Matthew Leitch | October 1, 2003
Risk management workshops often fail to motivate employees to truly reduce risk. The process of embedding can make a real impact. Embedding facilitates changes throughout an organization that improve risk management and improve the evidence of its operation and effectiveness, through audit trails and performance reporting, and so reduce the overhead of audit and control risk self certification.
Outside the financial services sector, formal corporate risk management activities usually involve a pattern of behavior that will be familiar to most readers. Workshops are held at which people think of "risks," rate them, and write down what they are doing or plan to do about the ones that seem important. The results are written up as a "risk register." The same behavior occurs in the public sector, where it has been adopted as good practice.
People in many organizations feel this activity adds little value. Their reaction has been to involve the minimum number of people and do it no more often than is necessary for compliance.
Knowing this, regulators and other providers of guidance typically say that risk management should be "embedded" in an organization. It should not be something extra done to comply with their regulations, but become part of normal management.
So what does "embedding" really mean, how do you do it, and does it work? This article explains what the real issues are and what embedding has to mean if we are to see risk management make the impact it should.
Risk management workshops have been promoted as both an audit and a management exercise, which is why a lot of the problems arise. First, the audit influence. A common regulatory requirement is to evaluate your internal controls regularly (e.g., the U.S. Sarbanes-Oxley Act § 302 and § 404, and the Combined Code in the United Kingdom). Conventional internal auditing involves detailed reviews of specific areas of an organization and typically covers a small proportion of its activities in one year. How do you cover a whole organization every year and perhaps even every half year or quarter?
The answer that emerged was control risk self assessment. That is, people audit themselves and sign off their conclusions to create a file of reassurances that directors can rely on. This can be done with paper forms or by entering information onto a database, but from the beginning, it has often been driven by workshops. These workshops were designed to follow the leading thinking in audit, which is that audits should be risk focused. The format was a direct result of audit thinking: list risks, look for controls, report gaps.
A second influence was the realization that internal control systems (i.e., the many procedures organizations have to make sure that things happen the way they are supposed to) must be adapted frequently to meet new challenges. This comes through strongly in the influential "COSO framework," written by auditors Coopers & Lybrand for the Committee of Sponsoring Organizations of the Treadway Commission in the United States. Again, the focus was on identifying risks, and you could say that the influence of auditors is strong here too.
As an audit approach, the workshops have a lot to offer, though they can lack objectivity. People are very aware of the answers they are expected to give. As a risk management tool, workshops are not ideal because they tend to look at the current situation rather than looking ahead to identify where new work on internal controls will be needed. They are also let down by a number of common technical flaws that tend to undermine risk identification and assessment. Far more time is typically spent thinking about risks and their effects than about the controls. Finally, it is risks that are prioritized, instead of actions, which reflects the lack of attention to actions. Since the relationship between risks and controls is many-to-many, this is a major technical fault.
It's not surprising that people often feel they only do formal risk management for their auditors.
Regulators advise "embedding" risk management to encourage organizations to do something more effective than have an annual meeting at a senior level to produce some "shelfware." They also advise it so they can argue that what they are asking for is efficient and is something organizations should already be doing.
One interpretation of "embedding" risk management is that you can do it by repeating the workshops more frequently and at more levels in an organization. As it becomes a regular event, doesn't that make it part of normal management?
The theory is that the thought process of the workshops (i.e., objectives—risks—controls) can be applied usefully to anything at any level. Enterprise-wide risk management is sometimes described in just these terms.
A more realistic view is that there are many different techniques and ways of thinking about and managing risk and uncertainty. Embedded risk management is where the right techniques are applied where appropriate, in the right strength, and in a way that generates evidence of operation and effectiveness.
At its simplest, this can mean elementary internal controls, such as performing bank reconciliations to combat various risks related to faulty accounting and theft. More sophisticated examples of controls involve more risk thinking.
In effect, embedding risk management involves expanding the concept of an internal control to include more sophisticated management processes which involve an element of risk thinking. Here are some examples.
Credit Management. Though there are spectacular exceptions, most companies manage the risk of not being paid by their customers. They have credit risk management embedded already, though perhaps it could be done better.
