Risk management red flags

No organisation on the planet is ever “just” starting to implement risk management or “starting from scratch”. Organisations have been making risk-based decisions since the inception. Often poorly, but that’s another point altogether. And yet, far too many job advertisements I see are looking risk specialists to build risk management from scratch.

Mistake one: Too much focus on RM1

One of biggest mistakes a risk manager can make when implementing risk management is to focus too much on ’RM1’. What is RM1? Basically, it is the formal, compliance side of risk management that is promoted by international standards and guidelines, risk management associations and consulting companies.

None of the practices they promote have any real foundation in decision science or probability theory, often even contradict them. And there is compelling evidence to suggest those “best practices” do not add value to organisations beyond just a pretty wrapping.

This may come as a surprise, but we don’t need a risk management framework, a risk appetite statement or risk owners to perform quantitative risk analysis and help companies better risk-based decisions.

RM1 is sometimes the necessary evil and may need to be done at some stage, but definitely not the first priority.

Mistake two: Ignoring existing risk practices

Another grave mistake is to think that risk management is somehow new or unique. While an organisation may have never had a risk appetite statement or done an enterprise-wide risk assessment before, all of those things are RM1.

Any company on the planet has been doing RM2 forever. Can you think of examples where good quantitative risk analysis has been applied by your company long before you joined? Here are just some:

• running scenarios on the budget
• performing sensitivity analysis on investment projects
• simulations when designing new products
• diversifying project portfolio
• keeping money in solid banks
• credit rating and credit limits
• different pricing for different markets/risks

So risk management is not about building something from scratch, it’s about improving existing decision making practices. 

Mistake three: Implementing RM2 as an add-on

It’s so much easier and more appealing a build a new process, it is so much harder to improve something existing. And yet, it is my strong believe, that risk managers should be focusing more on improving existing processes and decisions.

For example, implementing quant risk analysis into investment decisions seems like the obvious place to start. But sometimes it is necessary to fix the investment decision making process before any kind of sensible risk analysis can be implemented.

Often, for example, risk managers need to collaborate with the investment team to change the financial model template itself to make for later risk analysis possible. Most financial models are unsuitable for Monte Carlo simulations - something that surprised me, for example.

Mistake four: Holding onto RM2 for too long

Sooner or later, risk analysis will need to be handed over to the business units. While risk teams can perform quant risk analysis on any decision, at some stage the volume of decisions would be too much for any risk team to handle. For example I never had a risk team with more than three people. So our capacity is quite limited and we are actively preparing for the time when we will need to handover the risk analysis to the strategy team, investment team, financial controllers, commercial division, project management office and so on.

Mistake five: Implementing what you know… not what the company needs

This is a tough one because there is much noise in the risk profession and so little agreement on what works and what doesn’t. For example, every “best practice” recommends using heat maps but they never did and never will work. How are risk professionals supposed to know this? Multiplying ordinal scales for likelihood and consequences to calculate risk levels is insane, but who are we to promote proper science when even legislation forces us to do just that.

I don’t think I have an answer but I have a story. In my new role as a CRO I started with the kind of quant risk analysis I know and have done many times before but through a lot of iterations with the CFO and the Board we settled on a new mandate. Under this mandate, what I thought would be my main tasks are not only 30% of the overall responsibilities. That’s right, 70% of my current role involves what the company needs and not what I feel comfortable doing. Don’t worry, still RM2. I hope this is powerful reminder to everyone in the risk profession.

Alex Sidorenko is chief risk officer, Eurochem, Switzerland