Mike Thornton challenges businesses to consider what their risk management framework is trying to achieve, and how it could be missing the mark.
Risk management frameworks can be complex. That’s because there are a number of components related to policies, procedures, systems, governance and people, and these need to impact and influence thinking across all risk categories, in all parts of the business.
As a result, it comes as no surprise that risk management frameworks can be complex, cumbersome and poorly integrated into the business. Unless the framework is aligned and consistent with the culture, structure and operating rhythm of the business, it will introduce inefficiencies and frictional costs, as well as sub-optimal outcomes. The form may well be in place, but the substance might be lacking, and you might obtain a false sense of security from going through the motions, executing processes that are missing the mark.
To be effective and efficient, a risk management framework needs to be seamlessly integrated into business processes, and be consistent with the culture, structure and operating rhythm.
Ultimately, if risk management is not leading to the right conversations, and is not impacting strategic thinking and the allocation of resources, it is missing the mark.
Risk management ought to be simple
At its core, risk management ought to be simple. A focus on awareness, prioritisation and people ought to be sufficient to drive the right outcomes.
- Awareness: Are you aware of your risks, the causes and the potential impacts? Are these transparent and well understood by executives and the board?
- Prioritisation: Are you working on the most important risks? Are sufficient resources allocated to address them? Are you transparently making the tough prioritisation calls?
- People: Do your culture and management disciplines support this? Do you encourage leaders to actively manage their risks and make these transparent?
A focus on these simple principles should go a long way to making sure that risks are consistently identified, transparently discussed, prioritised, and where appropriate, acted upon.
Tough prioritisation calls should establish what will and won’t be worked on, ensuring that capital and resources are allocated efficiently. The business’s culture, management and operating rhythm should create a self-reinforcing system that learns, refines and reprioritises risks on an ongoing basis.
Finally, risk management disciplines and the prioritisation process can be ‘right-sized’ for the business, so that this is consistent with desired financial outcomes and risk appetite.
Why do we find this difficult?
It’s not that easy! In practice, businesses are different, and within them, people don’t behave consistently.
Businesses have different cultures, sub-cultures and operating rhythms, and people have different priorities, interests and agendas. Some executives will naturally and intuitively manage risks, balancing this effectively with other priorities, whilst others will see the management of risk as a distraction from other more important issues and interests that warrant attention right now.
Even if this is done well within business units, it is often challenging to ensure that this occurs consistently for end-to-end processes that straddle several parts of the business.
As a result, it is not easy to develop one simple, self-reinforcing system that is aligned to your culture, structure and operating rhythm, and is going to operate effectively and consistently right across your business.
Moreover, as all businesses are different, there is no cookie-cutter approach!
Focus on the outcomes you are looking for
This is why a focus on outcomes is essential. If you can clearly articulate a few simple outcomes that need to be achieved, these will provide a consistent frame of reference.
For businesses that already have mature risk management frameworks, this provides a way of reviewing their effectiveness. For those businesses that are enhancing their approaches, a focus on outcomes will help to set the direction, increase buy-in and engagement, tease out key issues early on, and help to shape the actions designed to deliver these.
For example, should individual executives ‘own’ each of the business’s key risks, recommending and driving mitigating actions, and taking accountability for the remaining residual risk? Such an objective might be obvious to risk practitioners, but can be confronting to some executives.
Putting an objective out there sets the scene, removes ambiguity, and helps to drive the supporting processes.
The alternative is developing processes and tools you think you need, only to realise later that these are poorly integrated into the business, costly, and missing the mark.
So, are you comfortable with your risk management framework? Is it time to step back and consider what you’re trying to achieve?
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives CC BY-NC-ND Version 3.0 (CC Australia ported licence).