Informed Risk Taking : Risk Management Process - Analysis

Kevin W Knight, during his first visit to Russia a few years ago, said ‘risk management is a journey… not a destination’[1]. Risk practitioners are free to start their journey at any point in this guide, however the authors think that evaluating strategic objectives@risk can be considered a good starting point. The reason why we believe this is a good starting point is because it is relatively simple to implement, yet has an immediate and a significant impact on senior management decision making.

Before reading however, risk managers should start by having a frank discussion with their key stakeholders to try to understand what their expectations from risk management are. It is important to understand what their real appetite for change is.

Risk management is ultimately about changing organizational culture to accept risk and facilitate risk discussion when performing business activities or making any strategic, investment or project decisions. Vincent Tophoff in the recent International Federation of Accountants thought paper called From Bolt-on to Built-in has put it nicely “there is no such thing as risk culture. Instead, there is an organizational culture, in which managing risk should be an obvious, integrated action.”

Below are some practical steps to integrate risk management into the overall culture of the organisation, make it part of the corporate DNA.

[1] https://www.scribd.com/document/283750131/A-Journey-Not-a-Destination-pdf

Before you begin integrating risk management into decision making, take time to find sponsors, key stakeholders and understand what their real appetite for change is. 

As far as international risk management standards go, the best choice for any non-financial organisation is by far the ISO 31000:2018. At the time of writing the standard had been officially translated and adopted in 70+ countries, making it truly global. ISO 31000:2018 is an international standard that provides principles and guidelines for effective risk management. It is not specific to any industry or sector and is intended to be tailored to meet the needs of the organisation. The standard is a very powerful document and reinforces the message of integrating risk management into business activities and decision making. Here are just some useful extracts:

• The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
• The purpose of the risk management framework is to assist the organization in integrating risk management into all its activities and functions.
• The effectiveness of risk management will depend on its integration into the governance and all activities of the organization, including decision-making. This requires support from stakeholders, particularly top management.
• Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
• The organization implement the risk management framework by:
  • developing an appropriate plan including timing;
  • identifying where, when and how different types of decisions are made across the organization, and by whom;
  • modifying the applicable decision-making processes where necessary;
  • ensuring that the organization's arrangements for managing risk are clearly understood and practiced.
• The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organization.
• It can be applied at strategic, operational, program or project levels.
• There can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.
• The dynamic and variable nature of human behaviour and culture should be considered throughout the risk management process.[1]

COSO has also published its COSO ERM in autumn of 2017. It has same or similar messages with no additional value, however it is packaged in a very complex document that is more than 250 pages long and very painful to read. We have provided detailed COSO ERM overview on the RISK_ACADEMY website for anyone interested. Nevertheless, risk managers shouldn’t disregard new COSO ERM. Just like it is a marketing tool for PwC, risk managers should be using it as such as well. Here is what COSO ERM 2017 can be used for:

• using it as an argument to initiate a change project to move away from quarterly risk assessments, risk reports and risk mitigation plans to integrating risk analysis into actual decision making process
• using sections and good messages from COSO ERM 2017 to reinforce the changes you have been proposing for a while, which were ignored by management
• showing how COSO ERM 2017 reinforces the work you were already doing 
• justifying whatever good risk management you were doing
• getting attention from the Board or Audit Committee
• opening the door to strategic planning process 
• combating the auditors or consultants that were selling outdated concepts and tools like risk registers, risk management framework documents and risk appetite statements.

Risk management is about using uncertainty to your advantage, so don’t miss an opportunity to use the update of both major integrational standard and framework to your advantage and to better achieve the goal of integrating risk management into decision making.[1] ISO31000:2018 Risk management — Guidelines

In addition, some industries have additional risk management related standards or guidelines. These are usually published by the industry associations, such as the Risk Management Guidelines developed by the European Private Equity & Venture Capital Association. And some countries, Germany for example, have specific laws and regulations related to risk management. All this additional guidance should be taken into account when implementing risk management in any given company.

The complexity and the risk management framework selected should be proportional to the size and risk profile of your business as well as the overall risk management maturity. Now, don’t take this last sentence to mean that only mature organizations should integrate risk management into the actual decision making. No, that’s a given. The depth and breadth of the integration into decision making should depend on the organizational maturity. 

Once the overall framework/standard is agreed upon and signed off by the key stakeholders (very important to get executives to physically sign off and take some responsibility for the agreement that ISO31000:2018 will become the baseline for the risk management within the organization), it is time to assess the effect of uncertainty on strategic objectives. Skip this section if the objectives have not been defined or documented in your company or if the objectives are not measurable. 

Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives it is important to follow the McKinsey MECE principle (ME - Mutually Exclusive, CE - Collectively Exhaustive) to avoid unnecessary duplication and overlapping. 

This is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.

Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by the management.

Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight.

Common criteria for selecting management assumptions for further risk analysis include:

• The assumption is associated with high uncertainty.
• The assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
• The organisation has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
• There are reliable external sources of information to determine the possible range of values and the possible distribution of values.

For example, a large investment company may have the following risky assumptions:  the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.

Concurrently, risk managers should perform a classic risk assessment (as per the process outlined in ISO31000:2018) to determine whether all significant risks were captured in the management assumptions. The risk assessment should include a review of existing management and financial reports, industry research, auditors' reports, insurance and third-party inspections, as well as interviews with key decision makers.  By the end of this step risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners, internal auditors and utilise internal and external information sources to determine the ranges of possible values and their likely distribution shape.   

The next step includes performing a scenario analysis or the Monte-Carlo simulation to assess the effect of uncertainty on the company's strategic objectives. Risk modelling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modelling. All examples in this guide were performed using the software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modelling.

When modelling risks it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the risk software all well. Such analysis helps to determine the causes and consequences of each risk, improves the modelling of them as well as identifying the correlations between different management assumptions and events. The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is ultimately the strategy@risk.

Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then the executive management with the help from the risk manager may need to:

• Revise the assumptions used in the strategy.
• Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
• Consider uncertainty by adopting alternative approaches for achieving the same objective or implementing appropriate control measures.
• Accept risks and develop a business continuity / disaster recovery plan to minimise the negative impact of risks should they eventuate.
• Take the right risks that are within the risk appetite set by the Board or the regulator.
• Or, perhaps, change the strategy altogether.

Based on the risk analysis outcomes it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalised. 

At a later stage the risk manager should work with the internal audit to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.   

It is generally considered a good idea to document an organisation’s attitude and commitment to risk management in a high-level document, such as a Risk Management Policy. The policy may describe the general attitude of the company towards risks, risk management principles, roles and responsibilities, risk management infrastructure as well as resources and processes dedicated to risk management. Section 5.2.1 of the ISO31000:2018 also provides guidance on risk management policy.

An article published by Michael Rasmussen back in October 2010 ‘Enterprise Risk Management Policy Structure’ provides an outline of what should be included in a risk management policy and notes that the organisation’s policy should not be “boilerplate.” The policy should reflect the actual activities undertaken by the company and its attitude and approach to managing its material business risks.

Risk management is useful document to communicate with external stakeholders such as banks, investors, auditors, regulators, key customers and suppliers. 

