Practically everyone's job today requires managing risk in some form. Are you prepared?
By John Buchanan
Risk management used to be someone else's job. And that someone else was often head of security—the guy who worried about fire drills and industrial espionage, who posted warnings about business trips to dubious countries, who ran credit checks on executive candidates. In many companies, the “risk manager” was really the person who bought various kinds of insurance, to make sure that if anything went wrong, somebody else paid up.
But as the business world has become less stable and more complex, risk has meant more and more, especially since the financial crisis of 2008, largely caused by outsized risks that too few people took seriously enough. The discipline itself has evolved, along with the list of those responsible for being watchdogs. And now you're on that list, along with almost every other manager in your organization.
“What the financial crisis brought to light is that risk management needs to be looked at more holistically, so that you're looking at all aspects of a business and assessing risk in all of the areas where it exists,” says Guy Gioino, VP and senior risk consultant for insurance broker HUB International. “That means a much larger context than just hazard or peril.”
And that larger context, says Winning with Risk Management author Russell Walker, includes new frontiers of concern such as funding or liquidity risk, operational risk, regulatory risk, employee action risk such as whistleblowers or intellectual-property thieves, and customer and victim risk. Also falling under the risk umbrella: growing concerns about the availability and cost of natural resources—even, in some parts of the world, water.
Omaha, Neb.-based financial consultant and actuary Max Rudolph has conducted a survey of the top corporate risk concerns for the last seven years. This year, the big four were financial volatility, a blowup in asset prices, cyber security/data risk, and the falling value of the U.S. dollar. (Three that declined this year were oil price shock, failed or failing states, and regional conflicts.) Such findings indicate that risk concerns are now global and often external—and that many key areas of risk are essentially beyond any company's ability to control. Related to that, Rudolph says, is his most acute personal concern—what he calls “concentration risk,” or placing all of one's eggs in a single basket, such as one banking relationship or major supplier.
But while the field of corporate risk management is expanding, taking on a much broader set of considerations, the biggest change is one of mindset: People whose responsibilities never touched on risk now must consider what happens if and when things go wrong, incorporating elements of scenario planning into their daily lives.
In redefining how they assess, manage, and mitigate risk, companies are making all their people chief risk officers, regardless of whose business card carries that title.
What Keeps You Up at Night?
Carl Spetzler, chairman and CEO of Strategic Decisions Group and director of Stanford University's Strategic Decision and Risk Management certificate program, warns that the traditional perception of risk management has effectively been rendered obsolete. “What people don't get is that, in fact, most of the risk that needs to be managed isn't the low-probability, high-consequence stuff,” he says. “It's actually the more likely stuff that's in the middle.”
About 70 percent of the major risks that companies face today come from core value drivers, Spetzler says. “And most risk managers don't typically worry about those things, because they are considered normal parts of the business. But the potential combination of a couple of those key drivers going the wrong way can end up tanking a business. So to me, the big challenge is how to combine those core business risks with the traditional low-probability, high-consequence events.”
Rudolph cites yet another example of how the discipline of risk management is changing. Smart companies now think in broader terms of enterprise risk management (ERM), a more holistic approach than traditional risk management, which is by definition narrower in scope. Forward-thinking companies now use a more sophisticated type of ERM as a tool for making better strategic decisions, Rudolph says. And that now encompasses the upside benefits of risk as well as the traditional downside. Finding the right balance between the two extremes facilitates improved strategic decision-making and a more dynamic enterprise.
Brian Schwartz, governance, risk, and compliance leader at PricewaterhouseCoopers' risk-assurance practice in Washington, D.C., agrees with that assessment. “Many organizations,” he says, “are now starting to move away from the sole focus on, ‘What are my top ten or fifteen risks? Let me assess those each year and put together a risk register that defines those risks.’ They're moving away from looking at enterprise risk only as an assessment process, and they're getting more into looking at how the risks they care about align with strategy, how they align with specific performance drivers that fuel the business. And they're going so far beyond a traditional enterprise risk assessment that they are really monitoring and managing risks from end to end, in a much more holistic manner.”
That trend is a healthy one, Schwartz says, because it allows companies to assess and justify the risks that matter most to their bottom-line success and long-term well-being. “And if you can protect the downside by doing that, but also use it in some way to better enable business performance, then you're getting the best of both worlds.”
Meanwhile, cautions Walker, associate professor at the Kellogg School of Management at Northwestern University, there is another trend afoot in the wake of the 2008 financial crisis: a clear understanding that it is no longer sufficient, in the event of a risk-related crisis, for executives to say, “We didn't know. We didn't project. We didn't anticipate.” None of those old mea culpas will serve as survival mantras in the post-crisis environment. And, Walker says, although it's impossible for anyone to be perfectly prepared, there is a new expectation of excellence when it comes to risk management. “And that often means looking inward rather than outward,” he says.
But at the same time, he adds, corporate thinking—and vigilance—have expanded well beyond the traditional parameters of risk management, or the things that can reasonably and realistically be expected to go wrong in your company or your industry, to include the many more things that can go wrong in an increasingly complex global business world, such as cyber attacks or intellectual-property theft by a criminal ring or even a foreign government such as China.
The Conference Board