CHAPTER 5

Are Risk Frameworks Evil?

There is a wide variety of books, seminars, and consultants who stress that if the proper framework for risk management is developed, then the rest of the task of creating an effective risk management function will fall into place. I am not one of those consultants, and this is not one of those risk books. After the twin evils of regulation for the sake of appearing to do something, and the overmathematization of risk management based on the false belief that risk is complicated, I believe that risk frameworks are one of the worst things to happen to risk management. Instead of promoting a specific risk framework, or even risk frameworks in general, this chapter puts forward and defends the bold argument that risk frameworks are evil!

Frameworks are ideal for houses and other structures where stability and inflexibility are needed, but risk management is not one of those structures. By its nature, risk management needs to be flexible and adaptable. While conceptually risk frameworks are good, the reality is that they are almost always taken far too seriously (almost religiously) by organizations, and what is left is a rigid shell that is best left for other, yet unknown purposes.

As discussed in the previous chapter, What Causes Risk, risk is fundamentally caused by people and complexity. The rest of risk management is relatively straightforward. People and complexity, however, do not fit well into frameworks, at least not the creative entrepreneurial types who are so key to success in this age of knowledge-based organizations. Frameworks are far better suited to simple or complicated systems than to complex ones. In an earlier time and place, when a human operating the machine was the basis of competitive advantage, rigid frameworks for both operations and risk management had a definite role to play. Whether we like it or not, though, those days have either long passed or are on their way out the door, so some new thinking is needed.

Two Popular Frameworks

The two main risk frameworks utilized by organizations are the Committee of Sponsoring Organizations of the Treadway Commission (more commonly known as COSO)1 and the International Organization for Standardization’s ISO 31000.2 Both frameworks share a lot in common, although they use somewhat different structures and their language is somewhat different. The common elements begin by acknowledging that the objective of risk management must be clearly articulated. Other common elements include risk identification, risk assessment, risk monitoring and communication, and importantly, the realization that risk management is an ongoing and continuous process.

Both the COSO and ISO frameworks, as well as the various frameworks put forward by the various consultants engaged in risk management, have attractive features. For organizations that are new to risk management, they provide a quick-start method. They also get a robust discussion started on risk management. Indeed, they are likely to start a more thorough discussion on risk management than many organizations may be ready for. The thoroughness of the frameworks is likely to scare, or even shock, organizations into action as an organization compares what it is doing in risk management with the comprehensive frameworks that exist.

Both the COSO and ISO 31000 frameworks have been designed by committees. We are all aware of the organizational jokes about the effectiveness of committees (e.g., a camel looks like a horse designed by a committee). They are frameworks that have been designed to be as widely applicable as possible, but risk is almost always specific to a given organization and to the uniqueness of an organization’s culture. It frequently becomes more work to adapt a given risk framework to an organization than it would be to develop a unique framework from scratch, tailored for the organization. My experience has been that adopting an existing framework for an organization is akin to adapting a square peg for a round hole.

When an organization first adopts a risk framework, it is undoubtedly a positive for risk management. Just as a house needs a good framework, some form of structure for risk management is generally good. However, the construction of a house does not stop with the framework. Also, one does not generally define their house by its framework. A framework is not what changes a house into a home—to adopt a common phrase for a new use. A home is defined by its decorating and the people who live within its walls that hide the framework. A home is even better defined by the memories, both good and bad, that occurred while the occupants lived there. Likewise, the risk framework in an organization should be similarly hidden. What should define risk management is the culture of the people in the organization and the intuitive wisdom—both good and bad—that they have built up through their collective experiences.

A central issue is that a risk framework can very quickly become the risk management of an organization, with little in the way of compromises to account for the distinctiveness of the adopting organization and its culture. It is the equivalent of the framing of a house becoming the house. That of course would be silly. Thus, while risk frameworks help to start defining the risk management function, one has to quickly ask whether the risk frameworks are better for the organizations that they are supposed to help or for the consulting organizations.

