“How did the world go so wrong interpreting what the term ‘risk management’ means?” So begins Tim Leech's post on LinkedIn which sets the stage for this article. I want to commend Leech for his passion, consistency and his recent posts on LinkedIn and encourage you to read his post before considering my following thoughts.
I agree with most of Leech's thoughts.
First, let’s consider why the regulators (in particular, the U.S. Securities and Exchange Commission) want "risk" discussed in corporate disclosures. Leech traces it back to 2008 and the financial crisis, but it is older. If you are familiar with the regulations, I suggest skipping to the "Should We Get the Regulators to Change" section of this post.
US Compliance Requirements
This is from a 2013 SEC Report on Review of Disclosure Requirements in Regulation S-K:
"The requirement for disclosure of a summary of risk factors relating to an offering was first set forth in 1968 in Guide 6.251. Item 503(c) was added to Regulation S-K in 1982 as part of the adoption of the integrated disclosure system, combining the provisions of Guide 6 with the provisions of Guide 5 calling for disclosure of risks arising out of a lack of a trading market.
"In 1995, this provision was amended to add a requirement that the risk factors section of a prospectus be captioned with the heading “Risk Factors” and that the section be presented following the summary. In 1998, in connection with the plain English disclosure amendments, this provision was revised to include guidance on presenting risk factors. In 2005, the Commission added risk factor disclosure requirements to annual reports and quarterly reports.
"Item 105 of the SEC’s Regulation S-K requires that registrants “provide under the caption “Risk Factors” a discussion of the material factors that make an investment in the registrant or offering speculative or risky."
The requirements in Regulation S-K were updated in 2020, but there was no change to the overall requirement that registrants disclose “the material factors that make an investment in the registrant or offering speculative or risky.”
SEC's Interest in Risk
The SEC has additional requirements for registrants in some but not all sectors. They seem to have focused on companies in the financial sector.
For example, in 2017 the SEC published Self-Regulatory Organizations; The Options Clearing Corporation (OCC); Notice of Filing of Proposed Rule Change Related to a Comprehensive Risk Management Framework. It stated: "This [sic] purpose of the proposed rule change is to adopt a comprehensive Risk Management Framework Policy, which would describe OCC’s framework for comprehensive risk management, including OCC’s framework to identify, measure, monitor, and manage all risks faced by OCC in the provision of clearing, settlement and risk management services."
The SEC notice referenced rule changes in 2016. The updated rules require that covered clearing agencies:
“[E]stablish, implement, maintain and enforce written policies and procedures reasonably designed to … [m]aintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which … [i]ncludes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, that are subject to review on a specified periodic basis and approved by the board of directors annually ....”
In the SEC document, there is a sentence that makes clear the purpose of the regulations by the SEC: while the OCC requires “a sound framework for comprehensively managing risks,” it is primarily concerned with “potential clearing member default scenarios.” Those could be the result of either “financial exposures [or] service disruptions.”
Risk Regulations Don't Stop With SEC
Other U.S. regulators are concerned with risk management, notably the Office of the Comptroller of the Currency (a different OCC than above) and the Federal Reserve. The OCC regulates banks and is concerned broadly with “the safety and soundness of the national banking system” and specifically to “protect the national bank charter.” Deloitte has a good explanation of the OCC requirements here.
One of the OCC mandates is that the risk function is independent of management and provides the board with its own aggregation and assessment of risk. It seems to view the risk officer as being the sheriff in town to make sure the cowboys in management don’t threaten the health of the town and its citizens. However, when the risk practitioner sees him or herself as the sheriff instead of a partner to management, they will find themselves behind (less visible) bars.
In other parts of the world, the regulators have gone further in requiring an effective risk management activity, including it in their corporate governance framework. When I was with SAP, the company engaged EY to perform a mandated audit of their risk management activity.
Should We Get the Regulators to Change?