Most organisations have already documented their appetite for different common decisions or business objectives. Segregation of duties, financing and deal limits, procurement criteria, investment criteria, zero tolerance to fraud or safety risks – are all examples of how organisations set risk appetites. Appetites or limits for different kinds of decisions and risks has been around for decades. Not all risks, but most of them.

So, what is this recent hype about risk appetite about? Not much really, it’s just another consulting red herring. Contrary to what most modern-day consultants tell us, the authors believe that any attempts in non-financial companies to aggregate risks into a single risk appetite statement is both unnecessary and unrealistic. Even having few separate risk appetite statements is totally missing the point.

After all, risk appetite is just a tool to help management make decisions and be transparent to stakeholders when making these decisions.

Instead of creating separate new risk appetite statements, risk managers should review existing Board level policies and procedures and identify:

• significant decisions and risks that already have its appetites set. For example, a company may have a Board level policy that prohibits any business ventures with organisations that utilise child labour. Or it may have a requirement not to invest in high risk ventures above a certain ratio or executives have been delegated authority for any budgetary decisions of no more than 300 million.  In cases, where the risk appetite has already been set, risk managers should work with internal auditors to test whether limits are realistic and are in fact adhered to. 80% of the time the appetites for different business decisions have already been set and all the risk manager has to do is to validate, monitor, report any unusual activity.
• for the decisions and risks where no appetite has been set by any of the existing policies or procedures, the risk manager should work with the process owners to develop risk limits and incorporate them into existing policies and procedures. Main risks can be divided into three groups: "zero tolerance" risks, acceptable within quantitative limits and acceptable within qualitative limits. This is the other 20%. Risk managers should use Monte-Carlo simulation, scenario analysis or decision trees to document risk appetites. Once set and documented, risk appetites or limits for different types of decisions should be reviewed periodically to remain current and applicable.

We strongly believe that risk appetites should be integrated into existing Board level documents and very rarely, if ever, published as separate risk appetite statements. Also keep in mind, that risk appetite concept non-financial companies have inherited from regulators in banking sector. For banks risk appetite is used a regulator control mechanism. Sometimes we use the analogy of the dog’s leash. Since most risk managers in non-financial companies are likely to be paid by the CEO and usually work for the management and not the regulator or even the shareholders, risk managers should probably view the concept of risk appetite from a management’s perspective. 

This next step is very important to reinforce strong risk culture within the organisation. ISO31000:2018 states “Oversight bodies are often expected or required to:

— ensure that risks are adequately considered when setting the organization’s objectives;

— understand the principal risks facing the organization in pursuit of its objectives;

— ensure that systems to manage such risks are implemented and operating effectively;

— ensure that such risks are appropriate in the context of the organization’s objectives;

— ensure that information about such risks and their management is properly communicated.”

There are various ways of including risk discussion on the Board’s agenda, however we believe that it is more effective to spend fifteen minutes on risk matters during every significant decision than an hour once a quarter or a day once a year.

It is recommended to discuss risks associated with each decision instead of having risk management as a separate agenda item. After all items on Board’s agenda are risk items.

For example, the Board may want to discuss risks associated with the quarterly budget when discussing the actual budget, or discuss project risks when approving project financing, as opposed to discussing the top ten corporate risks at the end of the meeting when all decisions have already been made.  

The risk manager should, along with the Board secretary, make the necessary amendments to the presentation templates to include a section on risks for every significant decision. The risk manager, in conjunction with the internal audit, should also ensure that the risk information provided to the Board by the management is complete, accurate and consistent. To improve the quality of such information, risk managers may wish to consider staff training or personally quality check the information before it goes to the Board. 

Some Boards may create a separate Risk Committee or expand the scope of the Audit Committee to review matters related to risks. Our experience, when talking to different risk managers during the interviews, shows that this may be more fashionable than practical, since most decisions are taken long before the information is formally presented to the Board of Directors. Several people interviewed mentioned that it makes more practical sense to have a management level risk committee instead. Nevertheless, the Board level risk committee can play an important oversight role and have a very positive impact on the overall risk culture within the organisation. Sometimes this is called “security theatre”. 

Most of the risk managers we have interviewed agreed that having a management level Risk Management Committee has a significant positive effect on the overall risk management culture.

While the composition of the Risk Management Committee can vary from company to company, it should be sufficiently representative to ensure different points of view on risk are considered. Based on our interviews, the best results tend to be achieved when the risk committee brings together supporting functions (finance, risk, legal, security, internal audit) and business units (operations, sales, marketing).

The Committee can either deal with matters related to risk management methodologies and risk management integration into various business processes or it may participate in the decision-making process (investments, projects and other high-risk activities) or both. The Committee may meet on a regular basis (monthly or quarterly) as well as upon request from the Chairman of the Committee if there are questions that require urgent risk analysis. 

Selling risk management to key stakeholders is not simple. Risk managers need to learn to be proud of their contribution to the overall success of the company. Any positive results achieved by managing certain risks to a high standard should trigger the risk manager to share this success both internally and externally. This can be done by presenting at various conferences and industry events or publishing small articles in relevant magazines or web publications. Here is a list of places where we normally publish our work:

• Official RISK-ACADEMY blog https://riskacademy.wordpress.com   
• G31000 LinkedIn discussion forum https://www.linkedin.com/groups/1834592
• Corporate Compliance Insights www.corporatecomplianceinsights.com
• Continuity Central www.continuitycentral.com
• CERM ® RISK INSIGHTS http://insights.cermacademy.com/
• Insurance Thought Leadership http://insurancethoughtleadership.com/
• Company newsletters
• Company intranet portal
• Company public website

Sharing information about risk management will raise risk management awareness internally and reinforce trust and transparency with suppliers, contractors, key clients and regulators externally. Clearly this is only applicable to non-confidential, public information that does not include any trade secrets or other sensitive information.

A number of the risk managers we have interviewed suggested that sharing information about risks and their mitigation with banks, investors, insurance companies and suppliers can result in significant cost savings on finance (lower cost of financing), insurance costs (lower premiums) and the cost of goods.

Another good idea is to participate in annual risk management awards sessions, like the one organised by G31000 globally or by the Institute of Strategic Risk Analysis in Decision Making (ISAR) in Russia.

The best idea, however, is to use risk management to help one or some of the executives achieve their objectives and KPIs and let them promote risk management internally and externally. Noting beats a powerful spokesman to drive the risk management integration message. 

Risk managers should encourage employees to openly raise risk management related issues. This is possible by spending a considerable amount of time every day communicating with their colleagues and staying up-to-date on the latest developments and emerging risks or failures in the internal control system.

Share the risk manager’s contact information with employees or provide a confidential hotline for communicating risks through the internal company website or via the phone. Risk managers should motivate and encourage staff to be proactive about identifying and preventing risks. One of the risk managers we have interviewed started a table tennis tournament to build rapport with other business units and to have regular conversations in an informal setting with other managers. Another risk manager we have interviewed created daily performance and incident reporting meetings to encourage ongoing discussion about potential threats and opportunities. Anything that creates a vision of an approachable and helpful risk manager works.

