In the first of a four-part series, Alex Sidorenko, founder and CEO of Risk-Academy, explains how the key to managing corporate risks is often through dealing with the individual risks of decision makers first.
If there is one thing I learned in my previous role as head of risk at a multibillion-dollar sovereign investment fund, it is that risk management is not about managing risks. It is about helping management make strategic, operational and investment decisions while keeping the risks in mind.
It sounds simple enough, but it is anything but. Over four columns, I will share four valuable lessons about integrating risk management principles and methodologies into day-to-day decision making.
There is a big difference between the risks that the board is concerned about, such as corporate risks, and the risks that individual managers worry about – often their personal risks. It is quite natural for humans to consider risks that can potentially impact them personally as significant and the risks that impact the achievement of strategic objectives as somewhat remote or distant.
The important lesson is that if risk managers want management to pay serious attention to corporate risks, they should first help them deal with their individual or personal risks. Personal risks means things like maintaining their area of influence, building a solid reputation, advancing their career, not losing their job and protecting themselves from investigations or prosecution.
Another aspect that has a huge impact on the quality of decision making, and hence the quality of risk management, is remuneration policy. Many people are driven by their financial self-interest much more than any corporate values or best practices. This has a huge implication on the work of risk managers. To address these challenges, I aim to do the following:
- Demonstrate how proactive risk management can benefit individuals within the firm and solve their personal risks. Even basic things like creating a paper trail for key decisions and risks taken by management can protect against any future enquiries.
- Review existing remuneration policies and find out how the bonus payments are calculated to understand whether it drives any excessively risky behaviour and what periods are particularly vulnerable. For example, employees usually make much riskier decisions just before bonus entitlements are calculated.
- Work with human resources to ensure existing individual objectives and key performance indicators (KPIs) adequately take risks into account. This will help to cement the message that risk management is a part of normal performance management.
- Work with strategy to ensure corporate objectives and KPIs are also set based on the outcomes of risk analysis to help make the targets more realistic and achievable.
- Include risk management roles and responsibilities into existing job descriptions, policies, procedures and committee charters to reinforce ownership and accountability.
Risk managers need to be prepared that some managers will ignore risks and take uncalculated risks for a reason. Therefore, it is critical to understand what motivates each individual.
In my next column, I will share some practical suggestions on how to overcome cognitive biases when managing risks.