Today’s risk managers are focusing on the wrong things, says Alex Sidorenko, chief risk officer and founder of RISK-ACADEMY, and group head of risk, insurance and internal audit at Serra Verde Group. Here’s what they should being doing instead
I believe there are three things risk managers of the future will be doing.
Today, most of you are doing number 1, some, very few, are doing number 2 and almost no one is doing number 3.
Risk managers of the future will be spending 50% of their time on number 3, 49% of their time on number 2 and 1% on number 1%.
Risk managers of today are spending 95% on number 1, 5% on number 2 and 0% on number 3. No wonder executives see no value in risk management.
1. Maintaining effective ERM (Enterprise Risk Management)
Most of you are doing this already. You develop and implement some sort of risk governance documents, develop a risk register, maybe even establish a risk committee.
I get it, you had no choice, the regulator/auditor/COSO/someone’s mum made you do it.
Maintaining a list of the most significant risks is not going to change how the organisation is run but it gives you a warm feeling of accomplishment.
“Do it if you have to, just don’t waste too much time on it.”
Having such list – your risk register – does serve a useful role as a checklist for reminding you to check that most significant risks are integrated into business plans and decisions. And it is useful to have something colourful to show auditors once a year.
Do it if you have to, just don’t waste too much time on it. The next two groups of activities should take up the majority of your time, because they bring disproportionate value to the bottom line.
Number 3 is huge because it changes everything we do day-to-day as risk managers.
2. Integrating risk analysis into decision-making
The second bucket is about embedding risk analysis directly into specific decision-making processes.
You can easily start by reviewing board agendas, executive committee agendas, and creating processes where a risk assessment will be performed for every decision before that decision is brought in front of executives.
Every large contract, every investment, every significant decision should be supplemented with a mini risk assessment.
This assessment should outline how certain risks are mitigated or introduced by the decision. It’s about understanding the trade-offs and making informed choices.
“Sometimes there are multiple good choices and there is a trade off between benefit and decision makers appetite for risk.”
Whether deciding to build new data centres in specific locations or choosing between different configurations for a coal mine, integrating risk analysis ensures decisions are made with a clear understanding of how associated uncertainties affect the final choice.
Sometimes there are multiple good choices and there is a trade off between benefit and decision makers appetite for risk.
For example, during an investment decision, simulating how volatility in key assumptions affects the choice can reveal that what appears as the best option on paper, might not be the soundest real-world choice.
Such analysis should be specific to the decision, not general or routine.
“I usually start with the most significant and costly decisions and slowly expand the scope.”
Yes, that means dozens of risk assessments each month and it takes up a lot of time.
I usually start with the most significant and costly decisions and slowly expand the scope. Plus I use RAW@AI to automate a lot of risk analysis.
Some organisations are already doing it. For example, most are doing some form of vendor risk analysis or new contract risk assessments or project risk assessments. These are all good examples.
If you investigated the methodology procurement or compliance or project teams are currently using you would discover huge opportunities for improvement, because while they claim to be risk based, most are not.
This includes most if not all software vendors who actually make decision making worse by selling untested and unvalidated risk methodologies.
3. Fighting the averages
The last one is huge. Risk managers of the future realise that their priority is not ERM, not even risk-based decision making, their true strategic mission is to nudge the organization from a deterministic world to a stochastic world.
I believe sooner or later, the global business society will mature to appreciate that many aspects of our lives are stochastic—characterised by uncertainty and volatility.
Imagine a business plan or a budget, where assumptions are made—like foreign exchange rates, recovery rates, equipment availability, employee performance, etc.
Say, your budget uses 5X per USD as a budget foreign exchange rate. In reality, the foreign exchange rate fluctuates, sometimes spiking or diving, all the time.
The same goes for raw material prices and availability, electricity prices, gas prices, and more. Traditional deterministic models fail to capture this volatility.
“Risk managers of the future will have a mission – fighting the averages and embracing the full spectrum of possibilities”
Risk professionals are uniquely positioned to appreciate this volatility and should work to reintroduce it into organisational conversations, business plans, budgets and decisions
We need to replace single point estimates and averages with full distributions or at least risk-adjusted scenarios like P90 or P80. This shift is ground breaking and will fundamentally change how risk management is performed.
This may not feel like much at the moment, or at least until you try it, but it challenges risk management to the core. This will require new skills, new approaches and new methodologies.
Risk managers of the future will have a mission – fighting the averages and embracing the full spectrum of possibilities, never ignoring the real-world volatility.
This means going through business plans and budgets and challenging every single significant assumption, replacing the single number estimates with distributions and then running monte carlo optimisations.
Changing the game
These three buckets redefine our daily practices and elevate the impact of risk management beyond compliance and control. Risk managers can and will have direct and immediate impact on decision making, corporate planning and performance management.
I encourage all risk professionals to start integrating these principles into their work. The shifts might be challenging, but the value they provide is immense—in terms of operational efficiency, financial performance, and strategic resilience.
Give chance a chance, as Sam Savage says, fight the averages, and integrate risk analysis into every decision and business plan the organisation makes.
Ask questions, share your experiences, and consider joining Risk Awareness Week 2024 for a deeper dive into these concepts. I’ll see you online as we continue shaping the future of risk management together.
Join more than 5000 risk managers from 120 countries for this years largest virtual risk event, dedicated to risk management AI, risk based decision making and quantitative risk analysis for non-financial companies. Use this opportunity to upskill your risk team or educate your decision makers about risk management at https://2024.riskawarenessweek.com/
Source
No comments yet