A question we often hear from senior executives and directors when a company completes a risk assessment is, “How do we know we have a full picture of the risks that matter?” And a common observation voiced is, “The risk assessment process doesn’t tell me anything I don’t already know.” This issue of The Bulletin discusses the risk assessment process, including why traditional approaches aren’t meeting expectations and what can be done differently to increase management’s confidence in the process going forward. In this issue, we will discuss a strategic perspective to assessing risk. In the next issue, we will explore an operational and a compliance perspective to assessing risk.
Traditional risk assessment approaches have limited value
Developing risk maps, heat maps and risk rankings based on subjective assessments of the severity of impact of potential future events and their likelihood of occurrence is common practice. These approaches provide an overall picture of the risks, seem simple and understandable enough to most people, are often the result of a systematic process, and provide a rough profile of the organization’s risks. An illustrative risk map is shown below.
Common attributes of the risk map include governing objectives based on a business strategy or plan that provide a context for the assessment, a common language that provides a context for understanding the universe of relevant risks, and predetermined criteria for conducting an assessment.
While everyone agrees that an effective risk assessment should never end with management holding a list of risks, it is not unusual for traditional risk assessments to do just that, leaving decision-makers with little insight as to what to do next. Standard & Poor’s (S&P) has issued a report on how non-financial companies are managing risk based on its credit reviews. Addressing the current state of enterprise risk management (ERM) in non-financial companies, S&P reported that the development of ERM is generally at an immature stage for those companies claiming to have a formal program in place. According to S&P, for those companies with a “formal program”:
[The] most common approach is to maintain a “risk register” or “heat map” that classifies top risks by likelihood and impact along with a mitigation strategy for each. Fewer companies assign specific ownership for key risks, develop alternative mitigation strategies, and communicate risk tolerances clearly across their organizations. Very few companies … seem fully imbued with a culture that integrates risk assessment into strategic decision-making, clearly communicates risk appetite to … stakeholders, and has a fully engaged and risk-astute board overseeing risk.1
So why is it challenging for companies to move beyond a risk assessment to an actionable plan? We offer four reasons. First, the risk assessment process can allow individual biases to affect the assessment, foster “group think” and preempt outside-the-box thinking. Research has shown that scales derived from qualitative descriptions of severity and likelihood are understood and used differently by different people. Assessments by unknowledgeable participants often are “middle of the road” on these scales and can skew the overall results. Intersections on a risk map are mean averages of sometimes widely dispersed views and are not necessarily a consensus of the participating evaluators.
Second, the process is a linear, point-in-time assessment that isn’t tailored to the unique characteristics of the risks the company faces. While using a common analytical framework to evaluate risks with different characteristics may make the process easier to execute, it also may ignore the interplay among related risks and does not alleviate the fundamental problem of limited risk information. The lack of robustness contributes to problems later on when the organization attempts to assign different risks to the appropriate risk owners as the logical “next step” after the risk assessment and leads to frustration over attempts to integrate risk management with core management processes.
Third, subjective assessments are often influenced by past experience. This is a dangerous shortcoming of the process because one thing we continue to learn over the years is that the past is not always a reliable indicator of what to expect in the future. For example, the financial crisis taught all of us that what we don’t know is more important than what we do know. The integrity of the risk assessment process can be impaired by the overconfidence stemming from past successes and an overly simplified view of the future.
Fourth, the process offers little insight as to what to do about exposures to extreme events. The process sometimes leads to a conclusion to de-emphasize the so-called “high impact, low likelihood” risks because of the low probabilities involved and a false sense of security arising from the lack of historical precedence. These events – if and when they occur unexpectedly – are often those that cause the most damage. Therefore, the process needs to take into account such considerations as the velocity or speed to impact, the persistence of the impact over time and the organization’s response readiness.
There may be a place for traditional risk assessment approaches when creating awareness and obtaining a quick overview of risk, particularly when a company is just starting down the path of ERM. However, traditional approaches lose their value over time and become more of a backward-looking audit tool than a forward-looking exercise as the company’s risk management evolves. Accordingly, more focused assessment mechanisms may be necessary to provide the insights management needs. If very little happens as a result of an organization’s risk assessment process, it is a clear sign that alternative approaches should be considered.
Look at the characteristics of risks to think outside the box
Two principles provide insight as to the way forward. First, companies need to structure their assessment of risk according to the characteristics of the risks being assessed. Second, companies should assign ownership of the risk assessment process to the managers who are best positioned to ensure the expected actionable results are achieved in response to the assessment. While these two principles are fundamental to any integration strategy for risk management, they also provide insights as to why traditional risk assessment approaches are often not actionable.
While all risks can have an impact, as defined by management, and there are probabilities associated with whether they will transpire, there are important differences that distinguish them. For purposes of discussion, we will segregate risks into the following categories: strategic, operational, financial and compliance. Each of these risk categories has fundamentally different characteristics. Strategic risks occur when the business model is not effectively aligned with the strategy, and one or more future events may invalidate fundamental assumptions underlying the strategy. These risks relate primarily to the external environment (e.g., competitors, customers, innovation, regulators, etc.).
