Better risk based situational awareness using risk models

This is a rewrite of an article I wrote in 2010. I'm revisiting some of my earlier writings to update them to my current ideas.

Top five versus first five issues

Ask people for their top five issues in any area of concern other than one they are personally and closely involved with, and they are more than likely to give you the first five important issues that come to mind. Of course, these are not necessarily the top five issues; they are their top five issues at that moment.

This problem, by the way, is a typical challenge of idea generation which you try to counter with brainstorming. Ideally, you would ask them to tell you their top 50 issues, and then prioritize. However, quite often they don't have the time and you don't have the budget. And that is a critical problem. Why?

Getting an as complete as possible view on risks is essential in a risk management exercise. After all, risks not identified cannot be managed, and will come to the fore at the most inopportune of times.

Using risk models

This is where risk models come into the picture. A risk model aims to take a lot of the preparatory risk identification work out of your hands. There are certain advantages to using a predefined set of potential risks for an organization. Three of the most important ones are:

  • it allows you to focus on the relevance of the proposed potential risks, thus reducing the actual effort invested in thinking about completeness;
  • it allows you the time required to better and more clearly define the risks which are considered relevant;
  • it allows you to identify those risks not already present in the risk model.

Errors in understanding the use of a risk model

People opposed to the use of risk models will make the case that the tool has limited value because you can never integrate all relevant risks in one framework.

It is indeed practically impossible to integrate all relevant risks in one overarching framework. However, rather than making a risk model a tool of limited value, the simple fact that the risk model has already defined a lot of potential risks, and thus takes away the effort of performing the same analysis again and again, makes it a tool which saves you time and effort. Rather than reinventing the wheel again and again, the risk model allows for true value creation in defining new risks which you otherwise would never have thought about because you were so focused on the top 5 risks.

The relevance of the risk model

A risk model allows you to focus on the essential risks both present in and lacking from the model. This leads to a better degree of concrete, situational risk awareness in a risk assessment exercise.

Simplifying risk models

A brief history

The relevance of using risk models as the basis for risk management was disputed at the beginning of this century. It actually remains disputed as an approach by a number of authors. In the early ‘00’s, leading risk management advisory companies did not see the reason to use models. They felt it impeded organizations from assessing the entirety of their risks. In the late 1990’s, Arthur Andersen was the first company to start structuring risk models as a basis for the structural implementation of enterprise risk management. Some of their risk models survive today, for example in Protiviti’s Knowledge Leader.

The wider adoption of risk models

Risk models really came to the fore towards the end of the ’00s, when experiments in implementing enterprise risk management or ERM systems showed a significant flaw in the prior reasoning: people did not share a mutual understanding of the term ‘risk’ and even failed to agree on a common definition for the most traditional of risks.

A solution was the development of risk models: industry specific structured overviews of potential risks which could occur in companies active in a certain industry, with a clear definition of what the risk means in agreed upon terms. Agreed upon terms would be adapted to company specific terms, in order to limit the risk of misunderstanding and thus mistreatment of a specific risk.

The challenge of today’s risk models

In our quest to increase the transparency and the unified interpretation of risk models, I fear we may have overcomplicated them. Overcomplicating a risk model – or any model for that matter – lowers the adoption rates by users. Therefore, while the move towards a more complex set of risk models was necessary to develop enough detail in the risk models, we now need to make the reverse move. This move should not be towards no risk models, but towards a list, an overview of possible risks.

The added value of risk management

Because what is the actual added value of risk management? It is the optimization of our response to priority, identifiable risks if and when they occur. Risk management should NOT be a central pillar of a management system. It contributes to a better risk response, and can be added to the ways in which an organization is run, but it should not be the central element.

In essence, even if no management exists, this would not preclude risk management systems from existing across an entity or a group of entities.

Let me explain: we see the demise of certain (types of) corporations, especially, but not only in the services sector. These are being replaced by decentral, distributed networks of independent contractors which come together on a project-by-project basis. Perhaps more than ever, these decentralized networks need risk management, but they inherently do not have a management structure to, well, structure their risk management.

The trigger list in Getting Things Done

So, how do you manage risk in a distributed, decentralized environment, or in any type of environment for that matter, in an as cost-effective way as possible? You develop a risk trigger list.

Actually, this idea is not new. I borrow the central idea from David Allen, who in his excellent book called Getting Things Done refers to an incompletion trigger list as an essential tool for the brain dump, in essence a way of clearing any issues in your head and getting them on paper, for further processing.