Risk frameworks by their nature stifle many of the appropriate risk activities while encouraging many negative activities. Risk frameworks stifle creativity, independent thinking, value differentiation, responsibility, timeliness, opportunities, black swans, and the use of risk management as a strategic tool for competitive advantage. Additionally, risk frameworks encourage laziness, box-ticking, bureaucracy, costs, inefficiency, hopelessness, confusion between auditing and risk management, and finally, act as a catalyst for risk homeostasis.

If this is true, then why have risk frameworks become so popular for risk management? In my opinion, risk frameworks have become popular for two reasons; they give the appearance of doing something concrete, and they allow consultants to firmly embed themselves within a client in order to secure longer consulting contracts, and thus, larger consulting fees.

Risk frameworks outline a process that provides an organization a false level of comfort that they are doing something concrete about risk management. They allow for the quick and easy development of lots of charts, flow diagrams, and progress reports. These elements, in turn, give a level of comfort to senior management, the board, and regulators that the firm is actively doing stuff. It also lends credibility to the risk management department, as they can show lots of impressive-looking diagrams and schematics. Perhaps the greatest application of this is for consultants, who can show a comprehensive framework that impresses clients and potential clients that they, the consultants, truly have the key for completely solving an organization’s risk management issues.

As will be discussed more fully later in this chapter, risk frameworks enable and encourage bureaucracy. Thus, risk frameworks are a wonderful tool for consultants to use to increase their billable hours. The more comprehensive and the more integrated the framework, the more necessary it is to have consultants manage it. Also, each consultant organization has their proprietary framework, which binds it to an organization. It is kind of like buying a specific brand of shaver—once you buy a shaver, you are more or less committed to using that brand of razor for a significant period of time, and thus, repeatedly buying replacement blades from that same brand. Adopting a consulting firm’s “proprietary” framework also implies you will be stuck with that consulting firm for a while, as the entire organization will likely let out a collective groan at the thought of switching to a new consulting firm’s “proprietary” framework.

Risk frameworks do have their place in an organization’s risk toolbox. However, it is important that an organization thinks carefully about the pros and cons of adopting a specific framework, and how they plan on using a framework. Very quickly, frameworks tend to become risk management, rather than a guide for risk management. In other words, people manage to the framework, rather than manage risk—two very different things. Risk frameworks can very quickly turn from something that is useful to something that is evil. Frameworks have risk elements that they stifle and elements that they enable. It is critical that a firm becomes aware of these elements.

Stifling Abilities of Frameworks

The first thing that risk frameworks stifle is creativity. Creativity is absolutely key for effective risk management. I claim that the mere fact that you acknowledge that a risk exists automatically increases the probability and magnitude of it occurring if it is a good risk, while it also simultaneously decreases the probability and severity of it occurring if it is a bad risk. Being creative helps the risk management team and the organization to see risks—both good and bad—while there is still time to manage them.

Risk management frameworks are great at cataloguing existing risks and historical risks, but by their nature, they are very poor at creatively seeing new risks on the horizon. Risk frameworks tend to be comprehensive. This is a plus for an organization brand-new to risk management. However, it tends to be an even bigger plus for the risk management organizations that provide an army of consultants to implement and maintain the framework.

The fact that the frameworks are so comprehensive is very much a two-edged sword. The extensive development of the frameworks means that a lot of experience has gone into their creation. This helps an organization uncover risks and elements of risks that they likely would have overlooked. But the other side of the sword is that the comprehensiveness can easily overwhelm an organization. The second drawback is, with comprehensiveness, comes a complacency that everything has already been incorporated into the framework. The forest often gets lost for the trees in the effort to be true to the comprehensiveness of the framework.

Sometimes, the best way to generate creativity is to start with a blank sheet of paper. An existing framework is anything but a blank sheet of paper. Too conveniently, it has a label and a place for seemingly everything, and it is all too easy to quickly develop faith that the framework will cover everything that needs to be covered. This feeling of more than adequate coverage quashes the questions that lead to creativity.

