Operational Risk Management and the Risk Governance Challenge
There are four pillars to effective enterprise risk management:
Most organisations, particularly financial organisations, have allocated significant resources to the first and possibly the second pillars, but have left the others relatively ineffective. These pillars collectively hold the roof up; if one or more are missing or compromised, so is the shelter that the framework provides.
The challenge of risk management governance arises fundamentally from most organisations’ focus on short-term performance. Moreover, compared with performance, which has apparently simple metrics, risk is complex, with an extremely diverse range of possible low probability, high impact outcomes or nightmares that need to be managed.
Recent popular governance efforts that concentrate on narrow aspects are inadequate. Examples include ensuring that boards include strong independent directors, that CEOs do not also chair the board, that boards endorse risk management frameworks, that boards receive regular risk management reports, and that board and management attest that controls are in place and risk management processes have been followed.
These are important but defensive measures, rather than ones designed to ensure that risk is well managed. They are more form than substance, as they do little to ensure that positive governance focus is balanced between performance and risk. Indeed, risk management often appears to be reduced to the completion of a task checklist, rather than treated as a serious endeavour of an organisation’s board and management.
So how do we ensure that risk management is represented adequately in board and management’s proactive governance of an organisation?
We can learn from the way organisations manage performance. Performance targets and progress towards them are the key focus of most governance meetings, both in the operationally focussed short term and in the more strategically focussed longer term. Key characteristics of performance governance include:
The same characteristics should be sought in effective risk management, which is likewise dependent on management engagement.
In the same way as business managers accept and are held accountable for their business revenues, costs and profits, so they need to be held accountable for their risk management.
As with performance, this needs to balance focus on both the immediate short-term incidents and issues, and on the best medium-term risk management positioning. Risk management is just as dynamic as driving the best performance. Short-term incidents and issues require immediate response, but there are also often more important issues, such as the positioning of the organisation’s operations and relationships with suppliers and distributors, staff and regulators, which are critical to achieving a better, lower risk future.
Since risk is complex and loss outcomes may reflect a number of different contributing factors, some have suggested that clear definitions of risk management accountability are impossible. For example, where do you attribute the accountability for a public relations disaster that was triggered by the discovery of a staff member committing fraud in a trust services business unit?
Such demarcation issues are certainly complex and require due consideration to ensure the appropriate risk management behaviours are encouraged.
But this is no different to performance management. For example, where do you attribute the accountability for the poor performance of a new product line for which the sales division failed to meet sales targets, the economics/strategic planning group overestimated demand, and the manufacturing process failed to meet cost targets due to staff discontent and stoppages? In such cases it is normal to make each contributing area accountable for its own area or dimension of the integrated activity, to drive the appropriate performance management behaviours. Sales divisions are accountable for meeting or exceeding sales targets, manufacturers for cost and quality targets, and so on.
In risk management, defining accountability boundaries extends the risk assessment activity usefully into the broader process of defining the organisational and management structure. A firm that understands its risk profile is well on the way to determining how this can be best managed by its management talent. Conversely, one that finds duplication and gaps in its risk management also generally finds an incomplete or siloed understanding of the organisation’s risks.
The risk management accountability needs to be explicitly expressed with the accountability of other managers clearly demarcated to ensure full coverage without duplication. Debate about the accountabilities and their boundaries is a positive exercise that engages the management personnel involved and often generates co-operative risk management responses.
There is a place for summary whole-of-organisation reporting, such as for risk framework rollouts, where progress against target is a useful metric, and for exception reporting of those elements that are behind time or quality targets, which prompts a useful management response.
Summary reporting can, however, be the death of enterprise risk management. The risks that matter are those with very unlikely but organisation-threatening impacts. Regular en masse status reporting of these can be dull and disengage the interest of the organisation’s governance bodies. It is like a person falling backwards from a cliff looking up at the sky and saying “so far, so good”. What we want is for the person to look forward, to report only when they reach a cliff edge, and ideally to do so before they take the next step.
For risk management, the first key to reporting is to replace summary status reporting with a keen focus on a small number of topical issues and exceptions as they emerge. Some of these will be topical at an industry level; no one could avoid a focus on terrorism immediately after 9/11. Others will be the major assessed risks of the organisation, dealt with on a rotating basis. There should also be at least one sample from the assessed second tier risks.
The second key to effective reporting, and to accountability, is to put the accountable person on the spot and have them report personally to the board or equivalent management group, including responding to questions on the fly. Given the complexity of risk management, this will ensure the accountable person gets to know the risk personally and is engaged in its management, effectively claiming part of his or her limited management time.
This same personal reporting process should cascade down to the real subject matter experts. These experts, who might each cover separate dimensions of the risk, will have to put their credibility on the line via direct reports to the accountable person. Has the risk changed over a suitable recent period? Should we be doing something different about it?
Tested objective indicators covering a risk or some of its key dimensions are very useful yet not common. There are often so many complicating factors that the story told by a single indicator or a small number of indicators is still incomplete, and it is the new, unexpected factor emerging from left field that can trigger the major loss.
‘What gets measured, gets managed’, but measuring enterprise risks is difficult. There is generally insufficient loss data to easily model the different risk types businesses face or to calibrate such measures to the organisation’s current circumstances. For the important low probability, high impact risks, subject matter experts’ judgments are, and are likely to remain, a critical input to the risk assessment and measurement processes.
To a degree this is no different to the difficulties of measuring performance, but there we have significant established, if still evolving, guidelines on accountancy practices to assist.
For risk, the degree of quantification can vary from a statistical or actuarial approach used by banks under a Basel II Advanced Measurement Approach to a simpler structured ranking process supported by many risk standards and used by many organisations. In either case, the best available risk metrics come from a process that:
It is quite likely that from time to time the accountable person for the risk will disagree with the trend movement in the related risk metric that emerges from this structured process. This should not be seen as an insurmountable issue for either the risk metric or the accountable person, but rather as another point of engagement. The accountable person needs to be able to represent the organisation’s exposure to the board, and if this requires discussion of his or her differences from the judgments reflected in the risk metric, then this is exactly the situation in which a discussion at this level is warranted.
The risk management industry has largely scoped the technical tools and the remaining technical issues for operational and enterprise risk management. Significant evolution in practices is, however, still required, and nowhere more than in achieving effective risk management.
The single most important step forward in effective risk management is to establish appropriate risk governance and to ensure that risk management is supported by: