Managing Risks: How do we know we are managing risks well?
Laycee last edited by
When an auditor performs an inspection on a process area, the auditor will use interviews and documented evidence to make a judgment about how well the process is being performed. Inspecting a risk management capability should not be any different, but I think it is.
Auditing a risk management process on a project I would expect to see:
- Risk management plan
- Risk management process and procedures
- Evidence of risk meetings on some cadence
- Evidence of escalated risks
- Evidence of risk analyses and reanalyses
- Evidence of various mitigation plans
- Risk log
But the absence of all of this evidence does not necessarily indicate with a high degree of validity that risks are not being managed well and vice versa. In our daily lives, we manage all kinds of risks without any documentation at all and, if you're alive reading this, you're doing a reasonable job.
So my question is: what truly indicates a high-performing risk management capability?
There are two standards to which risk management should be compared. First, the compliance standard.
Do you have the documentation? Can you defend that you have expended effort? By this standard a "risk management softball team" is equal in vale to any other risk management efforts. I have little respect for this, but it is what is normally meant by a risk management program. Management wants to know that someone has expended effort (and generally wants those who expend that effort to remain silent, or failing silence to utter reassuring words). This effort will pass the muster with auditors and other compliance organs. After all, the Titanic was compliant with all safety standards.
Return on Risk Investment. If you are really serious about risk, then you should be able to measure the reduction in risk (increase in opportunity). Naturally, this is a probabilistic measurement, and it demands some sophistication to articulate, but mature organizations are content when the risk management function makes concrete recommendations that
a. Reduce the probability of risk/increase the probability of successfully exploiting opportunities
b. Reduce the impact of realized risk/ increase the impact of exploited opportunities
c. Transfer risk to competent external parties and demonstrate a cost savings by doing so
d. Plan and document alternative strategies that give management the option of avoiding risk.
If you do that, you can measure the risk avoided, subtract the cost of the program and calculate the return on risk investment.
This is not for the faint of heart; it demands a serious investment, rather than a compliance eyewash. It demands that the organization commit to understanding risk, and take action based on empirical, albeit probabilistic, evidence. Sometimes this means making a decision on evidence rather than on bias or "gut" (which, in my experience, nearly all managers are reluctant to do). This is rare, but there are significant institutions that do this.
There is a third standard that I've discussed theoretically, but I don't think I have ever seen in practice. What % of capital is spent on investments, rather than on reactions? Every good manager has a list of investments/projects that will increase their value to the organization. Every manager and every CFO is forced to redirect some of that capital to less productive purposes to cover issues ("issue" is a risk that was not managed properly, and results in unexpected costs/damages). Risk cannot be eliminated, but if you study your institution and your competitors, you can reduce your risk, and keep unplanned spending within control. That gives you more capital available to invest in capital deepening, and reduces the frequency and impact of "one time charges" that appear on your balance sheet.
Simply sit down periodically and classify all your budget requests (not expenditures, requests) into three buckets
- O&M that is inflexible; can't be reduced without further capital spending (this should be static)
- Capital investment that will increase the value (reduce costs/add new services) These are long term planned costs with specified budgets
- Unplanned remediation - money that had to be repurposed/special requests, etc. Money that you had to spend because something went wrong.
Unplanned remediation can be further divided into
Risk Management Failures - technical debt that you knew was accruing and failed to manage. People who quit, but for whom you didn't have replacements in the pipeline (succession plans). Every employee who leaves because the enterprise didn't provide enough training/appreciation/opportunity/career path/fairness/flexibility. Equipment that you failed to maintain, or failed to depreciate and acquire bench stock. Bugs and defects of which you were aware, but for which you failed to explore alternatives. Other issues that you were aware of, informed your management/responsible parties, but failed to be noisy enough or persistent enough to transfer the risk. The effect of attacks or disruptive actions by competitors or other adverse entities. Ransomware events. Lawsuits, EEO complaints. discrimination actions. Inability to take advantage of opportunities because your workforce isn't nimble, or T-Shaped, or is missing some critical skill, or lacks some other attribute that prevents you from acting in a timely fashion.) Failure to be aware of shifts in demand and supply. Other supply chain issues. Building your nuclear reaction in an area that is prone to Tsunami's in a predictable period, and failing to cover that. Accepting the cost cutting recommendations that result in halving the double hull on the Titanic. Ignoring the briefing that warned you about O rings.
True https://www.investopedia.com/terms/f/forcemajeure.asp events. COVID. Sure, in theory we could have estimated the probability of a pandemic. I'm not going to fault you for failing to do so; the probability was so low.
If you do that exercise with honesty and integrity, the risk management failures bucket is the rough order magnitude of the budget for your risk management function. If you invested some of the unplanned spend money, could you have avoided one or more of those unplanned spends? You don't have to be completely successful - you just have to save the enterprise more money than you spend. Building a risk management program won't be magical; it will take time to build and integrated processes that avoid losses and exploit opportunities