In high school, I worked for a well-known sales organization selling vacuum cleaners. It was to earn extra money for all those things that a young person thinks they need while going through high school. Before setting out on our nightly sales calls, there would be an office meeting, basically a sales pep rally. One night, relatively soon after I started working, one of the newer sales agents queried whether or not there might be a better way to conduct operations. I remember the office manager walking over to the eager, but unsuspecting, newbie and letting loose with a tirade about how the company had been in business for decades and what in blazes could this relatively inexperienced sales agent possibly know that the company had not already thought of. The newbie left the company that night in tears, and I considered the statement “what makes you think you are smarter than the organization?” to be one of the dumbest management sayings ever. I quit two nights later, and a couple of months later, the organization went bankrupt.

A comprehensive framework makes everyone think they are “dumber than the framework,” which is false, demoralizing, stupid, and obnoxious.

A comprehensive framework creates the illusion that everything is covered. However, there is value in feeling exposed. A feeling of exposure creates a valuable paranoia. Intel CEO Andy Grove famously said that only the paranoid survive, and it is likely that he is correct in thinking so. When one is paranoid and feeling exposed, it leads one to be more aware. It leads one to either find ways to eliminate the exposure or exploit the exposure. These are instincts that should not be stifled.

Related to stifling creativity, risk frameworks stifle thinking. Having an established framework firstly means that one does not have to think hard about how to create it. In fact, the realization that a framework already exists means one does not need to think at all in order to create it or to maintain it. While it is obviously convenient and a real time and energy saver, not having done the hard work of designing a risk framework means that one likely does not know both the strengths and weaknesses of the framework.

It is simply too easy to accept a new framework without thinking. Sure, there is likely to be pushback at inception, as various groups with special interests in the status quo will attack the framework, pointing out its weaknesses and inconsistencies. Likely almost everyone in the organization will take a shot at knocking down the proposed framework, but will ultimately accept it, as intuitively they know it is much easier to criticize than it is to create a better solution—although many likely better ideas exist.

Without the hard thinking in creating a framework, there will also not be the same level of ownership. This is particularly so if a consulting team is engaged to implement the framework. In such cases, the “intelligence” of the framework will be seen to exist with the consultants, and not the organization. There will be a lack of internal ownership. This has implications not only for ownership, but also for future adaptation. Who wants to fix another’s mistakes? If the risk management function is built internally, then the intellectual energy that created it will also have a vested interest in maintaining it and keeping it current. Engaged thinking minds are always a good thing.

Perhaps, the biggest lack of thinking about risk is that there is the potential for risk management to become management to the framework. A framework does not think. A framework does not adapt. A framework is static, and not dynamic. Management to such a framework is, thus, anything but effective risk management.

No matter how good a risk framework is, there will be problems. No risk framework can pick up and help to exploit every type of opportunity, and likewise, there will be mistakes. With a standard framework, however, there is no ownership of the framework, and with no ownership, there is no responsibility or accountability.

Risk frameworks create the illusion that risk management is the role and responsibility of the framework. If something goes wrong, it is the framework’s fault, and not the fault of the employee or the department or even the organization. The framework becomes a very easy and convenient scapegoat. This is not productive and will only cause problems down the road.

Using an existing risk management framework is akin to inviting all of your friends over for a summer barbeque and serving them fast food hamburgers. Simply put, there is an embarrassing lack of value differentiation, and the next time you throw a summertime party, it is likely that your friends will be “busy” with some other activity. Unless the risk framework allows the organization to differentiate its risk function, to show its creative abilities and how it can support, rather than hinder, the organization’s activities, the risk function will not be seen as a competitive value-adding function. A rigid risk framework stifles out-of-the-box thinking, and thus destroys the potential for unique value-adding functionality. This is particularly true if one of the standard risk frameworks is utilized.

