Who are the heroes in your organisation?

Author: Mike Wood, Telecom NZ

All organisations generate their own stories about themselves
that reveal aspects of their culture. The attributes
that are most celebrated, and about which most stories
are told, are likely to be the ones that managers in
your organisation would most like to have associated
with them. Here are a few examples of attributes to
choose from:
- Visionary leadership
- Performance oriented
- Consistently meets targets
- Focused on outcomes
- Effectively manages risk.

It is likely that if you polled managers in most of
your organisations, the last one would get far fewer
votes. What are the main reasons for this? Some of them
might be the following:
• Risk management is most commonly associated with
compliance
• Risk management is believed to be about risk
minimisation
• Risk management is thought to be more about conformance
than performance
• Risk management is not recognised as a particularly
relevant management discipline for entrepreneurial
parts of the organisation.

Until some of these fundamental cultural beliefs are
successfully challenged, and honour rolls of “hero
managers” include those that are lauded for their
success in managing risk, it is always going to be difficult
to move risk management out of its marginalized position
in many organisations. This paper looks at some of the
practical ways in which this might be achieved.

Managers of uncertainty – the real risk managers

Peter Drucker points out that all economic activity
must involve risk, because it requires today’s
resources to be applied to achieving tomorrow’s
uncertain outcomes. Without risk, there can be no economic
activity.
However, if you open up any fund manager’s marketing
brochures, you will usually see a simple graph that
indicates that increased risk correlates with increased
returns. The hero manager probably has a similar thought
in mind relating to risk management – playing it
“safe” equates to lowered performance. How
do we deal with this belief system?

The answer, in broad terms, lies in the governance
structure of the modern organisation. Corporate governance
is, at its heart, the organisation’s strategic response
to risk.

The tension that governance structures are designed
to manage is largely to do with the possibility that
managers can increase performance by increasing the
amount of risk they take on, whereas shareholders (or
owners generally) usually want management to increase
performance within a given level of risk – their
so-called risk tolerance. Ensuring transparency of
risks
is therefore behind many governance practices. Transparency
is an enabler for auditing, which lays the foundation
for both repeatability of performance and also for
confidence
in its reporting. (Enron is a current example of what
happens if this is ignored).

These truths form the basis of an understanding that
risk management is primarily about performance, and
only secondarily about conformance – which is,
of course, the opposite of what many managers are conditioned
to believe. Perhaps this is not surprising when you
consider the cultural factors already mentioned.

Peter Drucker tells the story of how he attended a
university symposium on entrepreneurship at which a
number of psychologists
presented papers that talked about an “entrepreneurial
personality”, which was characterised by a propensity
for risk taking. Afterwards, a well-known innovator
and entrepreneur attending the symposium who had built
up a substantial worldwide business was asked to comment.
He confessed to being baffled by the papers, maintaining
that in all his years of business, during which he had
done business with many successful entrepreneurs, the
one and only thing that they had in common was that
they were not risk takers. Instead, they tried to define
the risks they had to take, and then minimise (we would
probably now say “mitigate”) them as much
as possible.

The idea that the manager who achieves the best performance
is the one who most successfully manages the risks to
achieving his or her outcomes is a powerful one. How
do we get it to take root in our organisations?

I suggest that one way of cementing this changed worldview
is to redefine what a “manager” is. Many organisations
are a bit fuzzy about who they think their managers
are – it is typically either a smaller or a larger
list than merely those who have “manager”
in their job title. If your Chief Executive has to get
a communication distributed to “All Managers”,
who does it get to? Everyone who has staff reporting
to them? Many of these will be supervisors rather than
managers. What about project managers, who often don’t
have line control of the staff on their project, but
whose success may have a significant impact on the company’s
results?

A different paradigm might define managers as anyone
who is accountable for managing a risk, or a generic
type of risk. This paradigm is based on the understanding
that unless the outcomes a person is accountable for
are uncertain, there is nothing to manage. In other
words, management is to be understood as the art and
science of managing uncertainty.

By saying not only that all managers are risk managers,
but further, that only risk managers are managers,
we
move ahead considerably in achieving some real ownership
of risk. There starts to be an expectation that questions
like “what area do you manage?” should be
answered quite differently from the typical response
of naming a function or department.

This doesn’t diminish our role – we who typically
label ourselves as “risk managers” – but
the part we play must never be allowed to take the
accountability
for managing risk away from the real risk managers.
Obviously the exact nature of our role depends on the
management model of our organisations, e.g., whether
we have a central corporate function or a more federalised
model. The way we have chosen to do it in Telecom is
to have a small corporate team that provides policy
frameworks, tools and methodologies for use by the
real
risk managers. To further emphasise the accountability
for managing risk, we changed our name last year from
Risk Management to Risk Services.

