Why timing is everything when it comes to effective risk management

In the second of our new #ChangingRisk ThinkTank series, Martin Pergler explains why timing is so important when applying risk insights to strategic decision-making.

There is much discussion over how institutions should do risk management, in addition to who should be doing it, what it is (risk management… even risk itself) and why it is necessary.

Much less is said about when to do risk management. And yet timing is everything. Institutions that mistime their risk efforts stumble into traps, create useless bureaucracy, miss opportunities, and even risk developing a ‘cry-wolf’ syndrome.

Let’s start with two valid but dissatisfying answers to the When question:

A periodic process, culminating in Board signoff. An efficient, just-in-time risk management process that delivers the freshest information for the Board to fulfil its risk oversight responsibilities at prescribed intervals (eg annually) sounds perfect.

In reality, such a process also encourages a compliance mindset: Preparation timelines are short, thoughtful diversions are unpopular, and surprises en route to checking the box are mostly unwelcome.

Making this the principal vehicle for explicit risk management is better than nothing, but chances are low that such an approach will result in any major “aha” moments, or that any tradeoffs will be improved as a result.

All the time. It is fashionable to opine that risk is omnipresent and that thoughtful risk-taking is crucial. And so risk ought to be on the agenda every single moment, especially in a volatile, uncertain, complex and ambiguous (VUCA) world.

That is undoubtedly true. It is important to nurture an institutional culture where everyone has the knowledge, tools, and empowerment to think about risk in everything they do.

And yet, “all the time” is an unsatisfactory answer since the intended question is probably, “When should we step back and think about risk more systematically, beyond what we try to do all the time?”

More satisfying answers to ‘when’

So, let’s look at a more satisfying answer to the When question: a set of crucial moments that underpin a more strategic approach to risk-taking. We accompany each one with concrete questions to ask – by and of Boards, executives, and risk managers – to verify that risk is being considered adequately at those essential moments.

1. In anticipation of major decisions

This includes, of course, in conjunction with the regular strategic planning process, however that cascades through the organisation. Even better, risk thinking should be an integral part of it.

The most important benefit of considering risk explicitly is that discussion naturally focuses on, “What are the risks (and opportunities) to meeting our chosen objectives going forward?”

By contrast, a periodic, oversight-focused risk process is biased towards “what could upset the apple cart right now?”

Equally, risk should be explicitly considered in anticipation of major ad-hoc decisions that involve significant uncertainty. Examples include M&A, new market entry, and major new partnerships. Often, such decisions are made ‘on the fly’ precisely because they are major and unique circumstances, and so bypass established processes.

There is always a time crunch, and confidentiality issues often arise when it comes to making major decisions. Companies correctly engage in hypothesis-driven thinking to identify and screen the opportunity, but can fail to consider alternative hypotheses or scenarios.

Only once the whole organisation is being mobilised to implement what has been decided do the risk wrinkles start to appear. And yet, it is precisely at these major decision points that more value is at stake, and with more uncertainty, than anything reviewed in the “regular” annual risk process.

The latter (regular risk process) deals well with familiar risks that (one would hope) the whole organisation is aware of and trying to manage on a daily basis. But such an approach is mistimed for episodic opportunities and their uncertainties, precisely when risk insights are at their most valuable.

Ask yourself the following:

  • How does your risk process tie in with your strategic planning process? (Does it consider risks to the same objectives as your strategic plan? Does it inform the range of situations your strategic plan is purporting to help navigate?)
  • When you are making (or validating) major ad-hoc or ‘out of plan’ decisions, are you considering enough quality information about the risks (and opportunities)?
  • For the most crucial decisions, are your institution’s top risk thinkers involved? And if not, why not?

2. Embedded within the organisation’s core value-creating processes

Financial theory tells us reward is generated in return for taking risk. Both are concentrated in a few crucial junctures in the institution’s business system. These vary not only by sector, but by individual company. Usually, there is a top-of-mind primary answer.

For instance: credit decisions in a bank, flight ops at an airline, or investment decisions in a private equity firm. Typically, these number one processes tend to have risk considerations reasonably embedded, if for no other reason than the institution would have already been punished if they were not.

In my experience, the magic comes from probing a little further. What are the second, third and fourth such processes, and so on?

With a bit of introspection, the bank may conclude its second major concern is IT security, or storage and treatment of customer personal data. The airline may realise its second and third priority processes are aircraft fleet decisions and the link between fuel hedging and yield management. The private equity firm may recognise its second priority process is selection of operating partners who actually deliver value improvement.

It is easy to find examples of improved resilience and flexibility when you take a more systematic consideration of risk as part of these crucial processes, or by contrast, evidence of significant headwinds experienced by mismanaging risk in them.

Ask yourself the following:

  • What are your institution’s most important value-creating and value-preserving processes? Consider not only your stated strategy, but also think retrospectively where the biggest surprises and opportunities have actually arisen in recent years. Include your ‘secret sauce’ relative to competitors, which should be reflected in a different pecking order of processes versus what is typical in your industry.
  • How are risk considerations embedded in these processes? Is the timing of your standalone ‘risk process’ matched with the tempo of these processes?
  • Do your top risk thinkers understand what happens under the hood of these processes, and do the leaders of these processes have enough risk wisdom to think systematically about risk?

3. When the ambient environment or the institution’s objectives change

When business ecosystem fundamentals change, institutions can suffer damage and miss opportunities by not reassessing risks swiftly enough. Ditto during periods of high, short-term volatility.

A periodic risk review process prioritises just-in-time reassessment of risks for risk oversight by the Board, but too often locks in focus for the coming year on risks that become stale.

Some risk management systems address this by defining ‘early warning indicators’, pre-determined alarms when the situation reaches a greater level of criticality. Unhelpfully, such indicators too often substitute semi-automation for thoughtfulness.

I have had better experience with considering risks’ velocity and tagging each one with its own ‘best before’ date, when it needs to be reconsidered, and a responsible individual explicitly tasked to raise the alarm when the situation evolves.

Finally, it stands to reason (but is often missed) that risks need reassessing when an institution’s objectives change. This may be a strategic or mindset change. For instance, many organisations are fundamentally revisiting their risk approach as they increase their focus on ESG.

Or it may be event-driven, for instance a change in a company’s financing, leading to changes in cash needs and/or financial covenants. Risk theoreticians might call the latter a change in risk tolerance.

I’m less concerned about how it is labelled and more that it provokes a timely reawakening of the slumbering risk engine.

Put more simply, it is the individual risks and their potential consequences which need to determine when risk management is (re)done, at least as much as any top-down imposed tempo.

Ask yourself the following:

  • Whatever your top risks are, do they each have someone explicitly watching them who knows enough about them to trigger an alarm if they change materially?
  • When objectives change, is a review of risks to those new objectives triggered?
  • In particular, if there is an unexpected change in circumstances (including a crisis successfully handled), is systematic risk consideration restarted as soon as is feasible?

* * *

The crucial moments just described aren’t intended to be a full checklist of when thinking about risk is necessary. The original two answers, ‘periodic process’ and ‘all the time’, continue to play a role.

In particular, the top three to four core value-creating processes (plus strategic planning and ad-hoc decisions) involve risks. So do other processes, as well as all the glue that binds them together.

And a periodic process that aligns the whole organisation (all the way up to the Board) around what the crucial risks are and how they have changed is highly beneficial.

However, upping your risk game to ensure timely risk consideration at the right crucial moments can mean the difference between marginally useful risk management, and much greater resilience as well as all-important opportunity capture.

Martin Pergler is Founder and Principal at Balanced Risk Strategies, Ltd. and was previously Senior Risk Expert at McKinsey & Company