Answer the ‘big picture’ questions that matter
We will illustrate the structuring of an appropriate assessment approach using strategic risks as a context. Due to their nature, the objectives of assessing strategic risks are to (a) ensure the enterprise can execute strategic initiatives successfully, (b) explicitly consider the risk/reward balance in making strategic decisions, and (c) address the “do we know what we don’t know” question. The assessment approach should challenge the assumptions underlying the strategy when the strategy is formulated, as well as assess the validity of the assumptions as the business environment changes. In addition, it is important to ensure alignment of the business model with the strategy and test the execution of the strategy against multiple views of the future. The real focus here is gaining an understanding of the issues that management and the board need to know more about relative to value creation and how to preserve the value created.
A black swan event is a high-impact, hard-to-predict and rare event that is beyond the realm of normal expectations in history, science, finance and technology. As introduced by Nassim Nicholas Taleb,2 black swans are a surprise to most observers because, due to their small probabilities, contemporary risk assessment methodologies often ignore or do not consider them. Taleb makes the point that the psychological biases that make people individually and collectively blind to uncertainty and unaware of the massive role rare events can have in historical affairs add to the danger. After the fact, a black swan event is often rationalized by hindsight, as if it should have been expected. In summary, a black swan is an event or combination of events or circumstances that are not foreseen by an organization at a given point in time and can hit a company when it least expects it.
How do we identify something that, by definition, represents an “unknown unknown”? One approach is using contrarian assertions to strategic assumptions. The thinking begins with the premise that no one can foresee every possible event OR combination of events that can result in a black swan. If they could, the occurrence would, by definition, not be a black swan. The thinking continues as follows:
- Define your strategic assumptions. A useful analytical framework to use for strategic risks is to focus on the events that could seriously damage the company; these are the events that invalidate the critical assumptions underlying the strategy. Strategic assumptions are management’s “view of the world” for the duration of the strategic planning horizon. They pertain to such attributes as the enterprise’s capabilities, competitor capabilities and actions, customer preferences, technological trends, capital availability, and regulatory trends, among other things. In effect, strategic assumptions are management’s “white swans” because they reflect management’s view of the environment in which the “extended end-to-end enterprise” will operate during the planning horizon.3 A SWOT (strengths, weaknesses, opportunities and threats) is one source of input into this exercise, as it is often used to identify the internal and external factors that are favorable or unfavorable for achieving a desired end state or strategic objective.
- Develop contrarian statements. These statements are the “antithesis” to the strategic assumptions, meaning they negate the assumptions. If the strategic assumptions are management’s “white swans,” the related contrarian statements are potential “black swans.”4
- Recognize that not all contrarian statements are black swans. Look for the statements that are apt to have the greatest impact on the company if they were to transpire. These statements should reflect situations that would likely arise from events the organization currently lacks sufficient information about and that management would tend to rationalize after the fact, “Why didn’t we see it coming?”
- Articulate the implications of high-impact contrarian statements. An implication statement represents the synthesis point of view: It resolves the conflict between the thesis (strategic assumption) and antithesis (contrarian statement) by reconciling their common truths and forming a new proposition.5 In effect, implication statements address two questions: “What do we do if the critical assumptions underlying our strategy are no longer valid?” and “How would we know if our assumptions are no longer valid?” As with many strategic uncertainties, action plans arising from an implication statement will often include implementing new trending metrics and other indicators to monitor the vital signs germane to the exposures we are concerned about.
An Illustrative Example
Every well-defined strategy of every company, regardless of the industry, has underlying assumptions that are vital to its successful execution. We have chosen an all-too-familiar example from the financial services industry to illustrate the contrarian assertions approach outlined on the previous page.
- Define your strategic assumptions – As we look at the strategy typical of some financial institutions that had difficulty as a result of the financial crisis, we might sum it up as a strategy of leveraging cheap money to achieve volume and speed in lending to the low-income housing sector. Assumptions underlying that strategy included increasing or stable housing prices, continued availability of cheap money and continued economic growth, among other things.
- Develop contrarian statements – To our assumption regarding increasing or stable housing prices, a contrarian statement might be: “The housing market takes a significant dive in all major markets, hitting all segments of the subprime loan portfolio.”
- Recognize that not all contrarian statements are black swans – Continuing our example, it is obvious that an unusually severe and pervasive decline in housing prices would have a huge impact on a strategy concentrating lending activity in the subprime market.
- Articulate the implications of high-impact contrarian statements – Completing our example, we might have stated the following: “The bank needs to monitor housing market indicators in all major markets with significant loan portfolio concentrations, as well as test housing prices by selling selected assets from time to time.”