We, for example, have created a risk management page on the company intranet with a message form to allow people to anonymously send messages to the Head of Risk about any emerging risks. Over the course of three years it was used exactly zero times! Was it a waste of time? Of course not. Because even though no one felt comfortable using the online form, dozens of employees approach me to ask for feedback, comments, opinion or share information about emerging risks or a potential issue.

Risk managers may consider introducing a rewards programme for active participation in risk management activities. It is important to encourage a “no blame” culture and communicate it throughout the company. 

Risk managers should build relationships and join forces with the other managers responsible for performance improvement initiatives, like lean management, quality, safety, environment, security, internal audit or others. Risk managers should participate in relevant major performance improvement workshops (for example, kaizen sessions during lean projects) to better understand sources of risks and suggested solutions, or at least review the results of those analytical sessions.

Risk managers should make sure that common risk management principles and language are used throughout the organization.  

The ISO experts at the ISO Technical Committees level are doing it, making sure the language in ISO9001:2015 and ISO14000:2015 is consistent with ISO31000:2018, so no excuses for the risk managers on the ground. 

Here is a small and clever case we came across during our research. One risk manager we have interviewed approached a CEO of a large investment fund to implement risk management across its 90+ portfolio companies. The CEO said it was a good idea, but since the company was a minority shareholder in most portfolio companies, it has to be voluntary, risk manager was not allowed to force them to implement. So, the risk manager played a little trick with the Head of Internal Audit. Here are the steps:

• Risk manager created an implementation pack and sent a communication to all portfolio company CEOs a free offer to use the pack and implement themselves. 1 out of 90+ responded and the risk manager worked with them to set the foundation.
• One month later the risk manager worked with internal audit to include risk management questions into the annual compliance review questionnaire for the portfolio companies.
• Six months later, not surprisingly, most portfolio companies received non-compliance report for the lack of or limited risk management.
• Another month later the risk manager once again sent a communication to all portfolio company CEOs a free offer to use the risk management implementation pack. This time more than 65% of all portfolio companies opted in. All this was achieved within a single year. Not bad. 

A large part of risk management success depends on the support and commitment from executives, Board members and key stakeholders.

It is important, as early as possible, to identify specific people at different levels within the organisation who support the concept of risk-based management and are ready to assist the risk manager:

• At the executive level – risk managers should find what motivates different executives, the CFO, for example, may be interested in implementing and supporting risk management to show the realistic risk-adjusted results and forecast to the banks and insurance companies to save on financing or insurance costs. Or he may be interested in having a methodology to validate investment projects, because he is not happy with how company was investing in very high risk initiatives lately.  The COO may be interested to decrease the level of operational risks.  The HR Director may be interested in timely identification of the staff turnover risk, etc.
• At the Board level – independent directors or other Board members may be supportive of risk management because it provides greater transparency in decision making and creates an additional information channel for them.
• At the auditor level – risk managers should participate in the audit methodology discussion and try to synchronise risk management methodologies between what is used internally and what external auditors apply.
• At the regulator level - risk managers should discuss regulators’ expectations and methodologies to try to synchronise risk management methodologies between what is used internally and what regulators expect.

Finding the right sponsors is more of an art, than a science. It’s highly unlikely that the risk manager will be able to convince all Board members or all executives. However, this is not really necessary, as long as the risk manager has support from certain individuals at every level mentioned above. 

 The risk governance model depends on the management and shareholders’ expectations, the regulatory requirements as well as on the risk manager’s competencies and on the resources available for risk management implementation.

The risk governance can be structured using the classical three lines of defence concept:

• The 1st line of defence - Business units: executives, business department management as well as employees. As part of their daily duties those listed above are responsible for timely identification, assessment, management, monitoring and reporting on risks. Senior management and the Board of Directors determine the strategy for risk management, approve risk appetite and monitor how major risks are managed.
• The 2nd line of defence - Functions of risk management and other support functions (such as safety and quality, finance, insurance, etc. are business consultants and are responsible for developing the methodology for managing risks, awareness and training, and methodological support. Sometimes the risk management team also performs a quality control function and aggregates information about the risks.
• The 3rd line of defence - Internal audit: Independent bodies, such as internal audit, provide independent monitoring that the risk management is carried out as in line with internal policies and procedures, and that the management of key corporate risks is performed.
• The risk management function is the centre of competence for all risk analysis and is responsible for an independent, timely and quantitative risk analysis for the decisions proposed by management. This approach is different from the traditional three lines of defence, as risk managers take greater responsibility and ownership over some of the risk analysis and maybe even some risks. This allows the risk manager to be directly involved in the process of decision making and to assume the responsibility for the outcomes on par with other executives.
• In certain cases, the risk manager may have the mandate to block excessively risky transactions or projects that do not meet the strategic goals of the company.

While commonly accepted and simple in theory, the three lines of defence model is overly idealistic and doesn’t work well in non-financial services. Risk managers may want to consider an alternative and better risk governance structure where:

Based on the experience of the authors the second option is much more effective. CEOs rarely are prepared to pay good salaries for facilitators and methodology experts that have nothing valuable to contribute to a specific decision. Nassim Taleb calls it ‘having the skin in the game’. To him, this is the only way to manage risks. We agree.

Another interesting analogy for the risk manager is the Advocatus Diaboli (Latin for Devil's Advocate) was formerly an official position within the Catholic Church: one who "argued against the canonization (sainthood) of a candidate in order to uncover any character flaws or misrepresentation of the evidence favouring canonization".[1] Supplements to this chapter a five short recording on how a risk manager can play a devils advocate role and what is required.

[1] Helterbran, Valeri R. (1 January 2008). Exploring Idioms. Maupin House Publishing, Inc. p. 40. ISBN 9781934338148.

Risk managers may begin the implementation of the selected risk governance model by documenting risk management roles and responsibilities. It is quite common to describe risk management roles and responsibilities in risk management policy or a framework document. This approach seems simple to implement, yet not very effective, as business units often don’t feel ownership of these documents, instead they consider them irrelevant in everyday business and simply ignore them. There is a better way.

It is considered more effective to incorporate risk management roles and responsibilities into existing job descriptions, operational policies and procedures, various committee charters and working groups. Risk management roles and responsibilities must be identified and documented for all levels of management. As mentioned by a number of the risk managers we have interviewed, it is a much more effective than listing roles and responsibilities in the risk management policy or framework document.

That being said some people feel quite sensitive about their job descriptions, so instead of initiating major changes and updates for the sake of integrating risk management roles and responsibilities, wait for the HR to initiate change on other topics and add risk management points as part of the broader changes.  

