Reasons You Could be Failing at Risk Management

Here are the top ten reasons why you might be failing at risk management and how they can be avoided.

1. Poor Tone and Governance at Senior Levels

Risk management always tends to function better when the right tone and governance are set and when leadership is strong. In reality, this does not always happen. If you’re wondering whether this is a particular problem within your organization, here are some things to look out for.

  • Your chief executive is not acknowledging warning signs, or information that may suggest your current risk strategy isn’t working
  • Management lacks knowledge about risks that exist in your organization
  • Management isn’t considering risk when looking into new business opportunities
  • Management, rather than the board, is dealing with strategic issues and policy problems
  • Possible risks are not being sufficiently discussed across the organization
  • Staff are pressured to perform, or incentivized to take risks, resulting in unhealthy competition
  • Unrealistic expansion goals and an unusual emphasis on short term activities

Another common problem is when organizations focus on the short term, as this in itself generates more risk. Yet with a robust corporate structure in place, and the right balance between performance goals and objectives, much of this risk can be mitigated.

For organizations who are unsure of how risk management and compliance currently operate, a governance assessment can take place to evaluate this. Specifically, policy structure, accountabilities, lines of reporting and escalation protocols should be reviewed and improved to enhance governance further.

The entire company's risk appetite should also be considered. A common problem occurs, often when a new manager enters a business, when board members assume they are knowledgeable about risk and know how to manage it effectively. Unfortunately this is not always the case.

2. Too Much Risk Taking

Risk-taking must be considered when an organization is growing quickly. And yet it’s surprising just how many fast-growing companies assume their senior figures to be a ‘safe pair of hands’ without knowing this for sure. Here are some signs that the senior figure you previously trusted with risk management might not be up to the job after all.

  • Risk management is lacking or non-existent within your organization
  • Staff are actively encouraged to take risk through poorly designed reward systems
  • Some staff are capable of generating significant revenue, while other members of the team are unsure how they’re achieving it
  • Conflicts of interest often occur within complex, volatile or difficult to measure areas

What do organizations need to do if they realize risk is not being appropriately managed? To begin, the organization will need to look over its business model and see if any risks exist there. They will also need to evaluate whether senior members of the team are capable of managing risk. Equally, certain employee behaviours could be contributing to risk as a result of incentives available or the culture of the organization. So instead of encouraging a ‘herd’ mentality, staff should be made accountable for their actions. Equally, an atmosphere of transparency should be promoted within the organization so that staff feel comfortable talking about risk, rather than avoiding the subject entirely. Above all, a risk assessment should take place, which should include different scenario analyses being performed.

3. Enterprise Risk Management (eRM) Not Being Used

Although enterprise risk management is vital to mitigate risk within an organization, it needs to be carried out in the correct way to be successful. It’s surprising just how many organizations implement eRM, but achieve very little from it because it’s been executed in the wrong manner, specifically with a lack of relevance, resources or focus. Similarly, talks to establish the purpose of the exercise could have been dragged out. Or, various silos could have formed within separate departments of the organization, meaning that senior management isn’t even aware of any risks which exist.

Common problems with eRM include:

  • A lack of involvement or support from people knowledgeable in risk management, or delegation to other staff who are less knowledgeable
  • Staff often questioning why eRM is necessary
  • Employees believing that existing eRM silos adequately cover risk or project scope, or only specific parts of the organization should be considered for risk
  • Poor overall compliance with the current risk management policy

If an organization wants to work towards eliminating these types of problems, they should begin by assessing whether senior executives actually understand risk management. This can be achieved by asking them to define ‘risk management’ and explain the type of role it plays within the organization. Once this has been done, a risk assessment and capability gap analysis should then take place, the results of which can be used to compile a business case for risk management.

4. Poor or Non-Existent Risk Assessments

While it’s right for an organization to carry out a risk assessment, it’s equally vital for that assessment to be designed effectively so that it doesn’t result in total failure. A common problem with poorly designed risk assessments is that the issues they identify cannot be translated into actionable steps, which means no problems are rectified.

If you are concerned that this could be happening within your organization, look out for some of these warning signs.

  • Multiple risk assessments have taken place instead of one interconnected assessment
  • Processes that currently exist for managing risk are inadequate, or risks are siloed into separate departments within the organization
  • Previously raised concerns about how risk assessments take place
  • Existing risk assessments not being used for effective decision making or business planning

Luckily, some measures can be put in place to make risk assessments as effective as possible. Firstly, a risk assessment process should be established at the enterprise level, which should also conform to the organization's business plan. Then, the results of the assessment should be reviewed by the board of directors as one final check.

5. Accepting a ‘Herd Mentality’

In organizations, it is common for staff to be seduced by internal incentive programs, rather than focus on long term goals. This is linked with the idea of the ‘herd mentality’. Similarly, organizations are putting themselves at greater risk if they adopt poor underwriting practices, suffer excessive debt or do not sufficiently innovate or regulate.

Businesses that use the same model or strategy despite changing market conditions are also at risk, as are organizations that make too many assumptions or deal with essential topics in a single-minded manner. Many organizations carry out stress tests or conduct financial models. However, these are only effective if they consider alternate scenarios or current market conditions and operating environments.

If you recognize these types of problems within your own organization, there are things you can do to rectify them.

  • The current financial situation of the organization should be reviewed in detail
  • Changes in the operating environment should be determined by examining both business and operating models
  • The operating environment should be considered from different angles so that strategy can be sufficiently planned
  • Dangerous scenarios should be introduced into existing financial models, particularly ones relating to market or credit risk
  • The system should be reviewed at regular intervals so that managers feel confident it is performing properly


6. A Misconception that if Risk can’t be Measured, then it can’t be Managed

There’s a misconception amongst lazy managers that if the risk cannot be measured, then it cannot be managed. While this is sometimes true, it’s often just an excuse for reluctant managers not to do anything.

