Where is the value in risk management?
It always starts the same way – “So what is it that you do, risk management? So you work for a bank?” Err no. “So you are in insurance?” No not quite. “Health and safety?” Definitely not!
So what exactly is “risk management” and where is it really valued – it means so many things to so many people. To many it will mean financial risk management that forms the backbone of all banks (albeit a weak backbone as we saw when the financial crisis broke…). People will talk about Enterprise Risk Management without really expanding much beyond the financial aspects of risk. And if we get into H&S then we lose the “business” context of risk to a great extent and probably credibility, whether justified or not.
Rather than try and define all these different types of “risk management” (you have Wikipedia for that…), I was thinking about how risk management can bring the most “value” to your business. Value can be measured in many ways and perhaps the most obvious way to measure value in risk management is to look at the financial value of the risks identified. The problem with this approach is that it relies on estimates that may be no more than wild guesses. And when someone estimates the financial impact of a risk, where do they stop, at the immediate impact or the ultimate impact? For example, it could be claimed that every “showstopper” risk could be valued at the entire cost of a project or business process.
The way I am going to describe value here works very well for an “uncertain” subject like risk management. Demonstrable value from a risk management process would be gained from helping to identify risks that are not obvious and would not have been identified without its application.
Which then leads us to look at the different areas of risk that fall under the Enterprise risk umbrella and assess their relative “difficulty” and therefore the opportunity to demonstrate value by identifying new risks i.e.:
Operational risk management: True operational risk looks at the ongoing, recurring processes in the business and not the one-off projects. As such, the operational staff tend to be very familiar with the business processes – they do it every day – and therefore they can tell you the risks without the need for formal risk management. In situations like this, formal risk management tends to be seen as an administrative overhead as it doesn’t tend to identify “new” risks.
Strategic risk management: The risk to the business strategy is obviously a big deal – if the strategy fails, the entire business could fail. But when the strategy statement (assuming that there is one?) has been broken down into its constituent assumptions, there will be a reasonably small number to analyse. How they are rated may raise a surprise or two but completely new risks are unlikely.
Project risk management: Projects are one-off exercises, that is, you have never tried to achieve the specific objectives before or it would already be an ongoing business process. The sheer newness of a project will ensure that new risks are guaranteed and all will not be obvious from the start. The use of a formal risk management process is therefore entirely justified and will be valued.
Programme risk management: Programmes are made up from multiple projects that are interdependent. Therefore all that was said about project risk management above can be multiplied exponentially. A true programme risk management process like ABCD is required here to prioritise clearly and ensure that “you can see the wood for the trees”. Get this right and immense benefits will be realised in the form of risks that would never have been identified without the rigor and the perceived value will be very high.
The four types of risk management above have therefore been ranked in terms of perceived value from the lowest (operational) to the highest (programme). That is, you are more likely to identify new risks by using formal risk management processes in a programme than a project, or strategy or operations, in that order. And let’s be clear that we are talking about risks that require proactive management. Black Swans introduce a whole new ball game, but that’s a different story…
ABS packs inflate via a rip-cord if you are caught in an avalanche – real risk management