Lost in Translation: Why are risk managers and decision makers still not speaking the same language? By Jonathan Blackhurst
The winning dissertation by this year's City leadership students asks why so few companies have yet to integrate risk management successfully into decision making or find a stable place for risk management in the corporate hierarchy. 'Lost in translation', by Jonathan Blackhurst of Capita, argues that many of the traditional professional disciplines are either over-used in a strategic setting or perhaps should be discarded altogether in order to create a more useful and meaningful dialogue with top management.
As the introduction says, "if something is getting lost in translation then the onus is on risk management to learn a new language."
Cutting out the noise
It is particularly critical of people who rely too much on the bottom-up approach to risk management such as risk registers and heat-maps to engage with top management. As far as board members are concerned this can simply add to the noise that makes well informed strategic decision-making more difficult. The challenge is to "distil all this noise, these messages and best practices into something that could add value." Or, as it says towards the end, Keep it Simple.
Somewhat radically, it argues that company overviews of consolidated information should not include a section on risk. Instead, risk should permeate all aspects of the discussion. The current practice, by contrast, can foster a superficial risk oversight, as often illustrated by the compliance mentalities of the risk and audit committees.
Focus on strategic risks
The shortcomings of this bottom-up approach are well illustrated, the paper says, by the obligatory risk sections in annual reports. Too often these are best practice adherence exercises that quite simply miss the big picture - the really important, real-time, strategic risks facing the company. And these big-ticket items are where risk management could make itself truly relevant and do more to inform the board in a way that it finds genuinely helpful.
The critical risks represent the exposures that can threaten the strategy, business model and the viability of the business and should consequently warrant the most attention from decision makers. Senior management also need to be mindful of emerging trends triggered by unanticipated events of varying significance, ranging from catastrophic new events to existing risks accelerating in their impact.
ISO 31000 - getting it right in practice
The paper puts meat on these broad ideas with a more detailed critique of the internationally accepted risk management standard ISO 31000. Rather than challenging the standard, it questions the way its principles are applied.
Starting with Principle one of the standard (Establishing the scope, context, criteria), it argues:
Risk management, and the context in which it is delivered, must therefore serve as a guidepost for when a new opportunity or significant risk emerges. Dialogue around this often turns to the phrase "Risk Appetite", but this falls back into the trap of a risk language not necessarily aligned to a strategic conversation. The better focus should be on executive management and the board agreeing on the strategic, operational and financial parameters and drivers around their opportunity seeking behaviour - all in 'business' not risk language…. The context of risk management is therefore realigned in order to call attention to the level of risk the organisation is facing, directly corresponding to the decisions they are making in pursuit of value creation.
On Principles two, three and four (risk assessment) it urges risk managers not to just focus on "short-term, business-as-usual conditions affected by such things as market changes, but also the effect this has on the over-arching strategic drivers in the company…The point is that the focus on these day-to-day risks is not the right one when it comes to decision making."
On Principle five (risk treatment), it warns that in practice this too often amounts to rubber-stamping what is already known.
A far more useful exercise for supporting decision makers is for risk treatment to play out the full scenario of the big strategic assumptions that the company depends upon... …Instead of reducing risk treatment to a single most likely outcome, these big assumption scenarios attempt to identify the major forces driving external change and the key uncertainties that lead to a wide range of possible outcomes...
By way of example, it cites a military aircraft manufacturer selling to the Middle East. Conventional risk management considerations like supply chains, materials and logistics are still needed, but so are the big-picture considerations such as political stability and how fluctuations in the price of oil might affect the underlying economic strength of the customer, potentially impacting longer term military spend.
Is the risk reporting model out of date?
The paper concludes by arguing for a radical overhaul of the risk reporting model, which needs to provide insightful, honest and well-synthesised information. Risk reporting, it says, needs to answer the question: "what are the responses needed from management in considering these risks?"
In short, decision makers need to know whether the risk profile of their company performance has changed, why and how might this affect the decisions in front of them. In such a highly competitive corporate landscape, with a constantly evolving economic environment, knowing how and why the level of risks is fluctuating - or spotting the trends that hint how it is about to change - is a significant advantage.
This paper represents a challenge to risk practitioners to change their mind set if they are to be genuinely useful to the board in making strategic decisions. Some people may question or dispute some of the arguments, but it is certain to stimulate new thought and discussion and it is timely in view of the rapid changes taking place in the business world.