Despite all the rhetoric and money invested, risk management is all too often treated as a compliance issue that can be solved with rules. Sometimes we can cripple the ability of our associates to identify risks they face and properly evaluate and address them. It really is a common problem.
Of course, many rules are sensible and do reduce risks that could damage a company. However, rules-based risk management will not diminish either the likelihood or impact of a disaster. The first step in creating an effective risk management system is to understand the qualitative distinctions among the types of risks organizations face.
One type is preventable risks, internal risks that arise within organizations. They are controllable and ought to be eliminated or avoided entirely. Examples include risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect or inappropriate actions and the risks from breakdowns in routine operational processes. Companies must try to eliminate these risks since they get no strategic benefit from taking them on.
The second category involves strategy risks. Every company voluntarily accepts some risk to generate superior returns from its strategy. A bank assumes some credit risk when it lends money. Many firms take on risks through research and development activities or when they make acquisitions. Strategy risks are very different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks. Managing those risks is a key driver in capturing potential gains.
I don’t believe strategy risks can be managed through a rules-based control model. Instead, you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to strengthen the ability to manage or contain those risks should they occur. This would allow companies to take on even higher risk-reward ventures than competitors with less effective risk management tools.
The third type of risk involves external risks. These arise from events outside the company’s influence or control. Sources include natural and political disasters, major macroeconomic shifts, cybersecurity hacks, etc. Because companies cannot prevent such events from occurring, management must focus on identification and mitigation of their impact.
Risk management most often focuses on the negative – threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams work to foster. Many leaders are reluctant to spend the time and money now needed to avoid an uncertain future problem that may or may not occur. Most companies need a separate function to handle strategy and risk management. The group must report directly to the top team. A company’s ability to weather storms depends very much on how seriously executives take their risk management function.
To manage risk, we break it down into four categories:
- Risk Avoidance. This simply involves avoiding products and services with high potential for losses.
- Loss Prevention. This involves eliminating risks before they occur, for example by implementing employee training and safety programs.
- Loss Reduction. These approaches focus on minimizing the effects of risks through response systems that neutralize the effects of a disaster or mishap.
- Financial Risks. This involves paying for risks by retaining or transferring their costs through tools such as insurance policies, or by having practices in place that guide financial behavior, such as parameters around how much debt a company is willing to take on for an acquisition.
In the end, risk management requires discipline and commitment from senior leadership in an organization. “Out of sight, out of mind” does not work in an environment where risk is always present. It reminds me of an old saying, “You’re better off spending time building fire houses rather than putting out fires.”