At the Center of the Risk Radar Screen

Adjunct Assistant Professor of International and Public Affairs, Columbia University and former Vice President and Group Chief Risk Officer, World Bank
Despite having spent almost all of my professional life managing or consulting others on managing risk, I confess to having some trepidation about actually writing about it for a professional audience. This first column, then, sets out where I will be coming from.
As daily headlines underscore anew, effective risk management is essential to the sustained success of any entity. Consequently, whenever the subject is raised, it almost always engenders an emotional reaction as well as a cerebral one. The word “risk” triggers our survival instinct, our “flight or fight” mechanism; no two people react to risk in the same way.
Risk cannot be completely eliminated any more than it can be ignored, but it can be managed. It can be understood, anticipated, measured and related to the rewards that may not be realized unless it is adequately addressed.
There are four key things needed to manage risk in a consistent, comprehensive, transparent and proactive way: understanding, measuring, anticipating and linking risk to reward. Yet, it’s surprising how many senior executives reject this line of thinking.
There is a whole school of management that believes that risk is endemic and that it’s “a cost of doing business.” On one level, this is true—every business activity has risks associated with it—but acknowledging it is different from doing something about it. In my experience, assuming that nothing can—or, worse, should—be done about risk is literally a recipe for disaster.
Understanding risk is fairly straightforward. You sell, manufacture, trade, transport or provide some kind of product or service to your customers or clients. Whatever your business, there are hurdles (risks) that you must overcome. These range from the strategic (environmental, both macro and micro) to the financial, from the business operations to the internal workings of the firm. Developing as complete an understanding as possible of what that landscape looks like is the critical first step to proactively managing risk.
The next two steps are the engine room of a sound risk management approach. They are also where things most often break down. I have been told countless times that “X cannot be measured” or “There is no data for this,” and “Not everything can be reduced to numbers.” Sometimes, these statements are true, but they are often excuses. The phrase is risk management, not risk avoidance or risk containment or risk inevitability. Two things I have learned over the last 40 years: You cannot manage what you cannot measure, and you can usefully measure almost anything.
The key is to find a meaningful yardstick. Trying for false accuracy can be just as damaging as not measuring at all. Whether the metric is the potential size of an event, frequency of occurrence or cost of disruption, almost any risk an entity could face can be evaluated and analyzed. If you do that, then you can be systematic in thinking through what the impact of a given risk could be, how you are going to deal with it and, just as importantly, where the boundary is between what is bearable and what will sink the ship. It also provides a means for defining a firm-wide risk appetite; in the absence of this, everybody reverts to their individual appetite and understanding of risk. If the board has one risk view, the CEO has a second, the COO has a third and the CFO has a fourth—as is all too often the case—it is almost impossible to manage effectively.
Such an approach enables management to not just ask the strategic “what if” questions, such as, “What if we have underappreciated our competitors?” or “What if there is a new technology about to be launched that makes our product obsolete?” Equally important, this approach allows a company to evaluate and answer the “what ifs” in a way that directly ties the answers to corporate objectives, informs strategic choices and provides early warning signals that things may be going off the rails.
To some, the above may sound like motherhood and apple pie. Another oft-repeated response I have heard is, “We already do these things.” My experience has taught me that all too often, “we” don’t do these things systematically, transparently or comprehensively. Moreover, “we” also often don’t communicate what we have learned or are thinking up, down and sideways across our organizations.
Finally, “we” are prone to keeping risk information in its own separate sphere, failing to explicitly think about it in relation to the value we are striving to optimize. Inevitably, this leads to disappointing results. Incorporating information about risks that already may have been identified, parameterized and acknowledged elsewhere within a firm when strategies, tactics and targets are being discussed and finalized often can lead to smiles instead of frowns.
Having articulated my personal template for considering risk issues, future columns will delve into more depth on specific issues that are proving challenging to C-suite occupants, board members and maybe even new Presidents-elect. I welcome in advance any comments, suggested topics or observations you care to share as these pieces appear.