Some of the common roles and responsibilities include:

• Board of directors (if available)
  • Provide oversight of the overall risk management effectiveness
  • Make Board level decisions with proper consideration for risks
  • Review and establish risk-adjusted appetites/limits for certain business activities, types of risks (usually required by law) or decisions
  • Set risk-adjusted performance targets and KPIs for CEO and the management
• CEO
  • Responsible for establishing the overall risk management framework
  • Make decisions with proper consideration for risks
  • Approves the strategy, business plans and budgets based on the risk management information
  • Set risk-adjusted performance targets and KPIs for senior management
  • Provide timely and accurate disclosure for risk-adjusted performance, most significant risks and their treatments to the Board of Directors / investors / owners
  • Allocate responsibility for effective risk management to risk owners
  • Assign responsibility for designing and implementing the risk management framework
  • Allocate resources necessary to perform business activities with risks in mind   
• Risk manager
  • Design and implement the risk management framework
  • Coordinate risk management activities and provide methodological support for the risk-based decision making
  • Participate in the decision-making process (if required)
  • Participate in the preparation of management reports, providing relevant information about risks and their treatments
  • Coordinate the work of the Risk Management Committee (if applicable)
  • Provide risk management training or integrate risk management into existing trainings
  • Implement activities designed to integrate risk management into the overall culture of the organization
• Other business unit heads:
  • Identify, assess and treat risks associated with business activities or decision-making within their area of responsibility
  • Allocate resources necessary to manage risks within their area of responsibility
  • Optimize business processes or decision making based on the information about risks.

Work with your HR team to include ISO31000 knowledge and risk management competencies in job descriptions / position descriptions for new hires.

Most modern-day risk managers are familiar with developing a risk management framework or procedure documents. These documents capture risk management roles and responsibilities, outline risk management processes as well as other aspects of risk management.  Risk management framework documents became so common, that nowadays they don’t require much effort to develop and there are plenty of free templates available online. The only problem is that nobody in the organisation, except the risk manager and the internal auditor, reads them. Clearly, something is not right.

Over the years, we have discovered a much better way to document risk management frameworks, procedures and methodologies. Instead of writing a separate risk management framework, companies should upgrade its existing policies and procedures to include elements of risk management where appropriate. One investment company that we interviewed documented risk management methodology in the investment manual instead of creating any new risk management documents. This essentially changed how the investment process works, made risk management a critical step in investment decision making, gave investment managers a sense of ownership and had a huge positive impact on the risk culture within the organisation.

The same approach can also be used for any other business process. Instead of creating a single, centralised risk management framework or procedure document, risk managers should review and update existing policies and procedures to include elements of risk management. Some procedures may require a minor update, with only a sentence or two added while others may need whole appendices written to include risk management methodologies. This approach also reinforces the need to create separate risk management tools and methodologies for different business processes. 

Every risk manager we have interviewed explained to us that periodic risk culture evaluations help strengthen it. So, we wanted to give readers some practical ideas around it.

There are multiple models which can be used to assess the current state of risk culture, including the risk culture framework developed by the Institute of Risk Management, UK or the risk maturity model developed by G31000 that covers elements of risk culture. Whatever the model risk managers select, they should make sure it is aligned with the ISO 31000:2018 principles.  

When reviewing risk management culture, risk managers should, among other things, look at:

• Whether accountabilities and responsibilities for risk are well documented - A critical component of risk management integration is including responsibility and accountability (authority, resources, competences) for managing risks into all business activities. Top management should ensure that responsibilities and authority for relevant roles with respect to risk management are assigned and communicated at all levels of the organisation.
• Evidence of risk management competencies - Risk management competences should be developed in all core business units. Risk management competences should also become an important attribute when hiring new personnel to the organisation.
• Evidence of risk management training and awareness - All employees should receive risk management training appropriate to their level and risk exposure.
• Whether individual performance management considers risk information - Mature organisations align individual performance management with risk management. Employees should have individual key performance indicators relating to the management of risk and their participation in the risk management processes.
• Evidence of open communication and transparency - Information about the risks is openly discussed during the decision-making process. Significant risks are given due attention at the management and Board meetings. Executives are receptive to bad news and are ready to discuss risks and risk mitigations.

Risk managers should regularly discuss culture and attitude to risk with senior management and the Board, as well as help communicate Board and senior management expectations to the employees.

Once risk management roles and responsibilities have been documented in job descriptions and committee charters then appropriate and measurable KPIs should be developed. Just like anything else, risk management KPIs need to be integrated into the overall performance management system, better still existing KPIs should be made risk-based instead of separate risk management KPIs.

Risk management is everyone's responsibility. Yet, research in neuroeconomics [1]shows that managing risks is not natural for people, it may even be against human nature. Without proper motivation or with inadequate motivation, employees are often reluctant to consider and disclose risks as part of their decision making. This message was reinforced during our interviews. Companies that have implemented and monitored risk management KPIs for key employees have demonstrated significantly higher risk management maturity.

KPIs should be specific for each role within the overall risk governance model.

For example, KPIs for the CEO may include:

• an improvement in the risk management culture rating;
• regularity and quality of risk disclosure to shareholders;
• achieving risk-adjusted profitability measures.

For CFO or COO risk management KPIs may include:

• improvement in risk management culture maturity;
• RAROC (risk adjusted return on capital);
• risk-adjusted cash flow and liquidity measures;
• the number of critical operational events and so on.

For the employees, a risk management KPI may include timely and accurate risk analysis during core business processes or significant decisions. 

[1] https://en.wikipedia.org/wiki/Risk_perception

An active network of “risk champions” is a very effective way to develop strong risk management culture. This network could become the “glue” between the risk management team and the rest of the business. “Risk champions” can be of three types:

• Official risk coordinators - employees, whose official duties include coordination of risk management processes within individual processes or business units. They are usually responsible for preparing information about risks, monitoring risk mitigation progress, organising risk management events or training. This role becomes less relevant with the integration of risk management into decision making.
• Unofficial informants – employees, who have established informal, yet trusted relationships with the risk managers. They provide information about emerging risks or changes in the organisation processes or risk profile. A large network of informants is critical for risk managers to stay up-to-date on what is happening in the company. Good risk managers invest significant amount of time to have a network of people who can help with advice or information.
• Influencers – employees, who support the integration of risk management into the organizational activities and processes because it makes good business sense for the company or them personally. They will usually participate in the Risk Management Committee meetings and will support initiatives proposed by the risk managers.

"Risk champions” help to implement risk management elements in key business processes and procedures within the organisation. Usually, "risk-champions" are employees who are naturally motivated to effectively manage risks, such as employees responsible for project management, methodology, process improvement, audit, internal control, etc.  For larger organisations, it may be necessary to identify "risk-champions" not only for key processes, but also for each geographical area where the company is represented. 

New hires come from a variety of education and experience backgrounds and most importantly, each new employee has their own perception of what is an acceptable risk. It is important for risk managers to cooperate with the Human Resources department or any other business unit responsible for training, to jointly carry out training on the basics of risk management for all new employees. One of the risk managers we interviewed mentioned that the risk management induction should not be long. It should take about ten minutes and include the basics of business and investment decisions under uncertainty, key risk management roles and responsibilities and the ISO31000:2018 risk management principles as per the company’s Risk Management Policy. 

Tone at the top is very important for risk culture development. Executives and Board members play a vital role in driving the risk management agenda. Nowadays many executives and Board members have a basic understanding of risk management. Auditors, risk management professional associations and regulators have been quite influential in shaping the Board’s perception of risk management.

