Continuing on our six myths theme (see six myths of customer loyalty and six myths of corporate strategy), we look at some of the most cherished beliefs behind firms’ risk management practices and why they should be dismissed.
Myth 1: The Biggest Risk My Firm Faces is Financial Risk
Reality: Strategic risks account for the greatest loss in shareholder wealth when measured by a fall in share price.
Fact: As shown in this slide, strategic failures account for 68% of market capitalization declines of 50% or more, while financial risks only account for 12% of the declines.
Must Do:
- Expand your risk universe to include strategic risks.
- Decompose strategic risks into manageable and controllable activities and prioritize the mitigation efforts.
Myth 2: My Company is Safe Because We Review Risks and Prioritize Mitigation Efforts Annually
Reality: An annual risk review process gives a static view of the world and prevents managers from redefining enterprise risks in a changing business environment. Effective risk management requires companies to be agile and place greater emphasis on actively managing risks instead of the process.
Fact: 88% of senior executives in a 2009 Corporate Executive Board survey tagged “agility” as “important” or “extremely important” to the overall success of their companies.
Must Do:
- Improve organizational risk agility by making changes to risk identification, assessment and response behaviors.
- Shift time dramatically away from assessment to building response capabilities.
Myth 3: We Are Good at Sensing Risk Because of Our Investment in Risk Management (ERM) Systems
Reality: Traditional ERM systems are only one part of the solution and are ineffective unless companies foster a culture of risk awareness throughout the firm.
Fact: ERM systems tend to create a “Check the Box” mentality, making companies focus 80% of their energies on technical assessments and 20% or less on actual management of risks and opportunities.
Must Do:
- Embed risk considerations into day-to-day processes and provide more visibility on who owns risk management in your firm.
- Link risk management to performance processes to foster a risk-aware culture and set clear risk management objectives to develop the organization’s risk culture.
Audit Director Roundtable (ADR) clients can learn from this financial services firm and CFO Executive Board clients can listen to a webinar replay on the topic.
Myth 4: Our Risk Assessment is Comprehensive Because We Measure Likelihood and Impact
Reality: Traditional risk assessments that prioritize risks by their likelihood and impact are outpaced by the speed at which the firm is hit by certain risks.
Fact: While 70% of finance executives agree that risk velocity is a core consideration, only 11% have introduced it into their risk assessments.
Must Do:
- Incorporate risk velocity, in addition to likelihood and impact, into your risk assessment and mitigation activities. ADR clients can learn from the internal audit team at Dun & Bradstreet.
Myth 5: We Are Well Protected Because We Have a Strong Quantitative Model to Measure Risk
Reality: While quantitative models can provide visibility to risk exposure, they tend to oversimplify risks and override good judgment.
Fact: Risk models fell short in the financial crisis. Nearly half of asset managers who participated in a wide-ranging survey said they were not happy with Value at Risk as a reliable measure any more; 32% said they were “partly satisfied” and only 19% said they were “satisfied”.
Must Do:
- Only quantify a risk if it improves decision making; focus more on the hard-to-quantify risks.
- Reinstate judgment in risk management decisions.
- Ensure that the organization has the right people in the right places, exercising good judgement about strategic and operational risks.
Myth 6: We Are Good Guardians of Our Business Because We Manage Risks at the Business Unit Level
Reality: Tracking and developing mitigation strategies for business unit-specific risks means suboptimal use of ERM resources. Effective risk management requires a holistic view of risks using both bottom-up and top-down approaches.
Fact: While holding a single view of risk is critical for making consistent and informed decisions, firms do little to establish one consistent process. Only 13% of the internal auditors surveyed have consolidated risk assessment processes, and just 14% have either established one governance or oversight function (i.e. the risk committee).
Must Do:
- Maintain a focus on key risks that have the potential to affect your organization’s strategic business objectives.
- Link enterprise risks to the organizational balanced scorecard to establish greater responsiveness and organization-wide accountability.
Let us know about the myths that you are constantly having to explain away, or contact me for more detail.
This series was first published in LiveMint, a joint venture between the publisher of the Hindustan Times and The Wall Street Journal.