How to live with risks PDF

Preview

Summary

Download How to live with risks PDF

Description

IDEA WATCH

STRATEGY HOW TO LIVE WITH RISKS

the next three years and have already begun

You can’t get rid of them all.

as any portfolio manager knows, lower risk

F

increasing budgets to that end. The researchers

Strike the right balance between risk and reward. “Risk management” is often synonymous with “risk prevention.” But often means lower returns. Today’s risk managers see their role as helping firms de-

ollowing a crisis, regulators and managers naturally take steps to prevent a

questioning the role of risk management in

termine and clarify their appetite for risk and

their organizations,” says Matt Shinkman

communicate it across the company to guide

recurrence.

of CEB, a Washington-based firm that re-

decision making. In some cases this means

searches and disseminates best practices

helping line managers reduce their risk aver-

among its 10,000 member companies.

sion. For example, one large company de-

after Enron and

WorldCom succumbed to m , which gave directors and execu-

New research from CEB highlights the

cided to terminate the policy of a client it had

tives new oversight responsibilities. In the

concern. Fully 60% of the corporate strategy

insured for 35 years. The client wasn’t very

wake of the

many large

officers surveyed said that their company’s

risky, so profits on its policy were negligible.

banks changed their business models, and

decision-making process is too slow, in part

other companies implemented systems to

because of an excessive focus on preventing

Focus on decisions, not process. Many employees associate risk management with

better manage credit risks or eliminate over-

risk. They added that if this “organizational

compliance-driven busywork, such as annual

reliance on mathematical models.

drag” were reduced, the rate of revenue

IT security quizzes. Although cybersecurity

But there’s a problem with managing

growth might double. Just 20% described

is certainly important, such exercises might

risk retrospectively: It’s a variation on what

their companies as “risk seeking.” Executives

not reduce risk. In addition to relying on pa-

military historians call “fighting the last war.”

also reported that risk managers and auditors

perwork or process, risk managers are turn-

As memories of the recession fade, leaders

spend more than half their time on financial-

ing to tools (such as dashboards that show

worry that risk management policies are

reporting, legal, and compliance risks, even

risks in real time) and training that help

impeding growth and profits without much

though the vast majority of big losses in mar-

employees assess risk. They are also helping

gain. “Firms are questioning whether the

ket value occur because of mismanaged stra-

companies factor a better understanding of

models they put in place after the financial

tegic risks. Most companies—91%—plan to

risk into their decision making. At Lego, for

crisis are working—and more fundamentally

reorganize or reprioritize risk management in

instance, the senior director of strategic risk management is included in all decisions in-

Looking for Risk in All the Wrong Places

volving capital above a certain amount. He

Risk management has historically focused more than half its time on legal, compliance, helps colleagues spot potential problems and financial-reporting functions. That’s starting to change as companies realize that most and managers see how their projects fit into big hits to shareholder value come from strategic and operating risks.

the company’s overall portfolio of projects, each with its own set of risks. “This is less

THE PROPORTION OF SIGNIFICANT LOSSES IN MARKET VALUE CAUSED BY EACH TYPE OF RISK OVER THE PAST DECADE

about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects,” Shinkman says.

STRATEGIC

OPERATING

LEGAL AND COMPLIANCE

FINANCIAL REPORTING

Make employees the first line of defense. Decisions don’t make themselves—

86%

9%

3%

2%

people make them, and there isn’t always a chief risk officer present when they do. So

THE PROPORTION OF TIME AUDITORS SPENT ON EACH TYPE

smart companies work to improve employees’ ability to incorporate appropriate levels of risk when making choices. This might begin during the hiring process: Some firms

6% 42%

13%

39%

now use “risk screens” or other types of SOURCE CEB

20 Harvard Business Review July–August 2015

assessments to gauge candidates’ appetite

HBR.ORG

1958

FROM THE ARCHIVE “The Internal Revenue Service also considers the expense account a major problem.…The increasing tendency to misstate, ‘pad,’ and even cheat in handling these expenses reduces tax revenues, thus placing an added burden on the honest taxpayer.” “WATCH YOUR EXPENSE ACCOUNTS,” BY HENRY CASSORTE SMITH (HBR, JANUARY–FEBRUARY 1958)

for risk. By bringing in people with an aptitude for risk assessment, they reduce the need for training or remediation later. Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that train-

THE IDEA IN PRACTICE

“THE FUN PART IS FOCUSING ON VALUE CREATION” IBM has been managing risk since its founding, in 1911, but in 2006 it created an enterprise risk management function to help its 380,000 employees become more “risk aware.” HBR spoke with Luis Custodio, IBM’s chief risk officer, about the endeavor. Edited excerpts follow.

ing less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss. To direct risk managers to the right activities, many firms are changing their organizational structure. For instance, some now have risk managers report to the strategy officer or the chief operating officer instead of to the general counsel or the compliance officer. Other firms, which have

FURTHER READING For a look at how Shell uses scenario planning to manage risk, see “Living in the Futures,” by Angela Wilkinson and Roland Kupers (HBR, May 2013).

historically spread responsibility for risk management across multiple departments—security, compliance, legal, audit, safety, quality, and so on—are establishing enterprise risk management functions to provide coordination. The goal is to transform risk management from a peripheral function to one with

What’s the role of the enterprise risk management function? We have risk leaders throughout the company—it’s not as if we brought a lot of people together in a new department. Our philosophy is that risk management should be centered in the businesses, which need to understand risk and make trade-offs in pursuit of strategic gains. Risk management is the responsibility of every IBMer. Our role is to support senior managers, risk leaders, and all employees with targeted resources, education, and training.

a voice integrated into day-to-day management. “Leading companies view every decision they make as a risk decision [and] choose their risks with great calculation,” according to the CEB white paper outlining this research. “They [use] risk management as a protection shield, not an action stopper.”

Keeping the latter sense in mind may ANDRÉ METZGER

help companies counter old-school tendencies to simply run in the opposite direction when encountering risk.

ABOUT THE RESEARCH“Reducing Risk Management’s Organizational Drag,” by CEB.

What’s an example? We have about 30 online courses available to all employees. We’ve added gamification. We have a simulation in which you’re a business leader developing a customer proposal and you have to consider different risks—how to account for them, how to mitigate and control them. People find it fun and engaging. Risk management has historically been more about defense than offense. How is that changing? Some companies still focus on value protection, and that’s critical— I don’t want to downplay the importance of strong internal procedures, audit teams, and compliance officers. But at the enterprise level we spend more time on the strategic side, engaging with risk leaders and ensuring that they’re thinking about things like technology shifts, industry disruptions, and the risks of mergers and acquisitions. The more fun part of our job is when we focus on value creation. We want risk management to be engrained in the fabric of the business, not a separate check-the-box process.

July–August 2015 Harvard Business Review 21

Copyright 2015 Harvard Business Publishing. All Rights Reserved. Additional restrictions may apply including the use of this content as assigned course material. Please consult your institution's librarian about any restrictions that might apply under the license with your institution. For more information and teaching resources from Harvard Business Publishing including Harvard Business School Cases, eLearning products, and business simulations please visit hbsp.harvard.edu....