The risk intelligent organisation
Enterprise risk management has been around for some time. But it is the rare company that intelligently manages the full spectrum of risk; that adequately assesses and addresses risk from all perspectives; that breaks through the organisational barriers that obscure a view of the entirety of risks facing a company; and that systematically anticipates and prepares an integrated response to potentially significant risks. We call such model companies Risk Intelligent Enterprises.
Intelligent risk management involves not just the desire to avoid something negative (e.g., preventing an attacker from stealing your customer database) but also the need to attain something positive (e.g., successfully integrating an acquired company). The Risk Intelligent Enterprise considers the ability to anticipate and react to a market opportunity to be as important as readiness for a potentially devastating business disruption.
The Risk Intelligent Enterprise links “probability” with “vulnerability” and “risk interaction”. Probability, of course, is important and well established in traditional risk management. Indeed, many risk events occur with regularity and thus can be modeled effectively using statistical techniques. However, probability has less value for abnormal risks, i.e., where the event is rare, where the rules are unknown or rapidly changing, or where the causes are external factors beyond any individual’s or company’s control.
Consider the tsunami example: probabilistic modeling may well show that a region is likely to suffer a major tsunami roughly once a century. But such models cannot state with certainty in which particular year a devastating tsunami or earthquake will strike, nor have they done a good job of predicting the outcome when multiple risk factors converge. In such instances, the notions of vulnerability and risk interaction should assume prominence in the risk assessment and risk management processes. In the case of recent disasters, vulnerability to such an event proved exceedingly high in virtually every respect, including process (e.g., poor evacuation plans), people (e.g., unclear chains of command), and systems (e.g., lack of backup communication systems).
While the consideration of vulnerability and interaction should be elevated, this is not to imply that probability is not important. Probability works well in many applications, including industries such as banking, which uses probability to manage market, credit, and operational risk; and insurance, which uses actuarial data to set rates and establish reserves.
But, depending on the variables, vulnerability may also need to play a role in the overall risk assessment. The simple fact is that if a risk is both relevant and has extremely high impact, it should be addressed regardless of how “remote” its likelihood appears. Sometimes improbable events occur with devastating effect, while at other times probable events fail to materialise. The Risk Intelligent Enterprise understands the possible, not just the probable, and responds accordingly.
One way to evaluate high impact/low probability events is through scenario planning. “What could disrupt our plans? And how vulnerable are we to it?”
Companies have long engaged in budgeting and forecasting in a restricted manner that considers only a narrow range of outcomes (e.g., assumptions about the stability of commodity prices) and focuses primarily on direct, bottom line impact. Unfortunately, this limited view can leave the company unprepared when significant unexpected variations — both good and bad — occur.
The Risk Intelligent Enterprise considers indirect or longer-term effects due to, for example, loss of reputation and customers (a “downside” scenario) or lack of production capacity when demand increases (an “upside” scenario). These companies weigh a wider range of causes and effects beyond near-term financial impact. Once potential scenarios are identified, a range of “triggers” (e.g., events such as a currency dropping below a certain value or a competitor gaining a specific market share) is established; when a trigger fires, it alerts the company to a situation requiring further assessment and response.
A company can build its ability to respond to different scenarios by selectively investing in the capabilities needed should the event occur. However, one problem can arise with scenario planning: it is often difficult to address envisioned scenarios within the existing risk management infrastructure (i.e., within functional divisions).
When risk management becomes “siloed,” each of these units — such as internal audit, treasury, HR, and IT — brings to bear different philosophies, jargon and approaches. A host of problems can arise: duplication of effort; increased burden on the business; lack of appropriate reliance on one another’s work; lack of standardisation in methodology; and absence of risk intelligence sharing. All of these make it difficult to obtain an accurate and comprehensive view of the risk to which the entire company is actually exposed. Most major losses at Global 1000 companies were the result of multiple high-impact but low-likelihood, cross-silo risks.
The Risk Intelligent Enterprise is aware of the silo tendency and takes concrete steps to break down the institutional barriers that can inhibit collaborative risk management. This may include the creation of cross-functional teams that share information, perform joint analyses, and engage in scenario planning.
Some executives mistakenly perceive their responsibility to address risk as a duty to avoid risk. This is a recipe for failure. Avoid risk and you will also avoid success. Intelligent risk-taking for reward is a building block for success and essential for competitive advantage.
In enterprises where risk management capabilities are not fully developed, managing unrewarded risk is often the full extent of risk management activity. Unrewarded risk gets its name from the fact that there is no premium to be gained for taking certain kinds of risk (e.g., risks affecting operations, the integrity of financial statements, and compliance with laws and regulations): the best outcome is that nothing goes wrong.
Conversely, rewarded risk focuses on value creation; it involves managing risks to future growth and making profitable bets. In rewarded risk-taking, a company receives a premium for taking and managing risks — and receiving approval in the marketplace — associated with new products, markets, business models, alliances, and acquisitions.
The process of risk assessment puts both the executives and the board in a better position to evaluate the level of exposure and then decide whether or not to accept the exposure. Of course, determining an acceptable level of exposure is a challenge. Nobody can reasonably expect you to be right all the time; inevitably, some of the careful bets you place will lose. But every stakeholder can reasonably expect and insist that you make the best decision you can, weighing the information available at the time and the options at your disposal, i.e., being risk intelligent.
Steven Lim is an executive director and head of Deloitte Malaysia’s Enterprise Risk Services practice.