Hans Læssøe, principal consultant at AKTUS and former risk manager of Lego, tells StrategicRISK how the effect of an ever-increasing speed of change adds to and alters the demands for risk management – both in terms of what to do, and how to do it.

Risk management as a concept is undergoing changes, like almost everything else. New developments and an ever-increasing speed of change add to and change the demands for risk management – both in terms of what to do, and how to do it.

Traditionally, risk management has been managing the risks emerging from decisions already taken. Generally, the company has …

  • Buildings/assets and has added an insurance program for fires, floods etc.
  • Customers and has deployed a credit risk management approach
  • Ongoing dealings in multiple currencies and has a hedging program
  • Vast IT systems and has deployed IT security approaches

This approach to risk management will be referred to as Execution Risk Management (XRM).

What has been added over the past decades, in some companies more than others, is the deliberate risk management of decision taking, asking what the risks and opportunities are of …

  • Developing and launching this new product
  • This market entry
  • This “go to market model”
  • Adding this vendor
  • Building this factory

This approach to risk management will be referred to as Decision Risk Management (DRM).

These two approaches to managing risks have significant differences between them – as they grow out of different angles, from which to look at company performance.

Decision and execution

Decision and execution are essentially two sides of the same coin. One does not make sense without the other. However, there is also a sequencing leading to the below model:

Decisions normally precede and lead to execution. In this (middle) there is a lot of execution and handling in preparing and making a decision, and, once the decision is made, there is a lot of embedded decision making in the execution.

In real life businesses, one has to accept that there are plenty of decisions taken, which are never really executed on, and which hence wither in the haze. There are also lots of execution processes, which do not really entail any more decision making – like producing parts on a piece of machinery.

Execution Risk Management

Traditionally, risk management has been focused on the very tangible and visible XRM, where risk management is often:

  • Repetitive
  • Systematic
  • Based on defined standards
  • Handled by functional specialists

XRM is handling risks through insurance programs, currency hedging, credit risk management, safety, IT security, and a wide range of other mitigating actions and approaches. Each of these has over decades evolved into higher and higher levels of technical professionalism and complexity – leading the risks to be handled by trained and focused specialists.

The approach is largely “risk centric”, i.e. risks are identified, assessed and mitigated individually – yet with company performance in the back of the mind. XRM also seeks to limit or avoid risks and is inherently risk averse.

This approach to risk management is largely an element of process excellence and driven by cost efficiency and effectiveness measures. Measuring techniques, early warning mechanisms and mitigating processes have improved, and will continue to do so. Trade-offs are taken based on cost/value and not really based on these risks. Policies and procedures have been established to frame the execution and further standardise effective and efficient handling.

The approach to XRM is increasingly based on best practices and applied almost alike in different companies and industries across the globe.

Decision Risk Management

As a newer element and approach to risk management, DRM has emerged and is gradually picking up pace as a business process in more and more companies. The basis of this is, however, very different, as …

  • Companies may define strategies with some frequency, but due to changes in business conditions, the process is never the same as last time
  • There may be some element of systematics in the process design, but the discussions and issues are profoundly different from last time
  • Strategies and tactics are defined by business leaders, who are generalists more than specialists … and hence, advanced tools and techniques are not truly applicable
  • Decision making under uncertainty is highly affected by human biases, group dynamics and a range of other “soft” factors

Multiple business analyses have shown that companies that fail often do so because of “bad” decisions or strategies (cf. Nokia, Kodak, …), which has driven the importance of DRM.

DRM is not a standalone or add-on process, as this would lead to decisions being revised whenever called for by the DRM process – which will cause turmoil in any organisation. DRM must be an element of the decision processes applied in the company: an element where the uncertainty of decision assumptions and consequences is tested, validated and taken into due consideration when/before making the decision.

This is not a realm of generally applied standards and best practices as all companies differ – and both the COSO and ISO standards have principles that state that risk management should be tailored to the organisation.

This, however, does not mean that there are no (standard) tools and techniques in DRM. Rather, it places the risk manager as a sparring partner or supporter to the decision process – along with the legal, financial, … partners who also support the definition of a strong and sustainable decision.

