StrategicRISK spoke to Risk Academy chief executive officer, Alex Sidorenko, for some crystal ball gazing about what the future of risk management might look like.
1. Risk management must transition from a stand-alone activity to a set of quantitative risk analysis tools built into the key organisational processes and material business decisions.
The sad reality is that nobody in an organization, except the risk manager, cares about risks. We think management care about risks and their management, when in reality, argues Alex Sidorenko, all management care about is making money, achieving targets and meeting KPIs. Risk management is a very unfortunate name for the discipline. As far as business is concerned, risk management may not be about risks at all. During the webinar Alex proposed an alternative, in which risk management should become a decision-making tool used by the whole business. This was a major mindset shift when Alex implemented such an approach in a large sovereign fund where he was the Head of Risk.
Risk managers need to have multiple tools that can be integrated into all significant business activities, processes and decisions. For example, whenever a new vendor is selected, a mini risk assessment should be performed to identify possible risks, allocate responsibility for them in the contract and classify vendors per risk category for future reference. Similarly, whenever an investment decision is proposed, risks have to be modelled to determine their impact on the NPV, IRR or other relevant KPI.
2. Managing risks is counterintuitive to humans in the workplace. Risk managers must overcome the human tendency to ignore risk by focusing on integrating risk management into the overall culture of the organisation.
There will always be a lot of resistance to change. Contrary to popular belief, risk management is not natural. Some of the most notable research over the last 50 years (Nobel prize in economics in 2002) was focused on explaining human thinking in situations of uncertainty: system 1 thinking – emotional, quick thinking, and system 2 – analytical, slow thinking. In our everyday lives, system 1 thinking helps us survive. However, when it comes to work or complex decisions, we should switch to system 2, but we don’t always do this as it requires effort and energy. This is why people tend to fall into cognitive biases.
Unless we, as risk managers, spend time on reforming company risk culture every day, there is no way we will be able to get honest and factual answers to any of the questions we ask the business as risk managers. Risk managers should also minimise the use of subjective qualitative risk tools and techniques, which do not actively take cognitive biases into account.
Most people are not optimists or pessimists when it comes to risk; most people ignore risk. Most of the time people simply ignore the risks associated with the decisions they make: they don’t see the risks, or they incorrectly assess them (in both directions, perceiving moderate risks as scary (sharks) and ignoring truly significant risks (GMOs, pandemics)). Researchers have discovered that there are certain traps in our brain, called cognitive biases, which make people ignore facts that could change their way of thinking. The way humans behave in situations of uncertainty makes implementing risk management very difficult.
3. The role of a risk manager in a company must change. The concept of three lines of defence is obsolete and does not provide value for the business.
The sad reality is that if we want things to be done properly, we as risk managers will have to be involved in the first line of defence. We must have skin in the game; there is really no other way. Risk managers must drive the changes and must stand up to management, when required.
The risk manager cannot drive this alone. We must have allies and build alliances. The best ally Alex has found is the internal auditor. Alex argues that the risk manager role should probably be much closer to the first line of defence as well as the third line of defence. To have a seat at the board table the risk manager must take responsibility for the risks in the business and take responsibility for the risk analysis, maybe even without the input of business managers but using the data from business systems directly. The risk manager may need to get involved in the running of the business to better understand the risk. Our role as risk managers has to change.
4. To execute its new role, the risk management team must possess five key competencies – ISO31000 (or whatever regulations are relevant to your business), quantitative analysis, risk perceptions/psychology, computer science and business specifics.
None of these things I have spoken about above should come as a surprise to you – they have all been available to you since 2009 in the ISO31000. Risk management was always designed as a decision-making tool and not as a standalone risk management process.
Risk-based decision making requires risk managers to quantify certain risks and, more importantly, their impact on the key decisions, goals or objectives. Having a good grasp of quantitative tools such as decision trees, sensitivity analysis, scenario analysis and Monte Carlo simulations is vital. The next evolution of risk management will be artificial intelligence and machine learning; learning the basics of computer science is now becoming equally critical for risk managers.
Being able to recognise cognitive biases, so that risk managers can spot lies and deceptions and reduce the subjectivity in management decision making, is also important. It gives risk managers so much power to understand what people are really trying to tell us, even if they don’t directly say it. This is absolutely critical.
Understanding the nature of the business is so important. If risk managers work in pharmaceuticals, they need to understand how drugs are made, registered and sold. If risk managers work in an investment company, they need to understand how and why investments are made, how fair value is calculated, what the hurdle rate is and so on. If risk management is about integrating into risk management, then we need to understand how the business works.