Alex Sidorenko shares four valuable lessons about integrating risk management principles and methodologies into the day-to-day decision making. He shares some practical suggestions on how to overcome cognitive biases when managing risks and make risk-based thinking part of the overall corporate culture of the organisation.
If there is one thing I learned in my previous role as Head of Risk of a multibillion-dollar sovereign investment fund, risk management is not about managing risks. It’s about helping management make strategic, operational and investment decisions with the risks in mind.
It sounds simple enough, but it’s anything but. Here are some of the lessons I had to learn the hard way:
A. Thinking about risks is not natural
A common misconception in risk management community is that management thinks about risks anyway. Not true. Naturally, managers do consider some of the more obvious risks and there are exceptional cases where risk analysis is already integrated into the decision making. For the other 95% of the companies, existing processes and management tools barely account for the inflation and ignore or purposefully hide significant risks. If there is anything scientists have taught us is that humans behave very differently when making decisions under uncertainty. Daniel Kahneman and Vernon Smith won a Noble prize in Economic Sciences back in 2002 “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty”. Their and others scientist’s, like Amos Tversky, studies showed that most people when faced with a lot of uncertainty fall into what they called cognitive biases. A cognitive bias refers to the systematic pattern of deviation from norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion.
Risk managers simply cannot afford to continue to ignore the effect cognitive biases have on the decision making and the quality of risk analysis. Here are some of the practical suggestions I implemented to overcome them:
- Create a number of different risk assessment methodologies designed for different types of decisions being made by the management. I, for example, had five different risk methodologies for different investment decisions and separate methodologies for strategic planning and budgeting. Then provide decision makers with tailored risk identification checklists for each type of decision to help managers overcome some of the cognitive biases.
- Provide training and awareness sessions dedicated to risk perception, risk psychology and cognitive biases.
- Always, always, always validate the information used in the risk analysis if it was received from management. This means validating the information either externally or with other independent internal experts (for example internal audit, finance or legal).
- Integrate risk analysis into existing business processes, so it is not perceived by management as a stand-alone activity. This is actually ridiculously hard and I have a whole article on integrating into strategic planning: https://riskacademy.blog/2017/03/16/4-steps-to-integrate-risk-management-into-strategic-planning/
- Use quantitative risk analysis tools to reduce the subjectivity and the need to rely on management opinions or input.
Read more in the free book: https://www.risk-academy.ru/en/download/risk-management-book/
B. Individual and corporate risks are not the same
There is a big difference between the risks that the board is concerned about, such as corporate risks, and the risks that individual managers worry about, often their personal risks. It is quite natural for humans to consider risks that can potentially impact them personally as significant, while the risks that impact the achievement of strategic objectives as somewhat remote or distant.
The important lesson I learned is that if you want management to pay serious attention to corporate risks, you should first help them deal with their individual or personal risks. And by personal risks I mean things like maintaining their area of influence, building a solid reputation, advancing their career, not losing their job and protecting themselves from investigations or prosecution.
Another aspect that has a huge impact on the quality of decision-making – and hence the quality of risk management – is remuneration policy. Many people are driven by their financial self-interest much more than any corporate values or best practices. And this has a huge implication on the work of risk managers.
To address these challenges, I aim to do the following:
- Demonstrate how proactive risk management can benefit individuals within the firm and solve their personal risks. Even basic things like creating a paper trail for key decisions and risks taken by management to protect against any future inquiries;
- Review existing remuneration policies and find out how the bonus payments are calculated to understand whether it drives any excessively risky behavior and what periods are particularly vulnerable. For example, employees usually make much riskier decisions just before bonus entitlements are calculated at the end of each quarter or year-end;
- Work with HR to ensure existing individual objectives and KPIs adequately take risks into account. This will help to cement the message that risk management is a part of normal performance management;
- Work with strategy to ensure corporate objectives and KPIs are also set based on the outcomes of risk analysis to help make the targets more realistic and achievable;
- Include risk management roles and responsibilities into existing job descriptions, policies, procedures and committee charters to reinforce ownership and accountability.
As risk managers, we need to be prepared to the fact that some managers ignore risks and take uncalculated risks for a reason. Therefore, it’s absolutely critical to understand what motivates each individual.
Agree? Disagree? Post your comments below to join the conversation.
C. Business decisions happen every day, not once a quarter
This I found most bizarre, we seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It’s just another management tool to help them make better decisions and hence achieve the objectives. There is a big difference between how mature organizations implement risk management and the rest.
Mature organizations do risk analysis when a decision is made, using whatever risk analysis methodology is appropriate for that particular type of decision. The rest do risk management when it’s time to do risk management, be it annually, quarterly or some other regular internal. Nothing could be further from the truth. Unless our methodologies, approaches and tools allow risks to be analyzed at any moment during the day, when an important decision is being made or at every milestone within the core business processes, we are unlikely to get management’s attention. This was a big challenge for me personally and to overcome the challenges I recommend the following:
- Integrate risk analysis into significant strategic, operational or investment decisions.
- Create a methodology that allows management to identify, analyze and document key risks associated with the decision. Make sure the outcomes of the risk analysis have a direct impact on the decision structure or content, otherwise it makes no sense for the management to do the risk analysis. For example, on some of the investment projects the outcomes of the risk analysis affected the valuation of the projects.
- Provide risk management training and support.
- Create a separate methodology to validate the results of the risk analysis prepared by the management using the information provided by finance, legal, strategy, internal audit and security departments.
D. Integrating into business processes means knocking on people’s doors
Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same – disappointment. Best case scenario – annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting.
Did it for example ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.
Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense. Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.
I’ve learned that the only way to change the culture in the organization is to change the very nature of existing business processes (planning, budgeting, investment management, performance management, procurement and so on) and make them more risk-based.
Below are just some of the practical ideas to help integrate risk management:
- Document appetites / tolerances for different decision types in the relevant Board level policies and procedures instead of creating separate risk appetite statements.
- Identify significant risks and assess their impact on the Company’s business plan and budget.
- Run risk simulation to determine realistic strategic or operational KPI values.
- Run risk simulation to determine key budget constraints.
- Change the process how key decisions are made and documented. Performing risk assessments for all significant business decisions can dramatically raise decision quality and provide management with valuable insight and alternatives.
- Remunerate management based on risk-adjusted performance measures.
The challenge is all the above require the risk manager to find allies and work very closely with other departments. And sometimes other department heads may not be as excited to share their information or allow the risk manager to participate in their decision-making process. There is really no silver bullet for that, risk managers should get them on board one by one. But that’s a topic for a whole new article.