Risk management department should be more like tax department

Read the whole article for the full story as I will try make quite a compelling argument. By the end my point of view will not feel as ridiculous as it does now, I promise.

To me risk management is no different to tax management or whatever is the name for the work that tax department does. At least that’s where the goal posts are, good risk management team should be as invaluable as good tax team. Just like the tax team, risk managers have niche specialisation and unique competency. Let me illustrate the analogy in the table below:

Comparison Tax team Risk team
Value proposition Ensure tax compliance, optimise amount of taxes paid and deal with complex tax issues locally and globally, ensure decisions are taken with tax implications in mind, ensure tax reporting and disclosure Ensure compliance with regulatory requirements, optimise amount of risk taken in pursuit of objectives, deal with complex risk related issues, ensure decisions are risk based, ensure risk reporting and disclosure
Compliance with external obligations Tax team helps to ensure legal and stakeholder requirements are complied with by the company and its vendors Risk team helps to ensure whatever new great idea the regulators came up with is in place, be it risk appetite statement or a risk policy
Integration into existing policies and procedures Prevention is much cheaper than dealing with consequences, so tax team is integrating into existing processes, decisions, procedures to ensure tax risks are considered before the decision is made and proper approvals are in place Risk team is integrating risk analysis into existing processes and decisions to make sure risks are considered before important decisions are made or business plans approved.
Core work (60% of the work, 90% of the value) Tax team deals with significant tax related issues and risks, investigates tax implications, quantifies and recommends a course of action to optimise taxes  Risk team does the grunt work to investigate the nature of significant risks associated with decisions, builds quant risk models, quantifies the risks, sets limits and stop losses and recommendations a course of action given the forecasted risk exposure. This is what you would normally call quant risk analysis or QRA
Monitoring and control Tax team has controls in place to monitor tax for compliance, has approval authority on certain decisions that have tax implications Risk middle office has controls for monitoring daily risk exposure and track risk against set limits, may activate stop losses on certain risky deals, has approval authority on risky decisions
Reporting Tax team is responsible for regular and transparent reporting and ad-hoc responses to tax authority, auditor, board, etc requests Risk team is responsible for risk reporting, if it is required, and integrating risk information into existing performance reporting and responding to ad-hoc requests related to risk management

Clearly risk management is all of the things in the table and more. Strengthening risk taking culture, process reengineering, considering what might happen before making decisions is all risk management. But, there is a big but, there is a reason why I highlighted one row above in bold. After the dust settles, the most value comes from the grunt work whether it is related to solving a complex tax issue or from building a sophisticated risk model that provides valuable insights to the decision makers. Like the time when my team built an environmental risk model for the HSE team to help them get approval for water purification plants or the time we built a model that showed that we have been historically underinsured and yet overpaying for it.

Business looks to risk team, just like they do to the tax team, not to be a facilitator, aggregator or report generator. Business looks to risk team for the difficult calculations, conclusions and recommendations the others in the company cannot do. Just like with tax, everyone can do the basics until the problem becomes too complex, same with risk management. Everyone is a risk manager, until you need to model multiple scenarios covering few complex correlated risks. Then you call the specialists.

So, of course risk analysis is not the same as risk management, risk management scope is much greater. But make no mistake, we can have risk analysis without risk management but we can’t have risk management without quantitative risk analysis.

Risk analysis is the same thing as risk management for now to me, because solving the issues we have with risk analysis is the first and foremost priority for the risk community. I use the terms interchangeably, because risk analysis is hard, the rest of the risk management is easy. 

Without quant risk analysis, the core product produced by the risk team, they will continue to be viewed as glorified secretaries, looking after agendas, reports and disclosures. In my view of the world, risk team should become the center of competencies for dealing with uncertainty across the company, just like tax team is the center of competencies for dealing with tax issues.

Use the comments below section for insults and outrage 🙂


RISK-ACADEMY offers online courses


Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!


ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.


Advanced Risk Governance

This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.