The world is changing and risk managers must adapt, argues Hans Læssøe, founder of AKTUS and former risk manager at The Lego Group. Here are his top three suggested priorities
Risk management as a concept is undergoing changes… – both in terms of what to do, and how to do it.
The world is changing faster than ever before – and anxiety as to the speed of change is becoming increasingly prominent.
The world will never again change as slowly as it does today.
For business managers and risk managers alike, this means that past approaches of identifying, analysing and mitigating risks based on current operations and defined strategies are at high risk of being too little, too late.
Furthermore, as long as everybody is following this approach, it does not provide any competitive or business advantage.
A new and more active approach is needed, leading to a number of significant changes for most organisations.
Leading companies, some of which may be your competitors, are doing this already.
Change 1: It is not about managing risks, but about optimising performance
Risk management functions have, for decades, focused hard on defining smart and efficient methods to manage, i.e. minimise risk-taking… for the sake of minimising the negative effects of risks.
However, this has meant that resources (people, attention, money, time) have been spent on mitigating risks which had a limited impact on business performance and perhaps also limited likelihoods.
”For almost any other risk taken, it is essentially a waste of company resources to mitigate the risk.”
Perhaps, the same resources could have been more effectively used to develop and pursue opportunities, in which case the risk management process has essentially depleted business value.
This does not mean that risks should not be mitigated… naturally, they should, but in two instances:
- When the potential impact of the risk is beyond the company’s risk capacity and would – if it materialises – “kill” the company or drive it into bankruptcy, the board and executives may opt to define/apply a lower level of risk tolerance. But be careful about doing that, no one wins a race giving 80% of their best effort.
- When mitigation makes sense from a cost/benefit viewpoint when comparing the effort/resources needed for mitigation vs the impact/likelihood of the risk in question.
The above is NOT just to be seen from a fiscal/financial viewpoint. It could be based on reputation, environmental impact, legislative breach, or any other key parameter. For example, some companies may be at risk of losing a needed business license.
For almost any other risk taken, it is essentially a waste of company resources to mitigate the risk.
As a challenge, look at the risks your company is allocating resources to mitigate and ask yourself/analyse whether or not it is actually value-creating or value-depleting.
Change 2: Focus on decisions
You and your organisation will live the rest of your lives in the future. Decisions made are all related to the future which is known to be increasingly volatile.
As risk managers, we have to stand up for that and add value.
“Prevention is better than cure”, and attempting to manage risks already taken through decisions made and strategies set is ineffective and at best inefficient.
”The risk manager can be a highly beneficial support in the process of defining a strategy which is resilient as well as optimised in terms of intelligent risk-taking.2
ISO 31000 advocates on every page, that risk management must be integrated with decision-making.
So, instead of looking at a defined strategy, and identifying, analysing and mitigating the risks invoked – risk managers should be part of preparing the decision material.
This is often some finance-based business case spreadsheet model and risk managers can add uncertainties to this both in terms of general uncertainties and explicit risks and opportunities.
With this in hand, the proficient risk manager can:
- Monte Carlo simulate the likelihood of meeting strategic objectives
- Pinpoint key risks to address by adjusting strategic action/implementation plans
- Pinpoint key opportunities which, with an adaptation of the strategic measures/plans, can be effectively pursued and add value
Furthermore, the risk manager will often be a good facilitator for scenario discussions where key strategic assumptions are challenged and addressed, leading to a more resilient strategy.
A strategy which will add value if/when the world changes in a way that differs from the one expected.
In short – the risk manager can be a highly beneficial support in the process of defining a strategy which is resilient as well as optimised in terms of intelligent risk-taking.
Change 3: Collaborate
For decades risk managers have been acting and seen as corporate specialists who “did their thing” more or less without deep business interface.
Insurance programs were designed and procured with no other cross-company collaboration than executive/board approval.
Business continuity plans were developed and documented without much more than basic training of the people involved.
”To stay relevant and valuable, the risk manager has to network and collaborate across the company.”
Risk registers were updated and risk reports were issued without having a major impact.
These days have to be over.
To stay relevant and valuable, the risk manager has to network and collaborate across the company.
With a professional risk and uncertainty mindset and competence, the risk manager collaborates across the company to add value in terms of:
- How budgets are made… and how will they be strengthened by adding a risk perspective recognising that the single number revenue or ROS number will never materialise as is. The risk manager can add value by increasing the understanding of business uncertainties.
- How valid sales and operation plans are… the risk manager can analyse data from a risk and uncertainty perspective and enhance understanding and planning efforts all the way to equipment investment decisions.
- How projects are approved… the risk manager can consolidate the project portfolio and direct attention to those issues where value is most effectively added across a portfolio of projects.
Perhaps, in some instances, the metric of timing is more important than that of money. The risk manager should be able to direct focus to where the most value is added.
There are multiple such value-adding opportunities for the proficient risk manager.
This also means that top management can ask more of the risk manager than the current ERM reporting and insurance programs they are spending time preparing.
A new risk manager profile
None of this comes from nowhere. The person/team assigned to be risk manager(s) must have the appropriate skillset and mindset to meet the above agenda.
Beyond basic statistic and analytical skills which are not new to risk managers, a new set of skills are needed for the risk manager of the future:
- Strong business understanding. This is an internal skill as all business systems differ. The risk manager must understand the business system and the money-making logic of the company to be able to add value.
- Insight into human biases. Decisions are made by human beings who are susceptible to a range of biases which essentially deplete the factual quality of decisions made. The risk manager must have insight into this and how decisions are made within the company to be able to work with this and enhance the quality of decisions.
- Collaborative skills. It is time to leave the office and meet people. Talk to executives about their concerns and more importantly, to specialists about their concerns. Get the insight – which will also add to the insight of the company’s business system. Listen and support, and build on their support to enhance overall company performance. This includes knowing how to work with executives and make them trust you above their immediate gut feeling.
Growing these skills builds trustworthiness and hence impacts company performance. Impact, when applied well, adds value and now the risk manager earns his/her pay to a much higher extent than what is seen in many organisations.
It is by no means a 100-meter sprint, but rather a Tour de France, but the alternative for the risk manager is irrelevance.
The best a risk manager can do is to plan and communicate tangible steps on the way, deliver on these, step by step – and grow the role and the competencies.
Risk management is all about preparing to dare.