If the C-suite care about decision-making, opportunity and strategy, why do risk managers focus on compliance data and backward-facing risk analysis? This will eventually make us obsolete, writes Adrian Clements, international enterprise risk manager and former risk manager at ArcelorMittal.
Decision making, opportunity management and strategy. The role of all management. All are forward looking. All levels of management need to be aligned. So why are many risk managers still providing information, compliance data and backward-facing risk analysis (risks associated with the current business environment rather than the future business world)? And why typically upwards reporting and not up, down and transversal guiding?
I guess for many it’s because of business pressure today. Reduce costs, blend short- and long-term strategies and be effective and efficient. But I believe that chief executives and chief finance officers need insight to create and manage opportunity. Backing a new business plan that will be obsolete tomorrow is not good. The points mentioned above are a positive consequence of this insight. Not driving it.
Keeping it simple, there are three steps to follow to leverage insight and create opportunity and, ultimately, value.
First: there is a time axis to risk. This time axis has a direction. This is aligned to the strategy of the company and answers the question, “Where do we need to be next year?”
To put opportunity into this, management need to understand three types of risk exposure:
- The company level – looking inside
- The enterprise – looking outside (what I think is what most people understand as enterprise risk management)
- The world (Matrix) – where my enterprise fits in the big picture. It’s this big picture that is moving. A company focusing only on compliance will stand still and eventually become obsolete.
The analogy here is the iceberg. Below the water level are the company risks, above the water level the enterprise. But the iceberg is moving. If it goes south it gets smaller, if it goes north it can remain stable or even grow. Too many internal risks can prevent us from moving forward.
Second: most people use severity and likelihood as the key drivers of risk, over a 12-month time period. By establishing these criteria for each risk element or scenario, they level the playing field and enable comparisons to be made. But time and direction are not reflected in these two axes.
Information on velocity, fragility and vulnerability can give information as to the company’s level of agility and susceptibility to these risks, ultimately creating insight into the likelihood of achieving opportunities or even identifying new windows of opportunity. Using different measurement criteria, we make risk tolerance dynamic. “I will tolerate this risk as it’s creating opportunities!”
Is this type of information available? When holding your risk workshops, ask, “When do you think it will happen?” And if we cut costs on, say, maintenance, then it could happen faster.
Bottom-up analysis can give insight into the level of vulnerability you have to certain elements of risk and the achievability of opportunities.
Third: risk visualisation. Budgets are traditionally based on an extension/interpretation of last year’s results. In order to prioritise funding so that the opportunity remains achievable and sustainable, we need to use a risk visualisation technique that is dynamic, i.e. dynamic budgets.
What is actually driving/influencing our levels of vulnerability? If we don’t know this, what are we actually budgeting for and how can we set performance targets? We need vulnerability drivers for each project or risk category. There is no point in spending all our money on mitigating a massive risk which we are not vulnerable to or that will happen 2 years into the future. A multitude of smaller risks can occur before that and cause irreparable damage. Vulnerability increases along each axis, so each manager can base decisions on the same mapping. All managers can then see where they need to act, what’s in the pipeline and where no action is needed now, but maybe later.
Vulnerability drivers can help identify synergies and so establish risk efficient investments that have multiple consequences throughout the entire risk world of that company.
Insight and value in one, as both top management and line management understand the picture and consequences. Reducing maintenance costs, for example, will potentially affect all categories, or we can target some areas to reduce as needed, if the risk appetite of that area is not compromised.