In the “good old days” of the post-World War II era, buffers of space and time gave organizations more leeway to react and adapt. Events in remote places seemed to have little impact and were more insulated. Information was available to a relative few, whose power came from their specialized knowledge. Centralized systems of management and control seemed to work. Problems could be reduced to their components and managed separately. Most assets were thought to be tangible and could be protected. Most risks were thought to be known or knowable, and their likelihood predictable. Risks appeared to be far less interdependent.
This is an excerpt of Surviving and Thriving in Uncertainty, Creating the Risk Intelligent Enterprise by Frederick Funston and Stephen Wagner (Wiley Books, 2010).
Conventional risk management focused on asset protection, typically in the form of insurance. It was also believed that risks could be identified and managed within silos and that risk aversion would maximize shareholder value. Risk was typically seen as a cost, not an opportunity. Risk management programs took “one size fits all” forms. For these and many other reasons, conventional risk management has failed.
In the turbulent and uncertain 21st century, the buffers of space and time no longer exist. Information has become instantly available. It still confers power, but now everyone has it. Communities of interest can form overnight. Centralized control often fails in the face of turbulence. Fixing pieces no longer solves problems. Many assets are now intangible and cannot be protected in traditional ways. Many risk events are unknown and perhaps unknowable.
Surviving and thriving in uncertainty and turbulence requires unconventional thinking and calculated risk taking. The enterprise must be understood holistically and seen as a living organism. Risks must also be understood as opportunities that can be optimized or exploited, not just as costs. Risks must be viewed as interconnected and difficult to contain. Like wildfires, they cross boundaries and must be managed accordingly. If a risk is relevant and potentially life-threatening, be prepared for it.
Everything has changed but human nature. Judgment will always be difficult. The 21st century enterprise must develop a 21st century view of risk and risk management. Nearly all enterprises have certain characteristics in common. They all operate to a large degree in the same macro-economic environment. The “fatal flaws” and corresponding “risk intelligence skills” described in Part II apply almost universally.
That said, every enterprise is also unique and differs from all others in key ways. Every enterprise operates at a different stage of development. It possesses different skills, understanding, awareness, and culture. Each of these distinct characteristics must be considered carefully by leaders trying to improve risk intelligence, along with the unique benefits the enterprise can realize through that improvement.
The benefits of improved risk intelligence
Demonstrating the value of prevention is often difficult. It should be intuitively obvious that the improved ability to protect existing assets while more effectively managing the risks to future growth ought to improve the enterprise’s chances of survival and success. The enterprise that builds risk intelligence into the core ways of running its business can improve its resilience and agility and should realize the following benefits:
- Challenging basic business assumptions can help identify “Black Swans” provide first-mover advantage
- Defining the corporate risk appetite and risk tolerances can help reduce the risk of ruin
- Improving signal detection can provide advance warning and enable more proactive responses
- Identifying mission-critical interdependencies can help establish an appropriate margin of safety
- Anticipating potential causes of failure can improve chances of survival and success through improved preparedness
- Factoring in momentum and velocity can improve speed of response and recovery
- Verifying your sources and corroborating the reliability of information can improve insights for decision making and thus the quality of decisions
- Taking a longer-term perspective can aid in identifying the potential unintended consequences of short-term decisions
- Improving operational discipline helps sustain success
- Understanding the Total Cost of Risk (TCOR) can help demonstrate the value proposition and reduce the Cost of Failure while improving risk intelligent enterprise management
Making the transformation
Once the enterprise understands its current state of risk intelligence and the best opportunities for improvement, it needs a plan to close the gap and transform the way it comprehends and manages risks to value. It takes time and effort to become a risk intelligent enterprise.
Risk intelligence is not a status or designation that can be attained and then enjoyed ever more. Rather, it is a way of making better decisions amid uncertainty and under turbulent conditions. Thus, risk intelligence is not an end in itself but a way of doing business, not a goal but a developmental journey. By the same token, improving risk intelligence must be a deliberate and sustainable enterprise process, rather than a mere project.