Unfortunately, not all the messages communicated by the auditors and regulators are sound and some are downright wrong. For example, one of the government agencies in Russia published a guidance document that encourages companies to have a standalone risk management process and in many ways contradict the core principles of ISO31000:2018. Despite our best effort to block the document, it was approved by the government and now most government owned corporations in Russia have to create two parallel risk management frameworks, one for the regulator and one for the decision makers.

It is important for the risk manager to take the lead on forming the Boards and senior managements view on risk management by providing risk awareness sessions and relevant information. Here are some of the most important messages risk managers need to include in their communication with the Board:

• Decision quality and how people make decisions under uncertainty;
• Positioning risk management as a tool to help management make decisions;
• Risk management should be an integral part of existing business processes and regular management reporting, not a standalone quarterly or annual activity;
• Risk management is not about avoiding or minimising risks, it’s about making informed decisions.

It may be appropriate to bring in an independent advisor to conduct risk awareness training for the Boards and senior management to reinforce the messages shared by the risk managers internally.  

Provide additional risk management training to the in-house risk management team and business units responsible for internal control, audit, finance, strategy and others. Risk managers may conduct it personally or outsource to third party providers. In-depth risk management training should include (this example is based on the actual risk management training provided by Institute for Strategic Risk Analysis and RISK-ACADEMY to some of the largest non-financial companies in Russia):

RISK MANAGEMENT FOUNDATIONS

• Definition of risk
• History of risk management
• International and national risk management standards
• Introduction to finance, project management and process management
• Introduction to statistics
• Insurance basics

RISK MANAGEMENT IN DECISION MAKING

• Identification of risks associated with decision making or goals/KPIs achievement
• Risk analysis in decision making (sensitivity analysis, scenario analysis, Monte-Carlo simulations, decision trees, scoring models)
• Risk mitigation and risk-based decision making
• Disclosure, reporting, monitoring and review

PSYCHOLOGY AND RISK MANAGEMENT CULTURE

• Risk psychology and cognitive biases in decision making
• Risk management culture
• Principles of risk management ethics

INTEGRATING RISK MANAGEMENT INTO THE BUSINESS

• Understanding the organisational appetite for risk
• A roadmap for risk management integration:
  • Developing new and updating existing policies and procedures
  • Integration into decision making, planning, budgeting, purchasing, auditing etc.
  • Risk management roles and responsibilities, risk management KPIs
  • Integrating risk information into management reporting
  • Resources required for the implementation of risk management
• Auditing risk management effectiveness
• Risk management continuous improvement
• Risk management software

Just like any other business expense, a risk management training budget needs to be justified. And just like any investment decision, risk management training needs to show adequate return on investment. Training costs money: the development process, hiring trainers and getting employees to dedicate time away from their workplace to participate in training.

One useful way, suggested by risk managers we interviewed, was to make all risk management training competency based and setting KPIs to check for noticeable improvement in the quality of risk based decision making. Each training session should start and end with competency tests. Surveys should also be conducted one month and six months after the training to test for knowledge retention. 

Another useful suggestion is to develop an internal risk management certification for employees working in high-risk activities. This will ensure staff working in high risk activities, like manufacturing, trading, insurance, security and others possess adequate risk management skills and remain cognisant of the risks associated with their work.

Certification programmes may be developed internally or outsourced. Depending on the high-risk activity the certification may be high level or in-depth, in any case it should test:

• Understanding of legal obligations;
• Awareness of risks in the workplace;
• Ability to make quality decisions under uncertainty;
• Understanding the protocol for communicating and escalating risks;
• Evidence of moral and ethical behaviour.

We use a lot of gamification in our training sessions. Some of the examples include:

• Risk management business game 2014 – In 2014 we collaborated with EY to develop Russia’s first risk management business game. It was great fun and as a result we created a pretty sophisticated business simulation. Participants were split into teams of 10, each person receiving a game card that describes their role (CEO, CFO, risk manager, internal auditor, etc.). At the start of the game, teams must choose one of four industry sectors (telecom, oil and gas, energy or retail) and name their company. The game consists of four rounds, each round teams must make risk based decisions. Each decision has a cost associated with it and a number of possible outcomes. Teams must analyze and document the risks inherent in each decision they make. The riskier the decision the higher the probability of adverse outcome. At the end of each round, computer simulation model choses a scenario and the outcome is announced to each team. Each decision has consequences, the outcome may either make money for the business or lose money. The aim of the game is to increase the company valuation by properly weighing up risks and making balanced business decisions. The winning team is the one which increased its company’s value the most after four rounds.
• Risk management business game 2015 – In 2015, we started working with Palisade to develop something a little different. Just like in the previous version of the game, the participants were split up into teams of 10. However, the game mechanics have changed substantially. Each player still receives a card describing their role, but this time the card provides a complete history of the character’s role within the company and assigns each player a unique secret mission. The aim of the game is to successfully complete a merger between large holding company and an innovative startup. The game as before consists of four rounds. The first round involves performing a risk assessment of the target company. Each team must identify 10 significant risks using only the information provided on the cards. The second, third and fourth rounds are dedicated to the management of these risks. Each identified risk has between 5 and 10 possible mitigation strategies that can be selected by the team. Each team has a limited budget dedicated to risk mitigation and each mitigation action has a cost. The winning team is the one which increases the value of the target company more than the others and is then able to successfully complete the merger.
• Risk management business game 2015 (online version) – With the help of eNano, we went even further and produced an interactive online risk management business game (only available in Russian). This game combined e-learning course and an online business simulator. Each participant takes on the role of general manager of one of three innovative companies. They then receive tasks that need to be completed throughout the e-learning course:
  • First each participant needs to conduct interviews with AI colleagues in order to identify and document risks;
  • Then he needs to evaluate risks using the information presented. Note that just like in real world, most of the information presented is biased;
  • Then he needs make difficult decisions relating to risk mitigation given a limited budget;
  • During the last step, participants need to develop an action plan designed to improve risk culture.
• Risk management game 2016 –  This game is the result of collaboration between RISK-ACADEMY, Palisade, Institute for Strategic Risk Analysis (ISAR) and Deloitte. Together we have created an amazing business game to teach non-financial management and staff how to perform risk modelling on day to day management decisions. Participants will have to play a role of an aircraft engine manufacturing company. Each team has prepared a business case for a multimillion dollar plant modernization. Unfortunately, the project plan have just been rejected by the Board, so teams only have a couple of hours to conduct in-depth risk analysis and present updated an business case to the Board. The game is focused around risk modelling, requiring participants to identify and validate management assumptions, identify relevant risks, establish ranges and select possible distributions for each assumption, perform Monte Carlo simulation using Palisade@Risk and present the final results. All this has to be performed in limited time and with incomplete information… just like in real life. And just to add a little bit of drama, like in real life participants have to deal with unexpected “black swans” during the game. The aim of the game is to prepare risk analysis for a multimillion plant modernization investment project. The team with the highest risk adjusted rate of return wins.

