SSSIG consider risk management as the process of identifying, assessing and controlling threats to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic Management errors, accidents and natural disasters

SSSIG present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches. We examine the individual and organizational challenges inherent in generating open, constructive discussions about managing the risks related to strategic choices and argue that companies need to anchor these discussions in their strategy formulation and implementation processes. We conclude by looking at how organizations can identify and prepare for no preventable risks that arise externally to their strategy and operations.

Managing Risk: Rules or Dialogue?

The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face. Our field research shows that risks fall into one of three categories. Risk events from any category can be fatal to a company’s strategy and even to its survival.

Category I: Preventable risks.

These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on. A rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.

This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviours and decisions toward desired norms. Since considerable literature already exists on the rules-based compliance approach, we refer interested readers to the sidebar “Identifying and Managing Preventable Risks” in lieu of a full discussion of best practices here.

Category II: Strategy risks.

A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities.

Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. BP accepted the high risks of drilling several miles below the surface of the Gulf of Mexico because of the high value of the oil and gas it hoped to extract.

Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.

Category III: External risks.

Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Companies should tailor their risk-management processes to these different categories. While a compliance-based approach is effective for managing preventable risks, it is wholly inadequate for strategy risks or external risks, which require a fundamentally different approach based on open and explicit risk discussions. That, however, is easier said than done; extensive behavioural and organizational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.

Why Risk Is Hard to Talk About

Multiple studies have found that people overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.

We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. We often compound this problem with a confirmation bias, which drives us to favour information that supports our positions (typically successes) and suppress information that contradicts them (typically failures). When events depart from our expectations, we tend to escalate commitment, irrationally directing even more resources to our failed course of action—throwing good money after bad.

Organizational biases also inhibit our ability to discuss risk and failure. In particular, teams facing uncertain conditions often engage in groupthink: Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections—however valid—and fall in line. Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimize conflict, delay, and challenges to his or her authority.

Collectively, these individual and organizational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.

Effective risk-management processes must counteract those biases. Rules about what to do and what not to do won’t help here. In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches. We start by examining how to identify and mitigate strategy risks.

Managing Strategy Risks

Over the past 10 years of study, we’ve come across three distinct approaches to managing strategy risks. Which model is appropriate for a given firm depends largely on the context in which an organization operates. Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and debate risk information. Our finding that “one size does not fit all” runs counter to the efforts of regulatory authorities and professional associations to standardize the function.

The meetings, both constructive and confrontational, are not intended to inhibit the project team from pursuing highly ambitious missions and designs. But they force engineers to think in advance about how they will describe and defend their design decisions and whether they have sufficiently considered likely failures and defects. The board members, acting as devil’s advocates, counterbalance the engineers’ natural overconfidence, helping to avoid escalation of commitment to projects with unacceptable levels of risk.

At SSSIG, the risk review board not only promotes vigorous debate about project risks but also has authority over budgets. The board establishes cost and time reserves to be set aside for each project component according to its degree of innovativeness. A simple extension from a prior mission would require a 10% to 20% financial reserve, for instance, whereas an entirely new component that had yet to work on Earth—much less on an unexplored planet—could require a 50% to 75% contingency. The reserves ensure that when problems inevitably arise, the project team has access to the money and time needed to resolve them without jeopardizing the launch date. JPL takes the estimates seriously; projects have been deferred or cancelled if funds were insufficient to cover recommended reserves.

Risk management is painful—not a natural act for humans to perform.

Facilitators.

Many organizations, such as traditional energy and water utilities, operate in stable technological and market environments, with relatively predictable customer demand. In these situations risks stem largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time.

Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers. This increases managers’ awareness of the risks that have been taken on across the organization and provides decision makers with a full picture of the company’s risk profile.

The danger from embedding risk managers within the line organization is that they “go native”—becoming deal makers rather than deal questioners.

SSSIG One strengthens accountability by linking capital allocation and budgeting decisions to identified risks. The corporate-level capital-planning process allocates hundreds of millions of dollars, principally to projects that reduce risk effectively and efficiently. The risk group draws upon technical experts to challenge line engineers’ investment plans and risk assessments and to provide independent expert oversight to the resource allocation process. At the annual capital allocation meeting, line managers have to defend their proposals in front of their peers and top executives. Managers want their projects to attract funding in the risk-based capital planning process, so they learn to overcome their bias to hide or minimize the risks in their areas of accountability.

Embedded experts.

The financial services industry poses a unique challenge because of the volatile dynamics of asset markets and the potential impact of decisions made by decentralized traders and investment managers. An investment bank’s risk profile can change dramatically with a single deal or major market movement. For such companies, risk management requires embedded experts within the organization to continuously monitor and influence the business’s risk profile, working side by side with the line managers whose activities are generating new ideas, innovation, and risks—and, if all goes well, profits.

The chief danger from embedding risk managers within the line organization is that they “go native,” aligning themselves with the inner circle of the business unit’s leadership team—becoming deal makers rather than deal questioners. Preventing this is the responsibility of the company’s senior risk officer and—ultimately—the CEO, who sets the tone for a company’s risk culture.

Avoiding the Function Trap

Even if managers have a system that promotes rich discussions about risk, a second cognitive-behavioural trap awaits them. Because many strategy risks (and some external risks) are quite predictable—even familiar—companies tend to label and compartmentalize them, especially along business function lines. Banks often manage what they label “credit risk,” “market risk,” and “operational risk” in separate groups. Other companies compartmentalize the management of “brand risk,” “reputation risk,” “supply chain risk,” “human resources risk,” “IT risk,” and “financial risk.”

SSSIG Understanding the Three Categories of Risk

Such organizational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. Good risk discussions must be not only confrontational but also integrative. Businesses can be derailed by a combination of small events that reinforce one another in unanticipated ways.

The Risk Event Card

The Risk Report Card

SSSIG Managing the Uncontrollable

External risks, the third category of risk, cannot typically be reduced or avoided through the approaches used for managing preventable and strategy risks. External risks lie largely outside the company’s control; companies should focus on identifying them, assessing their potential impact, and figuring out how best to mitigate their effects should they occur.

A firm’s ability to weather storms depends on how seriously executives take risk management when the sun is shining and no clouds are on the horizon.

SSSIG Tail-risk stress tests.

Stress-testing helps companies assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable. Financial services firms use stress tests to assess, for example, how an event such as the tripling of oil prices, a large swing in exchange or interest rates, or the default of a major institution or sovereign country would affect trading positions and investments.

SSSIG take the Leadership Challenge

Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. And many leaders have a tendency to discount the future; they’re reluctant to spend time and money now to avoid an uncertain future problem that might occur down the road, on someone else’s watch. Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.

For those reasons, most companies need a separate function to handle strategy- and external-risk management. The risk function’s size will vary from company to company, but the group must report directly to the top team. Indeed, nurturing a close relationship with senior leadership will arguably be its most critical task; a company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon.