I feel risk management is on the verge of something interesting, something very exciting at the moment.
For a long time, I naively thought that by doing good risk management all the key stakeholders would be satisfied, but the reality is, different stakeholders want completely different things. There is risk management 1 – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks) and risk management 2 – risk management for the decision makers inside the company.
In this article, I would argue RM1 and RM2 are totally different.
Note, however, that the matrix reference is used quite loosely because it’s not really a choice between RM1 and RM2. Both need to be done, unfortunately, because regulators, banks and most external stakeholders still expect all the wrong things. It is rather a choice about how much time should be allocated to each. My rule of thumb is 10% to RM1 and 90% to RM2, but this is pretty much the opposite of how many businesses operate today. Ironically, they argue that RM1 takes up so much time that no time is left for RM2, even though they supposedly want to do it. This is simply not true.
The best way to illustrate my point is to group common risk management activities into 2 types and show how significant time can be saved on RM1 to be reallocated to RM2.
I have written a lot about risk appetite here, here and here. The bottom line is, no separate risk appetite statements are necessary because all the limits are already contained in Board-level policies. And if the regulator or an auditor or a Board member insists on having one, either show how stupid the request is or just do one yourself by copy-pasting from existing policies and linking to strategic objectives. Don’t waste the business’s time on interviews, discussions and consultations; it’s copy-pasting.
What if existing policies don’t have all or some of the limits? Then update the existing policies; having a separate risk appetite statement is still RM1. Risk appetite statements that duplicate existing policies hardly help the decision makers.
Risk management framework*
I have a video on the topic here (please subscribe to watch the other 250+ videos) as well as an article describing a better way. RM1 is to have a framework document; RM2 is to integrate elements of risk management into key existing policies, procedures and manuals. Risk management roles and responsibilities can also move from the framework document to position descriptions and committee charters.
* I am talking about a document called framework or manual or procedure, etc., not the risk management framework in the ISO31000 sense.
Enterprisewide risk register
Enterprisewide risk registers are quite common but are so RM1. On so many levels too. Can you even imagine an auditor who would not automatically ask for a risk register? Some particularly bad auditors may even ask for a risk and opportunity register. There really seems to be no limit to stupidity nowadays.
Centralised, company-wide risk registers don’t help decision makers make decisions. It’s also completely naive to think a single consolidated methodology and a single set of risk criteria are capable of addressing the whole universe of risks faced by an organization. In fact, organizations that switched to RM2 have discovered that different decisions require different risk analysis methodologies and different criteria.
Using qualitative risk analysis techniques is also RM1, as they don’t provide enough insights for the decision makers.
More information is available here.
Surprisingly, updating quarterly risk reports is also RM1. It doesn’t help decision makers. The decision makers need risk information put in context, next to the performance information, inside the normal management performance reporting, linked to how risks affect the achievement of objectives.
Key risk indicators
Even having key risk indicators is potentially RM1. Why would you create separate indicators for risks outside of the typical performance management cycle, when you can just expand the existing KPIs to cover whatever risks you feel are important? There is even a name for it, leading indicators, and they existed long before risk managers came up with KRIs.
Also, why waste time tracking and monitoring them? Just let the business unit responsible for performance management deal with them like they do for all the other KPIs.
More information can be found here.
Risk management committee
Ok, technically speaking, having a separate management Risk Committee (not to be confused with a Board risk committee) is RM1. But for some reason it has a huge positive impact on the overall culture, so I kept it. A risk management committee is both RM1 and RM2.
What else is RM1? The 3 lines of defence, risk owners, risk mitigation plans, disclosure in the annual reports, risk management benchmarking and many other things.