A couple of weeks ago I was very fortunate to host one of the round tables during the Federation of European Risk Management Associations (FERMA) risk seminar in Malta. The experience of brainstorming for 45 minutes with representatives from various small and medium enterprises (SMEs) highlighted some major problems with modern-day risk management and risk managers.
Here are three things that everyone could learn from managing risk at SMEs:
- SMEs simply cannot afford to waste time or other resources on an activity that does not generate direct value
For SMEs, time is precious, management teams are small, margins are limited and, as a result, management is very pragmatic about any new, sexy activities and initiatives. Risk management is no different. It has been around for years, yet few SMEs have properly adopted it. Something is not right…
Can risk management make companies money? Of course it can. Do modern-day risk managers in non-financial companies make money for their companies? Very few. Most of the modern-day approaches used by risk managers are so academic and superficial that management has a tough job buying it. Here is a short video on showing value from risk management, and it is not what most risk managers are doing: https://www.youtube.com/watch?v=Cpeu0NhEMZY
It is time to have an honest look at some of the activities of risk managers:
- Do risk assessments really change the way business processes work, change the manufacturing process, change the way products are sold?
- Do risk managers bring something of value to the table when any important business decision is made?
- Do risk assessments change the way executives make decisions and is risk analysis available on time to support every significant decision? Do they? Really?
- Are risk registers looked at by the CEO before making an important decision?
- Do risk owners check their risk mitigation actions regularly?
- Do risk appetite statements in non-financial companies change the way the company operates and the way decisions are made?
- Do employees regularly read risk management framework documents?
- Do managers call the risk manager before making a decision when faced with uncertainty?
The answer to most of those questions is probably “not quite”. This could mean one of two things: either the risk manager is not doing his job properly or he is properly doing the completely wrong thing – it is probably the latter. There is simply a better way than risk profiles, risk registers, risk frameworks, risk owners and so on. Here is a short video on what the future holds for risk management: https://www.youtube.com/watch?v=yAiRWwYItdc
- SMEs do not perform risk management to mitigate risks; they do it to make better decisions
There seems to be a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself; it is just another management tool to help managers make better decisions and hence achieve their objectives. This is a big difference between SMEs and large corporations.
SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it is time to do risk management, be it annually, quarterly or at some other regular interval. Unless a company’s methodologies, approaches and tools allow risks to be analysed at any moment during the day, when an important decision is being made or at every milestone within the core business processes, something is probably being done wrongly.
If there is one thing I have learned over the years it is that no one in the company, and I mean NO ONE, except the risk manager cares about risks. Well, maybe some about-to-retire audit committee member as well, but most of them would not have the courage to deal with the real risks. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result. Risk ownership can be assigned to them, but no one cares. SMEs learned it the hard way; unless an activity directly contributes to achieving objectives, it is not going to be done. Risk management is no different. It is ridiculous when risk managers talk about high risks and the need to mitigate them, when instead they could be saying things like, “the probability of meeting this objective is 10 percent unless we change things”, “there is an 85 percent chance your business unit will not get bonuses this year based on our risk analysis” and so on.
- Anyone can be a risk manager, but it is not natural
Despite what those within the risk management community have been telling each other for years, managers are not really managing risks every day. Thinking about risks is not natural for humans. The way system 1 and system 2 thinking operate in the brain makes it literally impossible to see most of the risks associated with making decisions, let alone to analyse or manage them. Since the 1970s, many scientists, including Daniel Kahneman, who received a Nobel Prize for this work, and Amos Tversky, have discovered over 200 cognitive biases that prevent managers from seeing, understanding and dealing with risks. This basically means that risk surveys, most risk workshops and any kind of qualitative risk assessment are very unlikely to produce truthful results. But then what should risk managers use? There are plenty of better alternatives: https://www.youtube.com/watch?v=4fRAUZ4AD0I
The rest of the FERMA Seminar
My feedback to the organisers stays the same as my last post on the FERMA forum in Venice last year. In short, it is impossible to grow if the people you talk to at conferences are people just like you – risk and insurance professionals. Someone needs to play devil’s advocate. It would be good to hear from a CFO who says he does not care about any of the work risk managers do and budgets based on his own methodology with no input from the risk manager. But then again, Europe is probably way too politically correct for that!
As a board member of the Institute for Strategic Risk Analysis in Decision Making, Alex is responsible for G31000 risk management training and certification across Russia and the CIS, running numerous risk management classroom and e-learning training programmes. Since 2015, Alex has represented the Russian risk management community at ISO Technical Committee 262, which is responsible for the update of ISO31000:20XX and Guide 73.