhancing/supporting performance. That means affecting decision making and especially, supporting bold decisions with solid and value-adding insights.
Credit Suisse (and Silicon Valley Bank) obviously took on too much risk in their operations. The financial industry is regulated and it is hence unforeseen that they could bring themselves in such a position without being noted by regulators, auditors or governors. Some (i.e. all) of these must have been "sleeping in class" and not done their job properly.
The article can it happen again. NO - it WILL happen again. In a volatile world driven by greed and short-term-ism, such events are inevitable. Our job as risk professionals is to keep our management team aware of which consequences such events may have on our business and suggest actions to take to pre-empt or even leverage these if/when they happen.

In my view, it is not as much the short term turmoil which threatens the long term "net zero" ambition as it is the approach of "short termism". Too many of today's leaders are more focused on the results of next quarter than of the organization's prospects a decade from now.
Exacerbating this is the tendency to remunerate and incentivise short term results rather than long term aspirations.
It is said, that every journey starts with a single step - but if you keep focusing on every step to be "successful" (often = profitable), you may never really choose the complex path leading to a net zero.

"All models are wrong, some are useful", to quote statistician George Box. If/when you want high precision forecasts you quickly get into complex and advanced modelling.
This is not where you start, and the story told is not to be an excuse for avoiding to quantify risks. Your quantification may be simple and rough, but as there is no quality in qualitative measures - it will (and has been proven) to be the better option.

How very true. A valid risk assessment requires proper analyses. Multiple approaches/entry points need to be taken into consideration to get the "full" picture. Furthermore, spin-off effects need to be identified - also leveraging the insights of multiple disciplines. All of this requires one does not apply a risk-centric approach, but a target focus, i.e., ensuring food security rather than looking at individual risks which may affect food security.
These are, or should be, standard approaches for risk management:
1) Target/performance focused
2) Leveraging all relevant insights
3) Leveraging bow-tie analyses
and then of course
4) Quantification based on facts to enable proper prioritization.

The tougher the business conditions become, the less likely becomes the inclination to behave decently and with integrity. An old quote goes "Truth is the first casualty in war".
On top of that is the growth of short termism and greed which entices some executives and leaders to set aside ethics, integrity and even compliance for the sake of short term gains.

Risk (list) management and heatmaps never provided any real value to organisations. Some consulting companies just made a lot of money making people believe it did.
What is needed is intelligent risk taking, where uncertainties, risks and levers are taken into due account and addressed when making and implementing decisions.

Technology will always change. In sheer numbers, most of all the scientists who ever walked the earth are at work today. Hence, let us as risk managers contribute to leveraging this rather than fearing it.
https://aktus.dk/onewebmedia/How%20can%20risk%20management%20help%20us%20harness%20new%20technology.pdf

People's ranking and perceptions are often just that - perceptions. Whereas it cannot be a surprise that cyber and climate top the list, these are - in the survey - unfounded by facts and science.
I am dead certain that to some companies, cyber risks are more important than any other risk they are facing. I am also certain that to many companies cyber risks are secondary at best. The same goes for climate related risks - important for some, "irrelevant" for others.
Perceptions are biased and flawed as demonstrated by Nobel laureates Kahneman and Tversky, and later Taylor. Look at terrorism as an example. Many Americans are very worried about terrorism, yet only very few know of anyone who has actually been "hit" in a terrorist attack. Few people actually worry about traffic safety, yet most Americans have, or know of some who have been hit, even severely, in a traffic accident (US statistics indicate the number of traffic fatalities are at the level of the 9/11 fatalities ... monthly). And Americans are not alone - we are all biased.
Facts are needed - and needed in a valid context. When analysing a risk in/for your company you have to look at what impact it may have on your business in its pursuit of targets and aspirations - not what is generally perceived as a risk.

Public sentiment, and spearheading this, NGOs are making it impossible to "sit back" and "do as we have always done" for businesses. Companies must be prepared to:
- Take tangible and visible action
- Document real progress
- Have their performance "scrutinized" by e.g. NGOs
... or lose business
The progressive risk manager can be a good partner in this, understanding that there is no such thing as not taking risks, and push the agenda of "how (what do we need to do) do we make this a competitive advantage" rather than honing in on the potential downsides.
The inadequate risk manager will (only) suggest you buy some insurance policy.

The role of risk managers has to change from the role of "how do we transfer/minimize the risks we have already taken" to the role of "how do we leverage intelligent risk taking to optimise our performance".
Some of this will be ensuring an updated set of business continuity/crisis planning approaches which can be deployed rapidly and effectively should the need arise.
Some of it will also be through ensuring we address our business environment and company purpose/mission and consider how we can drive change rather than being victimised by change driven by others.

