So I’m going to be brave and wander into the much contested space of risk management. It’s a legitimate space for internal auditors, as the IIA Standards and industry best practice require that we are meant to be ‘risk based’.
I say the space is contested because there are ever more strongly expressed concerns about risk management as a profession. A range of the leading internal audit, risk management and oversight thought leaders are having a lively debate on risk management.
So what’s the debate about? First there is the quant v qual risk management debate. For some, risk management is not ‘proper’ unless it is scientific, numbers and probability based. I think these commentators have a point; in my experience far too few organisations have decisions taken by management teams that have a good grip of the data underpinning that decision, let alone a full quantitative data model analysing the risk curves from that decision.
I think, however, too much of this debate becomes pejorative and frankly a bit silly around the positivist, scientific approach versus realist or even idealist approaches to knowledge and truth. For me, the debate is more practical. As David Apgar sets out in his book Risk Intelligence (still the best book I’ve read on risk), of course any risk is theoretically prone to quantitative modelling. He excepts commodity markets (as otherwise the market would be gamed for money). His practical example is a buttered slice of toast. Yes, you can model which side down it will land – butter or not – if you know force, air pressure, angle of release, typical physical characteristics of bread etc. It’s the cost of doing so. Sure, for an insurance company modelling risk is the day job. Where the impact of failure is high, say in the airline industry, the costs of failure make the investment in prevention worth it. For many decisions within a business, and for many businesses in total, however, the cost outweighs the benefit.
Here’s also the real blow for quantitative purists: frankly, most businesses don’t use data, or even compliance control frameworks, to run their businesses. They use cultural and personal relationships to run their businesses. They also appeal to the psychological needs of humans, i.e. their customers, to fund themselves. If you take a Drucker view of the business, as long as the customer is satisfied, many businesses can be hugely inefficient, make lots of ‘wrong’ risk decisions, and succeed quite well. Indeed, what is ‘brand value’ other than a multiplier of sentiment over assets? Consider banks – they are, arguably, the most advanced in quantitative risk management, yet the banking sector periodically explodes and collapses, requiring government bail-outs. If we consider the airline industry, the quant stuff drives the baseline – i.e. a safe flight. It’s the experience and brand that drives success and profitability though. Do airlines model these risks in the same way? Perhaps not. So there is space for evidence-based qualitative data analysis, even in the most quant-driven businesses. Simply, humans are not fully data-rational machines.
None of this is to invalidate the point that most, if not all, organisations should use more and better data and analysis to drive and support objective-led decision making.
The second debate in risk management is the objectives-led challenge. For me, sensible risk management must be linked to objectives, as that is the starting point for risks. If I don’t have an objective to walk to work outside, where it might rain, and if I don’t want to stay dry, then I attract no risk of rain getting me wet. In business terms, if I don’t trade internationally in any way, I attract no exchange-rate risk, nor a raft of other international risks (and yes, I know that’s a simplified view). So those who have the clarion call of ‘objective-led’, ‘value-add’ risk management should be preaching to an already convinced risk management choir.
Again though, there is a point to their concerns. Most risk management processes focus on the process, not the end. A risk register (or ‘risk management 1’ – a term used by some commentators for risk management activities that are illusory and designed for boards and auditor stakeholders, to make it appear as if risk is being managed) has little benefit to an organisation. Merely describing a train in ever-greater, and more accurate, detail, without stepping off the track before it hits, will not yield better risk management or organisational success outcomes.
This critique, whilst sometimes framed more semantically than practically, does land. So much risk management practice stalls at the maturity level before taking action. It’s a framework to describe the train, likely without good data or analysis, rather than to decide what to do about its impending arrival. Again, David Apgar’s book has a great concept of risk intelligence – how good is your organisation at managing risks, as opposed to issues? He asks: how surprised is an organisation by a risk’s crystallisation? If it is surprised, then its risk intelligence needs to be improved, i.e. the capacity to detect and assess a risk before its crystallisation into an issue.
I have to say, as an auditor, I am rarely surprised by risks’ crystallisation. Not because I am super clever or have extra-sensory perception, but because a majority of things are entirely predictable. As an internal auditor I spend most of my time analysing and reporting on things that have either gone wrong or are about to. A few moments to pause and some careful thought would, in so many cases, have predicted most of these points. As an auditor I know an unmanaged risk will become, eventually, an issue. At that point it is less prone to being managed, and much more expensive and stressful to do so.
The third debate I detect in risk management circles is around what the right role of risk management functions is. As an auditor I would see a risk management function as a second line function. Typically small, highly skilled, and focused on supporting line one management in improving their risk intelligence, risk assessment and risk management capacity. Sadly, I have often seen risk management functions actually denude line management capability to handle risks, with ‘risk management’ becoming a specialist activity done outside of the normal management discourse by the risk management function; the exact opposite of what they are supposed to achieve. Here also the RM1 critique often lands. Risk management becomes the distraction activity of producing risk registers and the dreaded risk maps, rather than embedding better data, fact and evidence analysis in the management line, linked to objective-led decision making.
Here, though, I want to temper the critique. Risk maps and risk registers, used well, can be good ways to express and simplify a more complex risk reality. This is especially useful for senior executives who have wide spans of control and responsibilities. In my view, as long as the risk map is supported by a reasonable set of data, evidence and analysis, they can be useful. Also, don’t forget, for a majority of organisations and for a majority of decisions within organisations, the cost of a quant analysis simply outweighs the benefit.
This post could become longer but I want to work through these challenges throughout this year, so I want to bring this to a close. To my mind, risk management is not particularly intellectually complex. You have an objective. From that objective flow a range of uncertainties over its achievement. It’s better to use evidence and analyse that risk in advance of its occurrence and to take action earlier. The extent and level of that action should be determined by some sense of how much of that risk’s occurrence you can tolerate and desire, and the costs of the action to be taken.
I will save the ‘so what does this mean for risk based internal audit?’ question for my next blog entry. Suffice to say, my conclusion for the moment is that the risk management profession is at a crossroads and will need to have a stronger expression in most organisations of what it is for, and what the risk management model in operation within the organisation is.
Do your clients or organisation have risk management sorted yet?