This series of articles is an irreverent, tongue-in-cheek look at the serious business of risk management and compliance and the lack of scientific rigor dressed up in charts and graphs, which have an appearance of legitimacy, but tell us little about risks.
First of all, let me say that risk management and compliance are important functions and deserve to be taken as seriously as any other discipline in business and government to ensure efficient operational outcomes. My point in these articles is to point out where many firms diverge from serious risk management into the realm of mystery cloaked as rigor.
Click to read Part 1, Part 2 and Part 3.
Victim #4 – The Illiteracy of Risk Management
The language of risk management has reached the consciousness of the general public; that is both good and awful at the same time.
Organizations big and small have all begun to think about risk and develop systems and processes to address risk. That is a very good thing. Risk is not a new phenomenon, but risk management is now “cool!” Everyone wants to be a risk manager, and each wannabe risk manager is free to practice risk management however they feel is appropriate.
Risk management is a discipline that invites diversity and insights from a cross-disciplinary collection of backgrounds, experience and expertise. In fact, a plethora of nonprofit associations have cropped up to offer training and certification in various forms of risk management, including standards groups devoted to memorializing their imprint on the best way to conduct the evaluation and execution of risk management.
The concept of a formalized “risk framework” developed in 1985 by independent groups led by public auditors (COSO), with further advancements by risk managers in 2009 (ISO 31000), each with their own competing version of risk definitions, guidelines and principles of what constitutes good risk practice. More recently, college graduate courses have begun to issue advanced degrees in risk management, as well as doctoral degrees in a variety of disciplines devoted to the study of risk.
And finally, regulatory and credit rating agencies have adopted many of the new standards of risk practice into their guidance to boards of directors of publicly traded companies as evidence that organizations have strong risk management processes in place which are expected to mitigate whatever bad thing or recurrence of bad things threatens the viability of our economic system of free enterprise.
Yet with all this progress and rapid growth of the risk profession (with a few notable exceptions), progress has moved forward in fits and starts.[1]
Of all the disciplines in organizations, besides economics, risk management (or more specifically, decision management) traces its origins to the halls of Nobel laureates. As early as 1969, The Sveriges Riksbank, awarded economists and a single psychologist with the Nobel Prize for explaining how organizations operate within markets and a global economy. Herbert Simon’s 1978 groundbreaking “bounded rationality” theory has grown into the now widely accepted work by Daniel Kahneman and Amos Tversky on “human judgment and decision-making under uncertainty” in 2002.[2][3]
The lessons of these big thinkers is hardly recognizable in risk practice today, except for a community of mathematical economists, engineers, scientific researchers, physicists, “quants” and philosophers of decision science. The rest of us mere mortals suffer from an illiteracy of risk management.
Why is the general risk community illiterate regarding risk management?
Ask a risk manager to define risk management. I did this exercise in several LinkedIn risk groups and was surprised to find the variety and diversity of definitions and iterations of risk management. There is little consensus on a risk management mandate. Some respondents believe that risk management should aspire to anticipate future events before they happen and prevent or detect the manifestation of loss or operational failure before they occur. Other respondents define risk in terms of improved financial performance through better internal controls. Still others believe that risk management’s mandate is to improve decision-making; however, all respondent definitions fail to clearly articulate how these objectives will be achieved. The definitions include vague activities such as implementing processes and assessments that lead to aspirational outcomes.
These definitions remind me of the movie “Minority Report,” starring Tom Cruise as a member of a futuristic police unit whose task is to arrest murderers and other criminals before they commit a crime.[4] Not only is guilt predetermined, but the arrest is based on an unrealistic set of possible outcomes, one of which is murder or criminal intent.
The aforementioned risk definitions contain the same errors found in the movie. If, in fact, risk managers possessed the ability to “see the future” and adjust in real time to prevent bad things from happening or conversely enhance financial outcomes, why would such a person work for any company? Why not use these skills to become the wealthiest person on the planet and not share these secrets with anyone? Algorithmic traders may come closest to these mythical beings. None of the definitions have a quantitative path to achieving their stated objectives, which is part of the problem. The other half of the problem is what Herbert Simon called bounded rationality.
Risk managers are not omniscient and cannot prevent risks from happening.
No one will admit this publicly, but everyone understands human knowledge is bounded by abilities, experience, training and other factors that limit our capacity to solve every problem. Instead, we take a hard problem and simplify it to create a solution that we determine is good enough. These half-solved problems leave a legacy of operational inefficiencies that build over time into tail risk. Risk illiteracy is illustrated in these partial solutions. How many firms actually plan for failure, even though failure is a probable outcome?
Bounded rationality leads to unrealistic expectations which typically results in the blame game when something goes wrong or outcomes fail to deliver.
Sales goals always point upwards in a hockey stick projection of growth. Marketing projects always add value and risk managers must always prevent, detect and correct violations in internal controls. Failure to meet these expectations are often based on ill-prepared, one-dimensional expectations. Success or failure is not binary….there are incremental versions of each dimension which, when viewed from this perspective, allow firms to adjust accordingly to learn from each event to improve future outcomes.
Developing risk literacy will take time, but change is coming! Here is what it will look like in the R.I.S.K. enhanced office of the future.
I recently coined the phrase, R.I.S.K. (Risk Intelligent Systems Knowledgeware) to describe the future state of back-office operations. R.I.S.K. systems will become the smart back office of the future. Policies and procedures will be embedded in operational systems from IT to transaction processing and more. Real-time risk analysis will be conducted with live data and alerts and reports will become instantaneous.
In some cases, networks will heal themselves after a cyber breach or policy violation replete with after-action reports. Operational systems will conduct financial and regulatory audits at prescheduled times without any input from external sources, and external auditors will be able to upload data for management’s attestation. Disaster recovery will occur in cloud-based regional locations both domestically and offshore as redundant fail-overs in the event of nodule failure. Lastly, operational systems will compliment client-facing applications allowing customers to execute self-service applications and eliminating the need for large risk, compliance, audit or operational staff resources.
This is not a fantasy scenario, nor a far-fetched reality. A version of this future already exists in concept in auto manufacturing, warehouse robotics, unmanned space travel, among other fields. Firms who begin to plan for and anticipate this future will be leaner, resilient and more nimble than competitors. The steps for realizing a R.I.S.K. enhanced environment are being laid right now. The only question is: where will you be when R.I.S.K. becomes the new reality?
[1] https://hbr.org/2008/09/the-new-arsenal-of-risk-management
[2] http://www.economist.com/node/13350892
[3] http://www.princeton.edu/~kahneman/docs/Publications/prospect_theory.pdf
[4] http://www.imdb.com/title/tt0181689/
James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors.