The trigger list is a very powerful tool: it is small enough (David Allen’s trigger list covers at most 2 modest pages) to be used on a regular basis and yet complete enough so all elements you may have forgotten can be dealt with.

The Risk trigger list

In order to enhance adoption of risk management as a tool, in order to make it usable on a regular basis and complete enough to deal with most risks one could forget, I would suggest developing a risk trigger list per project, process, organization or even industry. This trigger list, which should not be more than 2 pages long, contains trigger words: words that will result in a comprehensive listing of most of the relevant risks which can occur in that process, project, organization or industry.

You may be surprised. At least per industry, I believe at least 50% of the risks will be the same across organizations. The list will partly be generic, and partly specific to the organization, the process or the project. Developing a risk trigger list should be one of the first responsibilities in any new process or project.

The relevance

By simplifying the comprehensive risk models we’ve developed in the past 10 years and condensing them into risk trigger lists, we may reach the critical threshold to wider adoption of risk management principles, which will in turn lead to better managed processes, projects, organizations and industries.

Risks associated with measuring impact and likelihood

Subjectivity is all around us

Any evaluation, however objective you want it to be, is necessarily subjective. Just read some of Nassim Nicholas Taleb’s books, which provide ample illustration of how easily we start to act based on subjective assessments. Now, contrast this with new risk management methodologies and applications which frequently tout new and improved ways and means of measuring the impact of a risk on objectives and the likelihood of occurrence of that risk as part of their process.

Impact and likelihood are subjective

We need to raise the question: can subjectively assessed impact and likelihood be considered that relevant? Can we ensure that the evaluation of these two criteria is done in an as objective as possible manner?

  • The negative: performing this assessment in an entirely objective and therefore relevant manner will be very difficult.
  • The positive: these criteria do not necessarily need to be evaluated to perform good risk management.

We frequently over-evaluate the likelihood of recent occurrences

When assessing the likelihood of occurrence of a risk, participants tend to over-evaluate risks which occurred recently or at all. If there is a reference point, people charged with evaluating will often attribute a higher likelihood to these recent events, even if the probability of occurrence has in effect been reduced by the (over)reaction to the event. An example: remember 9/11? People were more scared of terrorist events after the attacks on New York and Washington than before, whereas the actual likelihood of occurrence had diminished because of the reactive measures taken. The conclusion: if it has happened before, we think it more likely to happen again. Turning this around, we also tend to under-evaluate those risks we know little or nothing about. Often these risks won’t even show up in an assessment until they occur … after which they are over-evaluated in terms of likelihood of occurrence.

Abstract risk description leads to under-evaluating the impact of a risk

If we cannot imagine a risk occurring, we cannot assess its potential impact and we tend to underestimate that impact. Conversely, the more informed we are, and the more concretely a risk is formulated, the better we are at assessing its impact. Now, this not only makes the case for a significant investment in a risk (identification) model which aims at translating a risk into as concrete as possible terms, but it also warns of the risk of skewed assessments if risks are not appropriately described.

What this means for assessed versus “real” inherent risk

Assessed inherent risk, as a function of impact and likelihood of occurrence, will likely not be a correct representation of the actual inherent risk. Assessments are skewed because the evaluations are done by people, are always subjective and are very difficult to correct for, as we have no insight into the motivation to vote one way or another.

Trusted collaborators skew our perception of current control level

The problems, however, do not end there. Often, a third dimension is measured: the current control level or the current risk management level. In this assessment, the presence of known and trusted collaborators charged with working on internal controls will skew management’s assessment of the current level of internal control or current level of risk management, which they will tend to overrate. The better the measures functioned in the past, the more concrete the measures are to the manager evaluating them, the more likely he or she will actually overestimate their effectiveness.

First conclusions: is risk management doomed?

Not necessarily. There are, however, a couple of elements to keep in mind. The traditional risk matrix, representing impact and likelihood on two separate axes, will more than probably misrepresent the objective truth. When using a standard risk matrix, do so with caution. The risk control matrix can be used as a good tool subject to certain preconditions:

  • Do not merely and blindly use impact and likelihood, as this will create a false sense of security. Evaluate the level of (inherent) risk as one evaluation instead. Inform participants in the assessment that the level of (inherent) risk is a function of their perception of impact and likelihood, but ask them to perform their own ‘integration’ of the two factors. The level of (inherent) risk remains an intuitive assessment.

  • Instead of assessing level of current control, reverse the question and ask participants to assess ‘exposure’ or ‘vulnerability’. Again, this is an intuitive assessment. I refer to this post for some more ideas on that.

