
Risk Management

June 13, 2011

Business owners have always had to worry about risk. Issues such as quality control, security of payment and the honesty of employees have persisted. Some risks (such as ships destroyed by storms) have become largely irrelevant. Others – for example, regulatory risk – have mushroomed. And ‘risk management’ itself has become a full-time profession.

One result of this is an increasing interest in the relative risk performance of different organizations. In principle, this is worthwhile and may offer insights that assist in improving organizational performance. However, I have grave doubts about the usefulness of most ‘risk surveys’ or ‘maturity assessments’ because they seem to me largely self-serving and potentially damaging to business performance.

I will give just a couple of examples from a survey that says it is about ‘value generation from supply risk management’. Like most such studies, it seeks to understand senior management attitudes to risk and does this through ‘orientation’ statements such as:

“Top management’s involvement with risk management is strong”, and “Risk management is part of the culture of our organization”.

My experience with such questions is that answers are very skewed by subjective factors. For example, the assessment of top management involvement tends to be determined by the individual’s personal attitude towards those top managers. Perceptions of ‘cultural integration’ tend to depend on personal attitudes to risk and the extent to which risk-obsession serves personal interests (for example, if we score badly, can I use these results to elevate the importance of what I do?)

Similarly, “Our risk management function is very well established” is the sort of statement that leads nowhere in understanding value. Well-established relative to what? And indicating what? Many would argue that the most mature organizations do not need a bolt-on risk management function, because the capability is embedded into the way the organization works.

A recent survey also looks at specific risk areas, such as intellectual property, where it seeks input on statements like “We often deem risks too high and decide not to share knowledge with a supplier”. I know organizations like this – and many are struggling in the market because their assessments take no account of the opportunity cost of their risk policies.

I am very much in favor of risk management and I also think that surveys can be helpful. But to make risk management a valuable discipline, we must be more thoughtful about the assessments we make. For example, when it comes to management attitudes, it would perhaps be more meaningful to explore their sources of advice in reaching business decisions (do they gain balanced input, or engage in a ‘culture of optimism?’). It would be interesting to know whether the internal management and measurement systems have been designed to encourage cross-functional collaboration and inclusive team behaviors, or typically result in disruptive attitudes and key functions being marginalized or ‘involved too late in the process’. In an area such as intellectual property I would like to know whether the business units are seen as the owners of their IP and are accountable for its proper exploitation and management. I would also like to know whether people outside the organization feel that they can share their IP with us. And overall, I would be exploring whether the organization is prepared to accept risks, or seeks to allocate them to others (for example, within supply contracts, how are liabilities, indemnities, price changes, liquidated damages handled?)

Risk awareness is something that will often be driven through specialists. For example, changes in regulation must be assessed by relevant experts who should then design appropriate communication across the organization. It seems to me that management will also benefit from periodic risk capability reviews – for example, having experts observe the way that top management is given advice, or monitoring typical bid or negotiation processes, or testing the procedures for handling unexpected events. But risk management is ultimately determined not by some bureaucracy (which will itself become a source of risk); it is the result of a balanced organizational design in which people feel they have a clear sense of direction and where collaborative behavior is the norm.

No business will ever be risk-free. The goal of risk management must be to anticipate those risks that are potentially both serious and recurrent and prepare for those that are potentially serious but not recurrent. Some risks can be managed through rules and procedures, or through technical development. Many require intelligent assessment by individual employees or associated third parties, whose attitudes and behaviors can eliminate or escalate risk incidents. Which way they go will to some extent depend on their training and personal skills, but in large part will be determined by their morale, their sense of loyalty and the values they have been taught through their performance measurements.
