In the final of a four-part series, Alex Sidorenko, founder and CEO of Risk-Academy, explains how to integrate risk management into core processes.
If there is one thing I learned in my previous role as Head of Risk at a multibillion-dollar sovereign investment fund, risk management is not about managing risks. It’s about helping management make strategic, operational and investment decisions while keeping the risks in mind.
It sounds simple enough, but it’s anything but. Here are some of the lessons I had to learn the hard way:
D. Integrating into business processes means knocking on people’s doors
Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same – disappointment. Best case scenario – annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting.
Did it for example ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.
Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense. Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.
I’ve learned that the only way to change the culture in the organization is to change the very nature of existing business processes (planning, budgeting, investment management, performance management, procurement and so on) and make them more risk-based.
Below are just some of the practical ideas to help integrate risk management:
- Document appetites / tolerances for different decision types in the relevant Board level policies and procedures instead of creating separate risk appetite statements.
- Identify significant risks and assess their impact on the Company’s business plan and budget.
- Run risk simulation to determine realistic strategic or operational KPI values.
- Run risk simulation to determine key budget constraints.
- Change the process how key decisions are made and documented. Performing risk assessments for all significant business decisions can dramatically raise decision quality and provide management with valuable insight and alternatives.
- Remunerate management based on risk-adjusted performance measures.
The challenge is all the above require the risk manager to find allies and work very closely with other departments. And sometimes other department heads may not be as excited to share their information or allow the risk manager to participate in their decision-making process. There is really no silver bullet for that, risk managers should get them on board one by one. But that’s a topic for a whole new article.
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
2 thoughts on “Risk Management Could Be a Powerful Tool, But it Just isn’t (part 4)”