Ok, the title is obviously irony, because no organisation on the planet is ever “just” starting to implement risk management” or “starting from scratch”. Organisations have been making risk-based decisions since the inception. Often poorly, but that’s another point altogether. And yet, far too many job advertisements I see are looking risk specialists to build risk management from scratch. No joke. I hope this is just a Russian thing and you don’t see this in your country.
🚩 Focus too much on RM1
One of biggest mistakes a risk manager can make when implementing risk management is to focus too much on RM1. What is RM1? I tried to explain in this article RM1 vs RM2 – which side will you choose? Basically, RM1 is the formal, compliance side of risk management that is promoted by international standards and guidelines, risk management associations and consulting companies. None of the practices they promote have any real foundation in decision science or probability theory, often even contradict them. And there is compelling evidence to suggest those “best practices” do not add value to organisations beyond just a pretty wrapping.
This may come as a surprise, but we don’t need a risk management framework, a risk appetite statement or risk owners to perform quantitative risk analysis and help companies better risk-based decisions.
RM1 is sometimes the necessary evil and may need to be done at some stage, but definitely not the first priority.
🚩 Ignore existing risk practices
Another grave mistake is to think that risk management is somehow new or unique. While an organisation may have never had a risk appetite statement and haven’t done an enterprise-wide risk assessment before, all of those things are RM1.
Any company on the planet has been doing RM2 forever. Can you think of examples where good quantitative risk analysis has been applied by your company long before you joined? Here are just some:
- running scenarios on the budget
- performing sensitivity analysis on investment projects
- simulations when designing new products
- diversifying project portfolio
- keeping money in solid banks
- credit rating and credit limits
- different pricing for different markets/risks
Risk management is not about building something from scratch, it’s about improving existing decision making practices. More on that in the next section.
🚩 Implement RM2 as an ad-on
This is also a huge challenge for many new risk managers. It’s so much easier and more appealing a build a new process, it is so much harder to improve something existing. And yet, it is my strong believe, that risk management should be focusing more on improving existing processes and decisions. For example implementing quant risk analysis into investment decisions seems like the obvious place to start. But sometimes it is necessary to fix the investment decision making process before any kind of sensible risk analysis can be implemented. Often, for example, risk managers need to collaborate with the investment team to change the financial model template itself to make for later risk analysis possible. Most financial models are unsuitable for MC simulations something that surprised me for example.
🚩 Hold onto RM2 for too long
Another important point is that sooner or later, risk analysis will need to be handed over to the business units. While risk team can perform quant risk analysis on any decision, at some stage the volume of decisions would be too much for any risk team to handle. For example I never had a risk team with more than 3 people. So our capacity is quite limited and we are actively preparing for the time when we will need to handover the risk analysis to the strategy team, investment team, financial controllers, commercial division, project management office and so on.
🚩 Implement what you know, not what the company needs or what works
This is a tough one because there is much noise in the risk profession and so little agreement on what works and what doesn’t. For example, every “best practice” recommends using heat maps but they never did and never will work. How are risk professionals supposed to know this? Multiplying ordinal scales for likelihood and consequences to calculate risk levels is insane, but who are we to promote proper science when even legislation forces us to do just that. I don’t think I have an answer but I have a story. In my new role as a CRO I started with the kind of quant risk analysis I know and have done many times before but through a lot of iterations with the CFO and the Board we settled on a new mandate. Under the new mandate what I though would be my main tasks are not only 30% of the overall responsibilities. That’s right, 70% of my current mandate is what the company needs not what I feel comfortable and easy doing. Don’t worry, still RM2. I hope this is powerful reminder to everyone in the risk profession.