There is nothing wrong, IMHO, with the regulators wanting current and potential investors to understand what might happen that would threaten the results or even the viability of the organization. (Although a list of risks without any indication of the likelihood of a severe effect, or of management’s ability to manage any threat, is of dubious value.)
Equally, there is nothing wrong with management and the board wanting a reliable process underlying their risk disclosure.
However, management and the board should require a risk management activity (whatever you call it, which I will come back to later) that not only manages the risk of failure (meeting any compliance requirement), but actively and significantly contributes to the achievement of enterprise success.
If risk management is to be accepted and valued for its contribution to success, it cannot be seen as the sheriff out to lasso the bad guys into acceptable behavior. Please see my previous post, "How to Build Credibility With Management."
If I had the ability to influence the regulators, it would be to tone down their emphasis on positional independence and make it clear that management is responsible for the identification, assessment, and reporting of risks – with the assistance of the risk function. The latter should have the ability to escalate within the management team and then to the board, if absolutely necessary, any inappropriate cattle-taking (ok, risk-taking).
But let’s recognize that the regulators have a different focus and set of responsibilities than management, or rather that management and the board have interests that extend beyond those of the regulators.
What Does the Word ‘Risk’ Mean?
Leech raises a good point, that ISO 31000 and COSO ERM (at least in their executive summary) define risk as including not only bad things that might happen, but good things too (a.k.a. opportunities).
But, while this may be understood by many (but not most) risk practitioners, the general use of the four-letter ‘r’ word is limited to the downside.
Merriam Webster defines risk as:
- possibility of loss or injury
- someone or something that creates or suggests a hazard
- a: the chance of loss or the perils to the subject matter of an insurance contract, also: the degree of probability of such loss b: a person or thing that is a specified hazard to an insurer c: an insurance hazard from a specified cause or source
- the chance that an investment (such as a stock or commodity) will lose value
MacMillan Dictionary's definition is:
- to do something that makes it possible for something important or valuable to be destroyed, damaged, or lost
- to be in a situation in which something unpleasant or dangerous could happen to you
- to do something although you know that something bad could happen as a result
Investopedia defines risk as: Risk is defined in financial terms as the chance that an outcome or investment's actual gains will differ from an expected outcome or return. Risk includes the possibility of losing some or all of an original investment.
The great majority of businesspeople understand the ‘R’ word as relating to threats and their effects.
Do we get them to change, to learn the technobabble of the practitioner, or do we get practitioners to use better, common business language? Now I appreciate that in some companies, especially financial services organizations, practitioners believe that their management team “get it,” that ‘risk’ is not limited to the downside. But I wouldn’t rely on that myself. It’s easy to use common English rather than technical terms.
Grant Purdy and his co-author, Roger Estall allocated an entire chapter of their book "Deciding" to the language question. He summarizes their position well in a comment on my blog in January: "no one can agree on what the ‘r’ word means — and it is used variously as a noun, verb and adjective — with none of the uses consistent. In fact, the word 'risk' has become a nonsense as, of course are any compounds like ‘risk management’ that are based on it. If I was facetious, I might suggest that it’s just too risky to use the word ‘risk.’ But I wouldn’t say that, because that statement would mean nothing sensible at all."
As I have said many times in the past, I prefer to use the expression “what might happen” as it is easier to have a shared understanding of that and a constructive conversation with management using plain English.
When Did Risk Management Start?
It predates the 2008 Great Recession that Leech mentions.
The second edition of "Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives" (which I recommend) has a chapter on a Brief History of Risk Management. Authors John Fraser and Felix Kloman trace back the origins of risk management hundreds of years They identify several milestones starting in 1914 with the formation of what later (in 2000) became the Risk Management Association.
