Moving From ‘Doom Management’ to Effective Risk Management

The decisions we make every day help us get where we want to go, obtain desired results, achieve our objectives, and be successful. We don’t make decisions using only a list of what could go wrong. Rather, we understand both the pros and cons, weighing everything that might happen before making an informed and intelligent decision. But most organizations separate the consideration of what could go wrong—calling it “risk management”—from the assessment of what needs to and should go right.

I call this “doom management.”

It should be no surprise that the vast majority of executives see risk management as a compliance activity. As a Deloitte study found, “Only 13 [percent] of [C-level] respondents believe their risk management processes support, at a high level, the ability to develop and execute business strategies.”

Executives see it as something they have to do rather than what they want to do. Perhaps this is why risk practitioners, such as chief risk officers (CROs), see a lack of support and resources from top management—because top management fails to see how the CROs are helping them run the business for success.

The Enterprise Risk Management (ERM) Initiative at North Carolina State University has been surveying companies about their risk management practices for years. The proportion of organizations that self-assess the maturity of their risk management programs as “robust” and “providing significant competitive advantage” remains a dismal 3 percent. They report that “Overwhelmingly, most organizations do not perceive their risk management processes as providing important risk insights that management can use to create or enhance strategic value.”

Periodically reviewing a list of risks is not what I and many others believe to be effective risk management. Protiviti’s Jim DeLoach accurately refers to ERM as “enterprise list management.”

This post is a call for change that board members can drive within their organizations. It is time to pivot from risk management that avoids failure to risk management that helps you achieve success. Board members need to see the big picture and anticipate all the things that could happen, both good and bad, to make quality strategic and tactical decisions.

This change will enable an organization to:

• Set the right objectives and strategies for achieving them

• Make informed and intelligent decisions

• Take the right level of the right risks, given the potential for reward and the effect on achieving enterprise objectives

• Understand the likelihood of achieving their objectives and act where that likelihood is unacceptable

In my view, effective risk management is not something separate from effective management and leadership. It is not only about managing and mitigating potential harms (“risks” in general parlance); the responsibility of a risk office; something that has to be bolted on or integrated in some way; or a compliance activity. Instead, it is:

• About anticipating what might happen so that you can set and then execute on strategies and achieve objectives, and make informed and intelligent decisions and take the right risks

• A part of effective management, and something that effective managers have been doing since before the concept of risk management was invented

• About success

In other words, organizations must stop managing risk and focus on managing the business for success.

Achieving Enterprise Objectives

Most organizations measure and reward the performance of the management team by their ability to achieve objectives and targets approved by the board. I have reviewed the following format for performance reporting integrated with risk reporting with multiple executives and boards.

An executive or board discussion around a report like this should focus on the areas for which the current status or likelihood of achieving an objective by the end of the year is unacceptable. In the example, these are highlighted in red. There will also be discussion of those orange areas, where achievement is questionable.

By drilling down on any cell, management and the board can identify which risks and opportunities drive the performance assessment. They can then determine the appropriate actions to improve the likelihood of success.

Imagine the report being discussed at a weekly meeting of the CEO and their direct reports. The CEO sees that the likelihood of achieving the revenue target is only 80 percent. They ask what would happen if they joined the team in a meeting with a major customer, increasing the likelihood of that deal closing. The underlying factor is adjusted, and the CEO can see that the likelihood of hitting 10 percent revenue growth increases to 85 percent. In this instance, the report not only provides actionable information but also leads directly to the CEO’s action.

One of the values of a report such as the one above is that an executive can consider where to allocate additional resources. It not only highlights all the areas that merit attention but also enables a comparison of their severity.

Other Periodic Reports

For periodic reporting, review, and ongoing monitoring, there is also value in identifying the more significant risks and opportunities that merit individual attention. These might include risks that:

• Can affect multiple objectives to an unacceptable extent. For example, a cyberbreach is likely to affect both revenue targets and the ability to ensure compliance with trade regulations. While one impact may be acceptable, the combination of both may be considered too much.

But it is very important to ensure that the discussion of something such as cybersecurity is done with a business perspective, paying attention to how a breach could affect the business, rather than the fact that multiple so-called “information assets” are at high risk or have drawn the attention of regulators or the media.

Other examples of risks that have drawn such attention are low levels of management diversity or high levels of gender discrimination. Another is a significant deficiency or material weakness in financial reporting.

• Are especially significant in terms of their magnitude and impact on the organization. For example, when I was the chief audit executive and CRO of BusinessObjects, SAP agreed to buy us. This was by far the largest acquisition SAP had ever made and the ability to preserve and grow its revenue stream was of prime importance. My team worked with management to ensure that risks to revenue were addressed and opportunities to leverage the larger SAP customer base were made possible.

This list of individual or groups of risks would supplement rather than bethe primary risk report as it is in most traditional risk management programs.

In addition, the board should receive formal assurance at least annually from the CEO first, and then the CRO and the head of internal audit, on three things: that daily decision-making is informed and intelligent; that the more significant risks and opportunities are being addressed as part of the everyday running of the business; and that any risk management activity is seen as enabling the quality decisions that lead to success.

Everyday Risk Management

We live and work in a world in which change is not only accelerating but also has a greater impact. There are many moving pieces both outside and within organizations. Customers have varying needs, vendors may change their pricing models or create new products and retire older ones, and regulators may shift their interpretation of existing rules or introduce new ones.

Risks and opportunities are constantly changing, and risk management must be able to keep up.

As it is practiced by most organizations today, risk management is limited to the compilation and periodic review of a list of risks. It inhibits rather than encourages innovation and imagination.

The better path is to move to managing for success. That doesn’t mean that we stop considering all the risks that can hurt us. It means that we consider them within the context of achieving the organization’s objectives. Boards need to ask themselves and management whether they are taking the right level of the right risks, optimizing the extent and likelihood of success.