It is that time of the year again, we will soon start seeing top 5, 10 and 100 risk lists from every broker and consultant on the planet. Let me guess, it will say something like geopolitics, interest rates, COVID, cyber and logistics? Boooooring. I wanted to take us in a different direction. Here are 5 things risk managers really should be concerned about, yesterday, today and most likely tomorrow.
Being excluded from planning and decision making
By far the biggest challenge risk professionals need to overcome is to convince the decision makers to allow risk views to be heard at the table and to invite risk manager to the decision. Most business processes involved in planning, forecasting, budgeting, decision making or performance management have been inherently designed to ignore uncertainty. Open most books on strategic planning, guidelines for budgeting or procedures for performance management and you would be amazed how there is almost no mention of risk or risk is seen as a parallel afterthought. Management disciplines are deterministic and not stochastic, means pretending there is single predictable future as opposed to multiple uncertain futures. To most decision makers value of risk analysis is not obvious.
So what risk managers need to be concerned about is how to get involved in important decisions and justify the time and effort required to perform risk analysis and to convince decision makers to use the outputs in their decisions. Often this will require significant process reengineering. I did it for insurance, procurement, investment decisions, strategy, operational risks and maintenance. Every time it is a different story, what worked in one organization didn’t in the next, it is a constant reinvention. Book a quick chat and ask me how https://meet.sendinblue.com/risk-academy or just watch one of the videos I recorded for the RISK-ACADEMY youtube channel https://www.youtube.com/@riskacademy.
Not having the competency to produce timely quant risk analysis
The next big concern is having to deliver once the risk manager is invited to the decision table. In fact being concerned about not having the right competencies is often the roadblock preventing many risk managers asking to be at the table in the first place and settling for mindless risk list reporting and risk register updating.
There are four options that I can think of to overcome this concern:
- hire a quant to join the risk team (this is what I did in my previous job)
- outsource the quant and model building (this is what I do now)
- use software that has a solid quant methodology behind it, where someone already did the hard math for you (Archer Insights does that)
- upskill and become a quant (RAW2022 is a useful starting point for this)
Selling the promise of valuable risk insights is hard but not being able to deliver on the promise is even harder. Sometimes getting people in the room and getting them to talk and share is enough to generate insights but the real value, savings and groundbreaking ideas come from pretty comprehensive risk analysis that cannot be done qualitatively. This brings me to the next point.
This is what any risk manager on the planet should be concerned about but clearly isn’t. Risk management methodology and frameworks almost feel like it is free for all. So many books have been written about personal experiences of a single risk manager or a specific company. And, naturally, every consultant has their own unique methodology.
Last year, just for fun, I went around the markets asking for back tests to see how well the methodologies actually performed. Imagine my surprise when most companies not only couldn’t produce them, they never even heard about it. Sarcasm.
Anyway, model error is a title I used to describe performance of risk models, methodologies and approaches. And this is something any risk manager should be very concerned about. Because, surprise surprise, most of the ideas behind common things like ERM, ESG or common techniques like heatmaps have actually been proven to add so much error, that companies are better not doing any risk management at all, rather than using them. Not my words, quoting from a published research https://www.researchgate.net/publication/266666768_The_Risk_of_Using_Risk_Matrices
Good risk managers back test their models and are very transparent about the limitations. For example I know some of my models work at CI90% and don’t work at higher confidence intervals. You want methodology and software that can share back tests.
Decision makers ignoring the results of the risk analysis
Another huge concern is that decision making is still human. This means no matter how good or useful risk analysis is, at the end it is a human being that makes the decision. A human being with own risk appetite, perception, biases and preferences. To add fuel to fire, behavioral economics research tells us that when faced with the choice to do something about risks and do nothing, many people will go for the option that requires less effort.
The math behind risk analysis is usually pretty straight forward and consistent, how you package the conclusions however depends on the decision maker. I, for example, spent a lot of time and effort figuring out how to best present outputs from risk analysis and how to use software to build dashboard that drive decisions.
Focusing on too many risks
Risk management team has a limited bandwidth, so the decisions they get involved in and the type of risk analysis they perform have to be carefully selected. My personal risk implementation worked best when I was allowed to have a narrow mandate with specific risks that we focused on. All other risks were managed by the risk owners or 2nd line responsible for these risks who always had an option to reach out to my team for methodology advice. For example I didn’t have the capacity to deep dive into cyber risk and it stayed the responsibility of the IT department.
To get real value and savings from mitigating a risk, one needs to really deep dive into the topic. Weeks and months of building models and running simulations. I call it STANDARDIZED and ADVANCED approaches to risk analysis and talk about it at RAW2022. Most risks should be covered by BASIC approach and only few by STANDARDIZED and only a handful by ADVANCED.
Let me know what you think in the comments.