Businesses struggle to strike a balance between creating and preserving value when it comes to risk management.
"An old sporting aphorism states that 'offence wins games, defence wins championships.' In business, the ability to deliver sustainable value to stakeholders requires a subtle blending of both value creation (offence) and value preservation (defence) efforts. This requires an understanding of these two antagonistic yet complimentary principles, which are inherently intertwined and mutually interdependent within a dynamic environment. It requires an appreciation that these two principles represent two sides of the same coin and therefore cannot and should not be addressed in isolation of one another. Now more than ever, 21st century business requires a balanced integration of both value creation and value preservation at all levels of the business."
Where Lyons and I part ways is in how this is achieved.
An Offensive or Defensive Take on Risk
Lyons advocates “a formal defense program.” To me, this tactic aligns with traditional risk management programs, which focus on defending the organization from hazards, threats and misfortunes — the bad things that might happen.
Lyons separates, for example, risk management and controls, whereas I and others such as COSO consider controls an integral part of risk management.
Such a program has its merits, but also creates a problem: Establishing a corporate defense program creates yet another siloed program with management and board attention that fails to integrate with strategy, execution and performance. While that may not be Lyons' intention, unfortunately that is likely the way it would play out.
Operating management makes the decisions and takes the actions that both create and preserve value. As Lyons writes, they are intertwined.
Chief Risk Officer = Corporate Police Officer?
Separating those who defend value and those who strive to create it sets up the CRO as the corporate police officer — who works to contain the cowboys in management who are willing to take too much risk.
When the CRO acts as the corporate police officer, independent from management and reporting (i.e., ‘telling on’ management) when he or she believes excessive risk is being taken, it can cripple an organization's ability to take the right amount of the right risk.
Wouldn’t you be deterred from using your judgment to take a risk when the reward justified it if a policeman was watching your every move, ready to report on you to your boss?
A number of executives at financial institutions (including, interestingly, CROs) told me they saw the regulators’ drive to define the risk management function as an independent policing force as damaging. (Mind you, the regulators don’t use the words ‘police force,’ but that is what they are pushing.)
Aligning Maintenance and Creation of Value
The CRO may assist management by providing processes and information that help management know what risk they are taking, but the ownership of risk remains with operating management. Yes, executive management and the board offer strategic direction and make decisions, but the tactical running of the organization is done by operating management.
My point is this: both value creation and preservation are the responsibility of the same people. They only have one head, one heart and one voice. They don’t have two, even two intertwined heads.
Rather than establishing competing groups, one that maintains/defends value and one that creates it, each manager and executive does both.
The extent to which they do each depends on how they are guided (e.g., by policy and directives) and inclined (their attitude towards risk), and then how they assess both the up and downsides of every decision.
That is where the balance needs to be struck.
What's the Right Level of Right Risks?
We want all the risk-takers, all the decision-makers, to take a balanced view. They should analytically view each decision and action, considering the options, with as much trusted information as possible about what might happen.
We don’t want them to be excessive risk-takers. We also don’t want them to be excessively risk-averse.
My parting questions:
- How does the risk officer help management take a balanced view, both creating and preserving value by taking the right level of the right risks?
- How does internal audit strike the right balance itself, focusing not only on value preservation but the ability of the organization to create value by taking the right level of the right risks?
I welcome your comments.