Oliver Houghton & Rigardt Jonker
This is the third article in this series from Andile (Article 1 – Does risk management need to evolve?; Article 2 – Where to now for Operational Risk and Enterprise Risk Management?) and offers considerations for making practical enhancements in Operational Risk Management. These insights will apply equally to other risk types, in particular other “enterprise-wide risks” and the broad range of risks that could be called “non-financial risks”.
What we are trying to achieve with these articles is to influence how businesses, executives and risk managers think about risk and how it needs to be managed. Each article will explore important aspects of risk management, why it sometimes appears to be failing, and then provide ideas on how to enhance or optimise desired outcomes. These proposals are not arbitrary; they are borne out of years of trial and error in the risk fraternity and should form the foundation of risk management concepts anchored in business realities and fundamentals.
Once again we would like to remind our readers to provide their views, and we are happy to debate the pros and cons of these discussion points.
The series is structured around the typical dimensions that risk practitioners have come to understand when talking about managing risk. These dimensions are shown in the graphic below and highlight the three broad areas that this series explores: Business, Organisation and Risk. The focus of this article is on all three dimensions:
- What they are
- Why they matter
- How they are connected
The dimensions are exactly the same for every single business and risk manager, regardless of industry, location, or risk type, although an organisation may call them something else, and there may be more or fewer individual building blocks. The basic dimensions do not change, but how they are designed and implemented will differ from organisation to organisation.
Figure 1 – Organisational Dimensions
All three of these dimensions are fundamental for sustainable business performance and sound risk management. Most importantly, they must all work in unison, cohesively and seamlessly. If one dimension is out of line with another, the net effect will be a suboptimal outcome.
From previous experience it is clear that many organisations have not succeeded in connecting these three dimensions. The dimensions are often viewed separately, despite efforts at integration. Consider how business strategy is determined – is it systematically derived considering all three dimensions? Or are risk and organisation an afterthought? Think about how an organisation will go about establishing a risk management capability, using third-party risk as an example – would they start with the risk management policy and framework first? What about the business and organisation dimensions?
How would we know if these three dimensions are not in unison? The following business behaviours may point us in the right direction:
- business management see “Risk” and “Organisation” as a constraint on strategic execution;
- risk managers see businesses as pushing back;
- one or more of the dimensions are missing from reporting;
- the organisation restructures frequently.
The Business Dimension
Every business has a purpose, its reason for existence. The business dimension defines why the business exists and what it does. The other two dimensions (Organisation and Risk) only exist if there is a Business dimension. This is the first thing that a risk manager needs to be cognisant of. In our first article, we stressed the point that risk comes from the nature and strategy of a business. This is important, as it defines the scope and boundaries of the risk managers’ mandate and relevance.
Think about a new business, perhaps a business in start-up mode. What exists? There is no organisation. There is no risk. There is only a business with an intent. A business with a purpose and a vision. No risk is taken or incurred, and no commitment is made; not until the first customer is engaged, contracted, onboarded, and served. There are no exposures until the first transaction – whatever the business may be.
Figure 2 – Establish context and relevance
This is a simplification, considering the complex world and environments that businesses operate in. However, the analogy is important to make sure Risk Management focuses on the correct things. The way that Risk Management is conducted in a business frequently omits the most important element: the true origination of risk, which should be Risk Management’s true priority and essential focus – the business dimension. The business dimension should be the anchor. It is the invariable. The other dimensions are variable; they can and do change.
The business dimension defines what is important for the existence of the business. As the business grows and expands, this “what” becomes larger, but Risk Management frequently overlooks the essence of the business, the core of its purpose and success, as this is the unchanging dimension.
It is easy to forget this simple truth. Things are complex. Life happens. Incidents happen. Regulations are drafted in droves. And Risk needs to respond to all of this. All of this is simply change – things that are changing around the business. Things that introduce variability. Things that could impact the purpose and goals of the business dimension. This provides two further important insights for Risk Management:
- Variability and change introduce uncertainty for the business dimension
- Risk Management is about achieving relevant context of this variability for the business dimension
What does all of this have to do with Risk Management? Well, everything. If Risk Management is to be effective and add value (always the criticism from the Business), then risk managers need to understand, very deeply, why the business exists and what its strategy is. Risk Management needs to understand how the business goes about developing, executing, and measuring its strategy. This is the first step in the Risk Management process.