They have established procedures and computerized controls that cover assessing the risk of default, granting credit progressively, monitoring for possible default, and following up. Sophisticated methods may be used to assess credit worthiness. These methods are often reviewed, and attempts are made to improve them. Credit management procedures are documented and generate evidence that they have been carried out, i.e., they leave an audit trail. Typically there is monthly reporting of credit risk management performance.
These elements—multiple procedures, intelligent decisions, an audit trail, and frequent measurement and reporting—characterize embedded risk management.
Strategic Marketing Planning. In contrast to credit risk management, risk and uncertainty are rarely managed well in strategic marketing planning. This is a pity because these plans involve huge uncertainties and are sometimes indistinguishable from the strategic plans of the whole enterprise. They can get a company into the sort of deep trouble that leads to ruin and, occasionally, false accounting.
An embedded risk management process here starts early, ideally before people tie their personal credibility to particular ideas. Reviewing major areas of uncertainty frequently helps guide the research and analysis that goes into creating these plans, as well as introducing risk and uncertainty management into the plan itself. There are some very simple tools for thinking about risks and risk factors, and more complicated analytical methods for estimating results.
Project Risk Management. A large organization can easily have 100+ projects running at any time. The risks are considerable. Workshops to try to identify specific risks and plan responses are increasingly common but they are just a small part of project risk management.
Different organizations have different habits on projects but typical activities include: tracking project risk factors, structuring projects to reduce the risk profile (e.g., incremental deliveries or a portfolio structure), continuous monitoring of new information for emerging risks, feasibility studies and other research, Monte Carlo simulation to support estimates, and independent audits.
It is not necessary for a risk management approach to be standardized to be embedded. A more efficient approach is to have a generic scheme which people are encouraged to flex as appropriate to meet the specific needs of their project.
If embedding is interpreted as holding the same type of workshop at more levels and more frequently, then the process of embedding looks very simple: define the thought process and way of documenting it, then train as many people as possible to do it. The difficult part is to convince people that this is a good use of their time.
If you accept that embedding is more complicated than this, the process of embedding becomes:
At the top level it is helpful to have executive leadership (i.e., not normally the Audit Committee) anticipate the need for work on controls and direct resources to it in good time.
Sometimes it seems that whatever procedures we invent, people find a way to manage risk poorly anyway. This is not an illusion. In many situations, people actively fight good risk management. Perhaps risk management should only be described as truly embedded when this fight is over. That may be idealistic, but by understanding why people fight it, we can perhaps begin to see how to change the psychology of risk management.
First, psychological studies show that we tend to have an overly narrow view of the future. We think we can predict and control it more than we really can. Second, everyday experience should confirm for you that we experience many pressures from other people that tend to reinforce this.
For example, imagine your boss suggests an idea. You think of a significant risk to it but he seems enthusiastic about his idea. Do you point out the potential problem? Imagine this time you have an idea and you want approval to go ahead. Your plan is based on some assumptions, but as you list the advantages of your proposal to your boss, do these even cross your mind let alone get into the conversation? We feel that a show of confidence, i.e., certainty, is important for making our case. If someone suggests a sensible risk management action for your plan, would you be inclined to accept it or reject it? Many people reject such suggestions because acceptance implies they have doubts.
Target setting and incentives also play their part. If you are running a venture and believe that it could do better than expected, do you say so and risk having your targets raised? If you fear it may turn out worse than expected, do you say so or stay quiet and hope that things get better so you never have to mention your concerns?
This is called uncertainty suppression and it is the enemy of good risk management. For example, a consulting company introduced a new idea for managing risk in bids. People had to estimate the expected profit, but also estimate the level they were 90 percent confident of beating and the level they believed they had a 10 percent chance of exceeding. This is technically good, but actual estimates were far too narrowly spread with a strong bias toward upside risk!
It's too early to say we know how to combat uncertainty suppression, but here are some suggestions:
To embed risk management, begin by accepting that you already have a lot of risk management embedded and find it. Then go after the many opportunities for risk experts to facilitate changes throughout an organization that improve risk management and improve the evidence of its operation and effectiveness, through audit trails and performance reporting, and so reduce the overhead of audit and control risk self certification.