By Gary Pearce

May 20, 2022

McKinsey and Company recently published a paper entitled “The CEO’s risk agenda: An insurance perspective.” Though oriented toward the insurance industry, it’s an excellent overview of why all organizations need to manage risk differently than in the past.

McKinsey’s message identified four key areas to consider: 

  • robust and appropriate risk management capabilities
  • orchestrating alignment on strategic trade-offs 
  • promoting a risk-aware culture that supports entrepreneurship
  • importance of the CEO having a personal stake in high-stakes decisions 

In order to do justice to these initiatives, one must first have perspective on what they really mean, their implications, and how they relate to the circumstances and people of the organization.

Let’s expand upon how to make the McKinsey report relevant to the embattled executive.

What do we mean by “risk”?

We tend to have a good understanding of what constitutes risk, but without a bit of assistance we may be unintentionally limiting when we put that understanding to work. Risk, after all, includes matters as diverse as technology obsolescence, talent mobility, reputation and social media exposures, privacy and cyber security, political risk and much more.  The real-world takeaway is that business executives can better assess risk when they are supplied with a baseline reminder of some of its important dimensions.

Risk appetite: more than rhetoric, more than numbers

One of the enduring truisms of enterprise risk management is that decisions need to be made in the context of the organization’s risk tolerance and appetite. This raises the question of whether that risk appetite and tolerance have been appropriately established and expressed. The usual answer is no, not for lack of effort but because it is very difficult to define risk appetite and tolerance in a useful way.

Most risk appetite and tolerance statements consist of either broad principles that are well-intended but not very relevant to a matter at hand, or quantitative thresholds that lack nuance and tend to be too high-level. The remedy isn’t to forgo better defining of risk appetite and tolerance; rather, it is to be cognizant of these limitations and seek to make the statement more applicable to the company’s situation and circumstances.

Risk management isn’t about timidity and constraints

In most organizations, the risk management function is charged with purchasing insurance, dealing with claims and accidents, and advising about the risks of selected business activities. Differently put, the risk manager’s job tends to surround adverse events and unfavorable situations. The risk manager usually isn’t consulted when revenue from a new product launch is beating the budget, or when the reasons for a gain in market share are being identified.

This dynamic presents an impediment with respect to the organizational perception of risk management. The reason is that to be most effective, the risk management function must pivot from dealing only with the adverse to helping address the upside of risk as well. In other words, dealing with adverse accidents reactively will cost you more in the long run. It is better to spend the time and money upfront implementing active risk management best practices.

In the new world of risk management, the opportunities associated with smart risk-taking can be as important as the downside. Indeed, one of the greatest risks that organizations now face is the failure to adapt and grow while seizing the opportunities brought about by an unprecedented pace of change. But for too many risk managers, this isn’t “home territory.” Perhaps worse, even the dynamic risk manager may have to swim upstream against the organization's preconception of their role and expected behavior when taking an active risk management approach. 

The problem here is not the career implications for the risk manager; rather, it is the potential failure of organizational leadership to engage the risk management function in the most effective and appropriate way. It’s up to executive leadership to change this dynamic, and then up to the risk manager to rise to the occasion.

Systems as the backbone

We’ll address deployment in a separate message, but information systems are more than just a deployment issue. Risk management systems and technology are no longer nice-to-haves nor common to multinational corporations. They are crucial to establishing and maintaining a competitive advantage, to meeting the wants and needs of a diverse palette of stakeholders, to regulatory compliance, and to cost management. But most risk management technologies can’t address all of these critical objectives. 

Risk management systems tend to be oriented to after-the-fact record keeping, siloed into specific areas of specialization, too complex for use by anybody except a handful of specialists, or simply too expensive once all costs are included. As technology evolves and the needs of the risk manager continue to surge, it is time to expect more from the risk management technology stack. In order to make a real difference, the chosen technologies must be accessible to and embraced by a spectrum of daily operators, not just backroom staff.

It indeed starts with the CEO, but don’t forget the Board

Just as line managers respond to what their leadership demonstrates to be important, the CEO is likely to put more energy into risk management when the Board of Directors is engaged. In some cases the Board influences the CEO, in others just the opposite; sometimes the initiative may be mutual. Regardless of its genesis, risk management as a strategic priority is far more likely to exist and thrive when the Board and CEO are on the same page.

Are you appropriately quantifying risk?

There are more aspects to risk than ever before, and the stakes continue to rise. Many of today’s most critical risks consist of very-low-likelihood events with catastrophic potential consequences. These unlikely scenarios, many of which may be “black swans,” aren’t always amenable to cost-benefit analyses or meaningful trailing measures of results.

When encountering the unlikely high-severity event, the best quantification may not consist of measuring past results. Energy may be better devoted to measuring the activities and processes put in place to minimize the likelihood of adverse events or to at least lessen their consequences. Consistency and depth of process deployment stand as a good example.

Regardless of the metrics chosen, there could arise a tendency to manage against those metrics as opposed to taking the most appropriate actions and making the best decisions. Be prepared to use risk metrics as a tool and a source of insight, not an end unto themselves. As with all risk management matters, one needs to learn from experience and adapt to changing circumstances when considering the best risk measurements.

Culture: are you identifying and measuring what really matters?

Beware of treating culture monitoring and morale as a check-the-box, one-and-done endeavor. There can be great subtlety to what constitutes culture. Among these challenges is understanding the impact to morale when an accident occurs. Not only are you asking your employees to take on work to cover another’s absence; they are also very much aware that the same accident could happen to them. There is also considerable risk of the organization telegraphing its desired state and securing answers that are pleasing rather than truthful.

Integrating with strategic planning

Finally, if risk management isn’t infusing the strategic planning process, then the organization hasn’t achieved the holistic risk management approach that McKinsey advocates. A signal of insufficiency is when risk management is indeed considered in the process but disconnected into a separate “risk” page or slide in the strategic plan. Another yellow flag is when a clear distinction is made between business strategy risks on the one hand, and hazard or insurance risks on the other.

A sign of success is when risk is an inherent aspect of all business deliberations, in a balanced way that never exaggerates and considers both downside and opportunity. Risk is then identified as a consideration factor when, and only when, it is especially important or material to a decision. Rather than being a specialized function, effective risk management requires the infusion of an enlightened understanding of risk throughout organizational leadership so that sound decisions are made in the course of daily business practices.


Coming in Part 2: How to Better Implement

We’ll be issuing a follow-up message on how to effectively implement a risk-aware environment that is responsive to the four principles set forth by McKinsey. In the meantime, we hope that the advice presented here represents a good starting point for both senior executives and those with daily responsibilities for holistic risk management.