Who are the heroes in your organisation?

Author: Mike Wood, Telecom NZ

All organisations generate their own stories about themselves that reveal aspects of their culture. The attributes that are most celebrated, and about which most stories are told, are likely to be the ones that managers in your organisation would most like to have associated with them. Here are a few examples of attributes to choose from:
- Visionary leadership
- Performance oriented
- Consistently meets targets
- Focused on outcomes
- Effectively manages risk.

It is likely that if you polled managers in most of your organisations, the last one would get far fewer votes. What are the main reasons for this? Some of them might be the following:
• Risk management is most commonly associated with compliance
• Risk management is believed to be about risk minimisation
• Risk management is thought to be more about conformance than performance
• Risk management is not recognised as a particularly relevant management discipline for entrepreneurial parts of the organisation.

Until some of these fundamental cultural beliefs are successfully challenged, and honour rolls of “hero managers” include those that are lauded for their success in managing risk, it is always going to be difficult to move risk management out of its marginalized position in many organisations. This paper looks at some of the practical ways in which this might be achieved.

Managers of uncertainty – the real risk managers

Peter Drucker points out that all economic activity must involve risk, because it requires today’s resources to be applied to achieving tomorrow’s uncertain outcomes. Without risk, there can be no economic activity.
However, if you open up any fund manager’s marketing brochures, you will usually see a simple graph that indicates that increased risk correlates with increased returns. The hero manager probably has a similar thought in mind relating to risk management – playing it “safe” equates to lowered performance. How do we deal with this belief system?

The answer, in broad terms, lies in the governance structure of the modern organisation. Corporate governance is, at its heart, the organisation’s strategic response to risk.

The tension that governance structures are designed to manage is largely to do with the possibility that managers can increase performance by increasing the amount of risk they take on, whereas shareholders (or owners generally) usually want management to increase performance within a given level of risk – their so-called risk tolerance. Ensuring transparency of risks is therefore behind many governance practices. Transparency is an enabler for auditing, which lays the foundation for both repeatability of performance and also for confidence in its reporting. (Enron is a current example of what happens if this is ignored).

These truths form the basis of an understanding that risk management is primarily about performance, and only secondarily about conformance – which is, of course, the opposite of what many managers are conditioned to believe. Perhaps this is not surprising when you consider the cultural factors already mentioned.

Peter Drucker tells the story of how he attended a university symposium on entrepreneurship at which a number of psychologists presented papers that talked about an “entrepreneurial personality”, which was characterised by a propensity for risk taking. Afterwards, a well-known innovator and entrepreneur attending the symposium who had built up a substantial worldwide business was asked to comment. He confessed to being baffled by the papers, maintaining that in all his years of business, during which he had done business with many successful entrepreneurs, the one and only thing that they had in common was that they were not risk takers. Instead, they tried to define the risks they had to take, and then minimise (we would probably now say “mitigate”) them as much as possible.

The idea that the manager who achieves the best performance is the one who most successfully manages the risks to achieving his or her outcomes is a powerful one. How do we get it to take root in our organisations?

I suggest that one way of cementing this changed worldview is to redefine what a “manager” is. Many organisations are a bit fuzzy about who they think their managers are – it is typically either a smaller or a larger list than merely those who have “manager” in their job title. If your Chief Executive has to get a communication distributed to “All Managers”, who does it get to? Everyone who has staff reporting to them? Many of these will be supervisors rather than managers. What about project managers, who often don’t have line control of the staff on their project, but whose success may have a significant impact on the company’s results?

A different paradigm might define managers as anyone who is accountable for managing a risk, or a generic type of risk. This paradigm is based on the understanding that unless the outcomes a person is accountable for are uncertain, there is nothing to manage. In other words, management is to be understood as the art and science of managing uncertainty.

By saying not only that all managers are risk managers, but further, that only risk managers are managers, we move ahead considerably in achieving some real ownership of risk. There starts to be an expectation that questions like “what area do you manage?” should be answered quite differently from the typical response of naming a function or department.

This doesn’t diminish our role – we who typically label ourselves as “risk managers” – but the part we play must never be allowed to take the accountability for managing risk away from the real risk managers. Obviously the exact nature of our role depends on the management model of our organisations, e.g., whether we have a central corporate function or a more federalised model. The way we have chosen to do it in Telecom is to have a small corporate team that provides policy frameworks, tools and methodologies for use by the real risk managers. To further emphasise the accountability for managing risk, we changed our name last year from Risk Management to Risk Services.

