Risk management is undergoing a significant change and complacency is not an option, argues Hans Læssøe
Risk management is an industry/profession undergoing change – as are all other professions. It appears three things are happening in concert:
- Some risk management individuals, some risk organisations and the two global risk standards (ISO 31000 and COSO) are calling for more influential, proactive and pre-decision risk management;
- Yet most risk managers still keep on trucking. Doing what they have always done, the way they have always done it, and
- At the same time, more and more management teams consider risk managers to be nay-sayers and administrative burdens with little or no perceived value add.
The world is changing faster than ever before, and hence is changing slower that it will be in the future. The requirements to be competitive and value-adding in everything that you do becomes increasingly important as executives reduce, outsource or even cut functional areas that are not considered to add value to the company. They have to, in order to maintain a sustainable business.
From that perspective, the COVID-19 crisis may “only” be a bump on the road, whereas climate change may pose a significant, game changing and long-term change of conditions.
When Darwin expressed “survival of the fittest” 150 years ago, he was not talking about the ability of the strongest or biggest species to survive and evolve, but of those most able to adapt to changes in circumstances. This is true for businesses as well – and as the speed of change grows, effective adaptability becomes pivotal for business sustainability.
This leads me to two observations:
- Something has to happen if the risk profession is going to be a profession going forward – and we cannot rely on the risk profession being maintained for compliance reasons. After all, it will not take much for an Artificial Intelligent system to do it better, faster and cheaper just a few years in the future, and
- Risk managers have to drive the change themselves. No one else will do it for them – why should they? This also means that risk managers have the “freedom” to define how to change.
This may all be true – but that does not help the individual risk manager much. Where is the direction, aspiration and strategy for what has to happen?
Paradigm shifts are hard to grasp, even harder to internalise and harder yet to execute in real life
I see the need for a paradigm shift based on three steps to be taken by the risk manager. These may be easy to describe, but paradigm shifts are hard to grasp, even harder to internalise and harder yet to execute in real life. So what we are looking at is not a quick fix, but a hard process of change. Change in the way the risk manager sees things, changes in what and in the way risk managers act on things, and changes in the way risk managers are perceived by the rest of the organisation.
Change 1 – risk is good
And no, I am not talking about “positive” risks.
Traditionally, the focus of a risk manager has been to control/minimise and eliminate risk taking. To a business executive this is nonsense. There is no such thing as making a decision without taking risks – and if there were no risks, there would be no profit/benefit to be gained.
So as risk professionals we must drop the notion of minimising risk taking, and start looking at what is intelligent risk taking. When is it prudent and valuable to take, even big, risks? Racing icon Mario Andretti stated, “If everything is under control, you are moving too slowly”. This statement is very true in business as well, and also applies to governmental and non-profit organisations that need to develop based on other parameters than necessarily money and earnings. They all have to “move” on something.
If and when an industry becomes too predictable and slow – the way some companies succeed and disrupt is to change the rules, the products, the marketing, the business model – something/anything in order to establish a competitive advantage.
So change and hence risk is good. Learn to love risk taking – intelligent risk taking.
Change 2 – focus on performance
Traditionally, the risk manager focuses on the risks and (helps) manage risks to minimise the level of exposure the company may face. By and large, within the organisation, the risk manager is the only one who cares about risks in that respect. As a risk manager, you need to do two things:
- Start learning, if you have not done so already, the language of the business. Measure (risk) in terms of business performance metrics and replace impact, likelihood, velocity, vulnerability etc. with net present value, profit, return on sales, or whatever performance parameters the company is using.
Be aware, any business will have a “battery” of performance measures – but no one outside the risk office sees having three “red” risks as better than having four. Counting risks add no value.
- Start looking at your risk portfolio and measure/analyse how these risks affect performance on business metrics. ISO 31000 states that “risk is the effect of uncertainty on objectives”.
Learn to measure in performance scales and communicate performance rather than using risk-centric metrics. This is how you can more easily communicate with executives in a way they find meaningful.
Change 3 – influence decisions
Sad to say, but most risk managers around the world are busy saving the performance of projects, actions and decisions that have already been made. This way they are, rightly, seen as somewhat reactive.
In an increasingly volatile world being reactive means being too slow.
ISO 31000 and with somewhat lesser tenacity, COSO states that risk management must be integrated with decision making. Instead of deciding (implicitly or unknowingly) to take a risk and then trying to manage this – companies need to deploy intelligent (aware, analysed and deliberate) risk taking.
Risk managers have to look at “how decisions are made and what are they based on?”. The good news is the risk manager may not need direct access to the C-suite or Board of Directors to succeed. They may be better off liaising with the specialists and analysts who preparing the information that will be presented to decision-makers higher up in the chain. Collaborate with these people to ensure risk (positive or negative) are duly and validly embedded in the decision material.
A competent risk manager knows which analytical tools are needed and which can support the material with Monte Carlo simulations and outcomes in ranges, rather than fixed numbers, which will never materialise in real life anyway.
The risk manager should then focus on “how do we use this insight to execute and meet our targets”. All of this in close collaboration with the people informing the decision-makers and execution planners. Stop the nay-saying and become part of the solution. Be an active, positive and hence valued member of the team that effectively designs decisions made by those in power.
This way, you will earn your right to be heard, and earn your right to influence decisions and actively and tangibly add value to the business. It will not be a quick fix. So the sooner you get started the sooner you will finish.
- Start small focusing on a decision process/project/initiative where you most easily and effectively can make a tangible positive impact;
- Learn and adjust your approach to match next step, and the next, and
- Scale fast, you will not have the time/luxury to ‘stroll’ along. The business around you is moving and changing too fast.
Now you, as a risk manager, can build/create your opportunity to have impact on decision making, and to establish intelligent risk taking in the company. This way you become valuable. You will also gradually build your network across the company as well as your understanding/insight into the company’s business system and money-making logic. This is a vital expansion of your professional competency.
Change 4 – influence strategies
Once you have “earned your wings” on tactical/operational decision processes and projects, you may start looking at the more evasive decision processes such as strategic design and strategy definition. You will not be granted access to discuss strategy with executives before you have proven the value of your approach and efforts.
But do not worry - you do not have to. Instead, liaise closely with the strategy specialist/analyst team that drives the strategy definition process. Together you can shape scenario thinking, war gaming, pre-mortems etc to push for a strategy definition/description/planning which will be (more) resilient in a volatile future.
This may not earn you a C-suite title, but it will make you trusted and highly-regarded amongst those who have it. And if you do have top management aspirations, you will need to look across and get leadership experience from different parts of the organisation. But that’s another story.
Gradually and increasingly, you will be adding tangible and significant value to your business and will be “pulling above your weight”, which is a prerequisite for being truly valued as a professional in your company. Your leverage is the increasing volatility – so the need for your competency is also growing. You just have to show you have this competency.
This approach needs to be developed and fine-tuned by the wider profession over the next few years. In risk, we do not have decades to get this right. The world is moving too fast.
Twenty years from today everything will be different. There is no telling what will be safely handled by trusted AI and what we will still be contemplating and doing as human beings. It’s time to act now. Good luck!
Hans Læssøe is founder of AKTUS