In last month’s column, we introduced five common risk management failures along with indicators of each:
- Poor governance and “tone at the organization”
- Reckless risk-taking
- Inability to implement effective enterprise risk management
- Nonexistent, ineffective or inefficient risk assessment
- Not integrating risk management with strategy-setting and performance management
The warning signs listed for each of the above failures give the Board and management a diagnostic to check the health and vitality of their organization’s risk management.
Below we detail five more common risk management failures, along with warning signs for each. As with the first five failures discussed last month, we separate the warning signs for these additional failures into organizational, process and behavioral indicators.
#6: Falling Prey to a “Herd Mentality”
Several years ago, I participated on a panel at a conference for directors and executives in Utah. During my remarks, I talked about how lax regulation, financial innovation gone awry, nonexistent underwriting standards, over-the-top leverage and short-term motivations driven by incentive compensation programs contributed to the global financial crisis. But more important was the sheer volume of activity by all of the contributing parties – mortgage brokers, lenders, mortgage insurers, investment banks, credit default swap issuers and institutional investors.
When I used this unprecedented environment as a context for discussing the role of risk management, a director asked how a bank could avoid taking on the risks of subprime lending when its competitors were all in. In response, I pointed out that few of the market players knew when to stop, as limits were virtually nonexistent, and that led to heavy concentration and counterparty risks.
It is one thing to engage in legitimate business activity. It is quite another to know when the risks of doing so have reached an unacceptable level. Too much of a good thing can become a bad thing when following the herd. Eventually there will be a mad scramble for the seats when the proverbial music stops.
Some key indicators of this issue are:
- Management continues to execute the same strategy and business model, regardless of whether market conditions may be invalidating the critical assumptions underlying the strategy.
- The organization focuses on its current profitable product portfolio and markets without regard to identifying new market trends, emerging risks and underserved niche opportunities and considering breakthrough innovative ideas to change the status quo.
- The risks underlying execution of the strategy are not evaluated periodically to ensure the strategy remains on target.
- Management approaches the planning and budgeting process with a single-point estimate or view of the future; alternative scenarios are rarely considered when conducting periodic stress tests of financial performance.
- Scenarios used to stress test financial models are not extreme enough to assess the implications of disruptive change in the marketplace.
- Management does not monitor changes in the external environment for signs that point to the need to re-examine and challenge the entity’s operating model.
- The organization is too insular in its outlook, leading it to bypass “reality testing” its assumptions about markets and the business environment.
- Management is so in love with the business model that the organization fails to view the world from the perspective of its customers’ experience and capitalize on the vulnerabilities and shortcomings of its competitors.
- The organization is too reliant on a single market niche and takes no significant steps to diversify.
#7: Misunderstanding the “If You Can’t Measure It, You Can’t Manage It” Mindset
A prevalent view is that if one cannot measure a risk, one cannot manage it. While there is some truth to this assertion, many tend to use it as an excuse to do nothing at all with respect to understanding and addressing a difficult-to-measure risk. Because inability to measure a risk will not make it go away, solely managing the measurable is not good enough and ignores important issues. Leaders cannot bury their heads in the sand. Even if initial efforts to quantify a critical risk are crude at best, the improved understanding, awareness and resulting communications of the risk more than justify the effort.
Key indicators of this issue include:
- Management believes that risk measurement and risk management are the same thing.
- For the priority risks, the organization does not determine:
  - The extent of relevant data and information available for each risk.
  - The additional information needed to understand the risks and the available sources to use for purposes of developing key risk indicators (KRIs).
  - Whether alternative risk responses (such as avoid or share the risk) are appropriate for risks for which more data gathering or insight is not feasible.
  - Whether substitute or surrogate measures are available, e.g., if no direct information is readily available, the metrics currently used (often in the form of key performance indicators [KPIs]) might serve as relevant lead or lag indicators.
- There is tolerance for risk exposures that management knows are significant but lacks data and information as to how large they really are (see failure #8).
- The organization lacks a continuous-improvement mindset in risk management and, in particular, risk measurement.
- The organization is too preoccupied with what its financial models indicate and is reluctant to encourage the exercise of judgment based on the data and information available.
- The firm is inundated with reams of data; however, very little of it is useful information from a decision-making standpoint in dealing with key risks.