While we can never say with certainty that we know what we don’t know, we can apply techniques that encourage knowledgeable managers to think strategically on a comprehensive basis by focusing on the big picture. The “premortem technique”6 described above is an example of a process for getting managers engaged in contrarian “devil’s advocate” thinking without encountering resistance. The idea is to assume a strategic assumption is no longer valid, provide the reason(s) why from a point in time in the future and explain what that development might mean.
Why engage in contrarian thinking? A company can fall so in love with its business model and strategy that it fails to recognize changing paradigms until it is too late – the “strategic inflection point” problem.7 Strategic assumptions may or may not remain valid over time; the only certainty is that no one knows for sure what will happen that could invalidate them in the future. The “contrarian thinking” process helps managers to think outside the box, challenge assumptions constructively without fear of “disrupting harmony,” and develop new ideas that can make the strategy more robust.
Most important, the exercise may tell managers more about the knowledge and information they need to obtain to address their uncertainty around what they don’t know.
Assess your view of the future
Given the complexity of the business environment, executives need to be careful to avoid overconfidence that can be bred by an expressed or implied “official” view of the future. Overconfidence is a powerful source of illusions. It is often driven by the degree of success managers have experienced, and the quality and coherence of the storyline they construct regarding the future they envision.
Scenario planning is the process of testing management’s “view of the future” by visualizing different future conditions or events, what their consequences or effects would be like, and how the organization can respond to or benefit from them. Scenario planning avoids the risk of a single view of the future by enabling management to identify the likely direction and order of magnitude of the effects of changes that affect the drivers of the enterprise’s revenues, costs, profits and market share.
Scenario planning starts by dividing knowledge into two broad domains:
- “Known knowns” – Things we believe we know something about (e.g., established backlog, firm contracts, current demographic shifts, seasonal consumer behavior and other factors that essentially cast the past forward, recognizing that the current environment possesses some level of momentum and continuity)
- “Known unknowns” – Things we consider uncertain or unknowable (e.g., true uncertainties such as future interest rates, rates of technological innovation, economic growth, market trends and outcomes of political elections)
The art of scenario planning lies in blending the known with the unknown into a limited number of internally consistent views of the future spanning a wide range of possibilities. Scenario planning helps the enterprise challenge expectations, address “what if ” questions, identify sensitive external environment factors that should be monitored, identify the need for contingency plans and exit strategies, and reinforce the need for flexibility and boundaries when executing the strategy. Management must be committed to the exercise to ensure it is sufficiently robust and discriminates the vital signs on which the company must focus.
Engage the appropriate process owners to drive expected actionable results
Ask yourself these questions: Does your current risk assessment process provide a clear view as to what should happen upon completion of the assessment? Are the right people asking for the results of the assessment? Is it clear who will drive and own the responses? Do those individuals act on that responsibility? These questions are fundamental to any strategy around integrating risk management into strategy-setting, business planning and performance management.
Earlier, we pointed out that companies should assign ownership of the risk assessment process appropriate for specific risks to the managers who are best positioned to ensure the expected actionable results are achieved in response to the completed assessment. When the appropriate analytical framework is applied to the appropriate risks, the expected actionable results become clearer. For example, for strategic risks, the insights gained from the premortem technique and contrarian analysis described earlier are likely to identify the vital signs for the enterprise to monitor to provide management with the time value of “first mover” options. By continuing to monitor the business environment for changing conditions, the company is better positioned to recognize and prepare for emerging risks, and provide input into the strategic management process. The senior executives responsible for the strategic management process are those most likely to drive these actions and ensure involvement of appropriate managers with a stake in executing the strategy.
Every organization should ask the following question: Do we devote enough attention to thinking about what we don’t know by focusing on our strategy and the external environment? Risk assessments directed at cataloging risks everyone knows about are not going to generate insights for management and the board. An indicator of the quality of the assessment process is the extent to which it fosters the sharing of new insights among the company’s executives and directors. The more “unknowns” a company is able to identify in the assessment process, the more effective the risk assessment process – and the more anticipatory and better prepared the company will be.
Understanding risks and how they are managed used to be the threshold for most companies. However, that was when risk was an afterthought to strategy-setting and an appendage to performance management. Now the bar is raised. Risk management must also instill greater confidence in the board of directors and senior management that the corporate strategy can be executed successfully, and the business plan and performance goals achieved. If managers are not devoting sufficient time to thinking about the unthinkable, their strategic thinking process is incomplete.
1“Standard & Poor’s Looks Further Into How Nonfinancial Companies Manage Risk,” June 24, 2010, page 3.
2The Black Swan, Nassim Nicholas Taleb, 2010.
3Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise, Frederick Funston and Stephen Wagner, 2010, pp. 86-87.
6The Power of Intuition, Gary Klein, 2003, pp. 98-101, 131.
7This term is attributed to Andy Grove, former CEO of Intel, in his book, Only the Paranoid Survive, 1996.
The Bulletin (Volume 4, Issue 2)