#158 – 3 THINGS LARGE CORPORATIONS CAN LEARN FROM SME’S WHEN MANAGING RISKS – ALEXEI SIDORENKO

SIDORENKOCouple of weeks ago I was very fortunate to host one of the roundtables during the FERMA risk seminar in Malta. I am very thankful for the opportunity because the experience of brainstorming for 45 mins with the representatives from various small and medium enterprises (SMEs) really highlighted some major problems with modern day risk management and risk managers.

Here are three things that I think all of us could learn from managing risk at SMEs:

A. SMEs simply can’t afford to waste time or other resources on an activity that does not generate direct value

For SMEs time is pressures, management teams are small, margins are limited and as a result management is very pragmatic about any new, sexy activities and initiatives. Risk management is no different. It has been around for years, yet few SMEs have properly adopted it. Something’s not right…

So can risk management make companies money? Of course it can. Do modern day risk managers in non-financial companies in fact make money for their companies? Very few. Most of the modern day approaches used by the risk managers are so academic and superficial, that management has a tough job buying it. Here is a short video on showing value from risk management: https://www.youtube.com/watch?v=Cpeu0NhEMZY and it’s not what most risk managers are doing.

I think it’s about time we had an honest look at some of the activities risk managers do:

  • do risk assessments really change the way business processes work, change the manufacturing process, change the way products are sold?
  • do risk managers bring something of value to the table when any important business decision is made?
  • do risk assessments change the way executives make decisions and is risk analysis available on time to support every significant decision? do they? really?
  • are risk registers looked at by the CEO before making an important decision?
  • do risk owners check their risk mitigation actions regularly?
  • do risk appetite statements in non-financial companies change the way company operates and the way decisions are made?
  • do employees regularly read risk management framework document?
  • do managers call the risk manager before making a decision when faced with uncertainty?

I suspect the answer to most of those questions is “not quite”. This could mean one of the two things: either risk manager is not doing his job properly or he is properly doing a completely wrong thing. My bet is on the second reason. There is simply a better waythan risk profiles, risk registers, risk frameworks, risk owners and so on. Here is a short video on what does the future hold for risk management: https://www.youtube.com/watch?v=yAiRWwYItdc

B. SMEs don’t do risk management to mitigate risks, they do it to make better decisions

This I found most bizarre, we seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It’s just another management tool to help them make better decisions and hence achieve the objectives. This is a big difference between SMEs and large corporations.

SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it’s time to do risk management, be it annually, quarterly or some other regular internal. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analysed at any moment during the day, when an important decision is being made or at every milestone within the core business processes, you are probably doing something wrong.

If there is one thing I learned over the years is that no one in the company and I mean NO ONE, expect the risk manager, cares about risks. Well maybe some about-to-retire audit committee member as well, but most of them wouldn’t have the courage to deal with the real risks if you showed it to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result. You can assign risk ownership to them as much as you like, no one cares. SMEs learned it the hard way, unless an activity directly contributes to achieving objectives, it’s not going to be done. Risk management is no different. I find it ridiculous when risk managers talks about high risks and the need to mitigate them. When instead they could be saying things like “the probability of meeting this objective is 10% unless we change things”, “there is a 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.

C. Anyone can be a risk manager, but it’s not natural

Despite what we, within the risk management community, have been telling each other for years, managers are not really managing risks every day. Thinking about risks is not natural for humans. The way system 1 and system 2 thinking operate in our brain make it literally impossible to see most of the risks associated with making decisions, let alone analyse them or manage. Since the 1970s many scientists, including two Noble prize winners, Kahnemann and Tversky, have discovered over 200 cognitive biases that prevent managers from seeing, understanding and dealing with risks.

This basically means risk surveys, most risk workshops, any kind of qualitative risk assessments are very unlikely to produce truthful results. But then what should risk managers use? There are plenty of alternatives, much better alternatives: https://www.youtube.com/watch?v=4fRAUZ4AD0I

So how was the rest of the FERMA seminar?

My feedback to the organizers stays the same as my last post on the FERMA forum in Venice last year. In short, it’s impossible to grow if the people you talk to at conferences are people just like you, risk and insurance professionals. Someone needs to play a devil’s advocate. It would be good to hear from a CFO who says he doesn’t care about any of the work risk managers do and budgets based on his own methodology with no input from the risk manager. But then again Europe is probably way too politically correct for that :))

Bio:

lex Sidorenko is an expert with over 13 years of strategic, innovation, risk and performance management experience across Australia, Russia, Poland and Kazakhstan. In 2014 Alex was named the Risk Manager of the Year by the Russian Risk Management Association.

As a Board member of Institute for strategic risk analysis in decision making Alex is responsible for risk management training and certification (including creating exams) across Russia and CIS, running numerous risk management classroom and e-learning training programs. Alex represents Russian risk management community at the ISO Technical Committee 262 responsible for the update of ISO31000:20XX and Guide 73 since 2015.

Alex is the co-author of the global PwC risk management methodology, the author of the risk management guidelines for SME (Russian standardization organization), risk management textbook (Russian Ministry of Finance), risk management guide (Australian Stock Exchange) and the award-winning training course on risk management (best risk education program 2013, 2014 and 2015).

In 2012 Alex created Risk-academy www.risk-academy.ru a web portal dedicated to free risk management training for SME across Russia and CIS.

Alex worked as a Head of Risk Management at RUSNANO, one of the largest private equity funds in Russia, specializing in technology investment. Alex won an award for best ERM implementation at RUSNANO in 2014.

Prior to that Alex worked in senior risk roles at Skolkovo Foundation, Strategy Partners, PwC and Deloitte.

Alex recently published his second risk management book called “Effective Risk Management 2.0”. Alex also regularly presents at risk management conferences in Russia and Europe. In November 2012 Alex short a series of TV programs dedicated to risk management in start-ups. Alex teaches risk management at major Russian business schools including OpUS, Technopark Skolkovo, MIRBIS, MFUA, SKOLKOVO and USIB as well as corporate universities, like Gazprom.

He has successfully completed his double Bachelor degree in Risk Management and Econometrics at Monash University, Australia, achieving the top risk management and statistics student award two years in a row.

More information can be found here:

http://ru.linkedin.com/in/alexsidorenko

www.slideshare.net/AlexSidorenko/

https://www.youtube.com/user/alexausrisk/videos

 

Leave a Reply

Your email address will not be published. Required fields are marked *