I feel risk management is on a verge of something interesting, something very exciting at the moment.
For a long time, I naively thought that by doing good risk management all the key stakeholders would be satisfied, but the reality is, different stakeholders want completely different things. There is risk management 1 – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks) and risk management 2 – risk management for the decision makers inside the company.
In this article, I would argue RM1 and RM2 are totally different.
Note, however, the matrix reference is used quite loosely because it’s not really a choice between RM1 and RM2. Both need to be done, unfortunately, because regulators, banks and most external stakeholders still expect all the wrong things. It is rather a choice about how much time should be allocated to each. My rule of thumb is 10% to RM1 and 90% to RM2, but this is pretty much the opposite of how many businesses operate today. Ironically, they argue, that RM1 takes up so much time, that no time left for RM2, even though they supposedly want to. This is simply not true.
The best way to illustrate my point is to group common risk management activities into 2 types and show how significant time can be saved on RM1 to be reallocated to RM2.
Risk appetite
I have written a lot about risk appetite here, here and here. The bottom line is, no separate risk appetite statements are necessary because all the limits are already contained in Board level policies. And if the regulator or an auditor or a Board member insists on having one, either show how stupid the request is or just do one yourself by copy-pasting from existing policies and linking to strategic objectives. Don’t waste business’s time on interviews, discussions and consultations, it’s copy-pasting.
What if existing policies don’t have all or some limits? Then update existing policies, having a separate risk appetite statements is still RM1. Risk appetite statements duplicating existing policies hardly help the decision makers.
Risk management framework*
I have a video on the topic here (please subscribe to watch the other 250+ videos) as well as an article describing a better way. RM1 is to have a framework document, RM2 is to integrate elements of risk management into key existing policies, procedures, manuals. Risk management roles and responsibilities can also move from the framework document to position descriptions and committee charters.
* I am talking about a document called framework or manual or procedure, etc., not the risk management framework in the ISO31000 sense.
Enterprisewide risk register
Enterprisewide risk registers are quite common but are so RM1. On so many levels too. Can you even imagine an auditor who would not automatically ask for a risk register? Some particularly bad auditors may even ask for a risk and opportunity register. There really seems to be no limit to stupidity nowadays.
Centralised, company-wide risk registers don’t help decision makers make decisions. It’s also completely naive to think a single consolidated methodology and risk criteria are capable of addressing the whole universe of risks faced by an organization. In fact, organizations that switched to RM2 have discovered that different decisions require different risk analysis methodologies and different criteria.
Using qualitative risk analysis techniques is also RM1, as they don’t provide enough insights for the decision makers.
More information is available here.
Risk reports
Surprisingly, updating a quarterly risk reports is also RM1. It doesn’t help decision makers. The decision makers need risk information put in the context, next to the performance information, inside the normal management performance reporting linked to how risks affect the achievement of objectives.
More information is available here and here.
Key risk indicators
Even having key risk indicators is potentially RM1, because why would you create separate indicators for risks outside of the typical performance management cycle, when you can just expand the existing KPIs to cover whatever risks you feel are important. There is even a name for it, leading indicators, and they existed long before risk managers came up with KRIs.
Also, why waste time tracking and monitoring them, just let the business unit responsible for performance management deal with it like they do for all the other KPIs.
More information can be found here.
Risk management committee
Ok, technically speaking having a separate management Risk Committee (not to be confused with a Board risk committee) is RM1. But for some reason, it has a huge positive impact on the overall culture, so I kept it. Risk management committee is both RM1 and RM2.
What else is RM1? 3 lines of defence, risk owners, risk mitigation plans, disclosure in the annual reports, risk management benchmarking and many other things.
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
A great practical article as always, thanks Alex for sharing such interesting real know-how.
Sharp minded and thought provoking as always.
My question is: in RM2 what is the role for an enterprise level risk control unit? To ensure that all relevant decision making processes embed risk considerations even though managed and assisted by independent function/ business line risk management units?
Thanks for sharing!
The purpose of risk management unit is to help integrate risk management into various decision making processes and do the risk analysis, if requested plus culture and all rm1. Not sure what business line risk units are.
Thank you for the response and clarity, could have easily misunderstood your earlier comment. This helps!
So your RM1 and RM 2 theory is interesting and provocative as usual. What you’re missing is that a risk leader fulfills a role initially defined by their employer. It may be completely off base, but is usually defined by perceived risk priorities of leadership for better or for worse. So my starting point advice has always been, do what you were hired to do and then, move to change stakeholder’s minds on what the priorities might shift to. In the highly regulated world we unavoidably live in, we at forced to ensure RM1 bases are covered, like it or not. Only those who don’t sit in the risk leader’s chair, can take the position that RM1 deserves as little time as possible.
I totally agree, it takes 1-2 months to take care of ALL RM1 activities (took me 3 because I am slow), so a bit hard to explain why many risk managers are still stuck in RM1 years later
Hi Alex! I am so sorry for bringing up such an old post! I am glad I found it and got curious about this statement “In fact, organizations that switched to RM2 have discovered that different decisions require different risk analysis methodologies and different criteria.”. So, are you saying that risk aggregation is not worthy it? I problem the company I work for right now faces is that we have several departments (risk management, IT, infosec, security, business continuity, IT security, legal, etc) performing some sort of risk analysis, which identify risks as a results, and in many occasions we realize they are the SAME risk or very, very similar. Risk aggregation has been sold as the silver bullet here and now I’m a bit confused given this article. It’s definitely very provoking and that’s why I’d really appreciate if you could clarify it to this confused girl. Thank you!
I am saying ERM is complete bs. Risk aggregation however is normal, for example for liquidity risk you would aggregate many risks into the cash flow model. Market or operational risks can and do get aggregated. Although it is highly unlikely too many different risks will need to be aggregated together. To aggregate risks have to presented as probability distributions and aggregation has to account for correlation. That’s RM2
What you are doing sounds very much like RM1, so whether you aggregate risks or not, doesn’t matter, it is unlikely to lead to better decision making. If your risk assessment was probability x consequence then it is not mathematically sound to aggregate to begin with.