Risk exists everywhere – the problem is knowing what to focus on. The ISO 31000 definition of risk as “the measure of uncertainty in a situation” hasn’t done a lot to clarify what corporate risk means for Directors providing “good corporate governance”.
In this article I address the challenge we face as Directors in dealing with the vast array of risk in a typical large organisation. I explain how to cut through the noise to ensure that corporate risk management actually protects and enhances the business, rather than obscuring critical reality in a fog of detail or a haze of misleading simplification.
Even the ISO 31000 definition of risk as “the measure of uncertainty in a situation” hasn’t done a lot to clarify what corporate risk means for Directors. A stocktake of all the risks affecting the business will typically produce a risk inventory running to the tens of thousands. Comprehending that amount of data is impossible, which leaves the Risk Committee in no better position than if it had nothing at all.
SOME RISKS MATTER – OTHERS DON’T
Just as a builder does not count individual nuts, bolts and screws, because they are insignificant, so too we need to identify which risks are genuinely significant and which only need to be managed broadly. Unfortunately, too many organisations fail to understand the significance issue and waste time and money administering everything.
So how do we identify what is relevant?
LEVEL 1: BEGIN WITH THE END IN MIND – STRATEGIC IMPERATIVES
To understand risk significance we must start with the seven strategic imperatives of business – these set the context and the value at risk:
- Shareholder Value: The purpose of the organisation’s existence is to return an intended benefit to its owners, whether it is a company, a government body or a non-profit organisation.
- Profitability: Even not-for-profit organisations will not exist long if their expenditure continues to exceed funding.
- Capital: A board is responsible not only for ensuring there is adequate capital to meet its objectives but also for how that capital is employed. Lazy capital not only makes an organisation a target for a predatory competitor or a cash-strapped government (eg the BBC or ABC/SBS ‘reorganisations’), but also invariably engenders a less agile organisation.
- Security: Although historically treated as an aspect of Sustainability, for some time now Security has developed to occupy a large amount of board deliberations. As prevention is better than cure, it now needs to be treated as its own strategic imperative.
- Capability: People, process, data and systems are too often responsible for burning a lot of an organisation’s capital, both financial and human. Multi-million-dollar computer system upgrades and pretty dashboards aren’t a solution unless they meet a strategic objective.
- Reputation: Market share, customer loyalty and staff commitment are all underpinned by this nebulous and little-managed imperative. Loss of it, though, will spell doom for any organisation.
- Sustainability: The much-neglected handmaiden of the strategic imperatives, it is the stabilising influence on excesses in the other imperatives (see my previous article on Shareholder Value).
LEVEL 2: STRATEGIC OBJECTIVES
Within each Strategic Imperative an organisation will have a series of Strategic Objectives that the Board perceives as fulfilling that imperative. Commonly, Shareholder Value objectives will include share price, dividend yield and business growth; Profitability objectives will include revenue ratios and gross and net profit; and Capital objectives will include ROE and asset ratios.
LEVEL 3: TACTICAL OBJECTIVES AND OPERATIONAL KPIs
Breaking strategic objectives down into tactical objectives and operational KPIs gives us a method of focusing and structuring our risk management systems. This brings us back to the concept of risk. Extending our definition of risk to “the uncertainty in achieving our corporate objectives”, every risk in our vast risk inventory should then be “attached” to a corporate objective, which gives each one its relevance.
The 80/20 rule can then be applied, and we gain a very clear picture of the 20% of risks that are corporately significant and should command the bulk of our attention.
We also have a clear statement of how to measure each risk: the specific impact that would occur on the related corporate objective if that risk became reality, in real-world units that can be valued, such as tonnes, man days or dollars.
LEVEL 4: RISK SCENARIOS – SPOTTING TRENDS THAT TRIGGER ALARM BELLS
Risk is not a discrete value, because uncertainty cannot be discrete. Unfortunately, risk is commonly, and incorrectly, portrayed as a discrete value in a “Risk Matrix” or “Heat Map”. Rather, it is a range of possibilities, best represented as a Normal Distribution (or similar) curve.
However, more important than its current position on the curve is its direction, either improving or worsening.
Once a “Risk Matrix” or “Heat Map” is showing RED the damage is done, and you are already coughing up blood. To identify the direction in which a risk is developing, we need to know the influences and drivers of each risk and how their movement affects the risk.
Commonly there is a time delay between a movement in a risk driver and the effect felt on the organisation – and this is our opportunity to act – to mitigate the risk impact rather than mourn the consequences.
We must avoid being like the man who fell from a 10-storey building and was heard to say, as he passed a 3rd-floor window, “so far so good”…
We do this by preparing a number of scenario analyses for each corporately significant risk event, resulting in best case, most likely and worst case scenarios. Better still, also include ‘getting better’ and ‘getting worse’ scenarios.
A PROACTIVE, PREDICTIVE RISK MANAGEMENT SYSTEM
Following this approach, you are now in a position where you can truly manage your risk exposure. By regularly monitoring the movements in risk influences and drivers (Key Risk Indicators, or KRIs) and reporting on their direction against the scenarios prepared, you will know which risks require preventive action. Additionally, because each risk is subordinate to a corporate objective, its Value at Risk is known, so both its criticality and whether action is cost-effective can be readily determined, producing a measured and appropriate response.
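As an added illustration of Levels 3 and 4 and the monitoring system described above (example code written for this page, not Fast Track’s software or anything from the original article), the following Python models a small risk register: each risk is attached to a corporate objective and measured in that objective’s own unit, the 80/20 rule picks out the corporately significant risks by value at risk, and each KRI’s readings are classified against prepared scenario bands together with the direction in which it is moving. The objectives, risks, KRI names, readings and dollar figures are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Objective:
    name: str
    imperative: str        # Level 1 strategic imperative the objective serves
    unit: str              # real-world unit in which impact is measured (Level 3)
    unit_value_aud: float  # dollar value of one unit, so objectives can be compared


@dataclass(frozen=True)
class Risk:
    name: str
    objective: Objective   # every risk is "attached" to a corporate objective
    impact: float          # impact on the objective if the risk occurs, in objective.unit
    likelihood: float      # most-likely probability over the planning horizon (0..1)

    @property
    def value_at_risk_aud(self) -> float:
        # Expected loss in dollars, via the objective's unit value.
        return self.impact * self.likelihood * self.objective.unit_value_aud


def value_at_risk_by_objective(risks: List[Risk]) -> Dict[str, float]:
    """Roll value at risk up to the objective each risk is attached to."""
    totals: Dict[str, float] = {}
    for r in risks:
        totals[r.objective.name] = totals.get(r.objective.name, 0.0) + r.value_at_risk_aud
    return totals


def corporately_significant(risks: List[Risk], share: float = 0.8) -> List[Risk]:
    """80/20 rule: the top-ranked risks that together carry `share` of total value at risk."""
    ranked = sorted(risks, key=lambda r: r.value_at_risk_aud, reverse=True)
    target = share * sum(r.value_at_risk_aud for r in ranked)
    selected, running = [], 0.0
    for r in ranked:
        if running >= target:
            break
        selected.append(r)
        running += r.value_at_risk_aud
    return selected


@dataclass(frozen=True)
class KRI:
    name: str
    risk: Risk
    higher_is_worse: bool
    bands: Dict[str, float]  # "best" and "most_likely" limits; beyond most_likely is worst case


def trend_slope(readings: List[float]) -> float:
    """Least-squares slope of the readings per period (positive means rising)."""
    n = len(readings)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(readings) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(readings))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def classify_kri(kri: KRI, readings: List[float], tolerance: float = 0.0) -> Dict[str, object]:
    """Which scenario band the KRI is in now, and whether it is improving or worsening."""
    # Normalise so that larger always means worse, whichever way this KRI runs.
    worse = (lambda v: v) if kri.higher_is_worse else (lambda v: -v)
    current = readings[-1]
    if worse(current) <= worse(kri.bands["best"]):
        band = "best"
    elif worse(current) <= worse(kri.bands["most_likely"]):
        band = "most likely"
    else:
        band = "worst"
    slope = trend_slope(readings)
    bad_slope = worse(slope)
    if bad_slope > tolerance:
        direction = "worsening"
    elif bad_slope < -tolerance:
        direction = "improving"
    else:
        direction = "stable"
    return {"band": band, "direction": direction, "slope": slope}


# Constructed sample register: names, figures and readings are illustrative only.
DATA = Objective("Protect customer data", "Security", "AUD", 1.0)
MARGIN = Objective("Maintain gross margin", "Profitability", "AUD", 1.0)
DELIVERY = Objective("On-time project delivery", "Capability", "man days", 1200.0)
RISKS = [
    Risk("Breach via unpatched internet-facing system", DATA, 4_000_000, 0.15),
    Risk("Ransomware outage of order systems", DATA, 2_500_000, 0.10),
    Risk("Key supplier price rise", MARGIN, 800_000, 0.50),
    Risk("Loss of key engineering staff", DELIVERY, 250, 0.30),
    Risk("Office coffee machine failure", DELIVERY, 5, 0.30),  # a nut-and-bolt risk
]
PATCH_KRI = KRI("Internet-facing systems with unpatched critical vulnerabilities",
                RISKS[0], higher_is_worse=True, bands={"best": 2, "most_likely": 8})
RESTORE_KRI = KRI("Backup restore test success rate",
                  RISKS[1], higher_is_worse=False, bands={"best": 0.98, "most_likely": 0.90})
PATCH_READINGS = [3, 3, 4, 5, 6, 7]               # six monthly readings, constructed
RESTORE_READINGS = [0.90, 0.92, 0.95, 0.97, 0.99]
```

Calling `corporately_significant(RISKS)` returns the three risks (breach, supplier price rise, ransomware) that carry over 80% of the register’s value at risk, so the coffee machine drops out of board-level attention without being deleted from the inventory. `classify_kri(PATCH_KRI, PATCH_READINGS)` reports the patching KRI as still in the “most likely” band but “worsening”, which is the trigger the article argues for: the direction of travel raises the alarm months before a heat map would turn red. The backup KRI, by contrast, is in its “best” band and improving.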
Unfortunately, until organisations discard Excel spreadsheets as their method of “managing” risk, they will be confined to producing “Risk Matrix” or “Heat Map” charts. While such charts may give the impression of “doing something”, these 20th-century relics no longer protect Directors facing legal challenge. The sobering reality is that, with the technology now available, a “reasonable person” has a right to expect far more from Directors in our duty to manage and mitigate risk.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Previously published on his blog.
Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile, a recent webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be, in which we show how emerging best practices provide a good picture of how enterprise risk management should look in the 21st century.