In a recent article, my good friend Jim DeLoach asks an interesting question: How many senior executives and directors can name a chief risk officer who has advised them that the organization is too risk averse?
What Does 'Risk Culture' Mean?
Before I venture into the body of his thinking, I'd like to discuss the odd title of the article: "Is Your Risk Culture Aligned With the Realities of the Digital Age?"
“Risk culture” is a term that has crept into use over the last few years, but it is unclear to me what its purpose and value are.
Jim wisely chooses not to define it in this article, but others have:
- “The norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss and act on the organization's current and future risks” (McKinsey)
- “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees.” (North Carolina State’s ERM Initiative)
- “The values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” (Institute of Risk Management)
I have written several posts on culture generally and risk culture in particular. The general point across all of them is that there are many, often competing, dimensions to an organization’s culture. While you want decision-makers to exercise caution when needed, they also need to be entrepreneurial when appropriate. You desire imagination and creativity, not simply awareness of, and trepidation about, what bad stuff might happen.
In addition, you don’t want everybody in the organization to have the same attitude towards taking risk. You want sales, marketing and product design to think one way, and accountants and treasury staff to think another.
So, I hesitate to talk about “risk culture.” Instead, we can either talk about organizational culture (with all its complexities) or whether the key decision-makers are making informed and intelligent decisions that involve (as they all do) taking risk to seize opportunities.
Risk Taking 'Fit for the Digital Age'
Jim gets it totally right when he writes: "The ground rules for risk and reward are well known. These rules hold that one must take risks to grow, and typically, the more risk one takes, the higher the potential return. They also suggest that a risk-averse mindset often leads to a lower return. These canonical laws have been embedded in business and finance since before any of us were born."
He also makes a point that I have been making for a few years: "Given the pace of change in the digital economy, the realities are such that it’s not just a matter of taking risk to grow or generate greater returns, it’s also a matter of survival. Bottom line: Organizations must undertake more risk than they may be accustomed to taking if they are going to survive. Refusal to take risk means accepting the risk of growing stale and becoming irrelevant. This is no time to be comfortable with the status quo."
Jim has a very interesting couple of tables that contrast a traditional view of risk-taking to one that is “fit for the digital age.” He explains that we need to move “from a fragmented, siloed model focused narrowly on myriad risks to an enterprise-wide approach focused on the most critical enterprise risks and integrated with strategy setting and performance management."
The tables include a number of excellent points, which I encourage everybody not only to read but also to reflect on, considering the depth of meaning behind each of them. For example, he suggests that today we need to:
- Move from avoiding or mitigating risks to taking them within limits — something I have written about before.
- Maximize the upside while managing the downside. In other words, take the right level of the right risks; don’t just try to manage and mitigate them out of the context of what you are trying to achieve.
- Be proactive and agile.
- Do all of this continuously, not periodically.
- Move away from managing a list of risks and towards managing outcomes.
- While he still (sadly) mentions risk appetite, the essential point is to ensure an acceptable likelihood of success.
- Leave heat maps behind in favor of Monte Carlo, scenario (what-if) analysis, and other techniques.
- Integrate all our thinking and actions around achieving our objectives as an organization.
- Ensure decision-making is high velocity and high quality.
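The contrast between a heat map and a Monte Carlo view is easy to see in code. The example below is added here as an illustration and is not from the article or its author; the scenario and all of its numbers are constructed. A heat-map cell gives a rank (likelihood score times impact score) that says nothing about whether the objective will be met, whereas the simulation draws every uncertain quantity (the revenue uplift from a digital initiative, whether a cyber incident occurs, and how large its loss is) and reports the likelihood that the initiative still reaches its target, so two options such as "accept the exposure" and "fund additional controls" can be compared on that likelihood rather than on a colour.

```python
import math
import random

# Constructed scenario (illustrative figures in $M, not taken from the article):
# a digital initiative is expected to add revenue, but it also exposes the
# organization to a material cyber/privacy incident that carries a loss.
BASE_SCENARIO = {
    "target_value": 8.0,           # objective: net value of at least 8
    "revenue_mean": 12.0,          # expected uplift from the initiative
    "revenue_sd": 3.0,             # uncertainty around that uplift
    "incident_probability": 0.30,  # chance of a material incident in the period
    "loss_median": 6.0,            # median loss if an incident occurs
    "loss_sigma": 0.8,             # spread of the lognormal loss
    "control_cost": 0.0,           # fixed cost of additional controls
}


def heat_map_score(likelihood: int, impact: int) -> int:
    """Traditional 5x5 heat-map cell: a rank from 1 to 25, not a probability."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("heat-map axes are scored 1..5")
    return likelihood * impact


def simulate_outcome(rng: random.Random, s: dict) -> float:
    """One trial: draw every uncertain quantity and return the net value.

    All three draws happen on every trial, whatever the parameters, so two
    scenarios run with the same seed see identical random streams and can be
    compared trial by trial.
    """
    revenue = rng.gauss(s["revenue_mean"], s["revenue_sd"])
    u = rng.random()
    loss = rng.lognormvariate(math.log(s["loss_median"]), s["loss_sigma"])
    incident_loss = loss if u < s["incident_probability"] else 0.0
    return revenue - incident_loss - s["control_cost"]


def probability_of_success(scenario: dict, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(net value >= target) for a scenario."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(trials)
        if simulate_outcome(rng, scenario) >= scenario["target_value"]
    )
    return hits / trials


def with_controls(scenario: dict, new_incident_probability: float, cost: float) -> dict:
    """Alternative scenario: extra controls lower incident likelihood at a fixed cost."""
    alt = dict(scenario)
    alt["incident_probability"] = new_incident_probability
    alt["control_cost"] = cost
    return alt


if __name__ == "__main__":
    # The heat map would place this exposure in a single cell...
    print("heat-map cell score:", heat_map_score(likelihood=2, impact=4))
    # ...while the simulation answers the question leadership actually has.
    base = probability_of_success(BASE_SCENARIO)
    controlled = probability_of_success(with_controls(BASE_SCENARIO, 0.10, 1.5))
    print(f"P(success) accepting the exposure : {base:.3f}")
    print(f"P(success) after funding controls : {controlled:.3f}")
```

The choice between the two options is then a comparison of two likelihoods of meeting the objective, which is the "acceptable likelihood of success" framing above; the heat-map score is the same number in both cases and cannot distinguish them.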
Another point he makes refers to cyber and why it should not be assessed in isolation: "… an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities that offer significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept."
In the digital age, risk management must help leaders make the best bets from a risk/reward standpoint that have the greatest potential for creating enterprise value. This means that the creation and protection of enterprise value in the digital age depend on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level. A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy setting, planning and business execution; and customized, reflecting organizational business needs, expectations and cultural attributes.
His final points echo much of what I have been writing about for years. (That is not to say that he is simply following my thinking; he is a highly intelligent individual and independent thought leader, recognized as such by boards and professional associations for his many contributions. I am pleased to see us aligned on many fronts today.)
He puts this very well indeed:
"In the digital age, it is all about maximizing the upside while managing the downside, thus fitting the profile of companies best positioned to compete, thrive and win with an obsessive focus on growth and improving the customer experience. If the organization does not advance its digital maturity, another risk arises. We call it “digital risk,” or the risk of choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend share against new entrants.
"In the digital age, becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the impact on the achievement of strategic objectives and desired corporate risk profile of alternative scenarios. This analysis contributes to a more robust strategic decision-making process."
Move From Doom to Success Management
Wrapping this up:
- The traditional ERM practice of a periodic list of risks has little value beyond compliance.
- It is far better to ensure your decision-makers are able to weigh all the things that might happen, both the pros and the cons, and make an informed and intelligent business decision.
- These times require agility in the support of fast decision-making, recognizing that fear can easily prevent success.
- Move from doom to success management.
- Don’t be afraid to tell decision-makers and management in general when they are being too risk averse. That is part of your job.
I welcome your thoughts.