Voice of experience
“To be successful, risk management has to be a core process of managing the enterprise, not merely a project. A lot of directors seem to think that because they devise a ‘strategy’ to deal with known risk, they’ve got a good handle on risk. My perception is that they don’t. Too often, all they want to do is identify the top 10 risks based on what people know. It’s a project approach—and that’s not what’s really needed. A systematized approach of understanding the most basic business assumptions has more long-lasting potential.”
—Larry Rittenberg, Professor and Chairman Emeritus, Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Developing and applying the necessary supporting processes, systems, and tools enterprisewide requires a “fractal” approach, in which any part of the whole embodies the properties of the whole. That implies that skills, processes, systems, and tools are common at every organizational level.
To be effective, these processes, systems, and tools must be deployed throughout the enterprise and applied with discipline. Although they will be applied differently at different levels, if the skills, processes, systems, and tools work for senior executives and the board, then directors and executives should have confidence that they will work elsewhere. Also, as with any skills, the more you practice, the better you become—provided you practice properly and maintain discipline.
At its best, risk intelligence informs every area of the business at every level such that the practices become part of every function, strategy, initiative, decision, activity, and job. This entails making risk intelligence an organizational value on the order of practicing true customer focus or achieving high quality through zero defects.
Such values do not come about by themselves or by executive decree or through a one-shot training initiative, a short-term project, or a “check the box” approach. They come about because the board and management view them as worthwhile, practice them publicly, recognize them in compensation programs, and embed them in core processes and systems.
The transformation challenge
In many organizations, despite the number and severity of risk management failures, executives still remain unconvinced of the business case for improved risk intelligence and thus risk management. Given this, there are several possible explanations as to why transformation efforts may fail.
For starters, even though the greatest value of risk management is prevention and preparation, demonstrating its value in advance often proves daunting. People may say, “That can’t happen here,” or “It can’t happen again,” or “We’re too smart to let that happen to us.”
Voice of Experience
“People don’t see the need for prevention until it’s too late. Obviously when a crisis occurs, everyone recognizes the need; it’s self-evident. It ought to be obvious that prevention is less expensive and more effective than response and recovery. I’ve tried to create recognition of the need for prevention in stages by starting with a risk scan. Let’s make sure we understand the risks that we have in the organization and the need to take some actions to mitigate the risk, understand it more, and be more involved in what this looks like.”–Suzanne Hopgood, director
Prevention, therefore, is much less likely to receive priority, especially when resources are scarce. A clear statement of the TCOR may be required to demonstrate the value of improved prevention and preparation. Even when executives are convinced of the value, those who try to implement a systematic approach may experience flawed or prolonged execution.
Generally, it is best to aim for rapid implementation by building more systematic consideration of risk to value directly into core business processes. Early wins are important to demonstrate value. Nothing succeeds like success, and word of mouth can aid implementation.
Lack of program management such as specific milestones and metrics as well as a failure to recognize the level of effort required can contribute to failed implementation. The implementation may also fail if the implementation team lacks dedicated, credible, and capable resources; if the vision and expectations are poorly communicated; and if the enterprise lacks a common language of risk. Difficulties in reconciling the different perspectives of various specialist silos also can result in a lack of cross-functional alignment and coordination.
Conclusion
The first part of this book addresses the reality that conventional risk management has failed. The 21st century enterprise requires an unconventional approach to the understanding and management of risk to value in times of uncertainty and turbulence. Because turbulence cannot be predicted or modeled, the enterprise needs to improve its vigilance and preparedness.
The second part of the book describes 10 risk intelligence skills that ought to be common to directors, officers, and employees even if the challenges and decisions they must make will be different. The development of these ten skills is, of course, no absolute guarantee of success. However, their absence is likely a harbinger of fatal flaws that could lead to the demise of the enterprise.
The third part of the book describes the characteristics of the risk intelligent enterprise and the responsibilities of directors, officers, and employees. It outlined steps that can be taken to improve risk intelligence. It also discussed some missteps that ought to be avoided.
While all these parts when taken together may seem to be onerous and costly, the reality is that decisions that affect the enterprise’s survival and success are made every day at every level of the enterprise. This is enterprise management.