In the fast-moving, complex business environment of 2018, the imperative for change has never been greater.
Businesses are reviewing every policy and procedure, and risk management is no exception. Gone are the days when risk management merely meant managing insurance policies and claims. Gone also are the days when risk registers and risk matrices enabled business leaders to feel comfortable that risks are managed and mitigated within the business. We have also passed the time when businesses could rely only on the three lines of defense (business management, risk oversight, internal audit) as sound risk management.
“The world hates change, yet it is the only thing that has brought progress.” – Charles Kettering
Effective risk management for the next decade includes four important principles:
- Most risk is not insured. Continue to focus on insurance and claim management, but devote at least as much of the risk function's time to people, process, technology, and strategic risks.
- Business leaders manage risk, not risk managers. Risk evaluation is fully integrated into daily strategic and operational decision making.
- Risk evaluations should be quantitative. The likely impact on profitability should be understood. Monte Carlo simulations can turn the unknown into informed uncertainty.
- Aspire to more than compliance. Compliance is a critical component of effective risk management. It should be a basic foundational function, not an aspiration.
Let’s explore each of these in a bit more detail.
Most risk is not insured. Many business leaders equate risk management with insurance. Insured risks often include worker injury, automobile accidents, product failure, and fire. It is true that the risks covered by insurance are part of a robust risk function; however, they only scratch the surface. In fact, since those risks are mitigated through insurance, almost all impact on a company's profitability comes from risks that are not insured (excluding an evaluation of indirect costs). Most risk that impacts company profitability resides in the people, process, technology, and strategy of an organization.
Business leaders manage risk, not risk managers. Traditional job descriptions for risk managers (or those responsible for risk on a part time basis) often read as if the individual in that role is responsible for the outcomes of the management of the risk. The flaw here is that the risk manager is not the person responsible for the strategic or operational decision or the outcome of the decision that includes the risk. That individual is the business leader with strategic or operational responsibilities. Those individuals ought to understand how to evaluate risk within decisions, and risk managers can certainly provide guidance, procedures, and structure in that area. Risk managers can also impact risk culture through consistent processes to help business owners make informed, risk-based business decisions. However, business decision makers can’t eliminate ownership of assumed risk by counting on a risk manager or risk management partner.
Risk evaluations should be quantitative. It is easy to fall into the trap of believing that not all risks can be quantified. That statement is probably true, but it discounts the 99 out of 100 that can be quantified. Monte Carlo simulation tools allow decision makers to use historic data or subject matter expert evaluations to predict the likelihood of a certain event occurring. These tools can also quantify the total cost of risk embedded in a given decision or project, which allows business leaders to make an informed decision based upon risk tolerance. In some cases, these tools may even suggest that the best decision involves taking more risk, not less. The adage that what gets measured gets done is very true in the context of risk management. It is easy to identify risks. Some are easy to quantify and others are more challenging. Quantifying them does not always have to be precise to the second decimal point, but it can, and should, be consistent. Only after quantifying the impact of risk on profit can businesses make informed decisions about how best to address them and maximize profit opportunity.
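As an added illustration (not from the article), the following Python script is a minimal Monte Carlo model of the kind described above: a handful of uninsured people, process and technology risks, each given a frequency and severity estimate of the sort a subject matter expert might supply, simulated over many years to produce an expected annual loss, tail percentiles to compare with risk tolerance, and a test of whether a proposed control is worth its cost. All figures in the register are constructed assumptions, not data from the article.

```python
import math
import random

# Constructed register (assumptions, not figures from the article): each uninsured
# risk has a Poisson event frequency and a lognormal per-event severity (median, spread).
RISKS = {
    "key_staff_turnover": {"events_per_year": 1.5, "median_loss": 40_000, "spread": 0.6},
    "process_failure": {"events_per_year": 4.0, "median_loss": 10_000, "spread": 0.8},
    "system_outage": {"events_per_year": 0.5, "median_loss": 150_000, "spread": 1.0},
}

def poisson(rng, lam):
    """Draw an event count from Poisson(lam) (Knuth's multiplication method)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1

def simulate_annual_loss(risks, trials=20_000, seed=2018):
    """Monte Carlo: total uninsured loss in each simulated year, summed over all risks."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for r in risks.values():
            for _ in range(poisson(rng, r["events_per_year"])):
                total += rng.lognormvariate(math.log(r["median_loss"]), r["spread"])
        losses.append(total)
    return losses

def summarise(losses):
    """Expected loss and tail percentiles to compare against the firm's risk tolerance."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": sum(s) / len(s), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}

def analytic_expected_loss(risks):
    """Closed-form mean (frequency x mean severity), used to sanity-check the simulation."""
    return sum(r["events_per_year"] * r["median_loss"] * math.exp(r["spread"] ** 2 / 2)
               for r in risks.values())

def control_net_benefit(risks, name, new_events_per_year, annual_cost, **kw):
    """Expected-loss reduction bought by a control minus its cost; negative = keep the risk."""
    treated = {k: dict(v) for k, v in risks.items()}
    treated[name]["events_per_year"] = new_events_per_year
    before = summarise(simulate_annual_loss(risks, **kw))["mean"]
    after = summarise(simulate_annual_loss(treated, **kw))["mean"]
    return before - after - annual_cost
```

Calling `summarise(simulate_annual_loss(RISKS))` gives the loss distribution, and `control_net_benefit(RISKS, "system_outage", 0.25, 90_000)` shows the article's point that a control costing more than the loss it removes means the better decision is to accept the risk.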
Risk management can't be compliance driven. There are many important functions related to compliance, including regulations, banking requirements, safety guidelines, and insurance company expectations. These are all important, and every good risk manager should understand the compliance requirements and make certain the organization is grounded in values that don't waver from them. However, risk management that stops with this goal in mind misses the opportunity to maximize company profitability through informed uncertainty. By all means, risk management should make certain that all employees act in an ethical and compliant manner. This should be a basic objective and expectation, not an aspirational goal.
Change is hard. It is especially hard when it falls into the category of managing uncertainty. However, profit levels rise and fall based upon the organization's ability to understand uncertainty and make risk-based business decisions. We have the tools and structure to create that effective risk culture and add certainty to profitability. Now challenge yourself to tackle the change needed around risk management to bring progress.