Why risk management is important and hard and what to do about it

This article is about risk management, an essential requirement for any organization to meet its objectives, yet something that often turns out to be hard to implement in practice. There are many well documented high-profile examples of corporate failures that are to blame on a failure of risk management and that have resulted in massive financial and reputational losses.

What is risk management?

People and organizations typically act to achieve something. That something is either called an objective, a goal, a target or something else carrying similar meaning.

In order to achieve objectives, there are essentially two things that need to be done. First, we need to execute the set of activities (“do the work”) that leads to the objective being met and secondly, we need to understand and manage the risks that can get in the way of doing those activities and reaching our objectives.

If this sounds abstract, let’s make it more concrete. Imagine that you are planning to go to a soccer game with a friend. The activities that you have to do are buy the tickets, travel to the stadium, watch the game and go back home. Naturally, you will think about the risks involved and how you can mitigate them. The tickets may sell very fast in which case you should buy early. Under normal circumstances it takes three hours to travel to the stadium but you do not want to be caught out by heavy traffic so you may leave 5 hours in advance or even the night before. Maybe your friend has an unpredictable job and you want to find a back-up person to go with you if he or she has to work.

Depending on how important the game is, you adjust your appetite for risk. If this is your once-in-a-lifetime opportunity to see your team in the Champions League Final, you will probably get up in the middle of the night to buy the tickets on-line; for a more regular game, you won’t do that. For the former, you will most likely travel very early and eliminate all risk that you miss it, for the latter, you won’t as you do not want to have a long wait in case you arrive with a lot of time to spare.

Almost automatically, we all apply risk management principles in our daily lives to ensure we achieve our objectives. The same principles apply to businesses and organizations.

A common misperception is that risk management is about eliminating all risk. This is not the case, taking risks is a fundamental part of achieving progress in a business. Risk management is about systematic identification, evaluation and management of all risks that form a threat to meeting objectives.

Why is risk management so hard and what can you do about it?

There are multiple underlying causes for why risk management is hard in practice.

Cause 1: Insufficient belief in the importance of risk management

Sometimes, there is insufficient belief in the importance of risk management in an organization. Staff are confident that the business and its risks are well understood and that the latter are sufficiently addressed through the “normal way of doing things”.

This sentiment could prevail across the entire organization, including management layers or there could be a situation where senior management sees the benefits but the rest of the organization does not yet buy in.

A belief in the need for risk management often comes with having lived through painful situations where you and your organisation have been seriously damaged by unidentified or unmitigated risks. This happens to all of us at some point but of course the longer our careers have been – and the more diverse our experience – the more scars we are likely to have.

In order to win over the entire organization, senior management (or even the Board) needs to set the right Tone from the Top, and communicate why they believe risk management is important. The more this is done using impactful personal examples, the more powerful it will be.

Another factor contributing to a lack of belief in the importance of risk management is WYSIATI, a term coined by the Nobel Prize winning economist Daniel Kahneman, in his famous book “Thinking Fast and Slow”. WYSIATI stands for What You See Is All There Is and is a cognitive bias that is common in all of us. Below a link to a YouTube clip in which Kahneman talks about WYSIATI.

https://www.youtube.com/watch?v=R6ArpK5HOzU

WYSIATI describes how in making decisions we tend to rely on the information we already have. Our instinct is to quickly build a coherent story that we “can believe in”. The alternative of continually asking ourselves “what else is out there that could make us go off the rails?” is not in our DNA. Exacerbated further by the time pressures many of us feel on a continuous basis, it is easy to understand how WYSIATI contributes to a lack of risk management.    

Cause 2: Lack of good processes to implement risk management

Another requirement for effective risk management is to have a good process and the discipline to stick to it.

The most important elements of such a process (in no particular order) are:

  • Risks need to be specific and linked to a business objective.
  • Risks need to be ranked for example on the basis of potential impact and probability of occurrence
  • The process of identifying, evaluating and addressing risks needs to be regularly conducted.
  • Agreed risk mitigation measures need to be recorded and progress needs to be tracked.
  • There needs to be a discussion on risk appetite. Not all identified risks can be actively followed up on all the time. Taking risk is an essential part of progress in business and some risks just need to be taken.
  • Risks need to be identified by a wide and diverse group of people – the business environment is so complex that many different areas of expertise and knowledge are needed to cover the total spectrum of risk.
  • As much as possible, the risk management process should be part of other on-going business processes and not feel like a “bolt-on”.
  • There needs to be recognition of both net and gross

Keeping discipline around the risk management process is often difficult. Even if there is agreement on its importance, having a risk management discussion is hardly ever the most urgently required thing and may suffer from procrastination. Working on a short-term objective like delivering the next project milestone or finishing a critical report is often giving a bigger and certainly more immediate sense of achievement, a phenomenon called present bias by behavioural scientists.

There is a lot of research on how to beat procrastination of activities with a more long-term benefit. In summary it comes down to making the benefits of action feel bigger and making the costs of action feel smaller. Below a link to a very good Harvard Business Review article further describing this.

https://hbr.org/2016/07/how-to-beat-procrastination

Cause 3: Organizational Culture

Even if both issues described above are addressed, organizations may still fail to identify and manage risks adequately and undesirable consequences may materialize.

Organizational culture is an important factor. For risk management to work, the culture needs to be one of openness and transparency so that staff are confident raising risks early without fear of negative consequences (“shoot the messenger”). Another key element is for all staff to understand that risks are a normal part of any business and that flagging risks in their own area is a sign of strength and maturity, not one of weakness or incompetence.

Another reason why despite good intent and good processes risk management fails, is lacking diversity of views during the risk identification process. Particularly for complex projects and activities, it is important to have experts of a wide range of professional areas involved.

Conclusion

Risk management is an essential business process which for a number of psychological, organizational and technical reasons can be hard to implement in practice. There are ways to address these challenges. Finally, it is important to bear in mind that having a less than perfect process, and working on continuously improving it, is much better than having nothing at all.

At ValVestris, we have vast experience with the application of risk management in a business setting. We support organizations in taking their first steps towards setting up a sound and pragmatic process or we can help with suggestions for improving an existing one.     

Johan Pieters is Partner at ValVestris (https://www.valvestris.com)

Leave a comment