It is always interesting to put on our “all-seeing glasses” and look at situations when risk management failed. By doing this, we have the opportunity to identify warning signs of common failures.
The following are five common risk management failures and some warning signs of each, organized into organizational, process and behavioral indicators.
#1: Poor Governance and “Tone of the Organization”
Governance is the act or process of providing oversight, authoritative direction or control. The term itself is often used to describe what the Board of Directors and executive management do to oversee the enterprise’s planning and operations and ensure the effectiveness of strategy-setting and the organization’s other management processes.
Executive management’s “tone at the top” provides a vital foundation for the transparency, openness and commitment to continuous improvement that are so necessary for effective risk management. However, the tone at the top must be complemented with an effective “tone in the middle.” No matter what leaders communicate to their organizations, what really drives behavior and resonates with employees is what they see and hear every day from the managers to whom they report. If the behavior of middle managers contradicts the messaging and values conveyed from the top, it won’t take long for lower-level employees to notice. Because the top-down emphasis on effective risk management is only as strong as its weakest link, it is vital that this emphasis be translated into an effective tone in the middle before it can be expected to reach across the organization. Therefore, a strong “tone of the organization” is needed.
Here are a few indicators of dysfunction in governance and tone of the organization:
- Poor risk governance, leadership and discipline, resulting in enterprise value creation activities of the lines of business overriding the risk concerns and early warnings raised by the independent risk management function.
- Lack of Board focus on risk oversight, resulting in directors failing to ask the tough questions.
- Risk is not considered explicitly by management when evaluating strategic alternatives and whether to enter new markets, introduce new products or consummate a complex investment or acquisition.
- There is ineffective or nonexistent sharing and communication of risk information up, down and across the organization.
- A myopic focus on the short term – the next month or quarter – is causing the organization to mortgage the future for the present when taking risk.
- A dominant CEO ignores the warning signs posted by the risk management function, resists bad news or contrarian information that the organization’s strategy is not working and/or does not involve the Board with strategic issues and policy matters on a timely basis.
- There is evidence of undeliverable strategies, extreme performance pressures, unrealistic expansion plans, inadequate executive experience and/or a “warrior culture” and unhealthy internal competition creating incentives for excessive risk-taking.
#2: Reckless Risk-Taking
Reckless risk-taking is an enterprise value killer. It represents undertaking risks that the Board of Directors and/or executive management neither understand nor approve. A lesson we keep learning, time and again, is the need for more disciplined risk-taking during periods of rapid growth and favorable markets. For example, every MBA program features case studies of companies re-learning a time-honored lesson:
Although competent people are an important aspect of managing risk, management’s reliance on them without limits, checks and balances and without independent monitoring and reporting is as ill-advised as not understanding the risks inherent in their activities.
It is interesting that companies, even entire industries, keep learning this fundamental lesson. In the financial crisis, there is evidence that some institutions fared better than others and we can learn from what they did.
Key indicators of this problem include:
- The Board is not providing sufficient risk oversight.
- The operating unit leaders and process owners are not accountable for managing the risks their activities create, thus the primary risk owners are not monitoring and managing risk at its source.
- There is no independent risk management function in place providing risk oversight.
- Internal audit is not focused on the effectiveness of the first two lines of defense – the primary risk owners and the independent risk functions.
- There is either no risk appetite statement or a lack of accountability to ensure prudent risk-taking within the boundaries set by the organization’s risk appetite.
- There are no efforts to apply contrarian analysis to the critical assumptions underlying the strategy so that trending and other risk indicators can be monitored to ascertain whether one or more critical assumptions are either becoming invalid or have become invalid.
- Trust positions (i.e., the people whose actions or inaction can subject the enterprise to significant risk events) are not identified and managed; therefore, their activities may not be subject to oversight by a knowledgeable executive.
- The organization’s incentive compensation structure and culture drive inappropriate risk-taking behavior, e.g., a “heads I win, tails you lose” compensation plan may be driving unintended consequences that management and the Board would want to avoid if given a choice.
- Responsibility for risk management is not linked to the reward system, or worse, the incentive compensation program encourages unbridled risk-taking.
- There are “star performers” who make a lot of money, but no one understands how or why they succeed.
- The “smartest people in the room” dominate discussion and drive groupthink.
- There are significant conflicts of interest in complex, volatile and/or difficult-to-measure areas.