  • Develop the risk control matrix by combining level of (inherent) risk with exposure or vulnerability in a two dimensional representation.

  • Remain very aware the assessment is a subjective assessment at all times. The map is NOT the territory.

  • Correct quadrant III of the risk control matrix (which I will detail in a further post) for under-evaluation of level of (inherent) risk due to the factors discussed above. Internal audit, in executing its assurance function, needs to focus on both quadrant II and III of the risk control matrix.

Public sector performance enhancement

Let’s not get run over again

There are quite a few performance enhancing methodologies for administrations available on the market today. Most have not proven to be that successful all the time. However, under pressure to enhance performance, the public servants hope that if, or rather when, someone turns government around, they don’t get run over again.

Potential added value of performance related methodologies

Can we integrate some of these approaches and methodologies into a comprehensive, sensible whole? There are four methodologies that can be integrated into one relevant approach with a real potential for adding value. The integration may prove relevant for administrations because most of the analyses executed in the past years can be used to feed this integrated approach. The investment in analysis and development of the past years will not necessarily go to waste. This reduces stress on the public servants who are trying to do their job.

Combining four existing methodologies in one new approach

How do we go about developing the best possible solution for the execution of a given role or responsibility? We aim to hit the optimal total cost to society for a public service or good. Which methodologies and/or tools would I use in what order?

  1. Extended burden measurement - I suggest starting with an extended burden measurement in order to determine the actual total administrative burden to, on the one hand, the citizen and/or organization impacted by this responsibility and, on the other hand, the government charged with preparing the legislation, implementing it and ensuring compliance. Based on this initial calculation, we need to determine which activities or requirements can be cut at what level, where cutting is the most optimal. Important: I am not starting from the assumption that we need to cut the burden to the citizen or the organization first. We need to cut where the effect of cutting is the most relevant, i.e. where it reduces the total cost the most. The burden to the citizen or the organization, as defined by the Standard Cost Model, is a function of the time invested in complying with the requirements and the out-of-pocket costs which are part of the compliance. These are very direct costs, as these are cash-outs directly related to the role of the administration, which is bothering you until you comply. The costs to government, while less direct in nature, are still cash-outs, as these are being paid for by our taxes. These costs to government are the subject of our second methodology.

  2. Cost optimization at the level of the administration - When an administration is tasked to execute a role, it needs three elements: it needs people to execute, processes which these people need to follow, and technology to support these people and where possible replace them in repetitive work. This costing exercise exists under many names, but has been executed one time or another in the past years in most administrations. The data gathered here can easily be used to determine the cost elements internal to the administrations in calculating the extended burden. The risk of unchecked administration bloat needs to be countered using ideas on lean administrations.

  3. Lean administrations governed by management contracts avoid administrative bloat: once beyond a certain size, traditional organizations in both the public and private sector no longer exist to fulfill a purpose, but primarily exist to maintain themselves. Using time-limited management contracts, which define SMART outcomes whose relevance is questioned on a regular basis, which can be achieved with the right resources while maintaining a positive cost/benefit balance, and which are managed by risk metrics, has been the subject of a previous post.

  4. Risk metrics based on well-defined and researched risk management systems which are tasked with monitoring the weaknesses of and threats to the achievement of objectives by an administration are an essential tool to make sure that the effort of the administration, in terms of both budgetary means and resources, remains focused where it needs to be.

An approach well beyond window dressing

By integrating four of the most current public management methodologies, i.e. burden measurement, cost optimization, lean administration/lean government and risk management, we can develop an approach which makes sense to the public servants and finally gives them a shot at a structural improvement of their activities. This goes beyond the current window dressing with maturity assessments, which only identify a problem based on interviews and are not made for or capable of providing a comprehensive and pragmatic solution. Making the performance optimization effort transparent will significantly increase the credibility of the public sector as a whole.

You are already managing risks

How do we start to manage our risks?

It’s an often heard question when talking to organizations about risk management. The honest answer to that is that most organizations already manage risk. It’s often just not called risk management.

Risk management by any other name

Let’s look at a number of examples of risk management which are not necessarily recognized as such:

  • Any organization that develops processes to optimize its activities is managing risk. It is managing the risk of its operations not running in an effective and efficient manner;
  • Any organization that has a people retention policy is managing risk. It’s managing the risk that good people will leave because they have no clear view on their future development within the company;
  • Any organization that has someone who gathers all press articles about it or its sector is managing risk. It is managing the risk that there are opinions or evolutions out there about itself or its market it would not know about.

