Q. Following some of the high-profile failures, there is concern that we become too risk-averse. How can we ensure that risk management adds real value?
A. Successful organisations add value by ensuring that they consider missed opportunities and recognise the need to take risks. They do not avoid risks nor do they necessarily have to take greater risks – they simply have a better understanding of what the risks are and how best to manage them. That means fewer control failures, an increased likelihood of achieving objectives and improved stakeholder value. Stakeholders might be indifferent about specific risk-management models or methods, but they will increase their support for an organisation if it demonstrates it does a better job of managing its risks to create value.
This requires focus on rewarded and unrewarded risks. Some risks are all downside and no upside. These are the unrewarded risks – they can’t be ignored, but the primary incentive for tackling them is value protection. Other risks are all about upside, and the primary impetus for taking these rewarded risks is value creation. Although they might have a significant downside, the potential upside is even greater. The danger is that individuals focus the bulk of their attention on the threats and wind up missing out on the opportunities.
Focusing only on the downsides can lead to underinvestment in the kinds of opportunities that drive growth and create value for stakeholders. Risk-intelligent organisations understand the distinction between rewarded and unrewarded risks, and they will respond accordingly.
To be truly effective in adding value, risk management should be linked to the organisational strategy and critical success factors, which can help embed it. Linking risk management to strategy in this way puts it into context and within the understanding of all areas and staff. This approach also lends itself to looking at missed opportunities and not just downside risk.
Most people instinctively believe it is unlikely that all risk areas crystallise at one time, but it is also important to recognise the issue of contagion risk and that one small risk can trigger a chain reaction. Organisations that focus only on big risks might find themselves ill-prepared to face the interaction of separate adverse events in the absence of an integrated and coordinated response to linked risks. Understanding the links between risks will allow for a more coherent and joined-up risk response; one risk response can be tailored to impact on more than one risk.
Discussion and understanding of risk appetite is vitally important for management to understand the initiatives and risks that the board are prepared to accept, and which risks need to be reduced and by how much. Understanding risk appetite allows appropriate risk-taking and presents opportunities to deliver better services, make more reliable decisions, improve efficiency and support innovation. Importantly, in these times of scarce resources, it allows an organisation to ensure the risk response is appropriate.
Do not let the scare stories lead to knee-jerk reactions. Sometimes voluntary organisations over-engineer the risk response, leading either to too many scarce resources being allocated to manage down the risk or to a limitation of the scope and benefits of an initiative. The cost and benefit of mitigating risk should be considered in light of the risk appetite. Careful consideration of risk appetite means that fewer resources can be deployed to reduce the risk. Risk management needs to be seen as a value-added tool that is properly embedded in the organisation rather than a once-a-year box-ticking exercise. This will allow risk management to add value to strategy and decision-making.
Pesh Framjee is head of the not-for-profit unit at Crowe Clark Whitehill