ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.

Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.

richard.m.wilson@ca.pwc.com | (416) 941-8374

Tuesday, April 27, 2010

Positioning Risk Management at the C-Level

In 2010 it's not uncommon for a Board to give their management team a mandate to implement a risk management capability.  I'm seeing it more and more.  In this situation the internal or external consulting team engaged to implement the mandate will need to approach the management team in a very specific way.

Firstly, expect that the CEO or CFO may not fully understand the benefits of risk management and may interpret this as a challenge to their corporate governance.  It is important to communicate the benefits of an ongoing risk management process upfront.  Clarifying to management that this is a value sustaining or value creation activity is critical. Here are several key benefits:
  • Increasing the likelihood that your organization will achieve its objectives (by integrating risk management with the strategic plan)
  • Lowering business volatility by increasing visibility of events that can derail your performance
  • Treating risk as "neutral" so that opportunities can also be identified and pursued
  • Creating a centralized view of risks, and efficiencies in risk identification and treatment
  • Closing the gap between risk management and capital allocation
  • Etc...
Secondly, position it as a process, as opposed to a project.  Processes get dedicated resources, projects don't!

Thirdly, demonstrate how a well run risk management program creates a culture of accountability across the organization for identifying and managing risk.  This will result in higher product/service quality, fewer incidents, and better planning overall.

Finally, show your CEO how the market rewards companies with sound risk management practices.  Ratings agencies, capital markets, and creditors are all starting to differentiate risk-informed companies from the rest of the competition.

These are just some of the tangible benefits that you should communicate to your management team to ensure they are supportive of your risk management program.

[Rich]
richard.m.wilson@ca.pwc.com




Don't Confuse Risk Assessment with Risk Management

Let me overstate the obvious.  Risk management is about managing risk. But if it is so obvious, why do many risk management professionals focus primarily on the assessment side of the equation?

Perhaps they are treating it as a project, as opposed to implementing an ongoing process. It could be because the consulting resources engaged to help with the up-front risk identification and assessment often don't participate in the follow-on risk treatments.  Or finally it could result from the difficulty of harnessing the internal resources needed to treat risks thoroughly.

Remember that all the work that leads up to the risk treatment phase, albeit important, only provides you with business insights which you will use to prioritize your risks.  Schedule the appropriate time and resources to develop and execute your risk treatments.  Only once your risks are addressed will you derive the desired link between risk management and corporate performance.

[Rich]
richard.m.wilson@ca.pwc.com




Sunday, April 25, 2010

Risk Appetite - more than just a concept

I recently met with a senior management team to establish a risk appetite statement.  It was the first time they had been through this type of exercise.  I drafted a proposed statement in advance that in 2 sentences described how much risk the company should typically take on in any transaction.  Once confirmed by management, this simple statement could be communicated to everyone in the company as another way to heighten the consistency of risk taking.

For example, a risk appetite statement for a bank could state that every transaction must follow standard procedures governed by internal controls, so that risk is minimized and shareholder value is protected.  A more risk-oriented company might instead state that, to ensure aggressive growth in new markets, risk-informed decision making will be used to maximize return to shareholders.

At the beginning of our meeting the exercise was met with some skepticism - it felt too academic for some.  But when I asked each participant to state what the company's risk appetite was on a scale of 1-5 (1 being highly risk averse and 5 being risk accepting), their answers ranged from 1 to 4.  A 2 hour discussion followed where a great deal of consensus was created around how the company considers and manages risk.  In the end the skeptics became the greatest supporters of the process as it aligned a myriad of opposing opinions about the company's approach to risk.

In short, if management isn't aligned on how much risk to adopt and how to manage it, then the same will follow for front line management as well.  As one participant stated, "If we aren't in agreement about managing risk can you imagine how confused our employees will be?"

The simple act of drafting a risk appetite statement can be very effective in aligning everyone in the company to manage risk in a consistent manner.  Later it can tactically translate into specific risk tolerances for each area of risk.  It's simple and very effective.

[Rich]
richard.m.wilson@ca.pwc.com




Sunday, April 18, 2010

The "Management" in Risk Management

Once your risks have been assessed and prioritized, how do you develop your risk treatment plan?

A company can do an excellent job of identifying and assessing risk, but ultimately, if the organization doesn’t do anything with what it has learned, it isn’t actually risk management yet.

There are many different ways that an organization can respond to risk. For instance, you can terminate the activity that gives rise to the risk if you decide that the risk is higher than your company is prepared to tolerate.

Another response is to transfer the risk. Most commonly companies accomplish this through insurance: you pay another organization to assume your risk. Alternatively, you can contractually transfer or outsource some of the activities to a third party and have them assume both the activity and much of the risk as well. Bear in mind that accountability for the outcome generally remains with you even when the risk itself has been transferred.

A third response is the approach many people think of first: mitigating the risk. In this situation, you apply controls to lower the likelihood of the risk occurring, or to lower the impact if it does occur. There are a few different kinds of control. Preventative controls attempt to stop the event from happening in the first place. Detective controls alert you that the event has occurred so that you can respond to it. If the impact of a risk is low, a detective control on its own can be a fine solution.

Another response is to exploit the upside of a risk by capitalizing on new opportunities. By embracing and adopting risk, a company may find that there is a larger business opportunity there than was previously considered.

A final response is to tolerate the risk as it currently exists because it fits within predefined tolerance levels. It is important that management publish within its risk management policy a statement about the company’s risk appetite. The risk tolerances should be aligned with the corporate risk appetite.

These risk treatments constitute the “management” in risk management. Engage risk owners to develop their risk treatments so that they take responsibility for the execution of them as well. Finally, make sure these treatments are reported upon to celebrate successes and ensure accountability.


[Rich]
richard.m.wilson@ca.pwc.com




Monday, April 12, 2010

Ask the people on the ground first

Over the past few years I have uncovered a terrific approach to operational risk assessments. There are a few ways in which to gather risk assessment data. The first source of good information can be gathered through online risk assessments with key process owners. This information enables you to look for risk trends across the organization. Try aggregating all of the risk scores from all departments to create a risk profile at the corporate level. Then drill down to see the risk profile of each department. Finally, segment your data by level to see how senior managers score risks versus middle management.

Once you have the broad risk assessment picture conduct an executive-level risk self-assessment (RSA) workshop. Use software, such as Resolver*Ballot, to anonymously gather the impact and likelihood scores for each risk. This risk assessment software allows you to gather that information free from the typical peer pressure and politics that naturally exist in senior level meetings since the results are anonymous.

In the executive workshop, gather their first set of risk scores. Then show them how the rest of the organization scored the risks in the online risk assessment. Typically about 75% of the scores will be similar, but there are often a few surprises. If the executive team scored a risk lower than the online assessors did, that gap tells them they need to take it more seriously than previously expected.

The result of this two tiered assessment is a higher confidence by senior management that they understand the risk profile in the company. It also creates wider buy-in to the risk treatment phase outside of the C-suite.
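The two-tiered comparison described above, written out as an added example rather than anything from the original post or from Resolver*Ballot: the online responses are aggregated into a corporate profile, drilled down by department or by level, and then set beside the anonymous executive ballots so that risks the C-suite scored lower than the rest of the organization stand out. All rows are constructed sample data, and the 1-5 scales, the exposure formula (impact times likelihood) and the two-point tolerance are assumptions for the illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (not from the original post): one row per assessor per risk,
# as (risk, department, level, impact, likelihood). Impact and likelihood use a 1-5
# scale; exposure = impact * likelihood, so it ranges from 1 to 25.
ONLINE_RESPONSES = [
    ("Senior executives may leave the company", "Finance",    "middle", 4, 3),
    ("Senior executives may leave the company", "Operations", "middle", 4, 4),
    ("Senior executives may leave the company", "Sales",      "senior", 3, 2),
    ("Production at the plant may fall by 20%", "Operations", "middle", 5, 4),
    ("Production at the plant may fall by 20%", "Operations", "senior", 4, 3),
    ("Production at the plant may fall by 20%", "Finance",    "middle", 4, 4),
    ("Interest rates may rise above 5%",        "Finance",    "senior", 3, 2),
    ("Interest rates may rise above 5%",        "Finance",    "middle", 3, 3),
    ("Interest rates may rise above 5%",        "Sales",      "middle", 2, 2),
]

# Constructed anonymous executive ballots from the workshop: (risk, impact, likelihood).
EXEC_BALLOTS = [
    ("Senior executives may leave the company", 2, 2),
    ("Senior executives may leave the company", 3, 2),
    ("Production at the plant may fall by 20%", 5, 4),
    ("Production at the plant may fall by 20%", 4, 4),
    ("Interest rates may rise above 5%",        3, 2),
    ("Interest rates may rise above 5%",        3, 3),
]

DEPARTMENT, LEVEL = 1, 2  # column indexes usable as group_by


def exposure(impact, likelihood):
    """Assumed scoring model: exposure is the product of the two 1-5 scores."""
    return impact * likelihood


def risk_profile(responses, group_by=None):
    """Mean exposure per risk.

    group_by=None gives the corporate-level profile keyed by risk; group_by=DEPARTMENT
    or group_by=LEVEL keys the result by (segment, risk) so you can drill down.
    Works for both the 5-tuple online rows and the 3-tuple executive ballots.
    """
    buckets = defaultdict(list)
    for row in responses:
        risk, impact, likelihood = row[0], row[-2], row[-1]
        key = risk if group_by is None else (row[group_by], risk)
        buckets[key].append(exposure(impact, likelihood))
    return {key: round(mean(scores), 2) for key, scores in buckets.items()}


def compare_tiers(exec_ballots, online_responses, tolerance=2.0):
    """Set the executive scores beside the organization-wide scores, risk by risk.

    A risk is 'aligned' when the two means differ by no more than `tolerance` exposure
    points (an assumed threshold); 'executives_lower' is the case the post singles out,
    where the people on the ground see more exposure than the C-suite does.
    """
    org = risk_profile(online_responses)
    execs = risk_profile(exec_ballots)
    comparison = []
    for risk in sorted(org):
        if risk not in execs:
            continue  # no executive ballot for this risk, so nothing to compare
        gap = round(execs[risk] - org[risk], 2)
        if abs(gap) <= tolerance:
            verdict = "aligned"
        elif gap < 0:
            verdict = "executives_lower"
        else:
            verdict = "executives_higher"
        comparison.append({"risk": risk, "org_score": org[risk], "exec_score": execs[risk],
                           "gap": gap, "verdict": verdict})
    return comparison


def share_aligned(comparison):
    """Fraction of compared risks on which the two tiers agree (the post's 'about 75%')."""
    aligned = sum(1 for c in comparison if c["verdict"] == "aligned")
    return round(aligned / len(comparison), 2) if comparison else 0.0


if __name__ == "__main__":
    for segment, score in sorted(risk_profile(ONLINE_RESPONSES, group_by=LEVEL).items()):
        print(f"{segment[0]:>7} | {segment[1]:<42} {score:5.2f}")
    report = compare_tiers(EXEC_BALLOTS, ONLINE_RESPONSES)
    for c in report:
        print(f"{c['verdict']:<17} org={c['org_score']:5.2f} exec={c['exec_score']:5.2f}  {c['risk']}")
    print("aligned:", share_aligned(report))
```

On the constructed data the executives score the departure of senior executives at 5.0 against 11.33 from the wider organization, which is exactly the kind of surprise the workshop is meant to surface; the other two risks fall within the tolerance.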

[Rich]
richard.m.wilson@ca.pwc.com




Friday, April 9, 2010

Risk: It's how you word it

One of the greatest risk management challenges I have seen over the years is wording risks properly. It sounds simple enough (and it is!). So why is there such inconsistency in wording risks? The first reason is that there is no universal standard to follow. The second is that there are too many interpretations about what risk is. Finally, risk carries a negative connotation in many organizations, (sadly), so people try to describe their risks in a positive way to position them more favourably.

Well worded risks are a cornerstone to a successful risk management program. If people across your organization end up with multiple interpretations about your risks, the credibility around your risk scores will fall. Getting the wording right is pretty important.

Allow me to suggest an easy and reliable way to word your risks. To begin with, remember that a risk is an event. Secondly, it is an event that may prevent you from achieving your objectives. Therefore, the simplest way to word your risk is "X may happen". For example, "Sr. executives may leave the company", or "Production at the plant may fall by 20%", or "Interest rates may rise above 5%". All of these risks are clear, and since they are worded in the future tense, they should not be threatening to newly emerging risk management cultures.

Follow each risk with "context bullet-points". These are the data points about the risk that people should consider. For example:

Production at the plant may fall by 20%
  • our packaging supplier is in financial trouble
  • our competitors are trying to hire away plant staff
  • our plant wages are not competitive
  • unpredictable weather patterns in that region are expected
  • etc...
Here is a test to see if your current set of risks need rewording:
  • Do any of your risks begin with "A lack of...", or "The inability to..."? (If so, they are describing situations within which a risk may occur and not the event itself.)
  • Do any of your risks contain the words "and", or "or"? (If so, you have combined two events which will be difficult to score.)
  • Are your risks worded as objectives in the positive? For example, "Retain our senior executives". It's a great objective but doesn't describe the effect of uncertainty on objectives.
  • Is the risk tied to one or more objectives so that it is clear where the challenge to the organization lies?
  • Do your risks have contextual data points attached to them?
Following this approach will clarify your risks and heighten the likelihood of a common interpretation. It's really that simple!
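The rewording test above is mechanical enough to run over a whole risk register, so here it is as an added example (not from the original post): each check in the list becomes one rule, and every statement comes back with the list of rules it breaks. The register entries are constructed, and the set of imperative openers used to spot a risk that is really an objective in disguise is an assumed heuristic, not a rule the post states.

```python
import re

# Constructed risk register (not from the original post). Each entry carries the
# statement, the objectives it threatens and the context bullet-points behind it.
REGISTER = [
    {"statement": "Production at the plant may fall by 20%",
     "objectives": ["Meet 2010 delivery commitments"],
     "context": ["our packaging supplier is in financial trouble",
                 "our competitors are trying to hire away plant staff"]},
    {"statement": "A lack of skilled plant staff",
     "objectives": ["Meet 2010 delivery commitments"],
     "context": []},
    {"statement": "Sr. executives may leave the company or key accounts may churn",
     "objectives": [],
     "context": ["two VPs are past their retention bonus dates"]},
    {"statement": "Retain our senior executives",
     "objectives": ["Keep leadership stable through the merger"],
     "context": []},
]

# Openers the post calls out: they describe a situation, not an event.
SITUATION_PREFIXES = ("a lack of", "the inability to", "lack of", "inability to")
# Assumed heuristic: imperative openers that mark an objective rather than an event.
OBJECTIVE_VERBS = {"retain", "ensure", "maintain", "improve", "achieve",
                   "deliver", "increase", "reduce", "protect"}
# "X may happen": the statement should carry a future-tense modal.
FUTURE_MODALS = re.compile(r"\b(may|might|could)\b", re.IGNORECASE)
# Word-boundary match so "for" or "grand" are not mistaken for "or" / "and".
COMPOUND = re.compile(r"\b(and|or)\b", re.IGNORECASE)


def lint_risk(entry):
    """Return the wording problems for one register entry; an empty list means it passes."""
    text = entry["statement"].strip()
    lowered = text.lower()
    problems = []
    if lowered.startswith(SITUATION_PREFIXES):
        problems.append("describes a situation, not the event ('A lack of...' / 'The inability to...')")
    if COMPOUND.search(text):
        problems.append("combines two events with 'and'/'or'; split so each can be scored")
    if lowered.split(" ", 1)[0] in OBJECTIVE_VERBS:
        problems.append("worded as a positive objective, not as the effect of uncertainty on one")
    if not FUTURE_MODALS.search(text):
        problems.append("not worded as a future event ('X may happen')")
    if not entry.get("objectives"):
        problems.append("not tied to any objective")
    if not entry.get("context"):
        problems.append("no context bullet-points attached")
    return problems


def lint_register(register):
    """Map each statement to its list of problems, for the whole register."""
    return {entry["statement"]: lint_risk(entry) for entry in register}


if __name__ == "__main__":
    for statement, problems in lint_register(REGISTER).items():
        print(("PASS " if not problems else "FAIL ") + statement)
        for problem in problems:
            print("      - " + problem)
```

Only the plant-production risk passes; the other three entries each fail for the reason the post's checklist predicts, and the report tells the risk owner exactly which sentence to rewrite.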

[Rich]
richard.m.wilson@ca.pwc.com




About The Author

Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.

He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.

He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.