15 May 2022

The Future of Risk Management

The Role 

What is the future role of Risk Management, and what does this mean for the Risk Manager? Will the world of risk be machine-driven decision-making, with quantitative models and AI algorithms determining the most cost-effective mechanism for reducing risk? Or will risk be a qualitative function relying on relationships and individual expertise to influence decision-making, identifying potential problems and opportunities? Or will risk be "everyone's job", so that the Risk Management function can be disposed of completely? 


I would posit that Risk Management and the Risk Manager of the future are the same as the role today. What may change are the systems, tools and processes used by Risk Management and the enterprise.


"Risk Management uses the appropriate tools and processes to continuously learn and grow to ensure effective decision-making vertically and horizontally across the enterprise, focusing as much on opportunities as on identification and mitigation of potential problems." 


The core concept is that the role of Risk Management in the future will be the same as the role today. Notably missing from that definition is the word "Risk". In its place are the twin concepts of opportunities and potential problems. This follows the definition I have used for "Risk" for about 25 years: "The possibility of something bad happening, or something good not happening". 


Risk Management is the process by which good things are encouraged, and bad things are discouraged from occurring. Simple really. 


There is a huge amount to unpack in there.  

  • Appropriate tools and processes 
  • Continuously learning 
  • Ensuring effective decision-making 
  • Opportunities 
  • Mitigation of potential problems 


The Risk Manager of the Future, to achieve that, must: 

  • Be Curious, 
  • Demonstrate Adaptability, and 
  • Inspire leaders and decision-makers 

While not breaking down each of these three attributes, I think they are embedded in the discussion below. 


Noticeably missing from the definition above are the words "framework", "risk identification", and "risk assessment". There is a reason for that. Those words belong in the position description and the long-form description of Risk Management, and are focused on the detail of the process and not on the objective of Risk Management. But more about that later. 

 

Let's go back and focus on the keywords and phrases. 

 

Appropriate tools and processes: Risk Management should use tools and processes, and they should be the right tools and processes for the maturity of the enterprise and the maturity of the function. The size of the enterprise will also influence the tools and processes. Risk Registers are important throughout the maturity of the enterprise and function, not because they are the best tool, but because the stakeholder community (up, down, sideways, internal and external) understands the concept of recording and monitoring risks through some form of repository of risks.  


There will be many situations in which modelling such as Monte Carlo will be appropriate and may indeed be the only appropriate tool. Where there are repeatable processes or large amounts of data to support modelling, that is the appropriate approach. Where the risks and situations are new, unique to the enterprise, or rely heavily on the judgements and choices of a few individuals (Board members, C-suite individuals, marketing specialists, application developers, etc.), quantification of the risk through modelling will be of little value: the model only reproduces the guesses fed into it.


Where subjective judgement based on experience and expertise is required, qualitative assessment of risks and determination of appropriate mitigation (by the risk owner) may be the most appropriate response. Such situations should be subject to challenge and review, which is part of the role (today and into the future) of Risk Management. 
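As an added example, not from the original post, the following Python (standard library only) is the kind of Monte Carlo model the two paragraphs above are weighing. It treats how often a "bad thing" happens as a Poisson rate and the loss per event as lognormal, simulates many trial years, and reports the figures a decision-maker asks for: expected annual loss, the median and 95th-percentile year, and the chance of exceeding a threshold. It then compares a control that halves the event frequency against that control's annual cost, and `input_sensitivity` shows how far the answer swings when the judged median loss is only a guess, which is the caveat above about situations that rest on a few individuals' judgement. All scenario parameters, the control and its cost are constructed for the illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario. Values are constructed for this illustration."""
    events_per_year: float   # Poisson rate: how often the bad thing happens
    median_loss: float       # median loss per event, in currency units
    sigma: float             # lognormal spread of per-event loss (1.0 = long tail)


def poisson(rng, lam):
    """Knuth's method; adequate for the small rates typical of risk scenarios."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years, seed=1):
    """Return one simulated total loss per trial year (compound Poisson-lognormal)."""
    rng = random.Random(seed)
    mu = math.log(scenario.median_loss)  # lognormal median == exp(mu)
    losses = []
    for _ in range(years):
        n_events = poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(n_events)))
    return losses


def percentile(values, q):
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def summarise(losses, exceedance_threshold=1_000_000):
    """The numbers a decision-maker actually asks for."""
    n = len(losses)
    return {
        "expected_annual_loss": sum(losses) / n,
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p_exceed": sum(1 for x in losses if x > exceedance_threshold) / n,
    }


def analytic_eal(scenario):
    """Closed-form check on the simulation: E[N] * E[X] for Poisson frequency, lognormal severity."""
    return scenario.events_per_year * scenario.median_loss * math.exp(scenario.sigma ** 2 / 2)


def mitigation_value(before, after, annual_cost, years=20_000, seed=1):
    """Expected annual loss with and without a control, net of the control's cost."""
    eal_before = summarise(simulate_annual_losses(before, years, seed))["expected_annual_loss"]
    eal_after = summarise(simulate_annual_losses(after, years, seed))["expected_annual_loss"]
    return {
        "eal_before": eal_before,
        "eal_after": eal_after,
        "annual_cost": annual_cost,
        "net_benefit": (eal_before - eal_after) - annual_cost,
    }


def input_sensitivity(scenario, factor=2.0):
    """Range of expected loss if the judged median is off by `factor` either way.
    A wide range means the estimate rests on guesswork rather than data."""
    low = Scenario(scenario.events_per_year, scenario.median_loss / factor, scenario.sigma)
    high = Scenario(scenario.events_per_year, scenario.median_loss * factor, scenario.sigma)
    return analytic_eal(low), analytic_eal(high)


if __name__ == "__main__":
    # Constructed scenario: a data-handling failure about twice a year, median cost
    # 50k per event with a long tail; a control halving the frequency costs 40k a year.
    base = Scenario(events_per_year=2.0, median_loss=50_000.0, sigma=1.0)
    controlled = Scenario(events_per_year=1.0, median_loss=50_000.0, sigma=1.0)
    print(summarise(simulate_annual_losses(base, 20_000)))
    print(mitigation_value(base, controlled, annual_cost=40_000.0))
    print(input_sensitivity(base))
```

With the constructed inputs the model says the control is worth roughly 80k a year against a 40k cost, but `input_sensitivity` shows a fourfold spread in expected loss from a twofold error in the judged median. Where the median is a data-backed figure from repeatable incidents, the first number is usable; where it is one person's estimate, the second number is the more honest output, and the qualitative route above is the better use of everyone's time.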


Likewise, the "standards" such as ISO 31000 (and its precursor, the Australia/New Zealand standard AS/NZS 4360) provide a source for definitions and concepts, but there is no rocket science in any of them. They are valuable, but they are frameworks and standards only, not usable guidance for the day to day.


The tools and processes used must be appropriate.

 

Continuously learning: this applies as much to Risk Managers as it does to everyone in the enterprise who is responsible for activities that may deliver benefits and support the achievement of objectives and plans. Risks are "owned" by individuals across the enterprise, and those owners should continually be learning how to manage their risks more effectively. The owners need to educate those around them, and those impacted by the risk, about the nature of the risk and the mitigation in place to reduce outcomes that run counter to the objectives. This includes advocating for the budget required to mitigate the risk effectively. Likewise, these owners also own the opportunities, and are responsible for identifying them and advocating for exploiting them. 


This is equally true of strategic risks and opportunities. Such risks have owners too (in many cases the risks derive directly from opportunities, and from decisions to exploit or avoid them). Strategic consideration is only possible through continuous learning: incorporating new information and assessing trends, both short and long term. 


Included in the area of continual learning must be the development and use of KRIs (Key Risk Indicators) by the owners of the risks, with the support of Risk Management in the development of those KRIs. Monitoring and interpretation of the KRIs are (and will be) a core element of the role of Risk Management. And that will require a continual review of the appropriateness and effectiveness of the KRIs in actually providing effective risk monitoring information, to lead to and support...

 

Ensuring effective decision-making: Effective decision-making is the core of a successful enterprise. Decision-making takes place every day, by everyone in the enterprise; what differs is the criticality and importance, short and long term, of the decisions being made. Every decision carries some amount of risk: the risk of misallocating resources, or of retaining or alienating customers through the quality or failure of service delivery. Supplier and supply-chain issues arise from scheduling or price negotiations, or from factors outside the direct control of the decision-makers. 


Furthermore, it is not enough to ensure effective decision-making at the top of the enterprise, but vertically throughout all levels, and horizontally between business units and teams. Support is provided across and between teams, and the resulting or enabling decisions can deliver or hinder the achievement of objectives.


Each decision contains an overt or implied risk-reward payoff calculation within it. 


Opportunities: Each decision represents opportunities, and that must be one of the primary goals of Risk Management - to encourage the identification and consideration of opportunities and thereby contribute to more effective decision-making. Enterprise success comes from identifying and exploiting opportunities, all the while being cognizant of the potential impediments. Risk Management has a habit of focusing on impediments to success, and that needs to be balanced by an understanding of opportunities and objectives.


While COSO (the original 1992 version) defined the "Objectives - Activities - Risk - Controls" hierarchy, the "opportunities" aspect is lost in the "Objectives". Sometimes Risk Management needs to provide visibility of the opportunities from the "Risk - Control" level. Of course, COSO specifically addressed the failures of control that contributed to the Savings & Loan crisis in the US in the 1980s, so it is no surprise that the focus was on the need to control risks, and not on identifying and exploiting opportunities. Yet COSO '92 remains probably one of the best frameworks for considering risks and controls.


That has made it more difficult to inculcate a philosophy of constantly looking for the "upside" or opportunities when looking at risks. The Risk Manager of the future will, as they should already be doing, be looking for opportunities to balance the risks, thus reducing the danger of becoming overly controls-focused. 


Mitigation of potential problems: Finally, of course, Risk Management (today and the future role) must consider the range of possible "bad things" (Risks) that can happen and work with risk owners to build and implement effective mitigation strategies and actions. The Risk Manager's expertise in identifying and assessing the range of possible "bad things" is not the same as having expertise in mitigating those risks. That is the purview of the experts operating and managing the activities subject to the risk. 


Now we get to the traditional words and concepts of risk identification, assessment, mitigation, and monitoring. Of course, Risk Management does these, today and into the future. 


Without the identification (and assessment) of the universe of risks that the enterprise faces, it is impossible to know whether resources are applied most effectively, both to reduce the potential for "bad things" to happen and to encourage "good things" to happen. This universe must include internal and external risks, immediate and potential long-term risks, and of course a plethora of "emerging" risks.


---------------------


Editorial comment: I've not addressed the voluminous volumes of follow-on COSOs and other standards, for "Verily this vichyssoise of verbiage veers most verbose" (Thank you "V for Vendetta"). The COSO organisation has become just another vested interest in the production of ever newer variations with the primary purpose of demonstrating the intellectual prowess and therefore thought leadership of whichever brand "sponsored" this new COSO.