Risk management as a foundation for effective corporate governance

Turning again to the critical linkages between corporate
governance and risk management, it is again important
to cement in place the idea that risk management and
performance management are two sides of the same coin.
Risk, by definition, causes variability of performance
compared to what was expected, and managing an organisation’s
risks is therefore an integral part of managing its
performance. This duality is reflected in most codes
of practice on corporate governance. For example, in
the principles on corporate governance produced by
the
Commonwealth Association for Corporate Governance (ratified
at the last Commonwealth Heads of Government meeting
in late 1999), the principle dealing with Risk Management
states:

“The Board must identify key risk areas and
key performance indicators of the business enterprise
and monitor these factors”.

The clear implication is that the key performance indicators
are chosen based on what is most at risk – i.e.,
the areas where variability is likely to be most apparent.

Other worthwhile guidance on integrating risk management
into corporate governance practices has been developed
during the last decade by bodies such as the Turnbull
Committee of the Institute of Chartered Accountants
in England and Wales, which states that Boards should
adopt a risk-based approach to establishing a sound
system of internal control. Furthermore, they should
review the system’s effectiveness as part of normal
governance processes.
This work reflects the growing recognition and acceptance
of risk management as a central element of good governance.
But apart from monitoring the effectiveness of risk
management frameworks, what tools are available to Boards
and CEOs to make this understanding a reality? One suggestion
is to use your delegations framework to reinforce risk
ownership and transparency. Virtually all organisations
have some kind of policy on delegated authorities, usually
based on differing levels of permissible expenditure
for each layer of management.

Most see such frameworks as a restrictive control –
“you are only allowed to spend up to this amount
without escalating it to your manager”. However,
a more powerful story to be told about delegations
is
that they actually grant decision rights, based on
the level of risk incurred. Underlying these decision
rights
is the assumption (usually unspoken) that the higher
up a manager is in the hierarchy (with the highest
level
being the Board itself), the better equipped they are
to make a judgement on risk.

Using this idea, the levels of financial delegations,
for example, can be seen as granting decision rights
to take on more and more risk, not a right to spend
more and more money per se. On this basis, the dollar
amounts specified in the delegations can be seen merely
as a proxy for risk – a rather unsophisticated
one. Once the idea of decision rights for taking on
risk is accepted, such proxies can be replaced or enhanced
with explicitly risk-based rights, which might lead,
for example, to lower-level managers routinely approving
much larger expenditures on projects when similar ones
have been successfully completed many times in the
past.
Conversely, quite small amounts of expenditure on projects
in a new area of business, or known risky projects
(such
as anything involving software development!) may have
to go to the Board or CEO. In all cases, a pre-requisite
for either assuming the decision right, or escalating
the decision, is a formal risk assessment.

Making this connection between the need for formal (but
often quite simple) risk assessment and the decision
rights underlying the delegations is a simple but effective
way of reinforcing the linkage between risk management
and corporate governance.

Aligning managers’ and shareholders’ interests – risk management in practice

Increasing shareholder value through more effective
risk management is one of the aims of risk management,
yet we know from the Capital Asset Pricing Model (CAPM)
that many risk management decisions (especially relating
to risk financing) can only be indirectly justified
from a shareholder value perspective. Based on CAPM
theory, risk management does not enhance the value of
an organisation, because it cannot create value by undertaking
activities that investors can do equally well. For example,
often it is non-systematic risk that is being transferred,
which can be eliminated at low cost through simple portfolio
diversification by the investor (assuming it is a firm
like Telecom whose ownership can be traded).
However, it is also understood by risk economists that
there are imperfections in the “risk marketplace”
that make risk management relevant, including the cost
of financial distress or bankruptcy, non-linear tax
rates, and managerial incentives. Looking particularly
at the last of these, it is easy to see, for example,
that it may be desirable to hold managers accountable
for a project’s costs even if the cost of overseas
purchases made during the life of the project varies
with movement in exchange rates. Hedging the exchange
rates achieves this aim, but there is a cost to this
hedging, and shareholder value is therefore only added
if productivity is thereby enhanced sufficiently to
compensate for the cost of the hedging.

The interesting aspect of the theory is that it assumes
that managers are risk-averse compared to shareholders,
for example because of our inability to diversify our
human capital in the way that investors can diversify
their investment capital. Our fortunes are closely tied
to the fortunes of our employer, says this theory, and
therefore we have strong incentives to manage risk,
which can be ultimately costly to the shareholder.

Modern performance-based employment contracts (containing
performance-based bonuses or share options) deal very
adequately with this issue – and perhaps over-compensate
for it. The problem may well now be on the other side
of the coin, particularly for top management –
the upside can be so great, with little downside other
than the forgone bonus, that shareholders may well be
the comparatively risk-averse party. Because employment
contracts that have large upside benefits are often
not available to other than top management, one starts
to see comments about “risk-averse” middle
managers, which simply reflects the differing incentives
regime within the organisation.