Risk management should be a strategic tool for competitive advantage. In turn, a competitive advantage needs to be dynamic, not static. Risk frameworks by comparison tend to become bureaucratic monstrosities that take a life of their own. Risk management becomes a function that is done for the sake of the risk framework, rather than a function for risk management and competitive advantage.

Perhaps most troubling is that risk frameworks stifle having a complexity mindset. By definition, frameworks are rigid. Complexity is anything but rigid. Frameworks encourage processes and categorization, while complexity and emergence defy replicating processes and categorization. Frameworks are constructed for a solve mentality, while complexity requires a manage, not solve, attitude. In essence, it is difficult to manage with a complexity mindset when the order and structure of a framework are being imposed.

Enabling Activities of Risk Frameworks

Risk frameworks are not only stifling, but they are also great enablers. To begin, risk frameworks enable laziness. One does not need to be engaged in thinking about risk if a comprehensive risk framework is in place, do they? As long as the framework is in place, all one feels that they need to do is follow the framework. This is an incredibly lazy way to engage in risk management. It also enables blind spots to risk to develop and grow. If one is following the framework, they feel safe, but no framework is comprehensive enough to cover all possible risks. It means that new or evolving risks are missed. Problems arise unnoticed, and opportunities are missed.

Related to laziness in risk thinking is the lack of accountability. With a prominent risk framework in place, if there is a problem in risk management, or a risk inefficiency, then everyone assumes it must be the problem of the framework. A strong risk framework can very quickly become an enabler for the shedding of accountability. Risk laziness and risk accountability are closely linked. If one believes that they play second fiddle to the risk framework, they are just going to follow the first fiddle—namely just follow the framework. In doing so, they automatically abdicate responsibility for risk, and with this abdication, it is extremely tempting to become lazy in one’s risk thinking, risk awareness, and risk creativity.

In a similar vein, risk frameworks are great enablers of risk management by box-ticking. Management to the framework almost always leads to managing to a process. The question of whether risk management should be process-based or judgment-based is covered in Chapter 7, but for now, it suffices to say that managing to a process implies that one is focusing more on complicated aspects of risk and misses those situations that are complex and require judgment. Additionally, the process becomes the end, rather than the means to an end.

Risk management by risk framework box-ticking leads to, perhaps, the two biggest enabling issues with risk frameworks; they encourage a focus on auditing, rather than risk management, and they encourage bureaucracy, rather than lean and mean efficiency.

In many organizations, auditing and risk management are synonymous. That is a mistake; a big mistake. Auditing is checking that boxes have been ticked. It is a form of quality control. It says nothing about whether or not the right boxes are being ticked, and it adds little to nothing about what the definition of quality is. Auditing is an important task, and a necessary task, but it is not risk management. For starters, auditing is a passive task, while risk management is an active task. Auditing focuses on what was, and to a lesser extent on what is, while risk management is focused on the future. Auditing records; risk management creates. Auditing and risk management are totally different tasks and require totally different mindsets. They should never be confused for each other, and they should never be commingled.

John Fraser, former Chief Risk Officer at Hydro One, is a risk manager who many (including me) consider to be the Warren Buffett of enterprise risk management; he is a true leader in the field, who thinks very clearly and intelligently about risk management issues. While at Hydro One, he was also the firm’s Chief Auditing Officer. When one went into Mr. Fraser’s office, one saw two caps prominently displayed: one labeled Chief Risk Officer, and one labeled Chief Auditing Officer. John Fraser had the two caps to remind himself that the two tasks are very different and that one looks ridiculous if one tries to wear the two hats at the same time. Confusing or commingling auditing and risk management implies that one neither understands nor appreciates the importance of either of the tasks.

Risk frameworks very quickly become “the process,” and a “process” quickly becomes a bureaucracy. Most of the popular risk frameworks were designed to be as general as possible and as widely applicable as possible. Thus, they tend to be much more cumbersome than necessary for most organizations. Add to that the fact already discussed that risk frameworks are ideal for creating long-lasting work for consultants, and one can see how risk frameworks become enablers of fat bureaucracies. Without any prioritization of parts of the framework, every part of the framework becomes mission-critical, which of course means that no part becomes mission-critical. What it does mean is that each part of the framework develops its own bureaucracy, which limits the integration that was one of the main points of having a framework in the first place.

