Embedding Risk Management: Easier, Faster, Better
October 2003
Risk management workshops often fail to motivate
employees to truly reduce risk. The process of embedding can make a real impact.
Embedding facilitates changes throughout an organization that improve risk management
and improve the evidence of its operation and effectiveness, through audit trails
and performance reporting, and so reduce the overhead of audit and control risk
self certification.
by Matthew Leitch
Outside the financial services sector, formal corporate risk management activities
usually involve a pattern of behavior that will be familiar to most readers.
Workshops are held at which people think of “risks,” rate them, and write down
what they are doing or plan to do about the ones that seem important. The results
are written up as a “risk register.” The same behavior occurs in the public
sector, where it has been adopted as good practice.
People in many organizations feel this activity adds little value. Their
reaction has been to involve the minimum number of people and do it no more
often than is necessary for compliance.
Knowing this, regulators and other providers of guidance typically say that
risk management should be “embedded” in an organization. It should not be something
extra done to comply with their regulations, but become part of normal management.
So what does “embedding” really mean, how do you do it, and does it work?
This article explains what the real issues are and what embedding has to mean
if we are to see risk management make the impact it should.
Risk Management Workshops
Risk management workshops have been promoted as both an audit and a management
exercise, which is why a lot of the problems arise. First, the audit influence.
A common regulatory requirement is to evaluate your internal controls regularly (e.g., the U.S. Sarbanes-Oxley Act § 302 and
§ 404, and the Combined Code in the United Kingdom). Conventional internal auditing
involves detailed reviews of specific areas of an organization and typically
covers a small proportion of its activities in one year. How do you cover a
whole organization every year and perhaps even every half year or quarter?
The answer that emerged was control risk self assessment. That is, people
audit themselves and sign off their conclusions to create a file of reassurances
that directors can rely on. This can be done with paper forms or by entering
information onto a database, but from the beginning, it has often been driven
by workshops. These workshops were designed to follow the leading thinking in
audit, which is that audits should be risk focused. The format was a direct
result of audit thinking: list risks, look for controls, report gaps.
A second influence was the realization that internal control systems (i.e.,
the many procedures organizations have to make sure that things happen the way
they are supposed to) must be adapted frequently to meet new challenges. This
comes through strongly in the influential “COSO framework,” written by auditors
Coopers & Lybrand for the Committee of Sponsoring Organizations of the Treadway
Commission in the United States. Again, the focus was on identifying risks,
and you could say that the influence of auditors is strong here too.
The Problem with Workshops
As an audit approach, the workshops have a lot to offer, though they can
lack objectivity. People are very aware of the answers they are expected to
give. As a risk management tool, workshops are not ideal because they tend to
look at the current situation rather than looking ahead to identify where new
work on internal controls will be needed. They are also let down by a number
of common technical flaws that tend to undermine risk identification and assessment.
Far more time is typically spent thinking about risks and their effects than
about the controls. Finally, it is risks that are prioritized, instead of actions,
which reflects the lack of attention to actions. Since the relationship between
risks and controls is many-to-many, this is a major technical fault.
It’s not surprising that people often feel they only do formal risk management
for their auditors.
Embedding
Regulators advise “embedding” risk management to encourage organizations
to do something more effective than have an annual meeting at a senior level
to produce some “shelfware.” They also advise it to argue that they are asking
for something efficient that organizations should already be doing.
One interpretation of “embedding” risk management is that you can do it by
repeating the workshops more frequently and at more levels in an organization.
As it becomes a regular event, doesn’t that make it part of normal management?
The theory is that the thought process of the workshops (i.e., objectives—risks—controls)
can be applied usefully to anything at any level. Enterprise-wide risk management
is sometimes described in just these terms.
A more realistic view is that there are many different techniques and ways
of thinking about and managing risk and uncertainty. Embedded risk management
is where the right techniques are applied where appropriate, in the right strength,
and in a way that generates evidence of operation and effectiveness.
At its simplest, this can mean elementary internal controls, such as performing
bank reconciliations to combat various risks related to faulty accounting and
theft. More sophisticated examples of controls involve more risk thinking.
In effect, embedding risk management involves expanding the concept of an
internal control to include more sophisticated management processes which involve
an element of risk thinking. Here are some examples.
Credit Management. Though there are spectacular
exceptions, most companies manage the risk of not being paid by their customers.
They have credit risk management embedded already, though perhaps it could be
done better.
They have established procedures and computerized controls that cover assessing
the risk of default, granting credit progressively, monitoring for possible
default, and following up. Sophisticated methods may be used to assess credit
worthiness. These methods are often reviewed, and attempts are made to improve
them. Credit management procedures are documented and generate evidence that
they have been carried out, i.e., they leave an audit trail. Typically there
is monthly reporting of credit risk management performance.
These elements—multiple procedures, intelligent decisions, an audit trail,
and frequent measurement and reporting—characterize embedded risk management.