In DRM, there is no need for heat maps or risk registers – but there is a need for having the business plan or business case calculations enhanced with due consideration of uncertainties, thus enabling Monte Carlo simulation and/or decision tree processing in support of the decision and planning.

DRM is performance centric and addresses the uncertainties to the extent these affect the plausibility of meeting defined targets. As such, DRM is about intelligent risk-taking, and is hence more risk-prone than risk averse … it becomes a matter of which risks to take, not whether or not to take any risks.

When looking ahead into an unknown future, it may also be relevant to apply scenarios to identify issues which need to be taken into consideration to make the strategy resilient, bearing in mind, that the world may change differently from what we have assumed/planned for.

Balancing approaches

The opportunity for risk managers these days is to leverage the two different approaches in all elements of risk management and thereby enhance value and business performance overall. Just a few examples:

  • Credit risk management can apply elements of the DRM approach and help Sales create more business by balancing terms and conditions, including Days of Sales Outstanding between customers based on credit rating
  • Employee safety management may help to incentivise new manufacturing processes or equipment, which may enhance productivity as well as increasing worker safety
  • The insurance team may propose handling of risks not traditionally insured, and hence allow more risk taking
  • IT security may apply scenario planning to identify emerging IT or cyber risks to the company
  • DRM may include XRM techniques such as fishbone analyses, butterfly diagrams, and 5 Why’s to decision quality
  • DRM can look for and apply quantitative risk analytics as parts of uncertainty analyses prior to decision making
  • DRM may apply elements of standardised processes to ensure decisions will lead to meeting business objectives … or may even serve to raise the bar and exceed targets.

The challenge is to look at each element of risk management … from both approaches and imagine how this can be improved by adapting new elements.

This adds to the job content and scope of every risk manager, an opportunity for job enhancement. However, it also requires attainment of new skills.

  • The XRM-based risk specialist needs to learn and understand the business, the operating model, the money-making logic, the decision-making process, etc. He/she also needs to learn how to effectively work with executives and how to address human biases.
  • The DRM-based strategic risk manager needs to learn the techniques applied elsewhere in the company. These may be Monte Carlo simulation, operational analysis, FMEA, basic statistics, etc. He/she also needs to learn how to collaborate effectively with specialists.

In small organisations, there will be very limited resources, and one person will be required to handle the full scale and be the “Jack of all trades” when it comes to risk management. This will only be possible due to the limited size (and complexity) of the business. In larger organisations, no-one will be able to master the full scale well – and trying will invoke a risk of being equally inadequate in all elements. Yet, larger organisations will have the resources and harvest the value of having a team of specialists manning the risk management end-to-end.

Summing up

Risk management is changing, and this provides the people focusing on risk management with opportunities of learning, job enhancement and development by balancing the approaches of Execution and Decision risk management in every element.

Some of the differences in the approaches are highlighted in this table:

| Execution Risk Management | <… Continuum …> | Decision Risk Management |
|---|---|---|
| Frequent/Repetitive … may happen daily | | Rarer … perhaps as rare as once every 3rd year |
| Systematic … same approach every time | | Ad hoc … new approach every time |
| Transparent, technical and largely fact-based | | Opaque and highly affected by human biases |
| Standardised … approach based on best practice | | Unique to each company based on culture, set-up etc. |
| Trade-off is between costs and “safety” | | Trade-off is between choosing option A or option B |
| Risk centric … about minimising expected loss | | Business-centric … about optimising performance |
| Measured on efficiency and effectiveness (cost/value) | | Measured on business performance vs. targets |
| Driven by functional specialists | | Driven by business supporters or leaders |
| Deep insight in tools and methodologies | | Deep business understanding |
| Many small decisions made “on the spot” | | Few(er) large(r) decisions, carefully considered |
| Limited/shorter term business impact | | Massive/longer-term business impact |

The challenge for each organisation is to create its own optimal balance and adapt this balance to the ever-changing business conditions of the company. Outperforming competitors on this will provide an advantage which can be leveraged and hence create tangible value to the company.