So do we pay managers to take risks? Yes, we certainly
do – but often not in a uniform manner in relation
to risk incentives, which makes it all the more difficult
to align the risk tolerance of shareholders with those
of managers. Many of the corporate scandals that have
occurred over the past couple of years seem to have
as their root cause the absolute necessity for management
to “make the numbers”, coupled with the huge
incentives for them to do so. Boards need to better
understand that such incentives are not necessarily
aligning management’s interests with shareholders
at all. What are needed are frameworks that align management
with the shareholders’ risk tolerance – and
that’s a whole lot harder.

The nature of risk – a Hydra

Finally, I want to address another aspect of risk
ownership that has proved to be somewhat problematic,
namely, the very different types of risk that managers
typically encounter. It is extremely difficult to conceptualise
all types of risk within a single framework. Enterprise
Risk Management (ERM) points the way forward conceptually
for risk management practitioners. However, it has a
number of potential roadblocks before it will become
a widespread best practice within business enterprises.

Firstly, much of the language of ERM is still biased
towards the financial services industry. For example,
it is common to see risk categorised as “Credit”,
“Market” and “Operating” in ERM
literature and surveys, which are not particularly useful
categories for other industries. The terms themselves
are misleading – “market” risk is always
assumed to mean financial market risk, for example,
rather than the risk associated with the particular
industry market the enterprise is operating within.
Even the term “risk management” is often
incorrectly applied to risk transfer mechanisms, although
they are merely one form of risk treatment within the overall
risk management process. As we all know, language can
be excluding, and persisting in using language that
is only meaningful in one context results in ERM being
perceived as not having much relevance to enterprises
outside the financial services sector.

Secondly, much of the published material on ERM is
focused on risk transfer alone, and usually on only
one aspect
of risk transfer – shifting risk to other parties
through the insurance and capital markets. While integrating
these forms of risk transfer within an enterprise is
a worthwhile exercise, they together constitute only
a very small part of risk management activity, as neither
the insurance nor the capital markets are able or willing
to assume the bulk of the risk that enterprises are
confronted with (for example, because moral hazard exists)
– at least, not at a price that makes any sense
from a shareholder value perspective.

We have found it more useful to think about the different
natures of risk in the following terms.

• Risks to the achievement of forward strategy
(Note that this is different to what are often termed “strategic” risks)
Structure, culture and politics constrain the implementation
of a defined strategy. Even the most exceptional strategy
is useless unless it can be implemented, so an understanding
of the risks associated with a strategy is essential
for success. Scenario analysis is a useful tool for
identifying these risks, and their mitigation costs
should be included in strategic financial plans. Ownership
of these risks may be difficult to assign, as they
are often “cross-functional”.

• “Event” risks
These risks typically result in sudden, “unexpected”
changes in service performance or financial outlook.
Mitigation expenditure is less easy to justify, as they
typically have a low frequency of occurrence, but can
have a disastrous impact. A combination of insurance,
business continuity planning, and risk-specific mitigation
is required. Authentic ownership (i.e., resulting in
some genuine action) of these risks is sometimes particularly
difficult, as their lower frequency of occurrence means
that managers who do not expect to stay in an organisation
for a long period may be tempted to “take the risk”.
They are therefore often best dealt with by Board or
CEO policies.

• “Customary” risks
These are the normal business uncertainties that are
faced by a firm every day, similar to so-called “market
volatility” in the example of financial markets.
They are typically well understood, are more likely
to be “owned” by a specific manager than
the two other types of risk, and can often be managed
through improved operating procedures or process improvements.
Internal controls play a big part in addressing these
risks.

But is it seen as “risk management” by our
organisations? The tools that are available to help
identify and characterise these risks are almost indistinguishable
from those used by the “quality management”
discipline, such as the statistical analysis tools used
by quality improvement teams. Some organisations may
therefore not use the term “risk management”
for this activity, but customary risk qualifies as risk
because it impacts on core earnings predictability,
and in many years – perhaps most – it will
impact more on earnings than the other types of risk.
The fact that it is seen as “just what I do”
by managers makes it a useful starting point for changing
the perception about risk management from “something
that someone else is doing” to “what all managers
are doing”.

Conclusion

The risk management discipline needs to get out of
its ghetto and take a leadership role in assigning
real
ownership of risk where it really lies – with real
risk managers. This paper has suggested some alternative
governance and management paradigms that can be powerful
change agents towards achieving this ownership. It has
also offered some practical methods of embedding these
different paradigms in our organisations. The current
focus on corporate governance practice offers a first
class opportunity for us all to be in the driving seat
– let’s not waste it.