Strategic Marketing Planning. In contrast to
credit risk management, risk and uncertainty are rarely managed well in strategic
marketing planning. This is a pity because these plans involve huge uncertainties
and are sometimes indistinguishable from the strategic plans of the whole enterprise.
They can get a company into the sort of deep trouble that leads to ruin and,
occasionally, false accounting.
An embedded risk management process here starts early, ideally before people
tie their personal credibility to particular ideas. Reviewing major areas of
uncertainty frequently helps guide the research and analysis that goes into
creating these plans, as well as introducing risk and uncertainty management
into the plan itself. There are some very simple tools for thinking about risks
and risk factors, and more complicated analytical methods for estimating results.
Project Risk Management. A large organization
can easily have 100+ projects running at any time. The risks are considerable.
Workshops to try to identify specific risks and plan responses are increasingly
common but they are just a small part of project risk management.
Different organizations have different habits on projects but typical activities
include: tracking project risk factors, structuring projects to reduce the risk
profile (e.g., incremental deliveries or a portfolio structure), continuous
monitoring of new information for emerging risks, feasibility studies and other
research, Monte Carlo simulation to support estimates, and independent audits.
It is not necessary for a risk management approach to be standardized to
be embedded. A more efficient approach is to have a generic scheme which people
are encouraged to flex as appropriate to meet the specific needs of their project.
The Process of Embedding
If embedding is interpreted as holding the same type of workshop at more
levels and more frequently, then the process of embedding looks very simple: define the thought process and way of documenting
it, then train as many people as possible to do it. The difficult part is to
convince people that this is a good use of their time.
If you accept that embedding is more complicated than this, the process of
embedding becomes:
- Identify risk and uncertainty management activities (a.k.a. controls)
already operating, recognizing the wide range of different techniques and
thought processes that can be used.
- Improve and refine them where appropriate.
- Ensure the activities generate evidence of having operated and of their
own effectiveness (e.g., performance metrics, independent reports) to minimize
the need for audit and control risk self assessment.
At the top level it is helpful to have executive leadership (i.e., not normally
the Audit Committee) anticipate the need for work on controls and direct resources
to it in good time.
The Ultimate Test of Embedding
Sometimes it seems that whatever procedures we invent, people find a way
to manage risk poorly anyway. This is not an illusion. In many situations, people
actively fight good risk management. Perhaps risk management should only be
described as truly embedded when this fight is over. That may be idealistic,
but by understanding why people fight it, we can perhaps begin to see how to
change the psychology of risk management.
First, psychological studies show that we tend to have an overly narrow view
of the future. We think we can predict and control it more than we really can.
Second, everyday experience confirms that the many pressures we feel from
other people tend to reinforce this narrow view.
For example, imagine your boss suggests an idea. You think of a significant
risk to it but he seems enthusiastic about his idea. Do you point out the potential
problem? Imagine this time you have an idea and you want approval to go ahead.
Your plan is based on some assumptions, but as you list the advantages of your
proposal to your boss, do these even cross your mind let alone get into the
conversation? We feel that a show of confidence, i.e., certainty, is important
for making our case. If someone suggests a sensible risk management action for
your plan, would you be inclined to accept it or reject it? Many people reject
such suggestions because acceptance implies they have doubts.
Target setting and incentives also play their part. If you are running a
venture and believe that it could do better than expected, do you say so and
risk having your targets raised? If you fear it may turn out worse than expected,
do you say so or stay quiet and hope that things get better so you never have
to mention your concerns?
This is called uncertainty suppression and it is the enemy of good risk management.
For example, a consulting company introduced a new idea for managing risk in
bids. People had to estimate the expected profit, but also estimate the level
they were 90 percent confident of beating and the level they believed they had
a 10 percent chance of exceeding. This is technically good, but actual estimates
were far too narrowly spread with a strong bias toward upside risk!
It’s too early to say we know how to combat uncertainty suppression, but
here are some suggestions:
- Leaders should show that they dislike uncertainty much less
than its concealment and will reward responsible discussion of risks,
both upside and downside. Most subordinates assume their boss is
less enlightened than this, so it is worth showing it often.
- In activities like new product development, it may help to avoid
linking individual managers with individual ideas, while making
it clear that wise choices are more important than getting your
pet idea accepted. Start talking openly about uncertainties as early
as possible.
- Include upside and downside risks in formal risk management.
Often, it is best to start by simply asking people to identify “areas
of uncertainty” rather than “risks.” A purely negative focus tends
to be demotivating and unpopular.
- Remove management systems that use fixed targets and that give people an
incentive to minimize variances between actual results and the target.
Case studies of large companies that have done this show it can
be done with good effect. It encourages people to plan for a realistic
variety of futures rather than assuming that the target is what
will happen.
Summary
To embed risk management, begin by accepting that you already have a lot
of risk management embedded and find it. Then go after the many opportunities
for risk experts to facilitate changes throughout an organization that improve
risk management and improve the evidence of its operation and effectiveness,
through audit trails and performance reporting, and so reduce the overhead of
audit and control risk self certification.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.