Many companies are keen to highlight the fact that they have a strong risk management program that is rigidly adhered to from top to bottom throughout the organization. So why is the failure of risk management so often raised as the ‘fall guy’ when management or oversight fail?
To understand why risk management programs fail we first have to look at the role a risk management program plays in a company. A typical risk management program identifies and evaluates the risks faced by the firm, then monitors and manages those risks so that the firm bears only the level of risk senior management is willing to accept. Many firms employ a risk manager to design and maintain their risk management program. It is the risk manager’s responsibility to effectively communicate these risks to senior management, who bear the ultimate responsibility for deciding which risks to accept.
Below I will describe a few areas where failures can occur.
Culture of fear
A risk management program will not be effective in an organization that does not have a culture that encourages open debate and allows individuals to highlight risks without fear of retribution. In such a culture, management tends to surround itself with “yes men” rather than independent thinkers. This culture of fear can also be characterized by senior management’s belief that the threat to the organization is not the risk itself but the market’s perception of the risk exposure.
Many people believe that if an organization becomes too honest in expressing its risk exposure, then it is either an admission of guilt, an acceptance of failure or an acknowledgement that there is doubt about the business strategy.
Bookstore company Borders is a great example of a company that failed due to rapid changes in the marketplace and technology. However, people fail to realize that the root of this lay in years of management’s unwillingness and/or inability to acknowledge and react to change. Borders was in the business of selling books and CDs. If you look at the history of this industry it is easy to see that cars no longer use cassettes and CDs were on their way out. Senior management were simply unwilling to plan for the inevitable.
Identify and define risk
Risk professionals must understand that people have varying definitions of risk. To some, risk equates to an outcome of uncertainty – either positive or negative – while others believe it is about the frequency and size of a loss. Both of these interpretations are correct, and the risk manager needs to understand both and communicate the overall risk picture to management.
In addition to risk, other terms need to be clearly defined. You will see terms like vulnerability, threat and risk used inconsistently within an organization. If an organization cannot define these fundamental terms, it cannot communicate and build an effective risk management program. One department may view an event as a threat, another as a vulnerability and another as a risk; how can you successfully analyze and manage that event with a common goal in mind?
Good risk management practices also state that all possible risks should be evaluated and that appropriate mitigating measures are put in place. In a functioning risk management system all major risks would be identified, monitored and managed on a continuous basis.
An effective risk management program does not provide a guarantee against failure. Even companies with good risk managers and systems can and likely will incur losses, as long as taking the risk of those losses increases the company’s profits sufficiently for senior management to accept that risk. This is known as the company’s risk appetite (also called ‘tolerance’): the company’s willingness to accept losses in pursuit of greater gains.
A good example of this can be seen with the recent scandals involving Paula Deen and Lance Armstrong. Many of their sponsors relied on them as their primary brand ambassadors, knowing that they did not have a perfect image. They viewed the additional profits as worth the risk of associating with them, as each had a loyal following and items bearing their respective names were more profitable.
The opposite can be said about Tiger Woods and his sponsors after the scandal of his extra-marital affairs came out in 2009. Several sponsors who were relying solely on Tiger Woods for their brand positioning failed to identify the potential reputational risk from the tarnishing of his image. Possibly this risk was not perceived because it was considered an extreme risk event: he was regarded as a person of great integrity both on and off the golf course.
If the sponsors had evaluated this risk more thoroughly they could have taken appropriate steps to diversify the impact of such a risk. In short, they lacked a playbook and failed to consider ‘what is the worst that could possibly happen…and how do we react?’ One option would have been to continue to use Tiger Woods, but in a low-profile manner. Putting all of your eggs in such a high-profile basket comes at a cost, and when the damage occurs it can be greater than you bargained for.
Is management talking the talk or walking the walk?
For a risk management program to be truly effective it needs to be fully supported by management. The first area where failure occurs is poor leadership and support from senior management.
Another problem is that senior management in some companies has an opaque view of risk management, since it was introduced as a regulatory requirement. Some executives in these organizations appear satisfied that, having identified a few high-level risks and having a document titled “Risk Management Program,” they have done enough to ‘tick the box’ on risk management. In some instances they may have multiple documents to satisfy different regulators, none of which are ever seen by middle management, none of which add any value to the organization, and all of which are only reviewed when the regulators require an update.
Some organizations have even gone to the point of employing a risk manager just because the board and regulators expect to see one. The risk manager in these companies is not there to reduce risk or to create any change in the culture. They are simply there to dress the window.
Studies have found that 55 percent of failed projects did not do a full and thorough risk assessment. In such cases a brief risk assessment is typically done when a new project is proposed and approved in concept by management. Any high risk factors identified are analyzed to determine whether actions can be taken to eliminate, reduce or mitigate the risk before the project starts.
However, once a project is approved, the risk manager should review the project for all risk factors that were not eliminated during the project proposal process and draw up a plan for them. This plan includes a description of each risk, its impact on the project, the actions that can be taken to help reduce it and, if necessary, a contingency plan. All stakeholders must be involved in the proactive reduction of risk.
Risk avoidance, risk mitigation and risk acceptance are the main options to deal with risk.
Avoiding a risk entails organizing the project in such a way that it does not encounter the risk at all. This could mean changing a supplier, adopting a different technology or, if there is a fatal risk, terminating the project. This approach should only be adopted if the organization’s appetite for the particular risk can be classed as ‘averse.’
Risk mitigation can be achieved by eliminating the causes of a risk or by decreasing the negative effects of a risk that has occurred. In practice, the most common approach to dealing with identified risks is to alter the approach so that the potential side effects are palatable.
Risk acceptance is the final option, taken when the risk’s effect on the project is minimal or when influencing it would be very difficult, time consuming or too expensive.
Risk management is not a function that should be discounted. Having a risk management plan is one thing; having a plan and making decisions based on that plan is another. If the suggestions put forward by risk management are heeded, and if management within the organization can be encouraged to think with risk in mind when making strategic decisions and to adopt a playbook approach rather than pursuing a single outcome, the long-term benefits to the organization may be greatly enhanced.