Risk management as a foundation for effective corporate governance

Turning again to the critical linkages between corporate governance and risk management, it is important to cement in place the idea that risk management and performance management are two sides of the same coin. Risk, by definition, causes variability of performance compared to what was expected, and managing an organisation’s risks is therefore an integral part of managing its performance. This duality is reflected in most codes of practice on corporate governance. For example, in the principles on corporate governance produced by the Commonwealth Association for Corporate Governance (ratified at the last Commonwealth Heads of Government meeting in late 1999), the principle dealing with Risk Management states:

“The Board must identify key risk areas and key performance indicators of the business enterprise and monitor these factors”.

The clear implication is that the key performance indicators are chosen based on what is most at risk – i.e., the areas where variability is likely to be most apparent.

Other worthwhile guidance on integrating risk management into corporate governance practices has been developed during the last decade by bodies such as the Turnbull Committee of the Institute of Chartered Accountants in England and Wales, which states that Boards should adopt a risk-based approach to establishing a sound system of internal control. Furthermore, they should review the system’s effectiveness as part of normal governance processes.
This work reflects the growing recognition and acceptance of risk management as a central element of good governance. But apart from monitoring the effectiveness of risk management frameworks, what tools are available to Boards and CEOs to make this understanding a reality? One suggestion is to use your delegations framework to reinforce risk ownership and transparency. Virtually all organisations have some kind of policy on delegated authorities, usually based on differing levels of permissible expenditure for each layer of management.

Most see such frameworks as a restrictive control – “you are only allowed to spend up to this amount without escalating it to your manager”. However, a more powerful story to be told about delegations is that they actually grant decision rights, based on the level of risk incurred. Underlying these decision rights is the assumption (usually unspoken) that the higher up a manager is in the hierarchy (with the highest level being the Board itself), the better equipped they are to make a judgement on risk.

Using this idea, the levels of financial delegations, for example, can be seen as granting decision rights to take on more and more risk, not a right to spend more and more money per se. On this basis, the dollar amounts specified in the delegations can be seen merely as a proxy for risk – a rather unsophisticated one. Once the idea of decision rights for taking on risk is accepted, such proxies can be replaced or enhanced with explicitly risk-based rights, which might lead, for example, to lower-level managers routinely approving much larger expenditures on projects when similar ones have been successfully completed many times in the past. Conversely, quite small amounts of expenditure on projects in a new area of business, or known risky projects (such as anything involving software development!) may have to go to the Board or CEO. In all cases, a pre-requisite for either assuming the decision right, or escalating the decision, is a formal risk assessment.

Making this connection between the need for formal (but often quite simple) risk assessment and the decision rights underlying the delegations is a simple but effective way of reinforcing the linkage between risk management and corporate governance.

Aligning managers’ and shareholders’ interests – risk management in practice


Increasing shareholder value through more effective risk management is one of the aims of risk management, yet we know from the Capital Asset Pricing Model (CAPM) that many risk management decisions (especially relating to risk financing) can only be indirectly justified from a shareholder value perspective. Based on CAPM theory, risk management does not enhance the value of an organisation, because it cannot create value by undertaking activities that investors can do equally well. For example, often it is non-systematic risk that is being transferred, which can be eliminated at low cost through simple portfolio diversification by the investor (assuming it is a firm like Telecom whose ownership can be traded).
However, it is also understood by risk economists that there are imperfections in the “risk marketplace” that make risk management relevant, including the cost of financial distress or bankruptcy, non-linear tax rates, and managerial incentives. Looking particularly at the last of these, it is easy to see, for example, that it may be desirable to hold managers accountable for a project’s costs even if the cost of overseas purchases made during the life of the project varies with movement in exchange rates. Hedging the exchange rates achieves this aim, but there is a cost to this hedging, and shareholder value is therefore only added if productivity is thereby enhanced sufficiently to compensate for the cost of the hedging.

The interesting aspect of the theory is that it assumes that managers are risk-averse compared to shareholders, for example because of our inability to diversify our human capital in the way that investors can diversify their investment capital. Our fortunes are closely tied to the fortunes of our employer, says this theory, and therefore we have strong incentives to manage risk, which can be ultimately costly to the shareholder.

Modern performance-based employment contracts (containing performance-based bonuses or share options) deal very adequately with this issue – and perhaps over-compensate for it. The problem may well now be on the other side of the coin, particularly for top management – the upside can be so great, with little downside other than the forgone bonus, that shareholders may well be the comparatively risk-averse party. Because employment contracts that have large upside benefits are often not available to other than top management, one starts to see comments about “risk-averse” middle managers, which simply reflects the differing incentives regime within the organisation.

