Site icon RISK-ACADEMY Blog

Risk management used to be a science, then it became an art, now it’s just bullsh@t

Latest views from Alex Sidorenko on how “innovation”, lack of business acumen and consultants are killing modern risk management in non-financial organizations.

First there was science…

Some sources suggest probability theory started in gambling and maritime insurance. In both cases the science was primarily used to help people and companies make better decision and hence make money. Risk management used mathematical tools available at the time to quantify risk and their application was quite pragmatic.

Banks and investment funds started applying risk management and they too were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. H. Markowitz, M. Miller, W. Sharpe won a Noble prize in 1990 for CAPM, a tool also used for risk management. This doesn’t mean risk management was always always accurate, just see the case of LTCM, but one thing for certain risk managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).

Then risk management became art…

Then came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than science.

Some of the reasons behind the shift were arguably:

Today it’s just a mess…

What I am seeing today however is nothing short of remarkable

Instead of being pragmatic, simple and focused on making money, risk management moved into the “land of buzz-words”. If you are reading this and thinking: “Hold on, Alex, risk velocity is important, organizations should be risk resilient, risk management is about both opportunities and risks, risk appetite, capacity and tolerances should be quantified and discussed at the Board level and inherent risk is useful.” Congratulations! You may have lost touch with business reality and could be contributing to the problem.

I have grouped my thinking into four problem areas:

A. There is literally no link between modern science and business risk management

Today, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis) created in the 40s and the 60s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is mainly ignored by majority of risk managers in non-financial sector.

Ironically, many organizations do use tools like Monte Carlo simulations (developed in 1946 by the way) for forecasting and research, but it’s not the risk manager who does that. Same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counter-party risk management. Yet pretty much ignored by risk managers.

It’s also been years since I last saw a scientist present at any risk management event sharing new ways or tools to quantify risks associated with business objectives. Same can be said about the overall poor quality of postgraduate research published in the field of risk management.

B. Modern risk management is detached from day to day business operations and decision making

Unless we are talking about not-for-profit or a government entity, the objective is simple – make money. And while making money every organization is faced with a lot of uncertainty. Luckily business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on.

Yet, instead of integrating into all of the above risk managers often choose to go they own separate way, create a parallel universe, specifically dedicated to risks (very naive I think). Some of the common examples include:

C. Risk managers continue to ignore human nature

Despite the extensive research conducted by Noble-prize winners D.Kanehmman, A.Tversky and others, risk managers continue to use expert judgement, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (mildly put), they never have and never will. Just stop using them. There are better tools for integrating risk analysis into decision making.

Building the culture of risk awareness is critical to any organization’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into their day to day activities and decision making.

D. Risk managers are too busy chasing the unicorn

Instead of sticking to the basics and getting them to work, many are too busy chasing the latest “buzz words” and “innovations”. Remember, how “resilience” was a big thing few years ago, before that was the “emerging risks”, also “risk intelligence”, “agility”, “cyber risk”, the list goes on an on. It seems we are so busy finding the new enemy every year that we forgot to get the basics right.

Consultants lately seem to have too much say in how modern risk management evolves. Latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June. And what a load of bullsh@t that was. The authors sure did “innovate”: among other “useful ideas”, they came up with a new way to capture risk profiles. Nice… if risk profiling was the objective of risk management. Sadly it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day. For more feedback on COSO:ERM click here.

To be completely fair, the global team currently working on the update for the ISO31000:2009 also has a few consultants, who have very limited understanding about risk management application in day to day decisions and in helping organizations make money.

I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money.

Interested to hear your thoughts, share, like and comment below.

 

RISK-ACADEMY guides and templates:

Exit mobile version