As risk managers, we’re haphazard at application of decision-focused risk management because we don’t ask hard questions, says Matt Livingstone, independent risk specialist.
Why do we do what we do? Why do we spend our time and professional energy arguing with people who think what we do is a waste of time and adds no real value?
I ask you this: what have you done to really add value? How have you measured your organisation’s requirements? Why do you do what you do the way you do it? Emotive questions all, and intentionally so; however, before the metaphorical walls of defence are erected, let’s take a step back.
There have been many posts and articles on LinkedIn in the past few years which have highlighted a growing trend. My disciplined colleague, Alexei Sidorenko, refers to it as risk management 1 (RM1) vs. risk management 2 (RM2). Another colleague, David Vose, refers to the need for “business executives being expected to include risk in their decisions”. To me, and many other risk professionals, there is nothing new or innovative here, so why is it that we find so many extremely experienced professionals passionately fighting their corner on every post, article and comment which suggests otherwise?
My view is this: fundamentally, we as a global risk profession are haphazard at application of the above fundamental requirement. There are pockets of excellence in an otherwise cloudy landscape. Our profession should be considered at the forefront of business data analytics. What our honed and developed skillset should provide as an output is the ability to present the decision makers with the confidence around decisions, and their options to increase that confidence (through mitigation or exploitation of opportunity); or to be able to take more risks (through appetite at an organisational level, then delegation down into the business through tolerance and threshold setting).
So, as a risk professional, do you do this? Serious question to all those colleagues out there. Do you, hand on heart, believe that you provide the decision makers that you report to with quality, well underpinned, risk modelled outputs where possible, to enable them to make an informed decision?
Do you use probabilistic branching for more complex options?
Do you correlate risks so that if an impact triggers, it also triggers secondary, tertiary risks?
Do you consider where the risk will impact in time and how much of an impact is felt at that moment, and can you articulate this in a format the business can use to forecast, budget and manage against?
Do you run scenarios to underpin multiple option decisions where the answer may not be as simple as “yes” or “no”?
Can you explain what the top risks are in relation to organisational impact from both a bottom up and top down perspective?
Can you confidently inform a decision which may make or break an organisation?
If your job was on the line, would you double down and bet your house on it too?
This is what the risk discipline is missing. This level of confidence is what your business demands (albeit fortunately they often don’t require collateral besides a good professional indemnity insurance). This is what an accountable risk profession should be prepared to enact.
So why isn’t it? Could it be that most risk professionals are incapable of delivering the above? I would argue strongly against this, albeit some professionals are lacking the core skills and experience to really make them professionals (often through no fault of their own). Is it the organisations which are to blame then? Sort of.
From experience, many organisations attempt to foster strong risk cultures, but they are built on unstable footings. A common misconception is that risk management sits in line 1 of the Lines of Defence model (below), when in fact it should absolutely sit in both lines 1 and 2.
If risk management is delivered as a business process without the challenge, without the accountability and without the discipline required to get the best results, the output is often flat and administrative only. It offers no “management” of the risks, only capture and reporting. This often drives the behaviours seen commonly in organisations across the world whereby effort and focus are placed on identification of risks and production of a risk register, an iterative process of ineffective review with little “holding to account” of performance and resulting in marginal benefits at best.
By empowering risk professionals to act with autonomy and the fortitude to be able to aggressively challenge opinions based on factual and reasoned arguments, whilst fostering their desire to be better by supporting their learning and development, you enable difficult discussions to be tabled and resolved for the benefit of the organisation.
If your professionals are worried about the political (and by ramification, personal) fallout of asking the hard questions, ask yourself how you can better provide them with the confidence to do so unhindered. Once they are free to challenge, the quality of the service and, by inference, the risk data will improve. This will lead to more accurate outputs and more representative data analytics for the decision makers to make those better-informed decisions.
The only thing that stands in the way of an organisation becoming risk mature is its own opinion of what risk management should be.
The only thing that stands in the way of risk professionals delivering all of the above benefit to their business is time, effort and the steady pursuit of further knowledge.