So do we pay managers to take risks? Yes, we certainly do – but often not in a uniform manner in relation to risk incentives, which makes it all the more difficult to align the risk tolerance of shareholders with that of managers. Many of the corporate scandals that have occurred over the past couple of years seem to have as their root cause the absolute necessity for management to “make the numbers”, coupled with the huge incentives for them to do so. Boards need to better understand that such incentives are not necessarily aligning management’s interests with shareholders at all. What are needed are frameworks that align management with the shareholders’ risk tolerance – and that’s a whole lot harder.

The nature of risk – a Hydra

Finally, I want to address another aspect of risk ownership that has proved to be somewhat problematic, namely, the very different types of risk that managers typically encounter. It is extremely difficult to conceptualise all types of risk within a single framework. Enterprise Risk Management (ERM) points the way forward conceptually for risk management practitioners. However, it has a number of potential roadblocks before it will become a widespread best practice within business enterprises.

Firstly, much of the language of ERM is still biased towards the financial services industry. For example, it is common to see risk categorised as “Credit”, “Market” and “Operating” in ERM literature and surveys, which are not particularly useful categories for other industries. The terms themselves are misleading – “market” risk is always assumed to mean financial market risk, for example, rather than the risk associated with the particular industry market the enterprise is operating within. Even the term “risk management” is often incorrectly applied to risk transfer mechanisms, although they are merely one form of risk treatment within the overall risk management process. As we all know, language can be excluding, and persisting in using language that is only meaningful in one context results in ERM being perceived as not having much relevance to enterprises outside the financial services sector.

Secondly, much of the published material on ERM is focused on risk transfer alone, and usually on only one aspect of risk transfer – shifting risk to other parties through the insurance and capital markets. While integrating these forms of risk transfer within an enterprise is a worthwhile exercise, they together constitute only a very small part of risk management activity, as neither the insurance nor the capital markets are able or willing to assume the bulk of the risk that enterprises are confronted with (for example, because moral hazard exists) – at least, not at a price that makes any sense from a shareholder value perspective.

We have found it more useful to think about the different natures of risk in the following terms.

• Risks to the achievement of forward strategy
(Note that this is different to what are often termed “strategic” risks)
Structure, culture and politics constrain the implementation of a defined strategy. Even the most exceptional strategy is useless unless it can be implemented, so an understanding of the risks associated with a strategy is essential for success. Scenario analysis is a useful tool for identifying these risks, and their mitigation costs should be included in strategic financial plans. Ownership of these risks may be difficult to assign, as they are often “cross-functional”.

• “Event” risks
These risks typically result in sudden, “unexpected” changes in service performance or financial outlook. Mitigation expenditure is less easy to justify, as they typically have a low frequency of occurrence, but can have a disastrous impact. A combination of insurance, business continuity planning, and risk-specific mitigation is required. Authentic ownership (i.e., resulting in some genuine action) of these risks is sometimes particularly difficult, as their lower frequency of occurrence means that managers who do not expect to stay in an organisation for a long period may be tempted to “take the risk”. They are therefore often best dealt with by Board or CEO policies.

• “Customary” risks
These are the normal business uncertainties that are faced by a firm every day, similar to so-called “market volatility” in the example of financial markets. They are typically well understood, are more likely to be “owned” by a specific manager than the two other types of risk, and can often be managed through improved operating procedures or process improvements. Internal controls play a big part in addressing these risks.

But is it seen as “risk management” by our organisations? The tools that are available to help identify and characterise these risks are almost indistinguishable from those used by the “quality management” discipline, such as the statistical analysis tools used by quality improvement teams. Some organisations may therefore not use the term “risk management” for this activity, but customary risk qualifies as risk because it impacts on core earnings predictability, and in many years – perhaps most – it will impact more on earnings than the other types of risk. The fact that it is seen as “just what I do” by managers makes it a useful starting point for changing the perception about risk management from “something that someone else is doing” to “what all managers are doing”.

Conclusion

The risk management discipline needs to get out of its ghetto and take a leadership role in assigning real ownership of risk where it really lies – with real risk managers. This paper has suggested some alternative governance and management paradigms that can be powerful change agents towards achieving this ownership. It has also offered some practical methods of embedding these different paradigms in our organisations. The current focus on corporate governance practice offers a first class opportunity for us all to be in the driving seat – let’s not waste it.

Not-for-Profit Summit