1 of 7 – Of course I know what risk management is!
We are living in a complex, data filled world that is moving at a speed that is difficult to comprehend. I would have used the term velocity but for that we need a direction. Direction is one area where the risk manager can provide advice and support. But more significantly there are different stakeholders who need answers to different questions that are sometimes contradictory. This makes direction setting challenging.
In this first of a series of seven articles I will give my views on a few of the points we need to address as risk managers. Thee ideas and thoughts are from a personal standpoint and gathered from experience of working in multinational companies.
Top management are in the difficult position of providing a vision and business model that can deliver on a multitude of directions. Some created by the speed and complexity, some resulting from the decisions made to address the speed and complexity. Some stakeholders want long term vision, but most management teams are measured on short term KPI´s. There are also opportunities missed due to lack of insight and a business model able to capture these actions. Can the risk manager help the management in these difficult times?
To answer this question, we need to know what lies behind the question. What is really being asked.
Management are looking towards, and answering, some supposedly key questions. At least from a shareholder’s viewpoint:
- Which actions are creating EBITDA?
- How to reduce costs?
- What the next quarterly report needs to highlight …..
Stakeholders are looking at slightly different key elements:
- Is enterprise value increasing?
- Is the business model sustainable?
- How is your environmental footprint?
- What’s your long-term vision?
In order to stay in the race however, there are other questions which need to be answered also:
- Where do we need to be to stay alive?
- Are we innovating enough to move forward?
- Stop repeating the same errors
- Reputation building.
So where does Risk Management fit in? How can we combine these questions and expectations into a business approach using the risk management function as the glue keeping it all aligned and evolving?
Well first we need to make people understand what risk management is. There are too many players promoting the function of risk management as what they do that the management are losing sight of what it actually is and should achieve. This understanding is key to establishing the needed resonance within management and listening time in their hectic agendas.
So, in which way is the function, individual, perceived by those who experience it? The understanding of risk management is a person’s gut feeling about the function or individual. The intangible sum of a risk managements attributes. Simply put, a perception.
Put this way its clear why many risk managers are having difficulty in spending time with senior management or getting into those board room discussions. If you are perceived as the head of insurance, then why would you want to be in on those meetings? If you’re in the assurance or internal revision department what can you bring to a strategic alignment meeting?
If you’re a financial risk manager looking at market risk or Forex, then reporting to the CFO he /she will give the information needed. Not you, the risk manager.
Just look at the way job postings have been written and what qualifications they are asking for and you will understand Risk Management has been promoted, but in a way, which has nothing to do with what risk management actually is. In fact, we have fallen into our own trap. Not moving and making decisions has resulted in us standing still and therefore moving backwards. Risk management has lost strength and direction.
So, when I put all these points together its clear we need a brand! We have one I hear many people shouting. Really?
We, as practitioners, need to brand Risk Management and then explain clearly what each one of us is actually doing in the plethora of jobs, positions, activities, scope etc so that the management team understand they are potentially missing some key information they need
There are some key elements the risk manager should do in order to differentiate him or herself from what other people do. And create the space that is risk management domain.
As a sounding board for ideas. This means pushing opportunities as well as highlighting potential down sides and highlighting the costs associated with mitigation of the risks and capturing opportunity. This is key when thinking about true holistic risk management and challenging the traditional. Have you ever asked the CEO why the business is doing what its doing? Why not try something else? Why do they operate in that way and not another? This will be clearly uncomfortable for many people but its how the brainstorming sessions should go in order to identify potentials that create differentiation.
This function is aligned with strategy and the risk management role is to set the framework and atmosphere for brainstorming.
Too much information and too fast. Looking backwards and not forwards. Not being clear about where you need to be rather than where you can get using what you have now. Challenging the management of where they need to be. Markets, products, countries etc. The role of CEO is tough. So, what can the risk manager bring? A simple summary of this volatility and complexity. When we extend to stakeholder value then what environmental footprint, what company culture will we need, what image and brand should be present. The management need to understand there is a system, rather than a process, behind the summary. It needs to be practical but based on complex systems. The risk manager should create confidence, respect and trust. But maybe commodities and traditional are where your management are happy? So, make sure, in your risk view, this is noted. But in your opportunity’s summary highlight the team’s conclusions and advice.
Gluing strategies together
Through decentralisation and plant empowerment we generate a multiple strategy model. Not all creating the same value for the overall company. In fact, there will be value destroying strategies. Good for the plant but bad for the company.
There are also potential conflicts between departments such as finance and operations. Cost cutting can result in critical spare parts with long delivery time and supply chain risks being reduced below efficiency levels.
Reducing staff cuts costs but cuts strategic knowledge gathered over many years.
The whole point behind risk management is to provide insight for strategic decision making. As most company’s top management are there to guide the company into the future rather than manage the hands-on day to day business then a longer timeline is needed than the quarterly reporting deadlines. Unfortunately, there are many auditing companies who are specifically asking for risk management to report each quarter. There are naturally some fast-moving risks but normally a longer-term view is needed. And some strategies should not be shown to auditors or consultants specifically as they are strategic in nature. Future benefits come from placing the company in the right place at the right time with the right products etc. The actions then being taken are on a quarterly basis are not in fact risk measures but operational ones.
Here a careful balance between compliance, which can stifle growth, and opportunity management is needed. I believe the compliance and risk function, when combined hierarchically, is fundamentally flawed. There is naturally the risk of noncompliance but as with all other risks needs to be independently addressed by the risk function and therefore there is a conflict of interest if risk reports to compliance.
But no matter what the management want or need it’s the sustainability of actions that is key. And the advice on where action prioritisation is needed to ensure this goal will bring the trust and respect that is needed. It’s the results that count. As we have seen many times in the past if this risk management system approach is followed there is steady growth but if not then one small error or misunderstanding can increase costs and reduce advantage in the long term for stakeholders.
Ultimately, even though decentralisation and local empowerment reduces risk to the board member it also can destroy value for the company which is the boards responsibility.
So, if each of these roles, and many more, are what a risk manager can bring to a company then you can see why many of us are not making it into the board room meetings. Our brand is inadequate. However, each of us is doing a job that clearly benefits the company.
The first step to branding is therefore creating the RASCI matrix and creating the role and responsibility chart needed for each level of the company. Once this is done, without any cognitive bias, HR, Management, etc can see and establish the skill sets needed, the reporting lines and the deliverables necessary, to create the value needed.
This will create the transparency needed and awareness of gaps in the management structure that require the glue that is risk management to stick it all together.
Once the actual scope and impact a risk manager can make is more transparent, we can start to answer some other question such as adding the value we clearly can bring the company. The next article addresses the issue of opportunity. But taken from a slightly different viewpoint. Unfortunately, value is measured in monetary terms so let’s use this as a start. In a separate article I will give my view on why money will ultimately fail as a kpi to describe long term value creation.
2 – Where’s all our money going?
3 – Severity or frequency – which comes first?
4 – Trees creating transparency
5 – Barriers creating openness
6 – The playing field is not flat!
7 – What do you mean I’m the owner?