Passive learning techniques also work quite well:

• Make sure that risk management information is available to employees, contractors and visitors. Place Risk Management Policy on the intranet and the corporate website, record and publish risk management training or awareness sessions videos on the dedicated risk management intranet page.
• Invite guest speakers (risk managers from other companies) to speak at the Audit Committee or Risk Management Committee and give employees the opportunity to participate. We have used this in the past and it worked very well.
• Periodically post useful risk management related articles and research papers on the corporate intranet. Make the risk management information easily accessible to staff.

The golden rule of risk management - the simpler it is, the more transparent and easier it is to understand and implement!

The Risk manager’s goal should be helping organisations become more risk-based. Risk management tools and methodologies should be clear to the rest of the organisation and easily adoptable in the normal course of doing business. Otherwise risk managers are likely to meet a lot of resistance or be simply ignored, which is even worse.

Risk managers need to speak the business language and avoid the risk management jargon when dealing with the business. The use of the terms VaR, EaR, CFaR may be perfectly acceptable to communicate with the CFO, but the Head of production will very quickly lose interest. Even the most basic terms like risk profile, risk mitigation, risk owner, risk assessment are unnecessary and completely avoidable.

Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same - disappointment. Best case scenario - annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting. In this guide the authors are proposing an alternative approach. Something that will help integrate risk management into everything the business does.

Did it ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.

Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense.  Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.  

This guide is designed to help the business take risks into account every time they take a decision, not quarterly or annually. The authors believe that this can only be achieved by changing the very nature of existing business processes (planning, budgeting, investment management, performance management, procurement and so on) and making them more risk-based. This also means that risk management process is not a singular process, there should be multiple, different risk management processes in the organisation.

According to the ISO 31000:2018 principles, risk management is an integral part of all organizational activities. and decision making. Picking up on that important point, risk management should be seen as a management tool designed to improve planning, budgeting, performance management and other core business processes. Risk management also helps management to make more informed business decisions about achieving strategic or operational goals and sometimes may even highlight the need to change the strategy altogether due to an unacceptable level of risk.  

Below are just some of the practical ideas to help integrate risk management:

• Document appetites / tolerances for different risk types in the relevant Board level policies and procedures instead of creating separate risk appetite statements;
• Identify significant risks and assess their impact on the Company’s business plan and budget;
• Run risk simulation to determine realistic strategic or operational KPI values;
• Run risk simulation to determine key budget constraints;
• Integrate risk analysis into key management, investment and project decisions;
• Remunerate management based on risk-adjusted performance measures.   

Effective risk management increases management confidence in achieving objectives, reduces uncertainty and helps make informed, risk-based decisions. In this section, we provide examples of how risk management can be integrated into:

• Strategic planning;
• Budgeting;
• Performance management;
• Decision making. 

We start with strategic planning because it affects all levels of management, hence giving maximum exposure to risk management. Senior management, Board members and even some shareholders input into the process, while the rest of the company and broader stakeholders usually see the outputs of strategic planning. Integrating risk management into strategic planning helps to raise the risk management awareness and address the uncertainty associated with achieving strategic objectives.

The impact of uncertainty on the strategic objectives should be assessed at the time the strategy is formulated and not after it was approved by the Board of Directors. To integrate risk management into strategic planning properly, risk managers first need to build the relationship with the strategic planning department then make sure the strategic risks are included on the strategic sessions / workshops agenda and provide risk analysis to support such discussions. Another action point is to include elements of risk analysis into the actual strategy setting and update processes. Risk managers can use scenario analysis or simulation modelling to present an independent opinion on strategic objectives and the impact the risks may have on their achievement. In some cases, the company's senior management or Board members may request an in-depth analysis of certain strategic risks before finalising the strategy. One of the risk managers we interviewed told us how analysing long-term liquidity using the Monte-Carlo simulation helped reshape the whole strategy of the company. 

While it is quite common to budget using three scenarios (optimistic, realistic and pessimistic) it may not be sufficient from a risk management point of view. These scenarios are often formed without the risk management team’s participation or even without due consideration of the actual risks, associated with the budget. Thus, even the pessimistic scenarios often do not account for many significant risks, creating an overly optimistic and misleading picture for the executives and decision-makers.

Proper risk analysis can bring significant value to the budgeting process. Risk managers should review and improve management assumptions used in scenario analysis or introduce the use of simulation modelling to make sure all important risks are captured and their impact on liquidity assessed. Risk analysis helps replace static, point in time, budgets with a distribution of possible values. It also helps set management KPIs based on the risk information, thus improving the likelihood of them being achieved and reduces the conflict of interest the finance department and management team have in presenting an overly optimistic budget. Risk analysis helps to identify the most critical risks affecting the budget, allowing management to allocate ownership and determine the budget for risk mitigation.

Integrating risk management into the budgeting process requires the risk management team working closely with the finance department, as risk analysis may lead to the change in budget assumptions or targets. 

Risk management should be integrated into the performance management cycle of the organisation: both at the individual level and the corporate level.

One of the risk managers we interviewed shared an example where traditional static corporate key performance indicators (KPIs) have been replaced with dynamic, risk-based, ranged KPIs. This allowed their management to have bands of values instead of a single value. Some KPIs stayed as single value estimates however they were calculated as the 95% percentile of the distribution of possible values based on the Monte-Carlo simulation. Triggers and key risk indicators may also be set for corporate KPIs to improve monitoring and performance tracking.

At an individual level, risk management KPIs may be set around risk-based decision making, timely risk mitigation, risk management training grades or an internal audit assessment of the risk management effectiveness in different business units.  

Risk management should not be viewed as a separate, stand-alone process. One of the most effective and yet simple ways to change management’s perception about risk management is to integrate risk analysis into the various decision-making processes.

Performing risk assessments for all significant business decisions can dramatically raise decision quality and provide management with valuable insight and alternatives. This statement alone has great implications for modern-day risk management. Business decisions are made daily, not monthly or quarterly when risk managers usually refresh their risk assessments. Risk management processes should change to accommodate this business demand.

Another important question is - who should be responsible for the quality and timeliness of risk analysis for each decision. Should it be the business units, risk owners who initiate the decision or an independent risk manager?  Despite the widely-accepted model of three lines of defence, the choice is not always obvious. While the authors are confident that risk analysis should be integrated in the decision-making process, the scope and complexity of each decision should determine the extent of the necessary risk analysis, the tools used and the responsible party.

To help integrate risk management into decision-making, risk managers may consider making changes to the current templates which are used for presenting decisions to senior management and the Board. Including a simple section called “risks associated with the proposed decisions and risk mitigation” can help raise risk awareness, reinforce the need for timely risk analysis and improve risk disclosure.

Other examples may include:

• Investment decisions. Using simulation modelling to assess the investment attractiveness of projects can allow the company to avoid many pitfalls associated with more traditional valuation methods. Instead of the net present value (NPV) assessment, companies can estimate distribution of possible outcomes, the probability of a negative NPV and most significant risks that need to be mitigated to improve project performance. Scenario analysis and simulations can significantly improve the quality of the investment analysis.
• Assessing behavioural risks. Use elements of game theory and behavioural psychology to improve the quality of risk analysis, identify trends and, consequently, increase the quality of business decisions. Additional material on game theory can be found at www.patrickmcnutt.com
• Financing decisions. Most financing decisions involve a trade-off between risk (potential cost) and potential benefit. Very often these decisions are based on expert opinions and assumptions, instead of the proper analysis of cash flow at risk or other risk-based financial indicators.
• Operational decisions. Decisions on production forecasts, supply chain, plant maintenance, outsourcing and inventory also require a balanced analysis of risk and return.

