Three mistakes that risk consultants often make
- Published: Wednesday, 19 October 2016 08:40
As more and more companies across the globe are looking to implement robust risk management, the demand for risk management consultants is also growing. Unfortunately, not all risk consultants are able to generate long term value for their clients; here are three reasons why…
By Alexei Sidorenko, CRMP.
Selling the wrong product
Non-financial companies want to buy, and many risk consultants continue to sell, risk assessments, risk management frameworks, risk appetite statements and risk profiles. What do all these products have in common? I am being intentionally provocative here, so I will say all these products are missing the point completely. One thing they have in common is that they are designed to measure, capture or document risks, making us all believe that risks and their mitigation are the ultimate goals of the exercise.
Over the years this tendency to treat risk management as a separate, standalone (some go as far as say independent) process with its own inputs (data, interviews, experts) and outputs (risk reports, risk matrices, risk registers) created a whole community of risk consultants who seem to be missing the plot. Risk management is not really about dealing with risks; risk management is about helping companies achieve their objectives and make better decisions.
Yes, sometimes it may be useful to capture risks for the sake of risks and discuss them with the management team; but this should be more an exception than a norm. I believe, that risk management is ultimately about changing how companies make decisions and operate with risks in mind.
The two modern trends in risk management by far are: integration into business processes / decision making; and human and cultural factors. Yet, it seems that many modern risk consultants completely ignore both of them.
- It is fundamentally wrong measuring risk levels when instead you could measure the impact that risks have on key objectives or business decisions using budget@risk, schedule@risk, profit@risk or KPI@risk.
- It is wrong to have a risk management framework document, when instead you can integrate risk management principles and procedures into operational policies and procedures, such as budgeting, planning, procurement and so on.
- It is a mistake to try and use a single enterprise wide approach to measure different risks. Different risks, different types of decisions and different business processes deserve unique risk methodologies, risk criteria and risk analysis tools.
The reality is that most risk management consultants sell completely wrong products. Management doesn't care about risks per se; they care about making decisions that will hold in court, making money and meeting KPIs. Risk managers need to show value from risk management and fail to do so by focusing on risks (their domain) instead of business processes or decisions (the business domain).
Confusing risk management with compliance
Did you know that, unlike many other ISO standards, the ISO 31000:2009 risk management standard is not intended for the purpose of certification? This was a conscious decision made by the people working on the standard at the time. It is a guidance document.
Risk management is simply not black and white. For example, risk management is about integrating into decision making and business processes, but every organization will find its unique way of doing so.
Many consultants make a huge mistake by insisting on a single version of the truth. Non-financial regulators or government agencies often make an even bigger mistake by taking guidelines and making them compulsory. Like COSO:ERM in the US, a guidance document (and a bad one in my opinion) made obligatory for listed companies.
By far the best way to assess risk management effectiveness is by applying a risk management maturity model. Just keep in mind that most existing maturity models were created by consultants who miss the big picture, see my first point above.
Failing to see the intimate details
A few years ago one of my good friends, Anna Korbut, said an interesting thing: "Risk management is a very intimate affair". I liked this phrase, so I used it ever since. Risk management truly is intimate and unique. I have been working in risk management for over 13 years in four different countries, I have seen close to 300 risk management implementations and yet every single one was unique in some way.
Unfortunately, many consultants fail to dig deep enough to see how risk management is really implemented into organizational processes and into the overall culture of the organization.
Risk management goes against human nature (see research by D.Kahnemann and A.Tversky), so most of the time risk managers use techniques that are border line neuro-linguistic programming or are building an internal intelligence network. Here are just two examples:
- I personally created a table tennis tournament in the company where I used to work to get an opportunity to meet all business units in informal settings and build rapport. This had a bigger positive impact than monthly executive risk committee meetings where all the same department heads were present.
- A colleague of mine created the whole operational planning procedure within a company to reinforce the need to discuss risks on a daily basis.
The key takeaway is that, unless specifically asked, most risk managers will never disclose how they really build risk management culture within the organization or how they integrate risk analysis into the business. According to ISO 31000:2009 risk management is the coordinated activities to direct and control an organization with regard to risk. It consists of many small things that risk managers do on a daily basis, most of which may not directly relate to risk. Yet it is those small things that build risk management culture within the organization. Unfortunately, most risk consultants are quick to jump to conclusions and do not bother to dig deep enough to see all the nuances.
Risk management in every company is unique, it is the risk consultant's job to figure out how it all comes together to build a better risk-based organization.