The tools for ESG are available. What Supply Chain leaders need is a change of mindset and look beyond cost savings and efficiencies.
Supply chain performance should be measured on other parameters than immediate speed and short term costs:
- Certainty of delivery
- Product/service quality
- Ethical collaboration with partners
- Ability to meet changing needs and circumstances
It is irresponsible to drive a business without some insurance policies, assuming nothing "bad" will happen. It is likewise irresponsible to drive a supply chain based on an assumption of predictability.

There is little doubt the 4th industrial revolution will bring disruptions no-one saw coming. Based on past disruptions, these are however, less likely to come out of entirely new technology and more likely to come from current technology applied in new ways (the iPod was just a known solid memory to store music and avoid flutter, AirBnb/Uber is using a social media approach to rent rooms or get transport, just to mention a few).
For someone in a company to predict how they can be disrupted is next to impossible. That is not the same, as you cannot do something. Start from within and work outside:
- What is our purpose (what benefit do we provide) and what would it take to do that entirely different?
- What is our key competency/methodology and what could make that obsolete?
- What is our business/money making logic and what could make that unsustainable?
In short - what is the worst anyone could do to your business?
These are NOT easy discussions. The fun starts afterwards. Once you have identified potential disruptions, you start asking yourself:
- Why do we not develop/introduce this disruption before anyone else gets the idea?
- How can we defend our market/business should it happen?
No need to discuss likelihoods etc., just a base for a strategic discussion and development of the company. The trick is to avoid being the:
- Kodak who didn't want to give up their cash-cow film manufacture
- Nokia who "slept in class" when smartphones emerged
Good hunting

In my view a company needs to have a purpose of how it will serve the world in order to stay relevant. If they are only in business to make (short term) profits and make their decisions based on that, then:
- Why should I as a consumer wish to buy their products/services?
- Why should a conscientious leader wish to do business with you?
- Why should I as employee wish to work for you?
- Why should I as regulator wish to do anything to support you?
when your competitor is demonstrated to have a positive impact on the world and you do not.
Greed is probably the biggest single risk in business today. As risk managers, we must speak up against it to truly reduce company exposure.
Most important executive/board question to contemplate is "Why is the world a better place with us in it, than without?".

Fine article. Note, that being prepared for the unknown unknowns cannot practically be built on defining a vast amount of potential scenarios and then set up mitigating strategies for each of these. Such an approach is cumbersome and costly, and will not be unlikely to miss the scenario that actually pans out.
Instead, start from within:
- What is our purpose/why are we here - and what has to be true if that is no longer relevant to customers
- What is our product/service - and how can that be made obsolete and/or replaced by something else which is cheaper and/or better. If/when you find that, consider pursuing that opportunity before some competitor does
- What are our key competencies - and what would have to be true for these to become obsolete. Then how do we address that
- What are our key vulnerabilities - and what would it take to "lose" on these. What do we do about these
On top of all - which indicators will we monitor to ensure adequately early identification of one of the above materializing - and enable invoking the planned activities (which may just be to form a task force to define actions to be taken)
These, rather strategic, considerations support your development of a resilient business model and business system - and even one which may support your company being the disrupter rather than the disrupted.

Fine article with a lot of valid points. However, I also have a few comments to this:
- ERM discussions of a systematic risk register will add fatigue rather than value. ERM is the risk manager's tool/database from where he/she reports on issues when managerial attention is required - and only then.
- It is mentioned that the risk management function has proven resilience. I am, alas, not that dead certain executives see it that way. They are possibly more likely to claim that 1) they were not adequately warned in time, 2) handling processes and decision teams were inadequate if formed at all, 3) contingencies were, if defined, inadequate, 4) insurance policies have not helped except marginally, etc.
Based on that, I actually doubt that risk managers will be called upon for strategic sparring in very many companies. To get called upon, risk managers have to learn to work on the premise of the business and focus on the business meeting its objectives rather than focus on managing risks.

Whereas risk managers can be asked to define key risk indicators on reputation (in close collaboration with the organisation), they cannot be responsible for the management of reputational risks unless they are given a right of veto/demand on managerial and employee behaviour as well as on all key decisions.
Being actively responsible for managing reputational risk may mean that you:
- Turn down management/executive hires/promotions given to people with "skeletons in the closet"
- Turn down customers/vendors/partners which may affect your reputation negatively
- Veto strategies that will put your reputation at risk
- Demand deployment of actions/strategies which improve your reputation
... and that is not going to happen, is it.
Commented on: 25 September 2023
Why risk management must not be totally embedded in operations