Risk Management Practices Cannot Be "Bolted On"
July 2007
Enterprise risk management is prone to glib
simplifications and erroneous perceptions. For example, many executives harbor
the notion that risk management is merely one more management tool. In other
instances, risk management is sometimes considered a hindrance to those trying
to run the business, viewed as an additional layer of bureaucracy causing inaction,
or worse, incorrect action.
by Mark
Layton and Michael Fuchs
Deloitte & Touche
Both of these situations are harbingers of risk management failure. As we
have previously pointed out, if an organization doesn't embed risk management
into the decision-making process, it will almost assuredly fail.
An abundance of real-world examples clearly demonstrate that even comprehensive
knowledge of risk management best practices is necessary but not sufficient
to increase an organization's ability to make risk-informed strategic decisions.
As oft-ignored risk managers will attest, successfully avoiding or mitigating
costly risks while increasing the payoff of judicious risk-taking depends on
more than possessing risk management expertise alone. In these cases, risk management
tends to be considered the responsibility of the risk function/risk officers.
While that is where the risk expertise and oversight lies, a risk intelligent
organization relies on its individuals throughout the organization to make educated decisions that appropriately factor in applicable
risks.
We believe that an organization's single greatest obstacle to becoming a Risk Intelligence Enterprise™ is its existing
corporate culture, perhaps best defined "as the way we do things here." Many
once-dominant companies that were overtaken by feisty and hungry competitors
suffered defeat not so much at the hands of those competitors. Rather, their
downfall was often a result of their own unsupportive corporate culture that
offered more rewards for "staying the course" than for innovating in the face
of change. The problem is, when individuals hear the words "risk management,"
they fear that it means risk avoidance, eliminating opportunities to embark
on strategic initiatives and/or make big decisions. As many historical examples
show, the lack of a robust risk management culture often results in less action,
not more. By not understanding the risks of staying the course, or assuming
that the risks of a strategic initiative outweigh the rewards without any sophisticated
analysis, companies have failed to take an appropriate course of action.
Companies in myriad industries failed to gauge shifting customer preferences,
were unable to perceive and react to social and geopolitical conditions, and
consequently were not in a position to identify and deal with the bold initiatives
of their increasingly proactive competition. Consider the following examples.
-
A leading Swiss watch manufacturer failed to recognize advances had shifted
the base of manufacturing from mechanical to electronic technology.
-
In the 1980s, dominant players in the typewriter market were taken totally
by surprise at the advances of word processing.
-
During that same decade several mainframe computer makers dismissed personal
computing, allowing that market to be dominated by new arrivals, such as
Apple.
-
A dominant sewing machine vendor failed to perceive that the employment
of increasing numbers of women left little time for making clothes at home.
Can such misjudgments be attributed to a failure of risk management practices?
The overwhelming evidence indicates the plight of such companies is due less
to a shortage of internal risk-savvy managers and more to a corporate culture
inimical to their talents and insights, a setting often characterized by shortsightedness,
compliancy, insensitivity, and sometimes arrogance. Such failures often arise
when the organization relies on individuals, when facing a key decision, to
determine the risk/reward profile base on their own risk tolerance. Conversely,
in a Risk Intelligence Enterprise™, individuals
have the tools to factor-in risk effectively in their everyday decision-making
processes, and work in a culture that allows for effective communication across
functions, businesses, and levels in the organization.
Risk intelligence cannot flourish, and, indeed, even rudimentary risk management
cannot take place in an environment where risk-taking is discouraged, dissent
not permitted, and contrarian alternatives are off the table. Rather, risk intelligence
blossoms in an atmosphere that permits employees to question accepted assumptions
and critique conventional wisdom.
Establishing risk intelligence means seamlessly merging risk management into
an organization's decision-making process. This will encourage intelligent risk-taking
in a sustainable manner, which will result in risk management being understood
as everyone's job. Simply put, people throughout the organization need to know
how to factor-in risk, why it is important to the organization, and be held
accountable in the risk management process.
But how is this successfully put in place? In our view, this is possible
only through recognizing that risk intelligence not only cannot be "added on"
to an organization's culture, it can only be successfully implemented by transforming
and eventually becoming that organization's culture.
-
According to a study in the January 21, 2006, edition of The Economist magazine, a surprising
number of companies still have much the same command-and-control structure
they had 50 years ago. Such an organizational hierarchy will often impede
the flow of communication from the bottom up, and across departments and
divisions. As we have pointed out in prior columns, true risk intelligence
requires unimpeded communication.
-
Instituting a risk aware culture will compel an organization to be more
comfortable with confrontation, dissent, and even conflict as a mechanism
for individual and collective transparency and accountability. "Thinking
outside the box" must become more than company boilerplate.
-
Since risk management is, in part, a function of questioning conventional
wisdom, establishing a risk management infrastructure will institutionalize
powerful change agents that will not only impact the way business is done
but will make external and internal change an ongoing component of a company's
culture.
What's also essential to this equation is leadership. So much of an organization's
culture is a direct reflection of top management's demonstrated values and behavior.
For an organization to achieve a risk intelligent culture, it cannot be perceived
as an initiative solely of the risk function of the organization under the directive
of the chief risk officer. Rather, companies should have a directive from management
that considering risk as part of the everyday decision-making process is the
right way to run the business.
In other words, to successfully implement risk intelligence, and in so doing
transform an organization's culture into one that focuses on both risk and return,
C-level managers must do more than just talk a good game.
Next Installment
Coming next month, risk-taking as a means to create value.
Michael
Fuchs is a principal with Deloitte Consulting, specializing in Human
Capital Consulting. He can be reached at (212) 618-4370 or at mfuchs@deloitte.com.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.