You may not be able to predict black swan events but as a risk manager you have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long term disruption of their business operations due to a catastrophic event taking place in Manhattan. These companies had business continuity plans in place that provided alternative operation centers for critical business operations. Many of them were up and running within hours of the fatal events of 9/11.

Enterprise risk managers should be aware that many of their key risk exposures, whether they are operational, market or credit risks, do not follow a normal distribution or bell curve. These risks have fat tails and it is these events that lie at the lower and upper ends of the distribution that are most important to consider and plan for. Too often, black swans are ignored by risk managers because we think we understand more than we actually do. You have to fight the natural tendency to focus on the known, the tangible and the repeated and devise strategies to cope with the unknown – your company’s viability may depend on it.

As ENRON proved, creativity is a No-No and common sense just isn’t enough when it comes to risk management. As business activities have become more complex, so too has risk management.

A risk manager’s primary concern is to help protects the firm’s continued business success by preparing for unexpected and unfavorable events and outcomes. Implementing an enterprise risk management process can help by providing a framework within which managers can explicitly consider how the organization’s risk exposures are changing, determine the amount of risk they are willing to accept, and ensure that they have the appropriate risk mitigants and controls in place to limit risk to targeted levels. At a first glance, risk management may seem relatively simple – just apply a good dose of common sense. 

But with the advent of very large organizations that engage in a wide variety of business activities – some of them quite complex – risk management has also grown into a very complex process. First of all, risk management covers a wide variety of risk disciplines including operational, compliance, financial controls, legal, liquidity, business strategy and technology. Each of these disciplines has its own nuances and specialized models for assessing risk. In addition, the risks should not be managed within silos since the interdependencies between risk disciplines are very important to consider.

Another challenge is that as organizations grow larger, it becomes more difficult to make sure that the “right hand” knows what the “left hand” is doing. In other words, risks must be recognized and managed across the entire organization. In some cases, firms may be practicing good risk management on a product-by-product basis, but they may not be paying close enough attention to aggregation of exposures across the entire organization. Growth can place considerable pressure on, among other areas, an organization’s management information systems, change-management controls, strategic planning, and asset-liability management.

Another dimension of risk to consider is the diversity of the business. While business diversification has its benefits, the organization must also understand how the various business components interact on a dynamic basis to affect the risk profile. Related to diversification is the complexity and sophistication of an organization’s products and services. While an institution may alter its risks by expanding into several business lines, the nature of its products and services also makes a tremendous difference in its risk profile.

Compliance risk management is an area that contributes significant complexity especially for highly regulated industries such as banking, insurance and energy. “Compliance risk” can be defined as the risk of legal or regulatory sanctions, financial loss, or damage to an organization’s reputation and franchise value; this type of risk may result when an organization fails to comply with the laws, regulations, or standards or codes of conduct that are applicable to its business activities and functions. Many firms are struggling to put in place processes and infrastructure that are able to identify and control the compliance risks facing their organization due to the sheer magnitude of the regulations they are required to comply with.

ERM is a process that enables management to deal effectively with uncertainty and the associated risk and opportunity and includes:

• aligning the entity’s risk appetite and strategies;
• enhancing the rigor of the entity’s risk-response decisions;
• reducing the frequency and severity of operational surprises and losses;
• identifying and managing multiple and cross-enterprise risks;
• proactively seizing on the opportunities presented to the entity; and
• improving the effectiveness of the entity’s capital deployment.

Implementing a predictable, sustainable and repeatable ERM process requires discipline, determination and attention to detail. It also involves the development of sophisticated models and analytics with accompanying software tools – rocket science may be an apt depiction. 

Creating an enterprise wide risk management structure is certainly not simple. But organizations that successfully measure and act upon risk-adjusted returns are typically rewarded with higher valuations from financial markets, higher credit ratings and lower costs of capital – and that is common sense.

In reality, the situation calls for evolution as opposed to revolution. Much of the blame can be placed on the current regulatory climate (Basel II, SOX, Patriot Act, COSO), which has heavily influenced the design and implementation of ERM approaches. This has resulted in control-based ERM frameworks that have a bias for analysis versus action and the production of evidence for regulators and auditors in some instances has become more important than managing real risks. There needs to be a shift towards a bias for action, reversing the trend towards a top-level, enterprise view which neglects the orientation towards action.

