Risk Management is NOT Just About the Downside

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
My good friend, Michael Rasmussen, and I have had a number of interesting conversations and debates over the last few years. Many have focused on what the term GRC means, with both of us ascribing to the OCEG definition as a capability that enables optimized performance through the management of risk while acting with integrity (my phrasing).
Recently, Michael concluded a ‘rant’ (his word) about how the analysts view the so-called GRC market. I recommend it to you at http://www.grc2020.com/?p=1239.
But, in his latest post “What is Risk Management?”, Michael has fallen from grace (IMHO). To his credit, he has followed the (lamentably poor) example set by Richard Kaplan and Annette Mikes. I first heard Annette present her view that risk management is about the downside at the ISO 31000 conference in Paris this year, when her views were very much out of tune with the majority of the expert practitioners and thought leaders in attendance.
No, risk management is NOT just about the downside. Whether you like the COSO ERM Framework or the ISO 31000:2009 standard (or its ANZ predecessor), risk management is about managing the effects of uncertainty – which can be positive or adverse. True, COSO defines risk as adverse and opportunity as the positive, but includes both in risk management.
Here is how the COSO ERM Framework Executive Summary starts – the very first paragraph:
“The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”
In another place, the Framework has a statement I really like:
“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
The ISO 31000:2009 risk management standard is built on a number of principles, including that risk management:
  • Creates and protects value
  • Is an integral part of organizational processes
  • Is part of decision-making, and is
  • Dynamic, iterative, responsive to change
My own view is that risk management effectiveness is measured by its ability to influence decision-making. Better decisions, made with quality information, enable better performance.
An Ernst & Young study (which reported that companies with more mature risk management programs had better longer-term financial results) had this to say:
“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”
Another friend with whom I have had interesting debates is Grant Purdy – one of the most respected practitioners and thought leaders in risk management. Grant led the development of the ANZ risk management standard and followed up with a leading role on ISO 31000.
When Grant works with his clients to improve risk management, he starts by understanding how they make decisions: “what they consider and how they act” (from a recent email). I believe this is the ‘secret sauce’ to risk management.
Risk management is NOT about assessing risks every so often, so you can check the box and say you have a risk management program.
No, it’s about enabling better decisions, leading to better performance, because you are considering and acting on information about what could happen – positive and negative. It’s about understanding the assumptions behind your planning and forecasting, and taking actions to improve potential outcomes. As Grant said just today of one of his clients: “risks have to be taken and they endeavour to minimise the likelihood and magnitude of detrimental outcomes while maximising the likelihood and magnitude of beneficial ones”.

Risk management is something effective managers do every day, as part of their decision-making process.

Now, you can argue (as many do) that “risk” is just the adverse (which is what COSO says, with “opportunity” being the positive) rather than (as in ISO 31000) any effect of uncertainty on objectives.
But if you want effective risk management that enables optimized performance and the ability to “get to where [you want] to go and avoid pitfalls and surprises along the way”, then limiting yourself to periodic assessments of potential “threats and failures” is itself a recipe for failure.
Incidentally, Kaplan and Mikes add to the recipe for failure with the proposition that risk needs to be managed by a separate group. As my friend Bruce McCuaig wrote in a recent post, the management of risk should be owned by the person who owns and is responsible for performance.
Sorry, Michael. While it is attractive to listen to the sirens of Harvard and the balanced scorecard, this course is one that will drive enterprises onto the rocks. 

Posted on Nov 20, 2012 by Norman Marks


  1.  This course will not drive enterprises onto the rocks. This course will cause enterprises to throw rocks onto those individuals giving the course. Of course Kaplan and Mikes are off the mark, but they are running a business which has generated revenue for them and do not understand any better, similar to Michael Rasmussen.

    If you took an example, and this is quite easy to do, of the upside, they would be stuck in the middle of the road and not know how to respond. We have gone through this many times before. Those that think as per above will fall by the wayside.

    By the way, I think you meant London above, as Annette Mikes, to the best of my recollection, did not speak in Paris at the ISO 31000 meeting, unless I have completely lost my marbles.


  1.  The problem with COSO ERM, not to belabor it, is that, taken out of context, there are many excellent one-paragraph commentaries in it that could be helpful. But assembling the entire document into the monster that it has become only serves to demonstrate that the authors, and those using it, really do not understand this discipline at all. Very sad.

  1. Norman - honestly, I'm tired of the arguments/discussions on this topic. I've read so many wordy defenses of people's arguments which in the end are merely terminology and semantics.

    Every single definition of the term 'risk' which I have found only focusses on the downsides (Oxford & Cambridge dictionaries, the business dictionary, Merriam-Webster, Wikipedia and others).

    Nevertheless, I believe that companies should manage both the downsides (risks) and upsides (opportunities) of uncertainties ... ISO31000 bundles this management advice/standard/guideline as 'risk management' ... this is the cause of the problem I think. Perhaps the term should be the longer 'risk and opportunity management' ... but really, does any successful business not really already do this ... whether following a formal recommendation (AS/NZS360, ISO31000, COSO ERM, ...etc) or simply their own common sense?

    I'm not arguing with the intentions of ISO31000 or any previous standard, just the distraction of this discussion?

  1.  Arnold, you may well have lost your marbles - but you are right. She was at the IRM conference in Manchester and not the ISO 31000 conference in Paris.

    Chris, I am with you on the debate of the meaning of the word "risk" - when what we need is action. What troubles me about the Mikes/Kaplan/Rasmussen argument is that they are saying that you should not include 'opportunity' in risk management - or the intelligent practice of decision-making or management.