The focus of all the early standards, books, etc. was on managing the downside. Grant Purdy, in another January blog comment, shared the history of risk registers (a list of risks that you manage or mitigate, recently renamed a risk profile by COSO):
"Risk registers came into being during the 1970s. In the UK under successive editions of the Factories [Act] (including the 1961 version that I enforced) there was a requirement for a factory occupier to maintain a ‘general register’. This was standard form that contained information such as when the walls were last painted, a list of lifting tackle, steam boilers and air receivers together, in some cases with list of women whom the factory owner had “good reason to believe” were pregnant!
"When the UK moved to ‘enabling legislation’ in 1974 and later adopted the European safety requirements, the general register was also used to list ‘hazards’.
"In all cases, its purpose was to demonstrate that the factory occupier had thought about how his employees could be injured and also, their well-being. It was also supposed to help the Factories Inspector (of which I was one) do his or her job by giving them a ‘heads up’ what to look for on their inspection.
"Of course, what was a list of hazards eventually morphed into a list of risks (because a lot of people could not tell the difference) and with the advent of spreadsheets (I first used VisiCalc) we could then play tunes on them by ascribing ratings, conducting arithmetic and sorting and ranking and even drawing graphs.
"This was all well and good, but these registers were never intended to be used in any form of decision making and, as we now know, they have taken on a life of their own such that, for many organizations, ‘risk management’ (whatever that means – and I don’t know), merely involves the updating of this spreadsheet, normally on an annual basis."
Purdy makes the excellent point that these lists of risks were not intended for use in decision-making.
The problem, as Leech reminds us, is that people seem to believe that the periodic review of a list of risks is not only sufficient to comply with any regulations but is all that risk management can and should be.
In my opinion, this belief is very wrong.
Should We Stop Using the ‘R’ Word Entirely?
There’s a good argument that using the ‘R’ word obstructs not only common understanding and constructive discussion of business problems but what we are trying to achieve with risk management. Risk is not only seen as being about avoiding failure, but risk management is viewed by 80% of executives (according to all the surveys I have seen) as a compliance activity.
We need to recognize that regulators (and boards) require us to manage risk and to have effective risk management. They are using plain English, not ISO or practitioner technobabble. Much as we might be inclined to do so, we can ignore the reality that regulators, investors, and boards believe they want ‘risk management’ of the downside. They are not that interested in the upside — it's not their remit.
Regulators are not likely to change their requirements any time soon. Executives and board members might be persuaded to use other terms for risk management, but that takes time we simply don’t have. Therefore, I will continue to use the term ‘risk management,’ even though I have suggested that practitioners change the name of their function to Decision Support or similar.
I just have to explain what effective risk management is.
Similarly, asking directors and executives to learn ISO technobabble is misguided. It is far easier to have practitioners use language their leaders will completely not only understand but be able to seed how ‘risk management’ helps them individually as well as the organization be successful.
Try: 'What Might Happen'
What I have done, and while this may annoy some on purist grounds, is accept the reality.
- When I can, I use ‘what might happen’ instead of the four-letter ‘R’ word.
- When I can’t, especially if I want to emphasize that what might happen could be either (usually both) good and bad, I talk about ‘risk and opportunities.’ This is consistent with my favorite corporate governance framework, South Africa’s King IV.
- I talk about ‘risk management’ but explain that it should refer to the ability to anticipate what might happen and then use that to enable the informed and intelligent decisions necessary to achieve objectives.
- I explain that those informed and intelligent strategic and tactical decisions enable people to take the right level of the right risks, leading the organization to optimize the likelihood of achieving enterprise objectives.
- If I can, I refer to ‘success management’ or even the simple idea of effective management. After all, that is what it is.
One Path to Change
Leech shared another post which sets out eight suggestions for change. I encourage you to read and consider them now.
My primary issue with his suggestions is his description of effective risk management. I dislike the idea of “an acceptable level of residual risk/uncertainty.” It is hard to understand, and I can’t see CEOs or board members readily accepting more technobabble. Don’t use a term you have to define, especially if it takes time and diagrams, when you can use plain English. Personally, I have little tolerance (pun intended) for the notion of residual risk.
