KEY CONCEPT

Opponents of quantitative risk management models believe these models are counterproductive: they inhibit companies from taking calculated chances without preventing major mistakes (see the 2008 economic crisis). A new study of seven successful companies shows that when complemented by rigorous qualitative risk management practices and expanded roles for risk managers, quantitative models enhance rather than inhibit a company’s innovation and initiative.

---

IDEA SUMMARY

Sceptics of enterprise risk management believe that the 2008 financial crisis proves their point: risk management practices do little to prevent risks. Instead, according to these sceptics, focusing on potential risks only leads to a fear of innovation and initiative. Companies stay in their safe zones, becoming sitting ducks for competitors who are not afraid to take chances.

Robert Kaplan of Harvard Business School and Anette Mikes of HEC Lausanne reject the idea of risk management as a ‘hiding hand’ that inhibits companies. On the contrary, by clearly identifying the risks that a company can manage, they argue, effective risk management is a ‘revealing hand’ that highlights the best opportunities for change and growth.

A core problem is that the traditional approach of risk management focuses exclusively on quantitative measurements and compliance objectives. The core role of traditional risk management functions is independent overseer, with a mandate to prevent risks.

Based on their in-depth case studies of seven companies (including four financial companies) with highly effective risk management practices, Kaplan and Mikes reveal additional roles for risk management beyond the traditional compliance role.

• Business Partner. Risk management functions can act as business partners of management, using their domain expertise to influence key decisions on new projects. For example, risk managers at engineering firm Jet Propulsion Laboratory have the expertise to challenge risk-taking engineers, and also interpret changing conditions related to JPL projects. Instead of focusing exclusively on risk prevention, they help decision makers mitigate risks so that new projects can move forward.
• Independent Facilitator. At Canadian utility Hydro One and at the LEGO Group, the risk management functions act as independent facilitators, setting the agenda and facilitating a wide-ranging discussion on a project’s risk among the appropriate actors throughout the organization. In some ways, this is a more humble role for the function. Chief Risk Officers (CROs) are no longer top-down enforcers or business partners embedded in the C-suite, but rather communication enablers, helping to develop the relationships that ensure optimum resource allocation to risk management, and careful decision-making on new projects.
• Hybrid Business Partner/Compliance Oversight. The financial services case studies in Kaplan and Mikes’ sample of companies reveal a fourth risk management role, a hybrid role that combines compliance oversight with business partnership. One set of risk managers will be focused on compliance oversight, while a second set of risk managers with domain experience advise line managers on key risk management decisions.

Fulfilling these various roles requires a set of fundamental risk components, including effective processes (e.g. face-to-face meetings with key managers or on-going workshops with broad participation), and tools (e.g. value-at-risk models, scenarios, risk radar charts), for identifying, assessing and prioritizing risk.

For example, risk radar charts map a company’s risk appetite based on key dimensions, such as employee relations, shareholder returns, environment, safety, corporate image, and so forth. The map might show risk appetite stretching to 4.5 for the corporate image dimension, but staying at less than 2 for employee relations, indicating that companies might be ready to risk their corporate image but are concerned about maintaining their employee relations.

Effective risk management also requires an organization-wide consensus on values and beliefs — that is, which risks are most important to the company. Leaders must reach an agreement on the usually unavoidable trade-offs in risk situations (e.g. the risk related to a price increase involves a trade-off between revenue growth and dissatisfied customers) in order to make the best decisions for the long-term success of the company.

Guided by values, empowered through expanded roles and armed with quantitative and qualitative processes and tools, risk managers don’t impede a company’s progress but on the contrary help light the way.

---

BUSINESS APPLICATION

To ensure active and effective risk management, companies should take the following steps:

• Develop a consensus about the company’s belief system: it’s core objectives, values and priorities. Without this first step, the most sophisticated processes and tools will be nearly useless.
• Formulate the company’s risk appetite: how much and what kind of risk can be tolerated.
• Monitor and benchmark a company’s risk-taking behaviour against its risk appetite parameters.

Failures in quantitative risk management should not be used to reject all quantitative risk management models and tools. The problem is not with the models, but the fact that they are mistakenly used as the sole factor in making risk-management decisions that involve complex and sometimes subtle trade-offs. Risk management is more art than science; it requires both quantitative and qualitative approaches to be successful.

---

---

REFERENCES

Risk Management — The Revealing Hand. Robert S. Kaplan & Anette Mikes. Journal of Applied Corporate Finance (Winter 2016).

•   DOWNLOAD IDEA
•   PIN TO MY IDEAS
•   PRINT IDEA
•   LIKE

---