#3: Inability to Implement Effective Enterprise Risk Management (ERM)
Most efforts to implement ERM are unfocused, severely resource-constrained and pushed down so far into the organization that it is difficult to establish their relevance. The near-term result is “starts and stops” and ceaseless discussions focused on understanding what the objective is. The longer-term result is that risk management is rarely, if ever, elevated to a strategic level and continues to be driven by functional silos within the organization.
Common indicators of this potential failure include:
- Lack of support from executive management and other key stakeholders and/or lack of traction due to delegation of the initiative to lower levels in the organization.
- The ERM initiative is neither enterprisewide in scope, nor strategic in focus.
- An “additive” point of view that the various risk management silos combined together constitute an ERM response because they collectively cover the enterprise’s risks.
- There is either no risk management policy, or a policy exists but it does not emphasize ERM principles.
- The ERM process does not focus on the vital few risks that really matter and/or does not position the organization as an early mover to capitalize on market opportunities and emerging risks.
- Lack of clarity as to the business motivation and economic justification for ERM, e.g., understanding “the problem we’re trying to solve with ERM,” leading to endless dialogue about the “what” and “why.”
- Inability to respond in a manner acceptable to the Board of Directors to such questions as: What are our most critical risks? How well are we managing them and how do we know?
- Paralysis (i.e., unwillingness to start somewhere to ensure an effective enterprisewide approach to managing risk).
#4: Nonexistent, Ineffective or Inefficient Risk Assessment
This failure arises when risk assessment activities are not identifying the critical enterprise risks effectively, efficiently and promptly. Or, worse, nothing happens when a risk assessment is completed beyond sharing the most current list of risks with company executives.
Some key indicators of this failure include:
- An abundance of risk management silos and lack of a process view allow significant risks to go unnoticed.
- Multiple risk assessment requests besiege the entity’s process and functional owners due to the silo mentality of multiple requesting risk evaluators.
- The risk assessment process does not involve key stakeholders and the results are not reported to the Board of Directors to obtain their input and perspective.
- Risk assessments rarely surface an “a-ha” moment that alters senior management’s view of the world, leave decision makers with little insight as to what to do next to manage risk and rarely impact business plans and decisions.
- The process offers little insight as to what to do about exposures to extreme events, with little or no impact on improving response readiness.
- The process does not devote enough attention to helping managers think about what they don’t know.
- The use of a common analytical framework does not take into account multiple views of the future and doesn’t address the unique characteristics and time horizon considerations of the risks the company faces.
- General counsel constrains the risk assessment process with concerns over risk documentation.
- The organization practices ELM, or “enterprise list management,” which ranks risks periodically, but contributes little insight as to how they are managed.
- Subjective assessments are often influenced by past experience, foster groupthink and preempt out-of-the-box thinking.
#5: Not Integrating Risk Management with Strategy-Setting and Performance Management
This failure occurs when risk is treated as an afterthought to strategy-setting, resulting in strategic objectives that may be unrealistic and risk management becoming an appendage to performance management. The consequences of this failure include a strategy the organization is unable to deliver, a deteriorating competitive position, an inability to adapt to a changing business environment and a significant loss of enterprise value.
Key potential indicators of this failure include:
- Management has not implemented an effective approach to integrate the implications of risk with strategic planning and performance management.
- The risks inherent in the organization’s strategy are not identified, sourced and mitigated.
- Consideration is not given to the risk of disruptive change affecting the business model.
- Key risks embedded within the enterprise’s operations, including how they are managed, are not transparent to key stakeholders.
- There is a lack of connectivity of risk management to core management processes.
- There is poor alignment of risk responses with strategy and enterprise performance management.
- No process is in place for anticipating extreme risk scenarios that could derail execution of the strategy, e.g., the velocity, persistence and response readiness associated with high-impact, low-likelihood risks are not assessed to ascertain whether new risk response plans are required.
- The strategy and the related risk responses are not communicated in a consistent manner across the enterprise.
- Risk management is mired in minutiae rather than focused on what is really important: the vital strategic risks.
- There is evidence of unacceptable risk-taking or unnecessary risk-averse activity.
We have discussed five common risk management failures:
- Poor governance and “tone of the organization”
- Reckless risk-taking
- Inability to implement effective ERM
- Nonexistent, ineffective or inefficient risk assessment
- Not integrating risk management with strategy-setting and performance management
The warning signs provided for each of the above failures provide a high-level diagnostic for the Board and management to check the health and vitality of their organization’s risk management.
“Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,” James DeLoach and Jeff Thomson, thought paper sponsored by the Committee of Sponsoring Organizations (COSO), 2014.