[Each year, the best Canadian risk managers gather to discuss the state of the discipline at the RIMS Canada Conference. The 2011 incarnation is taking place this week in Ottawa so I will be reporting from here for the next few days.]
The first session I attended at the 2011 RIMS Canada Conference in Ottawa promised to detail the top 10 common ERM errors — and how to avoid them. True to form, presenter Diana Del Bel Belluz of Risk Wise Inc and moderator Nowell Seaman, the head of risk management for the University of Saskatchewan and RIMS board member, did just that.
Here is a recap of Belluz’s list, highlighting the top five.
#1. Complacency Has Set In
Complacency is an enemy of risk management. Once it cements itself into the organization’s culture, it is difficult to get out from under. Risk managers must determine if this is a hurdle at their company. Some warning signs Belluz says to look for are executives who respond to risks with statements like …
“It’s never happened before.”
“It can’t happen here.”
“We can handle it.”
“Ignore it and it will go away.”
She mentioned one company she advised whose CEO took an “ignore it and it will go away” approach to one risk. “It worked,” she said. “It took seven years and a lawsuit, but he was right — eventually it did go away.”
#2. Not Understanding Your Risk Exposure
“At its heart, this mistake is really about not linking risk to strategy,” said Belluz. In an attempt to understand its exposure, most companies will start their risk identification by brainstorming. Various company stakeholders gather and throw out ideas about what worst-case scenarios could harm the organization. One big benefit, says Belluz, is that this allows you to tap into expert knowledge.
But there are also many cons.
First off, success hinges upon the individuals in the room, so you need to ensure you get the right people. Second, groupthink — or simply one dominant personality — can skew the discussion, possibly towards concerns that are not actually the biggest threats. Additionally, because you are looking at each risk in isolation, you don’t factor in the interdependencies that exist between risk factors. You can ask just about any financial firm still in existence today how that can lead to a company’s downfall. And lastly, brainstorming tends to create a very large list of risks, which then makes prioritizing the threats difficult.
For these reasons, she suggests creating “an influence diagram,” which is essentially a flowchart map of risks that shows how they interact and allows you to use colors or shape size to demarcate which exposures are the most critical. It is a visual approach that lets you view and understand the interrelationships between multiple risks/objectives.
This, too, has its own con, however.
Because it relies on linking internal risks to one another, it can overlook big risk factors that are outside the organization. Think of the economic meltdown or terrorist attack. These could affect multiple parts of the operation. But the flowchart lines won’t show this connection to an external threat.
Thus, Belluz recommends that you don’t rely on either of these methods exclusively. Use both. Such an approach will leave fewer gaps in your identification, quantification and prioritization of risks. And don’t stop there. Add checklists, “risk heat maps” and risk matrixes as well, she suggests.
Still, many companies are failing to use such formal procedures.
To highlight this, Belluz asked the room “what would it take in our organization to implement more structural approaches [to risk management]?”
Immediately, one risk manager in the crowd shouted out “more resources.”
I’m sure many others can relate.
#3. Relying on Gut Instinct to Assess Risk
This is an obvious mistake with a not-so-obvious solution. Essentially, it comes down to one question: “What role should judgment, experience and intuition play in analyzing and informing strategic decisions?”
Ironically, determining the right answer to that question might take more art than science, but there are a few pitfalls that Belluz pointed out.
- Mistaking beliefs and opinions for facts
- Confirmation bias
- Group polarization (in which like-minded people gather and a concern they all share becomes intensified by the discussion. For instance, a group of people very concerned about hazardous waste come together, discuss the issue and then walk out of the room thinking it’s an even worse problem than they did when they went in.)
- Emotionally charged situations
A way to mitigate being too “gutsy” in your thinking, if you will, is ensuring that the methodology remains evidence-based. Because if you are using your gut during risk identification rather than using a process that is grounded in facts, you may actually make the problem worse.
Could ignorance be better than a false sense of protection? Maybe.
As Nowell Seaman pointed out, use your gut rather than facts and you may come out of a meeting and “feel like we have done something but we really haven’t.”
Is an unknown risk that remains unmanaged better than a known risk that is poorly managed? I would lean towards no, but it’s certainly debatable.
#4. Overlooking the Information You Have
Belluz’s suggestion to avoid this one was simple: “Frame a question about the risk properly and then mine your data.” As we know, life consists of lies, damned lies and statistics. So numbers can usually be found to support any conclusion. And finding the right information is key.
This can be overwhelming, however. To ease the burden, Belluz suggests four useful measurement assumptions you should remember:
- Someone has measured it before (Google is your friend)
- You have more data than you think
- You need less data than you think
- New data is more easily accessible than you think
In short, there is data out there. Be sure you use it.
#5. Focusing on the Wrong Risks
The key question to ask here is whether or not the risk aligns with the company’s risk appetite. And this concept led to an even more interesting question from the audience. “What’s the difference between risk tolerance and risk appetite?” asked a risk manager.
Belluz’s answer? “I don’t think, as a discipline, we have decided on that.” Seaman agreed, but was able to add some insight he has learned from his years of managing risk in the trenches. “Tolerance is how much risk can you stand. How much you can stomach,” he said. “Appetite is how much you want to stand.”
So in trying to determine whether or not you’re focusing on the wrong risks, perhaps the best lesson is to always identify those areas in which your exposure is higher than the amount of risk you want to stand. If you look through that lens and everything seems kosher, you should be able to sleep a lot better at night.