He also talks about “certainty management.” But you can’t manage certainty. You can only reach a level of certainty. However, you can estimate the likelihood of something happening or not happening and the range of its potential effects.
I prefer to talk about ‘an acceptable likelihood’ that enterprise objectives will be achieved.
Boards and executives set and then are measured (and compensated) on their ability to achieve objectives for the organization. They see, in my experience, the tremendous value in being able to:
- understand where they are relative to those objectives (from performance reporting),
- what might happen to affect their achievement (from ‘risk management’), and
- estimate the likelihood of getting there by the end of the period (the integration of both). They can then decide whether that likelihood is acceptable or not.
My Recommendations to Fix Risk Management
Tim has, as I said, eight suggestions to fix risk management.
Here are mine:
- Everybody should accept that there is a compliance requirement to manage the downside, but as Alexei Sidorenko suggests, this should be accomplished with the least number of resources. Obviously, that will depend on the specific regulations affecting each organization. Sidorenko calls this Risk Management 1, or RM1.
- Everybody should also accept that there is more to effective risk management, whether you like my concepts, Leech's, or somebody else’s. Each organization should work to determine what would work best for them if they are to be successful. Then they should strive to implement RM2: risk management that enables the informed and intelligent decisions necessary to achieve enterprise objectives.
- Those who have the ear of the regulators should ask them to refine their position on the independence of the chief risk officer, recognizing that behaving as the sheriff instead of a partner can alienate those trying to run the business for success. The CRO’s job should be to help management do the right thing, not catch them out and throw them in the hoosegow when they don’t. The regulators should also acknowledge that there is more to risk management than avoiding failure.
- Those responsible for the ISO and COSO standards should try to avoid the unnecessary and useless competition between them. Converge around new or updated guidance that:
- Uses plain English and avoids technobabble. Include board members, CEOs, and other executives in the guidance process to ensure that it will not only be clear and understood, but that leaders of the enterprise will see how it will help them and their organizations succeed.
- Explains clearly that events and situations almost always have multiple potential effects, or ranges of potential effects, some of which are advantageous and others are harmful.
- Drives risk management top down, pointing out that we are concerned with risk to objectives. Explains how objective and strategy-setting depend on an understanding of what might happen; risks are not only defined after strategies and objectives are established.
- Not only explains risk identification, assessment, and evaluation, but how to see the big picture – evaluating all the things that might happen, weighing the pros and cons to enable effective decision-making. They should help demolish risk silos.
- Clarifies the role of risk management in enabling informed and intelligent decisions.
- Defines effective risk management as contributing to the success of the enterprise, preferably as I have described it.
- The bodies responsible for corporate governance frameworks should similarly be persuaded to adapt their guidance.
- Each of the practitioner organizations (such as RIMS, IRM, RMA, PRMIA, IIA, ISACA, etc.) should be persuaded to bring their standards and guidance in line.
- The IIA in particular should, as Tim says, require internal audit teams to assess and report on the effectiveness of risk management at their organization. However, my recommendation is to assess whether it ‘meets the needs of the organization’. In other words, understand what is needed, by whom and when, so that the informed and intelligent decisions necessary for success (achieving objectives) are made. That would include risk disclosures.
- Board members, hopefully with the guidance of national Institutes of Directors (such as the NACD in the US), should press the CEO to report personally to the board on the effectiveness of risk management and decision-making.
- Everybody reading this post should share it, even if they don’t fully agree, so that we can all have a constructive discussion about the effectiveness of risk management.
- Finally, the consulting firms and those conducting research should modify their focus to how organizations can be successful as a result of effective risk management (anticipating what might happen). Stop promoting products and services that continue practices like heat maps, especially when isolated from what the organization is trying to achieve. The ERM Institute should define what it means by effective risk management, hopefully on the lines of what I have suggested, and only then survey organizations and their practices.
This is one of the longest posts I have written. I hope it is of interest and ask that you share your thoughts and comments.