I usually interact with corporate risk managers (CROs), most of them work in large corporations and multinational companies. One of the most common –and problematic- issues they face is the lack of integration of risk management and business strategy. Some of my favorite quotes I received along these years include: “when I step in the office elevator everybody shuts up”; “I am always running behind business managers trying to have them complying with the risk management procedures”; “once a general manager of one of our business units asked me what was the reason why I was being paid a salary in the company”. On the other hand, I also get comments from the business managers, a few weeks ago I got a “I hate risk managers, I have been receiving no for an answer for the last 25 years” … Most of the other comments are along these lines. This is showing us that we have an integration problem that needs some attention.
In my opinion the source of this problem is the separation of tasks between business managers and risk managers. This last statement can be rephrased with “the source of this problem is that lack of a risk management culture in the firm”. Risk, as of today, is seen as a negative outcome that might happen in the future with some probability. This definition of risk, that stresses its negative side, is way more than a semantic problem, since it fails to recognize the most important aspect of risk; the potential upside that can be obtained by the company that dares to assume a risk. Risk has both the upside and the downside. We assume the downside of a risk because we want to profit from its upside. The more downside we are willing to assume, the higher the upside we can gain from it. Under this alternative view, risk is part of strategic planning, and should be treated as such.
As stated by Peter Bernstein in his magnificent book Against the Gods: The Remarkable Story of Risk, risk derives from the ancient Italian term risicare, that means to dare. This captures the main essence of risk management; we need to dare to assume a risk in order to gain its associated profits. Take for example a mountaineer, who decides to go and climb Everest. He or she is taking a fair amount of risk in the hope of getting the reward of reaching the summit. A good planning needs a careful risk assessment and an adequate preparation in order to be suitable for assuming the associated risks. Potential risks need to be identified, measured and classified, and mitigation procedures need to be identified and evaluated. In the end the mountaineer needs to assess whether he or she is suitable to assume the risks associated with the expedition. Alfredo Barragan is an Argentine expeditioner who has completed several famous expeditions, among them Atlantis Expedition, where with a group of colleagues built a raft with logs and ropes and sailed from Africa to America to prove that Afrikaners might have reached America before Columbus. Barragan likes to state that he is an expeditioner, not an adventurer. The difference is that an adventurer goes to the ocean and see what will happen, whereas and adventurer goes to the ocean already knowing what will happen. These two examples give a nice flavor of what risk management should be. A risk manager is not there to say “no, don’t do it”; a good risk manager is supposed to be involved in the strategy and discuss which is the best way to accomplish the strategic goal given its associated risks. In the corporate world risk management should be embedded in strategic planning; it should not come running behind it!
In most companies, Risk Management used to be part of auditing or control and was hardly perceived as a strategic partner… Under this setting it is very hard for business and risk management to be synchronized, rather, they are likely to be sitting at opposite sides of the table, and their interaction is a forced one. They do not collaborate. In this setting nobody sees risk management as a strategic weapon, it is mostly regarded as a required check in a checklist, and mostly considered a hassle. Nobody really takes advantages of the importance of managing risks and its associated opportunities in advance, and companies end up assuming risks without any strategic planning.
The only way to have risk management and strategic planning working in collaboration, is to have them together in the organization. In other words, we need to recognize the fact that risk management is not a task of the CRO, rather it is function that is embedded in every member of the organizations’ job. Everybody in the organization needs to be aware that it is his or her responsibility to take care of the risks and opportunities. Companies need to have a risk committee that decides regarding the risks faced by the firm in every business decision. The risk committee has to be formed by the business managers, and every business manager is responsible for managing a certain part of the business and its associated risks. In this setting every business decision is analyzed both in its business and risk dimension by the firm’s management. Risk analysis is embedded in the very inception of the business decision; this is the only way in which risk management can be embedded in business strategy. In this setting risk management will not be chasing people around to get checks or signatures, rather they will be leading the strategic decisions of the company.
