Announcing the Definitive Risk Management Guidance

June 2010 Issue

By Diana Del Bel Belluz, M.A.Sc., P.Eng.

Recently a member of the Enterprise Risk Management Association on the LinkedIn business networking site asked "What is the preferred enterprise risk guidelines covering all sectors?" People who ask that question naively search for the perfect decision rule.

In truth, there is no definitive guidance or approach for risk management. The search for it is futile because good decisions don't result from discipline alone; they also require creativity and judgment.

It takes creativity to develop innovative decision options that solve tough problems or seize new opportunities. A disciplined decision-making approach does more than ensure that the best option is selected. It ensures that the judgment of individual decision-makers aligns consistently with corporate values. Indeed, risk appetite and risk tolerance are simply alternate ways of expressing corporate values.

Here are three tips for developing a disciplined approach to risk management.

Tip #1. Pay attention to context

While there are principles of risk management that will apply broadly, they can't be applied in the same way in any two organizations. This is because of the enormous importance of the role of context. Even organizations in the same sector will differ greatly because of their unique contexts.

For example, two companies I know were in the same industry and located in the same town, but were vastly different. These 'night and day' differences began with their organizational cultures (including their risk mindsets), and extended to the employees and suppliers they attracted (one cultivated a strong relationship with its employees and contractors while the other had a union shop), their business processes and practices (one was able to sustain a high degree of innovation while the other was not), and to their business results (one was consistently profitable while the other was in and out of bankruptcy protection).

To illustrate the importance of context in understanding behaviour, Nobel Prize winning psychologist Herbert Simon used the metaphor of the mind as a pair of scissors. One blade of the scissors represents the brain (i.e., capabilities for perception, analysis, and judgment) and the other represents the brain's environment (i.e., the decision-making context). We cannot understand the operation of the scissors without understanding the simultaneous movement of both blades. Extending the metaphor, unless you understand the organizational decision-making context, you cannot influence risk management behaviour.

Attention to context is critical for effective enterprise and operational risk management because the devil is in the details of implementation. Successful application of risk thinking to decision-making requires attention to the interplay between context (including both the general economic and competitive business environment and the specific nature and time horizon of the particular issue that must be decided) and your risk management capabilities (including your current risk culture and your risk management infrastructure).

Tip #2. Understand your current risk capabilities

The Risk Management Spectrum (see box below) is a simple tool for understanding the maturity of your oganization's risk management capabilities. The four points on the spectrum describe typical milestones along the ERM implementation journey. Organizations that constantly find themselves in Crisis Mode perish. I find most organizations are either in Survival Mode or Quality Mode. Over the last 20 years, I have helped many organizations progress towards the proactive end of the spectrum. Getting to Stewardship Mode requires:

1. leadership commitment;
2. integration of risk analytics into key decision-making and management processes; and
3. a culture of risk optimization that shifts resources away from over-managed risks and towards under-managed risks

Tip #3. Customize your risk management approach

In developing your risk management infrastructure, it is wise to adopt elements of existing guidance that are relevant for your organization. Here is my view on how three sources of ERM guidance each add a valuable perpective on the intersection between understanding the role of context and applying risk management capabilties to strategic and operational decisions.

1. ISO 31000

ISO 31000 (like AUS/NZ 4360, CSA-Q850) does a good job of explaining the importance of business context. Unfortunately, too many practitioners skim over this step and rush to misapply risk assessment tools and then wonder why risk management doesn't gain traction.

In my view, the most important contribution of ISO 31000 is that it puts risk management into the context of organizational design. It includes a helpful discussion of the necessary components of an organization's framework for managing risk and the way in which those components interrelate. This validates the approach I've used for over a decade to assist clients to build and continually improve their risk management framework and decision-making capabilities.

What I find disappointing with most standards is that they start with the implicit premise that the status quo level of risk is either acceptable or too high. I'm inferring this from the stereotypical risk management options they offer which are along the lines of: 'avoid', 'reduce', 'transfer', and 'accept'. I'm delighted to see that ISO 31000 includes a 'take or increase risk' option. Risk management professionals need to get comfortable with risk-taking and exploring the upside of risk if we want our discipline to be relevant to executive decision-makers.

2. COSO

While some financial organizations have embraced the COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM Integrated Framework, a recent survey of executives working in the area of ERM revealed that COSO was not considered a key source of information and guidance. [Note, the survey results were published in the article "Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives" by John R.S. Fraser, Karen Schoening-Thiessen, and Betty J. Simkins, Journal of Applied Finance, 2008.] Many risk professionals (myself included) find that the COSO cube is needlessly complex and seems to be aimed more at satisfying auditors than supporting decision-makers.

COSO does provide a strong linkage to the concepts of risk control. In an operational context, managers need to ask 'What could stop us from achieving our objectives using our corporate strategy?', not 'Does this strategy effectively balance risk, reward, and costs?' That's because in an operational context, where reliable execution of strategy is the main objective, an emphasis on control is entirely appropriate. If your people constantly second-guess your corporate strategies, they'll never execute them efficiently.

3. Nonprofit Risk Management Center

In the context of developing corporate strategy, an innovation stance is essential for exploring the "opportunity" side of risk. You need to remove your 'risk control' hat and ask questions such as:

• Are we taking enough risk to achieve our goals?
• Are we taking the right risks (i.e., risks that will yield the desired type of benefits AND are consistent with our values)?
• Are we reaping enough benefits (in terms of economic or social goods) for the risks we are taking?

A great source of guidance on these types of strategic risk questions is Ready... Or Not: A Risk Management Guide for Nonprofit Executives the new book by Melanie Lockwood Herman (see this month's Bonus Resource for a review of this book).

The Risk Wise bottom line... If you want your people to display appropriate risk-taking behaviour, you need to ensure they have the know-how to tailor the application of your risk management tools to suit the context of each particular decision they make.

*

How well do managers across your organization apply balanced risk thinking to decisions involving strategy and execution? If you want to achieve the Stewardship Mode of risk management, contact Diana Del Bel Belluz at Risk Wise by phone at (416) 214.7598 or This email address is being protected from spambots. You need JavaScript enabled to view it.

Upcoming Events:

Visit our Events page for details on the following events:

• August 23-26, 2010, Vancouver, BC - Process Hazard Analysis (PHA) Leadership Course fromClearSky Risk Management.

SPECIAL OFFER: 10% discount for Risk Management Made Simple Advisory subscribers.

• September 15-16, 2010, Ottawa, ON - The Conference Board of Canada will present its annual Intergovernmental Forum on Risk Management Conference.

SRECIAL OFFER: $300 discount for Risk Management Made Simple Advisory subscribers.

• September 20, 2010 – Free Webinar hosted by Risk Wise will feature John Fraser and Betty Simkins, editors of the latest textbook on Enterprise Risk Management.
• October 10-12, 2010, Philadelphia, PA - Risk Management and Finance Summit for Nonprofits. The Nonprofit Risk Management Center will present its annual conference.

Follow the links to:

• Read this month's Bonus Resource - Are You Risk Ready...Or Not?
• Download a printable version of the entire June 2010 issue of the Risk Management Made Simple Advisory.
  
• View the Article Index to access back issues of the Risk Management Made Simple Advisory.