We live in uncertain times. The failures in risk management which led to the global financial crisis have created an unprecedented set of circumstances. Not only are regulators imposing heavier compliance burdens, but shareholders and investors are demanding greater reporting and higher levels of information transparency. On top of all this, operational costs are too tight to carry the overhead of separate risk and assurance functions.
When the analysis is done there are 6 key lessons to learn from the global financial crisis:
- Integrate G, R & C. In medium and large corporations isolated risk management practices actively work against the business. Technical and operational experts will identify risks from experience and create risk slush-funds to mitigate them. These increase the cost of business and in many cases price the company out of the market. In an integrated GRC system the firm is able to manage risks across business units so that the risk funds are held centrally and do not add a premium to initial project costs. Risk identification and analysis percolates from the bottom up, but governance is driven from the top down. In an integrated system they both work within the business lifecycle to add the right mix of checks and balances so that no additional drag is added to investment/project approvals.
- Make Passive GRC Active. Systems need to be active. They need to hunt out risk, define it, quantify it and measure the dependencies of the risk. Then, those same systems need to bring it to the attention of the executives so that they may make informed investment decisions. In the end, humans follow the law of least effort: employees will follow the path of least resistance in designing and gaining approval for their projects. GRC must not follow a system of honour & audit but rather one of active assurance. When GRC systems are passive the business lifecycle becomes clogged with nugatory and useless program reviews that turn into technical sales pitches by design teams. Such events and practices only serve to affirm the belief that GRC is a legal burden and one which only serves to satisfy the needs of regulatory compliance. Raytheon, for instance, have an excellent system of governance-by-exception. Their Integrated Product Design System (IPDS) has active governance measures and allows Raytheon to manage a pipeline of thousands of critical projects dynamically and by exception.
- Get Granular. When projects fail it is not usually because the risks have not been adequately managed. The primary problems in risk practices are the failures of risk identification and analysis. Managers are simply unable to deal with risks at a granular level and then weigh them up on a per-project basis. This is largely because the technical skills needed to do so are not within the standard skill sets of most executives (though they are within the more mathematical ones of the FS&I industry). Where this disparity exists, businesses need to develop separate Red Teams or Assurance Teams, either from the existing PMO or from hand-picked executives.
- Bottom Up & Top Down. Risk management is bottom-up but governance is top-down. The technical skills and software reliance involved in effective risk management mean that the entire practice usually percolates from the bottom of a business, upwards. Consequently, unless it fits within a comprehensive governance framework it will be open to being gamed by senior executives. This is why major projects which are seen as must-win are often approved with little or no governance or assurance.
- Risk Ownership. Risks need to be owned at the lowest responsible level. This is to say that when things go wrong the person at the lowest level who has the greatest amount of operational responsibility must be able to take charge to mitigate all aspects of the risk. It is vital that the person owning the risk be able to recognise the variables which may see the risk realised. It is also critical that the risk owner understand the corporate decision points, i.e. the points at which the contingency plans should be triggered.
- Invest in the Right Type of Risk Culture. Risk should not be a dirty word. Risks are inherent in every project, and balancing them quantitatively and qualitatively is an essential skill for all senior executives. Risk should be as much about seizing opportunity as it is about guarding profitability. Businesses need to invest in top talent in order to drive good risk practices from the top. Effective, active GRC involves a complex array of tools, practices, structures and processes which need an experienced senior executive to drive them constantly and consistently in the business. The softer side of risk management cannot be neglected. The nature of risk forces people onto the defensive as they attempt to justify all aspects of their project designs. CROs need to help executives understand that all projects must balance risk if they are to push profitability. Otherwise, risk cultures will mire companies in conservative, risk-averse cultures which only act to add friction and reduce profitability.
Risk practices need to work together inside a single, comprehensive risk framework that goes beyond simple probabilistic modelling and disjointed regulatory compliance. Businesses need to implement processes which not only integrate the business lifecycle but actively increase both liquidity and opportunity for risk to be seen to add real value to the company. Only once this is achieved can risk management cease to be an operational drag for the business and become a value-adding proposition which works actively to increase the profit and performance of a company.