Integrated risk management occurs enterprise wide

More than starting with risk management, organizations have a need to structure, integrate and optimize risk management. It’s not really about whether or not you manage risk, it’s about how to do it in the most appropriate of manners. And it’s about making the most of risk management.

High level assessment of the appropriateness of current risk management practices

So, if you are hesitant about starting up risk management, don’t be. Chances are you are already managing risk. The question therefore should be whether you are spending the money you spend on risk management in the most appropriate manner. This comes down to asking three basic questions:

  1. Are we managing risk in the most optimal integrated manner for our organization? Are we aware of all initiatives being taken and are we integrating them in order to be as cost-effective about risk management as we can be?
  2. If we are doing that, do we find optimization opportunities for risk management across functions? Are other functions handling similar issues in different, better ways and do we know about it?
  3. Given that, are we exploiting the opportunities to the maximum extent? Risk management is not just about managing the downside. It is also about exploiting the upside, a dimension quite often forgotten.

If you can answer these three questions, you will have a better view on where you are and where you should be going.

Sense and nonsense of risk maturity assessments

Can you “manage” maturity?

Maturity assessments are the new fad of management. You encounter them everywhere. Also, and perhaps most often, in risk management. Risk management and internal control systems need to be assessed and benchmarked and turned upside down and inside out. These tendencies appear to be indicative of an overly strong desire for micro management. Organizations are afraid of a big unknown which may come to haunt them, so they check the doors; then they benchmark their doors against the doors of their neighbors (peer group). The problem is that it is yet another way many organizations hide from their core responsibility, which is managing their risks, not talking about managing their risks, or planning to manage their risks.

Maturity assessments can favor form over substance

The formal process of assessment has gotten in the way of the actual execution. How wrong can that be? Time spent assessing performance, which is not bad in and of itself, is not spent on doing actual work. All other things remaining equal, the relative part spent on actual management should significantly outweigh the effort invested in assessment.

The new frontier of Risk Management

Matthew Leitch stated a couple of years ago that risk management was a practice which was in full development. He mentioned the wild risk management frontier, with snake oil salesmen trying to sell you the newest fad. This time, it’s not hair growth potion, it’s multi-dollar investments.

Back stage pass

Now, how would you do this? Snake oil salesmen had an accomplice in the audience, wearing a “bald” wig (hiding his hair), who all of a sudden appeared to have had hair growth at an amazing speed. He told a wonderful story, which appeared possible (although not likely); and he provided a benchmark, a recognizable reference which could be used as a baseline for one’s own future hair growth assessment. “Hey, I may be balding, but I am not as bald as this guy was, therefore, this tonic will do me even more good.” Any comparison in the paragraphs below between risk consultants and snake oil salesmen is - by the way - purely coincidental.

Objective maturity assessments

Your consultant develops a risk maturity assessment tool. Quite likely he will use the most often referenced framework, COSO-ERM. This framework, written by accountants for accountants, is most certainly not the best risk reference framework out there for anything but financial processes. Using COSO-ERM, your consultant creates a reference framework which will allow you to assess your risk maturity across different dimensions. If they do their jobs right (remember, their job is not giving you the best possible risk management framework), the tool will score your performance higher in some aspects, lower in some others, for a total score which is just a tiny bit lower than the average for your sector, industry or whatever. In other words, the consultant took their own mirror, held it in front of you and claimed an objective assessment. Do this: match your weaknesses with their preferred product portfolio. You’ll likely see a trend. Risk maturity assessments against an external benchmark are irrelevant, because there is no organization like your own organization. Your risk response is tailored to the environment you are working in, the structure and constitution of your organization and the exposures you have. There is no wrong or right risk response, there is only your own risk response, which is entirely based on your risk perception and your risk appetite.

When risk maturity assessments are relevant

Risk maturity assessments are not inherently bad. They will contribute value if their scope contains at least the following elements:

  • you compare the risk maturity evolution for your own organization over time;
  • you compare that evolution with the evolution of your risk profile: the exposure of your organization to risks.

Repeating this assessment on a regular basis with the same assessment team will provide you with insights into how the risk management focus of your organization shifts with the changes in your organizational risk exposures.

There is no ideal risk management profile

There are risks, and there are people that manage those risks as best they can, with the available means, within certain limits. We should focus on building these kinds of systems instead of overanalyzing and providing snake oil salesmen with a gullible audience. I’m not saying there are no good consultants in this area (I consider myself one), but there are quite a few charlatans as well. Be aware and remain critical. After all, the management of your external provider risk is a key risk to manage.