To reset the proper balance, enterprise risk management should be embedded within the day to day business processes of the firm. ERM needs to be deployed bottom up so that business managers are the first-line managers of risk. They must understand the risk/reward trade-offs involved in their own business decisions and how they become impaired when business conditions change. Risk management should not be viewed as a way of fixing problems but as a mechanism for encountering problems. For example, organizations should focus on establishing KRIs that provoke the business to take action when certain conditions arise.

In place of creating a dashboard for an entire risk universe, a project which creates endless worries about the completeness of universe description, the focus should be on surfacing problems as they arise and on resolving everyday issues by empowering the entire organization to be risk managers. The measure of success is not the ability to prove and demonstrate control universes via elaborate spreadsheets, but a singular focus on doing the right things with respect to managing risk at the point it is undertaken.

The End of Enterprise Risk Management, David Martin and Michael Power, AEI-Brookings Joint Center For Regulatory Studies, July, 2007. 

 

Freddie Mac, for instance, in their 2005 annual report noted that their reliance on “end user computing systems” (read: Excel) posed a significant risk to their ability to report accurately on their financial data.  More recently, other financial institutions have noted that the Fed and OCC are shining a light on this undocumented spreadsheet problem, looking for more transparency to the data in spreadsheets and file shares.

The reality is that using spreadsheets and file shares for risk and compliance data is a dead end. While companies may be able to get through one cycle of review with internal auditors, a regulator and/or rating agency, the long term implications of adopting a spreadsheet-based architecture for risk and compliance data are extremely problematic. Not only will risk managers have trouble getting visibility into the data because of poor reporting capabilities, but they will also rightly question the accuracy of the data itself.   This skepticism is precisely why so many companies are moving off spreadsheets to a more programmatic approach to managing risk and compliance initiatives.       

Companies that try to implement an out of the box methodology will likely fail.  ERM methodologies and taxonomies must be adapted to a company’s legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry and must, of course, be tailored to the company’s internal processes and culture.  Further, the risk framework must be able to adapt to change over time to avoid losing competitive advantage.

 ¹ http://www.federalreserve.gov/newsevents/speech/olson20060410a.htm
 

The reality is that many CIOs continue to allow the business to buy disparate platforms for different GRC solutions.  In numerous buying decisions, IT is at the table to support solution implementation rather than thinking about the long term strategic benefits of a common GRC platform.  Just as disparate customer data marts drove down customer satisfaction rates and hampered sales efforts, leading to the rise of the CRM market, so too will scattered risk and compliance data marts cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business.

There’s a big different between tactical execution and strategic oversight. Therein comes the challenge with most information security programs; they place far too much emphasis on the how and what, and far too little on the why. Information risk management, on the other hand, is necessary to prioritize efforts, and concerns itself with the why.

The problem (and it’s a good problem to have) is that we’ve got a lot of great information available to us regarding how and what. There are libraries of control checklists from numerous standards organizations that provide great common practice guidance around how to secure information assets. As new vulnerabilities are discovered, new patches and workarounds are circulated and proactively communicated through a huge number of alerting services. Modern Information Security practices are mostly controls based — ie they focus on the what. They largely ignore the why — the element of business risk because it’s too difficult to understand.

Where this approach falls down is that there will always be far too much to do. There are too many vulnerabilities to remediate and too many controls to implement across the typical enterprise. As a result, critical deficiencies will go unmanaged. True risk management requires a business perspective on these deficiencies. Only with that business risk perspective is it possible to focus on doing the right things first. That’s lacking in the vast majority of modern businesses, and as a result, time is wasted and risk posture suffers.

1. IT Risk Management = Information Security

2. CIOs Have Embraced GRC

3. A Rigid, Standardized Approach Is Best

4. You Can Only Manage Risk from the Center

5. You Can Manage Risk and Compliance in Spreadsheets

6. Traditional Audit Planning Is Good Enough

7. Enterprise Risk Management Is Dead!

8. It Just Takes Common Sense

9. TJX – It Can’t Happen Here

10. You Can’t Plan for the Unknown