Summary by James R. Martin, Ph.D., CMA
Professor Emeritus, University of South Florida
The purpose of this paper is to present a new framework that places risks into three categories that require different risk management approaches. The first step is to understand the distinctions between different types of risks. Some risks can be managed using a rules-based model, while other risks require alternative approaches. The three risk categories include preventable risks, strategy risks and external risks.
Preventable risks are associated with internal events such as illegal or unethical actions by employees and managers. Preventable risks should be managed using a rules-based compliance approach that guides and monitors behaviors. This includes a mission statement, a statement of values, an explicit definition of boundaries and codes of conduct, and a strong internal control system.
Strategy risks are risks that an organization voluntarily accepts in order to generate a significant return. Strategy risks need to be managed with a risk management system as opposed to a rules-based system.
External risks are risks that occur as a result of events beyond an organization's influence and control, such as natural disasters and economic downturns. Managing external risks requires focusing on identification of the risks and the mitigation of their impact.
Risk and Organization Biases
Various biases create problems for risk management. For example, people tend to be over-confident about their forecasts, anchor estimates to historical data, favor information that tends to support their position (confirmation bias), and fall in line with the group once a course of action has gained support within a group (groupthink). Effective risk management requires counteracting those biases (risk mitigation).
Managing Strategy Risks
There are three approaches to managing strategy risks: using independent experts, facilitators, or embedded experts.
A risk review board made up of independent technical experts can be used at the project level for organizations that face high risk from pursuing long, complex and expensive product-development projects. Through vigorous debate, board members can counterbalance engineers' overconfidence to avoid projects with unacceptably high levels of risk.
Organizations in stable technological and market environments (e.g., energy and water utilities) face risks that accumulate gradually from unrelated operational decisions across diverse functions. These organizations might find it beneficial to use a small risk management group to facilitate awareness of the organization's risk and risk profile.
Organizations in volatile, dynamic financial markets, such as investment banks, have a risk profile that can change dramatically in a short period of time. Risk management in these companies requires embedded experts that continuously monitor and influence the organization's risks and report to line executives and a central risk management function. Risk managers challenge portfolio managers on how proposed trades will affect risk. It is the job of the senior risk officer and CEO to prevent the embedded risk experts from becoming deal makers rather than deal questioners.
Avoiding the Functional Trap
The functional trap refers to how organizational silos compartmentalize risks by function (credit risk, market risk, operational risk, brand risk, reputation risk, supply chain risk, human resource risk, IT risks, financial risk). This tends to inhibit recognizing how different risks interact. Risk discussions must be integrative and integrated in strategic planning. Some companies incorporate risk discussions into their balanced scorecard initiative. Companies also need an oversight structure to identify general strategy risks, establish central policy, and monitor policies and controls.
Risk Event Cards and Report Cards
In an example related to Volkswagen do Brasil, the risk management team identifies risk events, develops a risk strategy map, and generates a risk event card for each risk on the map and a risk report card that provides a summary of the risk event cards for senior management.
Each risk event card lists the strategic objective, the risk event, the outcomes or practical effects of the event on operations, the risk indicators, the probability of the event occurring, and controls or potential actions to mitigate the risk. The risk report card summaries are organized by strategic objective and show at a glance which risks are critical.
Managing the Uncontrollable
Managing external risks involves identifying those risks, assessing their potential impact, and determining how to mitigate their effects. Some external risks can be predicted and treated as strategy risks. For example, an increase in protectionism leading to tight restrictions on work visas could prompt a company to recruit in a way that mitigates the risks. However, most external risks are more difficult to predict and manage. The authors mention several examples, including natural and economic disasters (earthquakes, housing bubble), geopolitical and environmental changes with long-term impact (wars, global warming, water shortages), and competitive risks with medium-term impacts (electronic commerce).
Tail-risk Stress Tests
Stress tests involve assessing how changes in one or two specific variables would impact the organization. Examples include large changes in oil prices or large swings in interest rates, but assumptions are critical. For example, the tail-risk test for banks in 2007 did not assume housing prices might decline, only that they might stall and remain flat.
Scenario planning is a systematic process for estimating future long-term states of the world, including political, economic, technological, social, regulatory, and environmental forces. An organization's risk advisory boards might estimate maximum and minimum values for a five- to ten-year period and how the organization's strategy would be affected.
War-gaming involves assessing an organization's vulnerability to disruptive changes in technology or competitive strategies. Teams play competitive games to attack the organization's strategy. Some risks can be mitigated with insurance or hedging.
Summary of the Three Risk Categories
The following illustration provides a summary of the three categories of risk including their characteristics, mitigation objectives, applicable control models, roles of the risk management staff, and the relationship of the risk management function to the business units.
The Leadership Challenge
Managing risks runs counter to what managers want to do, i.e., manage strategy and success. Therefore, risk management requires a separate function to help neutralize managers' bias toward seeing the world as they would like it to be, particularly when there are no clouds on the horizon.