#8: Accepting a Lack of Transparency in High-Risk Areas
Lack of information for decision-making leaves management with little insight as to what is really happening in the business. Transaction complexity and volatility can obscure the full picture when management must make decisions. If this environment clearly exists within the organization and management does not seek to correct the situation, that in and of itself is a warning sign. Dysfunctional, excessive risk-taking is fostered by an inability to see the full picture. Simply stated, complexity masks the true economics.
When facts are clarified and management and the Board can discuss everything out in the open, the best decisions result. Accordingly, it is vital that executive management creates an open, positive culture with respect to risk that fosters risk awareness and effective risk management across the enterprise. Transparency enables all stakeholders, including the Board of Directors, to understand both how the firm’s business model is performing and the risks inherent in the business.
Key indicators of this issue include:
- An enterprisewide view of the critical risks is inhibited due to a high level of decentralized decision-making, proliferation of risk management silos and ineffective oversight.
- Executive management has not created an open, positive and risk-aware environment where people can raise their hands, express concerns and raise issues with confidence that their careers or compensation will not be threatened.
- There is a lack of focus, discipline and control around improving risk management capabilities over time as the business environment changes.
- Policies with respect to establishing accountability for the largest risk exposures are either nonexistent or deficient.
- The entity’s risk appetite statement does not address unacceptable risk exposures.
- Performance is evaluated after the fact due to the lack of data analytics and lead KRIs that offer a more anticipatory view.
- Reports are not submitted to executive management and the Board regarding the organization’s largest risk exposures undertaken by different business units and activities, with appropriate commentary on the ones that are being managed well and those that are not.
- Unexpected surprises occur periodically as a result of previously unknown risks.
- There are “multiple versions of the truth” with respect to certain risks.
- The Board of Directors desires greater transparency to size the magnitude of the organization’s exposure to risk, yet the Board is not satisfied it is getting such transparency.
#9: Ignoring the Dysfunctionalities and “Blind Spots” of the Organization’s Culture
Everyone knows that an organization’s culture can have a huge impact on its ability to prevent the occurrence of unacceptable risk events, as well as identify new and emerging risks in a changing business environment on a timely basis. Openness, transparency and accountability are topics every organization should be considering on an ongoing basis, with an eye toward improving its culture continuously. More importantly, firms should pay attention to the root cause of management’s missing the warning signs that something is either wrong or isn’t working, particularly in situations that objective parties can recognize easily when armed with the benefit of 20/20 hindsight.
The following are key indicators that organizational dysfunctionalities and blind spots may exist:
- Gaps and overlaps exist in risk management ownership responsibilities.
- There is inadequate linkage between risk management and priority business issues.
- There is a lack of open dialogue among the people who matter regarding risks and opportunities.
- There are reward systems incentivizing or encouraging extreme entrepreneurial risk-taking.
- Escalation processes to ensure that significant problems are recognized and addressed promptly are either nonexistent or ineffective.
- There are no consequences or actions taken to address violations of established policies and limits related to the largest risk exposures.
- The culture surrounding entrepreneurial risk-taking activities is disproportionately strong relative to control activities.
- There is pressure to achieve unrealistic targets and executive resistance to bad news.
- Internal competition is fostering a warrior culture.
- There is tolerance for obvious conflicts of interest.
#10: Not Involving the Board of Directors in a Timely Manner
When the Board is not involved with significant issues on a timely basis, management does not receive the benefit of the Board’s experience in managing critical risks. The Board needs to be involved with such matters in a timely manner to discharge its risk oversight responsibilities. From the perspective of the shareholders, the Board is the last line of defense.
Key indicators of this issue include:
- Directors are not fully knowledgeable of the priority business risks facing the company.
- The organization’s risk profile is rarely, if ever, discussed at the Board level in a meaningful way.
- The Board is not satisfied that management’s strategy-setting process appropriately considers, in a robust manner, the risks inherent in the business model.
- Management does not engage the Board in substantive discussions regarding the enterprise’s risk appetite and whether the entity’s risk profile is consistent with it.
- Directors lack confidence in management’s process for identifying emerging risks.
- The Board is not satisfied with the risk reporting it receives.
- The Board is only engaged in occasional, ad hoc treatment of risks and risk management.
- Management habitually informs the Board after the fact when significant risks are undertaken.
In summary, coupled with the five risk management failures we discussed last month, we have now introduced 10 common areas where risk management fails. The key indicators we offer for these failures provide the basis for a diagnostic that the Board and executive management can use to evaluate the health and viability of the organization’s risk management capabilities.