Norman Marks of SAP maintains an excellent blog dedicated to governance, risk management and internal audit. For those not familiar with it, I recommend you read his recent post on making risk management a way of life. Marks makes such an eloquent and cogent argument, I would add nothing by putting it into my own words. I just want to say how much I agree with his assessment that:
The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a ‘check-the-box’ activity. Used well, it can help an organization achieve and sustain optimal long-term performance.
We need more professionals to make the argument that risk management is a daily activity. Many ‘framework’ approaches tend to push the business to adopting a periodic approach, reminiscent of auditing. However, the Internal Audit function is already well placed to do Internal Audit’s work, including audits of risk management. The demand for improved risk management comes from something additional: the realization that effectively auditing the past is not sufficient to guarantee effective management of future risks.
Perhaps there is some fear that constrains us from insisting on the everyday nature of risk management. If done every day, it becomes clear that the person given the job title of ‘Risk Manager’ will not be able to manage every risk on a daily basis. Responsibility for risk has to be distributed if action is going to be timely. Risk-related decisions should be made by the most appropriate people, and most decisions involve an element of risk. This diffusion of responsibility begs the question of how the risk manager adds value to the business, and can lead to a retreat into a manageable universe of tables and reports that list what happened since those tables and reports were last updated.
So how do we make the leap from periodic reviews of how well we managed risks during the past quarter, to genuine forward-looking risk management? I do not have all the answers, but I can draw on the experience of how revenue assurance has (or should have) developed over the past decade. These days the dominant marketing theme in revenue assurance is how it is evolving into business assurance. The words may vary, but each vendor pushes a similar message. Go back a few years, and the RA industry was in thrall to a different message, which was summarized by the goal of being more “proactive”. I put the word in inverted commas because it was so often abused, and because it was used to refer to a vaguely-defined and somewhat contradictory constellation of proposals for how to improve revenue assurance. Though the intensity of the debate has subsided as the marketing pitches have changed, the TM Forum did the right thing when it pulled apart the idea of proactivity and showed how two very different kinds of improvement were being conflated. To do this required an analysis that went beyond a false dichotomy between reactive and proactive approaches.
We can all agree that we react to things that occur in the past, and we are proactive when we anticipate and change the future. But what about the here and now? This grounds us in the activities that need to be performed on a daily basis. By also talking about ‘active’ revenue assurance, which concerns the present, we can show how it differs from reactive and proactive revenue assurance. In particular, being active is not the same as being proactive; if we confuse them we fail to identify the different strategies for being active and for being proactive. The TMF’s separation of reactive, active and proactive revenue assurance can be generalized to all risk management. Consider the example of how we deal with the risk of a fire in a building…
- Reactive: the building has already burned down. We are no longer dealing with an actual risk, but are rather dealing with the consequences of something that happened in the past. Our (re)actions involve relocating staff to a new building, switching to backup facilities, recruiting to replace the people we tragically lost and making claims against our insurance policy.
- Active: the building is on fire! We set off alarms, the sprinklers start working, we evacuate the people and get the fire brigade to fight the fire! There is no time to waste because what we do now is all important.
- Proactive: this is real risk management, in the sense that the risk exists but the adverse impact is still only a future possibility. Our approach is to think ahead, doing such things as ensuring non-flammable materials are used in constructing the building, appointing fire wardens and drilling staff on evacuation, taking out insurance cover and putting plans in place for how the business recovers should the worst happen.
These ideas can get confused, because what we do proactively may involve preparing ourselves both for what we will do in the event of a fire (how we act at that specific point in time) and for dealing with the after-effects. Though both are preparation of a sort, the goals are different. The fire drill trains our staff about how to evacuate. Sprinklers will not put out a fire if they were never installed. These proactive steps lead to a better response when a fire occurs, limiting the damage done. In contrast, to claim on insurance we first need to take out a policy, and to recover data from remote storage first requires that backups be stored remotely. These proactive steps enable a better response after the fire has run its course. However, we can do more to manage the risk of fire than improving our response to fires when they occur. One fundamental of risk management is that we can reduce a risk by reducing the impact of an event when it takes place, or by reducing the probability of the event taking place. Reducing the probability of the event is also proactive, but the emphasis is on prevention rather than cure, meaning the undesirable event is less likely or impossible. Returning to our example of a fire, this kind of proactivity is exemplified by using less flammable materials or by enforcing policies that make it less likely that staff will start fires.
Whilst it may never be possible to eliminate the risk of fire, sometimes we can make decisions that make a risk impossible. To take the example of the Fukushima nuclear disaster, for all the steps taken to prevent it, some risk would always remain. Germany’s decision to abandon the nuclear option goes one step further, as alternative sources of energy will never have the same risks (though they may introduce others).
It is also worth bearing in mind that we do not need to choose an either-or approach to risk mitigation. For many risks, and certainly the most severe risks, we should be reducing risk through reactive, active and proactive steps. Being reactive is not wrong per se. Whilst none of us want to work in a dangerous building, it still makes sense to take out insurance even after taking every other step to reduce the likelihood of a fire and reduce the damage caused when a fire does occur. That said, the TMF’s analysis of revenue assurance into the proactive, active and reactive gives rise to two options for moving away from a purely reactive mode.
- Shifting the emphasis from reactive to active: In short, this means reducing the delay between a problem beginning and our response to it. Using the metaphor of a fire, reducing reliance on a reactive response by being more active would include activities like installing a sprinkler system to fight a fire from the moment it begins, instead of only relying on calling the fire brigade and waiting for them to arrive and fight the fire. In the language of risk management, the impact is reduced because the mitigating response is more timely.
- Shifting the emphasis from reactive to proactive: This means taking preventative measures, so there are fewer problems. From our metaphor of a fire, this would involve identifying and eliminating fire hazards. In the language of risk management, there is no change to the impact, because the focus is on lowering the probability of the undesirable event.
Whilst I like Marks’ explanation of the need for daily risk management, he could have gone further by highlighting how these two options come up every day. We can monitor aspects of performance every day, and seek to identify ‘hotspots’ before they turn into metaphorical fires. Much of the near real-time data analysis done by revenue assurance falls into this category, but it can also apply to monitoring many other aspects of operational performance, such as understanding the load on the network, or keeping a close eye on the service levels of key suppliers. In addition, decisions are made every day that may introduce new risks, or conversely may prevent them. Those employed to manage risk try to get themselves into the information loop, so they can play a part when those decisions get made. For the big decisions, which will take a while to be made, the periodic approach may be rapid enough to ensure risks are properly calculated and understood. Or it may not be: a quarterly approach to managing risk registers will not influence, say, the decision to launch a new promotional tariff if that decision can be made and executed within a month. For other, smaller, decisions, the periodic approach will never be quick enough. When a member of staff decides to let a stranger through the security gates, or if a contract is signed without a proper review, a periodic cycle of risk review will never be sufficient. In these latter cases, the emphasis must be on instilling a culture where the diffuse responsibility of risk management is understood and acted upon by everybody in the business.
It feels like it took a lot of words to spell out these basics of making risk-relevant decisions on a daily basis. There would be many a CxO who would have stopped reading by now. However, clarity about choices leads to better risk management. We need to work towards making it second nature to analyse risk-related decisions in terms of the proactive, active and reactive, where the options to reduce likelihood and reduce impact are all understood. Only then will risk management be successfully distributed throughout the business, and made part of everyone’s everyday routine.