Gary Alterson, is the Senior Director, Risk and Advisory Services at Neohapsis. In this interview he discusses the most significant issues in risk management today, offers tips on how to develop a risk management plan, and more.
What are the biggest issues in risk management today? How do you expect them to evolve in the future?
There are a couple of issues in terms of risk management we see most often.
1. A lack of risk decision making structure and lack of accountability for risk decisions in an organization. Almost every business executive is comfortable with risk decision making, however, in many cases the right people aren’t making those decisions. In many cases, big risk decisions are being made too low in organizations, with people who aren’t incentivized to make the right decisions for the organization. For example, a project manager may accept a large information security risk that can lead to compliance and reputational issues simply because they only thing they get incentivized on is getting the new product out the door. However, the executive in charge of the business unit, accountable for sustained results may make a very different decision.
Organizations need to develop a structure so that the important risk-based decisions are made by the right people, those who are accountable for the impacts – good or bad. This typically means some kind of risk governance structure that defines what decision making powers each level of the organization has and an oversight structure and escalation path for those risks that need monitored or managed higher up in the food chain.
2. The lack of meaningful risk assessment process. There are organizations that consider risk management something they have to do from a compliance standpoint who conduct superficial risk assessments. Others just don’t have the right skills to develop a meaningful risk assessment process. A meaningful process enables the identification of risks based on the goals of the organization and describes those risks in business terms either qualitatively or qualitatively through a common risk taxonomy. Enabling risks to be compared as apples-to-apples is extremely important for decision makers who need to be able to allocate resources across complex organizations. In terms of risk assessment effectiveness, organizations who take a control based approach to risk assessment are often missing the business context required to make the right decisions.
There’s a common approach of “I’ve compared myself to a best practices list and anything I am missing must not be a risk” which misses the point. The best practices should be adopted as controls to manage the risks you’ve identified. Taking a list and just applying it wholesale means you’re likely not going to be spending your money in the controls you need to manage your real top enterprise risks and overspending in areas for small gains in risk mitigation. A true, goals-based risk management strategy facilitates a more effective allocation or risk mitigation resources and sometimes even saves money!
3. A lack of an open, risk -ware culture. In order to build a culture where business managers are willing to be transparent to their executives, the executives have to be careful to craft the kind of culture that fosters this transparency. Open dialogs about concerns, risks, and trade-offs necessary without “shooting the messenger” are often missing in organizations that lack effective risk management.
What are the first steps in figuring out how to develop a risk management plan for a medium-sized organization?
The obvious, and very true, answer to this is to perform a real, goals-based risk assessment where the organization looks at its long term strategies and goals as well as operational necessities and identifies those threats which may cause uncertainty.
However, before being able to do this, the proper risk management framework needs to be put in place. This includes a risk oversight and governance structure, a common risk universe used to categorize and scope the assessment, a common risk taxonomy to describe risks and their impacts in a manner so that business leaders can compare risks across the company, the establishment of a risk assessment process, and clear articulation of the short and long term goals of the company.
What risk management issues are often overlooked?
Often times risk assessments are structured so that business managers only capture the known risks. As Donald Rumsfeld might call them, the “known unknowns”. However, in many cases it’s the “unknown unknowns” that are some of the larger risks. Bringing in outside expertise to contribute to or facilitate risk assessments and including as wide an array of skill sets, employee levels, and functions can help identify those unknowns. The other important piece is to also be prepared for those black swan, unforeseeable events. You may not know or understand specifics, but you should have a general process for dealing with them when they happen.
As stated before, I also think the importance of a risk taxonomy, how you describe and rate risks, cannot be understated.
What is the best way to explain the importance of risk management to senior executives?
I actually think most senior executives understand risk management and the good ones practice it instinctively. Even if they’re not formal about it, they’re constantly performing scenario planning in their heads: “If that happens, I’ll do this.” The “My executives don’t get it” message heard from many middle managers often arises from a failure of middle management to communicate risk effectively or they just disagree with the decision by an executive to accept certain risks. In the former case, there may be a real lack of an ability for that middle manager to communicate in business terms or the organization is lacking the right taxonomy to facilitate that communication. In the latter case, the organization is missing the right governance structures so that the risk acceptance can be formally communicated and accountability assigned appropriately.
However, that’s not to say that all senior executives understand risk management. I think explaining the importance of risk management to these executives needs to be in the context of assuring the ability to meet and exceed company goals while minimize the amount of volatility and variability. It’s also about transparency, making sure the decisions being made are in line with the goals of that executive – who is ultimately accountable for both short term and sustainable results.