By the time companies get halfway through the implementation of a risk management framework, it has already become obsolete.
Do you know anyone in the professional world who does not talk about risk? I don’t. As a matter of fact, human beings rose to the top of the food chain because of the ability to perceive and manage risk. Other animals also manage risks, but in a more instinctive way generally based on "fight or flight."
So, why do we seem to make a big deal out of risk management if everyone does it and we humans have been at it for millions of years? Last I checked on Amazon, there are more than 22,000 books on risk management. But who's counting? It seems new jargon is added to the cauldron of concepts and ideas and frameworks of risk management on a daily basis. By the time companies get halfway through the implementation of a framework, it has already become obsolete. There are so many competing solutions being offered in the risk management marketplace – every consulting company has its own branded product. So many solutions looking for a problem. But what is the problem?
At a very fundamental level, risk management is about identifying, quantifying and managing risks. And managing risks has four components: avoid, mitigate, transfer or accept the risk, or some permutation and combination thereof. As Sherlock Holmes would say – "It is elementary, my dear Watson."
In reality, though, it is anything but.
The challenge is not the what and why of risk management but the how. Let me clarify.
Businesses exist and prosper because they create value. That means a decision involving land, labor and capital needs to be made in the present expecting an outcome in the future. Given that no one has perfect insight into the future, there is uncertainty about the outcome and hence there is risk involved in every business decision. So, it makes perfect sense to be able to manage that risk within an acceptable limit. The question is how. There is a lot of fumbling around there.
First, before we can manage something, we need to understand it. Risk is manifested in many different ways and often not in a homogeneous manner. For example, a risk to the balance sheet is not easily comparable with risk to earnings or to cash flow. Risks in the short term are not easily comparable with risks in the long term. Risk from the individual leader’s perspective is not easily comparable with the risks from the organizational perspective. Risk professionals often say risk and opportunities are two sides of the same coin. I say not quite. For example, what may look like an opportunity from an earnings perspective may involve a huge risk on the balance sheet. So, how does one compare and manage even when one identifies the risk properly?
Second, we need to think of managing risks while the decision is being made, not after or even before. Risk is not the same as uncertainty. I find it fascinating that some GRC (governance, risk and compliance) frameworks talk about creating and maintaining a risk universe as if risks exist independent of organizational decisions. I am not sure if this is because the creators of these frameworks do not know any better or because they are just out to make a fast buck off the naïveté of their clients.
Third, I find risk professionals (at least some of the savvier ones) put a lot of emphasis on modeling and quantification of risks. Don’t get me wrong. I absolutely think measuring risks is necessary. But it is a necessary evil, as it is fraught with assumptions, and often the decision maker is oblivious to them. Quantification is only a means toward the end, not an end in itself. The goal needs to be to understand the level of risk so that appropriate resource allocation can be made. Remember, we do not have unlimited resources, and, therefore, we need to prioritize risks. At the heart of it, the purpose should be to understand the level of risk the business needs to accept. No amount of Monte Carlo simulation can help if this goal is not met.
I rest my case here. Looking forward to receiving comments and feedback.