At the heart of the approach to Risk should be the purpose and strategy of the business. The Risk Management approach is intrinsically part of, and tied to, strategic and operating performance and must not be viewed as a separate process. The Risk Management process must use tools and data that enable the identification, development and use of risk data in a strategic and business context, while ensuring that no siloed mentalities or behaviours are created.
The Organisation Dimension
The organisation dimension defines “how the business does things”. This dimension is all about the operating model, organisational culture, how the organisation is governed and how accountability is embedded. This is an important dimension, and it is one which is often overlooked or not sufficiently understood. It is the organisation dimension that embodies the norms and embedded assumptions of the organisation. These behavioural norms are the forces that can:
- Create or constrain agility
- Entrench a protectionist versus value-creating approach to risk management
- Create a policy conformance emphasis versus a business enablement orientation
- Promote empowered decision-making or inhibit it
- Allow for simple or complicated governance arrangements
This dimension is formed and shaped over time, and this is one of the reasons that it is complicated. Organisational norms frame the approach to business and define the existing culture of the leadership and hence organisation. Embedded assumptions form and are then taken for granted, considered non-negotiable. The operating model reinforces these behavioural norms and entrenches the rules of engagement.
Figure 3 – Organisational Behavioural Norms
Most risk managers and risk disciplines have wholly underestimated the influence of organisational behavioural norms on the effectiveness of Risk Management. There is a direct relationship between how business is conducted and how risks are managed. Organisational norms establish attitude towards risk, perceptions about risk, and directly influence the maturity of risk practice in the organisation. These in turn amplify biases within the organisation. Risk managers need to increase their understanding of the Organisation Dimension if true value is to be extracted from managing risk. It is this dimension that creates the “moulds”, which risk managers need to break and reframe (see Lesson #3, from the 2nd article in the series, Where to now for Operational Risk?).
If Risk Management does not understand the presence of these forces, it can become trapped by them. If these forces have been identified and their workings are understood, then they can become powerful levers for effective risk management. The Organisation Dimension is complex, and this article provides a high-level introduction to it. A practical way for risk managers to think about the influence of this dimension on Risk Management might be to consider where the organisation is positioned on the following spectrums:
Figure 4 – Influence of Organisational Norms
The Risk Dimension
The risk dimension defines “how the organisation deals with risk”. This is the dimension where risk disciplines have spent most of their focus. Naturally, this is the one dimension where most risk managers are comfortable.
One of the reasons that risk practitioners are most comfortable with the Risk Dimension is because it is here that the Risk Management methods and requirements are defined. There is a fair amount of structure to the risk dimension, as it has been informed by regulatory criteria and industry consensus gained over time. In addition, many organisations and regulators have narrowly focused on this dimension either intentionally or due to weak alignment with the other two dimensions.
Figure 1 provides an indication of the various elements that make up the Risk Management process. These elements are traditionally associated with Operational Risk Management and a range of other enterprise risks and “non-financial” risk types. In combination, this amounts to the building blocks which enable risk to be identified, assessed, managed, reported and monitored.
The way risk managers think about risk is not the same as how executives and business management (henceforth referred to as business stakeholders) think about risk. In Risk Management, risks are typically identified, monitored and managed in neat, tidy buckets, for example Credit Risk, Market Risk and Operational Risk.
However, business stakeholders need to understand how all the different risk types may impact their profitability or survival, how risks are connected, and how to identify any potential risk domino effects. They do not have the luxury of first consuming all the different reports per risk type, brainstorming about an infinite number of scenarios, and then also thinking about the impact of new risks on the horizon on their risk profile.
A criticism that normally stings the risk manager is when the business states that they do not feel they are getting tangible value from Risk Management. The scenario described in the previous paragraph is exactly why that type of criticism is levelled at Risk Management.
The intention of this series of articles is not to denigrate Risk Management; it is rather to identify shortcomings in the way things are currently done, and then to come up with tangible solutions for how these weaknesses can be corrected.
Our next article will explore how to align business strategies with risk appetite.