One of the most popular frameworks, the COSO framework, has a “cube” as its structure.3 On the front face of the cube are eight elements that a company should undertake for risk management: (1) internal environment, (2) objective setting, (3) event identification, (4) risk assessment, (5) risk response, (6) control activities, (7) information and communication, and (8) monitoring. Along the top face of the cube are four functions across which an organization should conduct the eight elements. They are: (1) strategic, (2) operations, (3) reporting, and (4) compliance. Finally, on the side face of the cube are four levels of the organization at which the elements for each of the functions must be conducted. These four levels are: (1) subsidiary, (2) business unit, (3) division, and (4) entity level. In total, there are 128 “boxes” (8 × 4 × 4) that make up the “cube.” It quickly becomes obvious how such a framework becomes a bloated bureaucracy that can easily take on a life of its own.

My first exposure to the COSO cube was at a workshop conducted by a consulting group. The four-day workshop consisted of the facilitator giving a detailed analysis of each of the 128 boxes and a laundry list of details to be managed for each box. Seminar participants debated the nuances of managing one box versus another box. It was completely nauseating. No wonder organizations outsource their risk management to consultants!

While risk management needs to be thorough, it also needs to be practical. If something is so comprehensive and energy-consuming in its application that it sucks the life out of the rest of the organization, then it is obvious that it is overkill.

I believe that risk management is most effective when it has structure for the simple and complicated parts, and for everything else, very limited structure to enable the flexibility needed for dealing with complexity. I also believe that risk management should be as lean as possible. Leanness implies that everyone is responsible for risk. If the risk function is seen as a fully staffed and resourced standalone bureaucracy, then there is a high likelihood that risk management becomes an end in itself, and not a means for organizational success. If everyone is aware that they need to be managing risk because there is no special unit focused on it, then the overall focus on risk becomes much greater. Risk frameworks, however, by their nature, discourage leanness and promote and enable bureaucracy.

Ultimately, a strong risk framework actually decreases the risk effectiveness of an organization. Effectively, risk frameworks bring on risk homeostasis, the topic of Chapter 9. In essence, risk homeostasis means that if the firm has a prominent risk framework in place, then it is counterintuitively likely to be worse off in its risk management.

Concluding Thoughts

Risk frameworks have their place. However, risk frameworks have aspects that stifle those characteristics that are inherent in good risk management and enable characteristics that are bad for effective risk management. Risk frameworks are like management by recipe. As discussed in Chapter 3, recipes and checklists are fine when issues are simple in nature, but by nature, most risks tend to be complex. Complexity demands a more enlightened manager than one who is simply following a recipe.

As an organization matures in its risk thinking and in its risk management, the need for a risk framework diminishes. Ideally, I believe that many organizations would be better served by striving to wean themselves off their risk framework and instead focusing on the development of a more dynamic, in-the-moment, frameworkless mode of managing risk. While being frameworkless might seem a bit more chaotic, it is likely to be much more effective and much more efficient for risk management.

Are risk frameworks evil? Conceptually, the answer is no. Frameworks are not inherently evil, but they have become that way as they stifle many of the characteristics of positive risk management and enable other characteristics of bad risk management. Too often, a great-sounding risk framework creates a risk mentality in an organization that makes it like the frog in water that is slowly heated. The frog never realizes it is being boiled to death, and likewise, an organization being taken over by a risk framework never realizes it is abandoning good risk management and replacing it with evil.


1 http://www.coso.org/.

2 http://www.iso.org/iso/home/standards/iso31000.htm.

3 http://www.coso.org/documents/coso_erm_executivesummary.pdf. As this chapter is being written, a new, more simplified COSO framework is being developed and discussed.