  1.  My own view is that risk management effectiveness is measured by ensuring there is a baseline level of transparency in the organization and that everyone clearly understands financial and operational risk tolerance levels. Without this, all the models and frameworks are not effective. Once this is in place, the opportunity side of risk will be well understood.

  1. I'd like to emphasize Norman's point about the need to perform risk and opportunity management (ROM) continuously. Integrating it with the product life cycle means continuous assessment and feedback into all business processes. 

    Recently, I sadly observed a billion-dollar business slowly sink into quicksand because the front office failed to account for risks and then failed to commit enough resources to manage the risks they created. The organization included the best and brightest personnel, but the lack of integration between organizations, business processes, work products, and even between projects made them function more like a rattling jalopy made from the parts of a dozen different models than like the new sports model they should have been.

    It's easy to associate Risk Management with projects and associate Opportunity Management with operations functions of product and business development. Perhaps that is as it should be; but I've seen enough parallels to think the processes for managing risk and managing opportunity are identical, and one should perform the two together. In physics, you would never use separate variables for moving to the left and moving to the right.

  1. From both an academic and practical point of view I can understand that risk most often is associated with the adverse effect of events. Adverse outcomes from events which are able to be calculated based on likelihood and effect are associated with the term risk, in risk insurance terms. Beneficial outcomes are sometimes labeled chances or opportunities. From a practical point of view, however, risk management comprises both managing opportunities and threats - restraining risk taking and ensuring that risk control measures are in place. To say that risk management only entails the downside of risk-taking activities is just completely inaccurate for me, a person working within the financial sector. Risk management efforts are applied to contain and restrain risk exposures but also to review the need to soften controls and to take on more risk in the pursuit of greater revenue. Such efforts are of course (hopefully..) the result of a deliberate risk appetite and the ability to consume risk.

  1. Suggest a refresher from the insurance industry, that is a few centuries ahead of the auditing community.  Try any of George Head's books on risk management.  George was so radical that he inferred that to just buy insurance was not managing the risk at all, just transferring the payment to someone else.  Most purchasers of company insurance programs today consider themselves as a Risk Manager.  PS:  notice the ARM designation.

  1. This topic and discussion persists because good risk management has been very limited and is finally starting to find its way into other industries and disciplines, and unfortunately many professional organizations decided they knew better and muddied the waters with endless interpretations of "what is risk?". So at this point, harmonizing risk management terminology is a worthwhile effort, but more importantly most companies need to integrate better risk management processes throughout the company and at all levels. Managing risk (and opportunities) is everyone's responsibility.

  1. Interesting discussion on a very interesting subject. Concept of Risk is inherently abstract and complex, so is concept of strategy. In ideal world, you'd start with Aristotle's approach to definition, where you'd break each 'element' into distinctive category of meaning to eliminate overlap. The result of which would be a perfect scientific framework that is inherently more complex than anything currently in existence - we're not there yet. Concur with perspectives shared in this article. However, one basic assumption ("underlying premise of enterprise risk management is every entity exists to provide value for its stakeholders") is not applicable to today's business. As for public entities, it is not stakeholder value, but shareholder value that dominates, resulting in overemphasis on financial perspective. In world of shareholder value, importance of true strategy management is diminished to point of irrelevance. Anything that brings revenue at profit margin of 20% plus is welcome, independent of organization's business model & strategy. For example, if software business with a 20% profit margin decided to build refrigerators, which yielded a 30% profit margin, it would be welcome addition from financial perspective. I'd hardly call that strategy, but rather an irrational thing to do to meet irrational (financial) expectations. Such scenario is an example for lack of applicability of true strategy when being subject to quarterly financial scrutiny. In this scenario, risk management becomes more important than strategy management, because there was no strategy in the 1st place. However, there is a strong reputational risk for the software company that now sells refrigerators - why would a software company do that? How to manage this risk? This very risk management discovery will now give an input back to strategy, which wasn't there 1st place, and prompt decision to not go into business of refrigerators due to reputational risk to the company.
  1. Your friend Grant Purdy said it best, based on his work with clients, in that he starts by understanding how they make decisions: "what they consider and how they act". As you stated, it is the 'secret sauce' to risk management. If you don't understand their logic in their decision-making process, how can you truly evaluate it? Once you can answer that question, then you can come up with effective suggestions and/or solutions. The scary thing about it is that in my 35+ years of audit work I am amazed at the number of different methods used by the key decision makers on how they make decisions. They usually do a poor due diligence evaluation of the process, which means that they don't perform a good evaluation of all the different business risks that can impact their business decision. And to top it off, they are rarely held accountable. From a risk management perspective, I would like to think that a company will at least make sure that its high-risk departments operate effectively, but a lot of times I find that it's the opposite. They will have some of their weaker managers in charge of their key risk areas. Whenever this occurs I ask if the CEO is asleep behind the wheel and not steering the company in the right direction.

  1. Mitigating risk within an organization is fundamental to operational optimization, regardless of how you define the term. In my opinion, hedging adverse risk and improving governance will inevitably lay the foundation for better strategic decision making within the organization as a beneficial by-product. I don't understand why there are such polarized views concerning the definition itself. Maybe the definition informs the direction the organization takes when designing the plan to begin with. I partially agree with Kaplan and Mikes and believe that risk management should be performed by an outside independent group that can objectively assess the structural elements of the organization and any relevant constraints. However, I don't understand why the development of such a strategy and the input of internal management should be completely exclusive. In this sense Kaplan and Mikes have lost me and in my opinion sound kind of dogmatic. On top of that, appealing to authority (a Harvard study) doesn't really enhance their stance; it just shows us they can regurgitate someone's opinion.