Bryan Whitefield said it best in his newsletter: ‘Identify all the stakeholders you need to influence. Identify the order in which you wish to tackle them. It is always best to get senior management’s buy-in first; however, sometimes that just isn’t possible, and you have to win over their key influencers before you can tackle them. Make sure you have a clear strategy. Identify their main motivators, hobbies, and interests. Your best opportunity for engaging someone who does not already know you and trust you is to ignite his/her interest through something he/she is already passionate about.

Risk management has so many intangibles. You need to do your best to make what you want to achieve seem tangible to your target audience. People comprehend best when you provide them with both visual and verbal descriptions—so draw a picture and tell a story. Choose examples that are most likely to relate to the motivators, hobbies, and interests you have identified.

Speak their language—I call it moving from “risk speak” to “c-suite speak” when engaging senior executives. Too often we simply blurt out what we know is needed in what we might consider to be simple risk language; however, it may mean almost nothing to our audience. Try talking “inherent risk” with a CEO. You know—the world without controls. You would probably agree that a better approach would be to discuss the need to identify where the organisation may be able to save some compliance costs by understanding which of the company’s current controls are the most important and which are not.’

Source: Risk e-Views Vol 4, December 2010, Risk Leadership: How to be Heard, Bryan Whitefield, Director, Risk Management Partners (reproduced with the permission of the author).

Risk disclosure is very important. Increasingly, stakeholders are expecting companies to test and disclose the effectiveness of not only financial risk management but also other business risks, including market, operational, safety, legal etc.

When disclosing information about risks to external stakeholders, it is recommended to include at least:

• A brief statement about the company's overall commitment to risk-based planning, budgeting, project management, investment and decision-making. This information may be disclosed in the annual report and on the company's website in the section entitled "Corporate Governance".
• A more detailed statement in the annual report, including:
  • overview of the current risk-based processes,
  • the progress that has been made in integrating risks and building risk culture since last year,
  • the management structure, which contributes to the risk-based management of the company and any other significant achievements.

In the true spirit of risk management integration, it may be a good idea to spread the information about risk management throughout the annual report instead of creating a separate section titled “Risk Management”. For example, risks associated with strategic objectives may be described in the Company Strategy sections, risks associated with liquidity, foreign exchange and interest rates may be described in the Financial report (most organisations already do this part), risk associated with social and environmental activities covered in the Social responsibility section etc.

The disclosure of the following information is optional: information about key risks associated with the business plan or the achievement of the strategic objectives and any information about the past incidents or losses. Keep in mind, that risk management disclosure should not include any sensitive information or trade secrets.

It is important to remember however that there may be some risks which are required to be disclosed by law.

Other external reports where risk management information may need to be disclosed:

• any fundraising activities;
• security issuer quarterly reports;
• other documents, required by stock exchanges, regulators or investors.

Finally, we would like to encourage risk managers to present at conferences and related events to talk about risk management and to raise awareness about ISO31000:2018. 

Forget the old-fashioned risk information flows from business units to risk managers who develop risk reports and present them to executives, the audit committee or the Board. There is a better way. Based on the research and interviews we conducted, the internal risk communication should be two-way:

• Business units should be reporting on their own risks as part of normal performance reporting (be it weekly, monthly or quarterly performance reporting) as well as for any significant decisions;
• Risk managers should be reporting on risks when there is an alternative point of view that is contradictory to business unit opinion or risk managers have additional information which should be considered when making a decision.

One thing is clear, information about risks should flow in the organisation every day and every time a decision is being made, not once a week or month when a risk assessment is done.

There are several ways to significantly improve internal risk management communication:

• Include the requirement to share / disclose risk information in policies and procedures;
• Change performance reporting / management reporting templates to include risk analysis results;
• Get involved in report and document preparation to make sure risks are adequately captured;
• Create own communication channels (newsletters, intranet site, email alerts);
• Take ownership of some internal reporting on risks. 

Risks rarely happen overnight. There are usually signals, warning signs. Despite their best intentions, executives and most certainly the risk manager are often detached from the operational activities. And while it should be the risk manager’s goal to get involved and at least be aware of what is happening in the company, it is up to all employees to identify potential issues early and notify the decision makers.

Employees are an invaluable source of information on operational and emerging risks. Usually, junior and mid-level staff discuss emerging issues and potential threats freely long before they become public knowledge. To take advantage of this source of information, risk managers need to develop a simple and transparent mechanism for communicating and escalating risks. The company employees should be able to just make a phone call or send a confidential email or upload information to a secure intranet site to share their concern about a risk and/or any uncertainty. It is equally important to promote these confidential channels and inform staff about their existence. Based on the interviews we have conducted, risk managers told us that while such hotlines are rarely used, their shear existence creates a trustworthy relationship between the risk manager and the business.  

Validating management assumptions is probably the single most important value a risk manager can bring to his / her company. As companies and markets are becoming more interdependent, an issue in one industry or country may have a flow on effect on the global supply chain. The business environment is becoming more volatile. Unfortunately, many companies have been slow to adjust for such volatility. We have noticed an alarming trend to match the models to the desired outcomes to keep shareholders happy and justify bonus payments. Risk management needs to be vigilant to this often unethical behaviour. These topics were very well disclosed in the Professor Patrick McNutt’s book Strategic code - patterns and prediction of behaviour.

Management assumptions about interest rates, FX, market growth, customer behaviour and new technologies are quickly becoming outdated or overly optimistic. Risk managers play a vital role in verifying those assumptions to ensure they remain current and realistic.

Scenario analysis, stress testing and Monte-Carlo simulations help risk managers test current business plans and financial models to verify and validate assumptions made by management. Some risk managers use game theory principles and behavioural psychology to help management look at the strategic risks from different angles.

Risk managers can bring a lot of value to the company by informing management about emerging risks. To do this, risk managers need to establish procedures for scanning the external and internal environment, for identifying emerging risks, recording them and informing senior management in a timely manner. 

In order to identify emerging risks, risk managers need to regularly communicate with representatives from different business units. Some suggested that risk managers should establish a routine that allows them to have weekly or daily informal conversations (over coffee, group lunches, quick chats in the corridor) with the heads of different business units. One risk manager we interviewed created an informal table tennis tournament to have an opportunity to meet different business units in an informal relaxed setting every week. Another risk manager suggested joining efforts with internal auditors or internal control specialists to identify emerging risks and to provide management with an assessment of organisational readiness / resilience to meet emerging threats.

Staying connected with the global risk community is also a good way to learn about some emerging risks. Although truth be told most national risk management associations are more concerned about fashionable risks or what we may call fads. And they are often late, jumping on the bandwagon once the risk becomes imminent, not emerging. 