So how could you identify if this was happening within your organization? Here are some common signs to look out for.

  • Incorrect measurement or mapping of risk which has resulted in a confusing situation
  • The potential for a considerable exposure to risk
  • Managing and measuring risk without using a continuous improvement mindset
  • Not being able to tell the difference between risk measurement and risk management

To illustrate some of these points, some industries, such as financial services, worry excessively about the results of their models without also applying sensible judgement. Or, some businesses generate reams and reams of information but do not make enough use of it for decision making.

There are things organizations can do to avoid these kinds of problems. To begin, they should examine all the data they have available, then work out which risks are most dangerous to their organization. This can then be used to develop risk indicators, or alternatively, KPIs could be used if no other information is at hand. By aggregating many different sources of data, a more accurate picture of risk can be established across the entire company by creating possible risk outcomes.

7. Management is Unwilling or Unsure how to Make Improvements

Within an organization, managers should make use of as much information as possible to aid their decision making. Although decision making is usually made more difficult by complex situations, problems can occur if management is unable or unwilling to improve a situation. In contrast, when management or boards are open to improving a situation, better decisions can be made. Management and executives must have a strong awareness of risk, and foster a positive culture within their organization surrounding risk and risk management. The firm's business model should also be reviewed so that any possible risk in it can be identified.

Members of staff should feel comfortable in raising concerns to others surrounding risk. In reality, though, this might not always be the case. Here are some signs that indicate it might be time to make changes in the way your organization deals with risk.

  • Brand new risks suddenly appear, with no prior knowledge and without warning
  • Analysis tools for KPIs and KRIs are non-existent, so performance reviews cannot be carried out effectively
  • Decision making is passed to other members of the organization
  • Oversight of risk is poor, and silos separate knowledge into different departments rather than utilizing it across the entire organization
  • People within the organization are attempting to hide risk, so directors are unable to determine risk exposure accurately

Organizations looking to improve their overall risk management processes could make use of enterprise risk management, or eRM for short. eRM aims to set policies, develop focus and create risk management capabilities that adapt to the changing environment. eRM works best in organizations which are very risk-aware and are run by a CEO who actively encourages an open and honest environment. If you are keen to work towards this environment for your own organization, with a future view of utilizing eRM, there are steps you can take to help you get there.

  • Use regular reporting to brief executive management on the main risks that exist
  • Across the entire organization, introduce risk assessment processes
  • When determining unacceptable risks, first consider the required level of risk each entity can manage before it’s deemed overly dangerous
  • Establish measures, procedures and metrics for accountability of the most severe risks


8. Risk Management Not Linked with Performance Management or Strategy Setting

When an overall strategy is being established, risk is not always treated as an essential consideration. Strategic objectives which are set could be unrealistic, and several problems could result, such as an inability to adapt within the organization or deliver what was initially planned, or a loss of value within the organization.

If you’re worried that a particular project or activity is destined for failure, look out for these warning signs.

  • Strategic performance management does not correlate well with risk responses.
  • Risk management is somewhat disconnected from contract management processes.
  • Risk scenarios have been poorly considered, which affects strategy execution.
  • Too many risk-heavy activities are being carried out by staff who lack knowledge of risk.

So that risk doesn’t cause too much of a negative impact, management needs to set up the right risk strategy which identifies and mitigates any kind of risk. This can then be rolled out across all business units, who benefit from improved performance and strategic planning, and a more transparent view of risks.

9. An Organizational Culture that Ignores Blind Spots and Dysfunction

Organizations which have put serious thought into their culture are more likely to be able to manage unacceptable risk. Consideration of this also allows new dangers to be identified more easily within a forever changing operational environment. In contrast, organizations which are unable to pick up on risk warning signs must make changes, as the impact of specific risks can be devastating.

Dysfunction and blind spots can be visible in many different ways. However, the most common ones include:

  • Members of staff being rewarded for taking risks.
  • Executives who have unrealistic targets, encourage competition between staff or who are resistant to things they don’t want to hear.
  • A loose connection between risk management and high priority business problems.
  • Lack of responsibility concerning risk management, sometimes resulting in total failure for certain parts of the organization.

Within the organization, an open dialogue should be established regarding both opportunities and risk. Policies should be created that govern risk exposure. In other words, employees that don’t follow the rules should be disciplined. A process of escalation should also be present which manages risk problems rather than allowing them to get out of control.

10. Poor Board Involvement from the Beginning

Corporate boards need to be involved from the start with things like business planning, corporate strategy or risk appetite. Look out for these warning signs that can indicate a lack of board involvement in risk activities within an organization.

  • The board are only aware of particular risks once they’ve occurred.
  • Board discussions about risk are ad-hoc and unstructured.
  • Directors are not aware of the essential risks within the organization.
  • A lack of discussion by the board on the organization’s risk profile.

Only by evaluating the entire operating environment can both the directors and board begin to determine existing and emerging risk before it happens. Similarly, risk appetite and significant risks within the organization also need to be considered. A strategy should be established so that existing threats to the business model can be dealt with appropriately.

Risk reporting also needs to take place, which should include activities such as:

  • Determining the most critical risks which exist over the entire organization.
  • Working out which investments perform well and which ones don’t, and the reasons why this is happening.
  • Reviewing the position of certain portfolio items and how prone to risk they could be.
  • Performing scenario analysis to see how different changes could impact on specific business activities.
  • Reporting all risks to executives so they can be addressed appropriately.