Managing Risks: A New Framework
by Robert S. Kaplan and Anette Mikes, June 2012
Source Retrieved January 3, 2024
In 2010 BP's Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history. A U.S. investigation commission attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.”
Risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them.
Rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the 2007–2008 credit crisis.
In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches.
Risk Categories
Category I: Preventable risks. These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. These risks are best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.
Category II: Strategy risks. A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities. These risks are not inherently undesirable, but they cannot be managed through a rules-based control model: you need to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events, should they occur.
Category III: External risks. These arise from events outside the company and are beyond its influence or control. Risk management must focus on identification and impact mitigation.
While a compliance-based approach is effective for managing preventable risks, it is wholly inadequate for strategy risks or external risks, which require a fundamentally different approach based on open and explicit risk discussions.
That, however, is easier said than done; extensive behavioral and organizational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.
Rules about what to do and what not to do won’t help here. In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches.
Managing the Different Risk Categories
Managing Preventable Risks
See: Identifying and Managing Preventable Risks
Managing Strategy Risks
Over the past 10 years of study, we’ve come across three distinct approaches to managing strategy risks. All three encourage employees to challenge existing assumptions and debate risk information. Which model is appropriate for a given firm depends largely on the context in which an organization operates.
Independent experts. Organizations that push technological innovation face high intrinsic risks. But the risks themselves are mostly calculable. Risk management can be handled at the project level, for instance through a project review board with independent technical experts whose role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions.
Facilitators. For organizations with stable technological and market environments, and relatively predictable customer demand, risks stem largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time.
Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers. This increases managers’ awareness of the risks that have been taken on across the organization and provides decision-makers with a full picture of the company’s risk profile.
We observed this model in action at Hydro One, the Canadian electricity company. Chief risk officer John Fraser, with the explicit backing of the CEO, runs dozens of workshops each year at which employees from all levels and functions identify and rank the principal risks they see to the company’s strategic objectives. Employees use an anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing controls. The rankings are discussed in the workshops, and employees are empowered to voice and debate their risk perceptions. The group ultimately develops a consensus view that gets recorded on a visual risk map, recommends action plans, and designates an “owner” for each major risk.
Hydro One strengthens accountability by linking capital allocation and budgeting decisions to identified risks.
Embedded experts. For companies in highly volatile environments (such as the financial services industry), risk management requires embedded experts within the organization to continuously monitor and influence the business’s risk profile, working side by side with the line managers whose activities are generating new ideas, innovation, risks, and profits. The chief danger from embedding risk managers within the line organization is that they “go native,” aligning themselves with the inner circle of the business unit’s leadership team—becoming deal makers rather than deal questioners.
Managing External Risks
Different approaches can be used; see the article for details:
- tail-risk stress tests
- scenario planning
- war-gaming
Avoid Risk Silos
Companies tend to label and compartmentalize risk categories, e.g. financial risk, operational risk, reputation risk, supply chain risk, HR risk and IT risk. This creates the problem of risk silos, which inhibits discussion of how risks interact and leads to ineffective risk management.
The Leadership Challenge
Risk management focuses on the negative instead of the positive, and runs exactly counter to the “can do” culture most leadership teams try to cultivate. Risk management typically involves dispersing resources away from primary goals. That's why most companies need a separate function to handle strategy- and external-risk management.
A company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon.
That was what separated the banks that failed in the financial crisis from those that survived. The failed companies had relegated risk management to a compliance function; their risk managers had limited access to senior management and their boards of directors.