Risk managers have a unique competency to identify and analyse risks using advanced tools like scenario analysis, sensitivity analysis, decision trees and Monte-Carlo simulations. This toolset can significantly improve business decision making. And just like any other service or tool it needs to be marketed to the rest of the organisation.  

Risk management needs to be seen as an internal service offering.

Risk managers need to make management aware and to promote its quantitative risk analysis and risk modelling services to the business. Risk managers should have a clearly documented value proposition for its services, including:

• Documented methodology;
• Estimation of time and company resources;
• Expected benefits;
• Reporting templates and examples.

A number of the risk managers we have interviewed commented on the fact that best results and most value is created when an executive approaches the risk manager to perform a specific risk calculation or model a particular set of scenarios. Risk managers need to make sure executives know what risk management team can offer the rest of the organization.

At the risk of sounding controversial, we believe risk managers sometimes need to take responsibility for providing an independent risk analysis not based on the information supplied by the management. Although rare, there may be situations where manager approving the project or making a decision has significant conflicts of interest or there may be suspicion of fraud.

Risk managers need to establish risk analysis methodologies that limit reliance on management information and internal data which may be tampered with. Risk analysis should be based on industry data, statistical information, verifiable data and external reliable providers etc.

Risk managers should also use communication channels that allow presentation of an alternative point of view to management. While the goal should be working with the business and providing the necessary support to make risk-based decisions, sometimes risk managers need to play the role of a policeman.

As a result, risk managers may be required to defend their position at the executive meetings, propose risk mitigation actions and even take responsibility for some of the risk mitigation. As someone who had to do it almost on a weekly basis, we can tell you it takes a lot of courage and bulletproof risk management methodologies. It’s difficult, but it’s the only way to become an equal participant in the decision making and not just an observer. 

We always encourage risk managers not to reinvent the wheel. Learn from others. Build connections with risk managers from similar companies. A good place to meet similar minded risk managers is the G31000 group on LinkedIn https://www.linkedin.com/groups/1834592.

Do not be afraid to share your own experiences or participate in online and face-to-face discussions or initiatives designed to promote risk management in your country. For example, help improve ISO 31000:2018 Wikipedia page or make one in your language (we have created the one in Russian language) or provide comments to your national representative in the ISO Technical Committee 262 who are currently working on updating the ISO31000 family of standards.

Help spread the messages in this guide by sharing it with your colleagues.

And join the RISK-ACADEMY YouTube channel to watch more videos.  

Risk management has evolved significantly over the last 10 years and we probably haven’t seen the last of the changes just yet. Norman Marks recently called for a leap change in risk management guidance. Alex Sidorenko, one of the authors of this guide, has also published a series of articles calling for a major change in risk management thinking, moving away from a stand-alone risk management process to a tool integrated into day to day decision making. Alas, it’s unlikely to happen any time soon, the resistance of some old-fashioned risk managers and consultants, who have little comprehension of how risk management works in real life, is very strong, pushing back on a lot of very valid and sound ideas. And while the leap change is not likely to happen, the progress is obvious. Significant changes are already coming in the updated ISO31000.

Just as risk management is evolving, risk managers need to continuously build and improve their own skills as well. This means understanding the science behind how humans think in situations of uncertainty, how they behave and make decisions. Studying quantitative risk analysis tools and techniques is also becoming more and more important, given the abundance of data.  And of course, understanding the company’s core business, what drives its performance and applicable industry trends.

Nowadays, senior management expect risk managers to actively participate in the decision-making process, taking ownership of the risk analysis and sharing the responsibility for the decisions outcome. As a result, some risk managers need a major upgrade to their teams and their own thinking. The times of qualitative risk assessments, risk registers and heat maps are finally over.

In this video I talked about risk management 1. Why it's not real but still important and how to make the most of it.

Thinking about what is risk management 2, I came to a very difficult realization. In this video I talk about the origins of risk management competencies and where the idea behind risk management 2 came from.

Risk managers are extremely busy, so it is very important to priotise their effort into risk management 1 (lower priority and less effort) and risk management 2 (higher priority and hard).

I feel risk management is on a verge of something interesting, something very exciting at the moment.

For a long time, I naively thought that by doing good risk management all the key stakeholders would be satisfied, but the reality is, different stakeholders want completely different things. There is risk management 1 – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks) and risk management 2 – risk management for the decision makers inside the company.

In this video, I would argue RM1 and RM2 are totally different.

Note, however, the matrix reference is used quite loosely because it’s not really a choice between RM1 and RM2. Both need to be done, unfortunately, because regulators, banks and most external stakeholders still expect all the wrong things. It is rather a choice about how much time should be allocated to each. My rule of thumb is 10% to RM1 and 90% to RM2, but this is pretty much the opposite of how many businesses operate today. Ironically, they argue, that RM1 takes up so much time, that no time left for RM2, even though they supposedly want to. This is simply not true.

The most common excuse I hear risk managers say when talking about risk management 1 and risk management 2 is lack of time. Risk managers are already so busy that there is simply no time to integrate risk management into decision making as well as do all the recommendations above are implemented. Well, is it really true? I don't believe it is.

Save time on doing quarterly risk assessments without any sacrifice in quality.

Save time on developing risk ranking criteria without any sacrifice in quality.

Save time on developing a risk appetite without any sacrifice in quality.

BONUS: Alex Sidorenko will talk about 4 amazing trends in risk management that may change everything you ever knew about risk management.

Here is a sneak preview of the things we will talk about during the free webinar:

• The transition from risk management as a stand-alone activity to a quantitative tool built into the key decisions and processes of an organization

• Risk management is against human nature. Building risk culture to counteract

• The role of a risk manager in a company must change. The concept of three lines of defense is flawed

• To execute its new role the risk management team must possess four key competencies

Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same – disappointment. Best case scenario – annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting.

Did it ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.

Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense. Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.

Risk management is changing with more than ever focus on integration and human culture and cognitive aspects. It sounds obvious, but is it really?

Here is a quick test: Which typical risk management element/tool has the least amount of value?

• Risk management framework

• Quarterly risk assessment workshops

• Risk reports

• Risk registers

• Heat maps?

In my mind, they are equally useless and maybe even detrimental to the effective management of risks or risk-based decision making. Unfortunately, you cannot agree with the first statement about integration and culture while continuing to use these outdated tools. There is a much better alternative for every single point in the list above. Join me for the latest installment in RISK-ACADEMY free webinars.

In this bonus lecture, I will talk about integrating risk management into decision making by sharing some practical steps on how to move from standalone risk management to risk-based decision making.

Gareth Byatt, Global Ambassador for Australia and Asia-Pacific, Institute of Risk Management talks to Alex Sidorenko about decision making, risk management and cognitive biases

Hans Laessoe, founder of AKTUS and former CRO of LEGO,  talks to Alex Sidorenko about ERM and what it means to the risk management profession.

Alex argues how most common ERM concepts have failed, increased bureaucracy, failed to add value to decision making, not aligned with the ISO31000 principles and contradictory to the latest research in decision quality, cognitive sciences and probability theory. Hans, on the other hand, presents a view on how to apply ERM principles and still add value to the organizations. Hans will argue that decision risk management is good, but inadequate, and some level of overview is needed.