Q. What does decision-focused risk management really mean and what are your top three tips for applying it?

First, we have to ensure that those making the strategic decisions fully internalise that they do not know the future in which the strategy is going to be in full effect – but that this does not mean we cannot prepare for it

Second, run a (risk management facilitated) scenario workshop to limit the range of unknown unknowns

Third, identify and prioritize key issues and decide how to embed appropriate actions into the strategy deployment planning

 

Q. From your experience, what are the main challenges that risk managers have in influencing strategic decision making?

Based on past tasks solved by risk managers, these are seen as safeguarding the company using specific tools (like buying insurances or hedging currencies) and are not seen as relevant for a strategic decision – which management is not sure they are even able to take.

The task of facilitating a strategic discussion and/or be relevant in a decision requires both the courage to do so and adequate understanding of the business system and money making logic. A lot of risk managers do not have this skill

By influencing, you cannot avoid challenging the quality/prudence/value of executive decisions. Many risk managers are untrained and unwilling to do so – and even more executives are humble enough to listen

How can things like risk tolerance truly help strategic decision making?

Risk tolerance is a risk management element which tries to be explicit about what risks to take, and which to leave. Most people have some implicit sense of “no, thank you – this is too dangerous” (and each have their own) – for an organisation to operate and develop optimally, they need some consensus of

1. How much risk can we take (one any one of more parameters)
2. How much risk are we taking already

The risk community strongly advocates taking a ‘holistic’ approach to risk management. But what does ‘holistic and effective risk identification’ really mean in practice?

Too often, when risks are identified for some process, project or decision – the identification is focused on this topic exactly. As nothing happens in a vacuum, this is inadequate and holistic risk identification means ensuring that we ask “if we do this, which risks and opportunities do we see

• From the processes/activities happening “upstream” and feeding this project
• From processes/activities happening “downstream” i.e. those receiving and working what out outcome
• From supporting processes/activities – which often may be IT, HR, Finance, if the project/activity in question is in the core value chain. Too often these have been missed
• From external business conditions, be it competitors, legislators, customers or the general public

In some instances, some of these are not relevant – but we need to consider this before we discard it.

Effective risk identification is about making sure you are addressing (i.e. assessing, and mitigating) the right risk. This is where the use of e.g. 5 Why’s comes into play – which they too rarely are in real life. To be effective the risk description must be specific enough to enable some measurement and monitoring of this as well as defining explicit actions to handle the risk

Q. We’ve spoken about the differences between “execution” and “decision” focused risk management – how would you sum up the differences in two or three sentences?

Companies execute and make decisions every day – and these are essentially risk managed even when we do not think of it that way. Quality assurance in production, credit handling In sales, currency hedging in finance, employee safety/health efforts and the like. These are characterized by being highly repetitive and highly systematic – and to embed some element of risk management whether explicitly named that or not.

Companies make decisions on projects, strategies, investments, resource allocation etc. on a less frequent, but continuous rate. I have found that few of these, even major, decisions are supported by active, quantitative and systematic risk management.

Execution includes making decisions and decisions drives execution, so it is not either or … every day in a company have elements of both