3
WHY Is Risk Management Important to Us?
Reasons Why Formal Risk Management Is Vital to Success
“I take smart risks! That’s why we are successful.” Dana P.
New parents quickly discover that their child masters a one-word sentence that tests the parents’ wisdom: “Why?” No matter what you tell a child under the age of three, the response you get is, “Why?” The question itself is forceful because you are challenged to come up with a reasonable answer (other than, “Because I said so!”), and doing this keeps your brain synapses functioning.
It was a 41° Celsius May morning when I next met with PJ Investment’s (PJI’s) management team. I knew the managers of PJI were eager for me to answer the HOW question: “How do we practise risk management?” However this does not logically follow the WHAT question. You must accept the two reasons why formal risk management is vital to your business’s success before you learn the process and tools.
Reason 1
You already understand a generic reason using the mental image of a pitfall and the analogy of Murphy’s Law, but to correctly implement this strategy for longevity in business, you need more context or grounding. Children are always asking “why” questions because they know nothing about life as you the adult know it. So they ask you to provide them with an understanding (context) of the crazy, dynamic world they are encountering. Because you know very little about enterprise risk management (ERM), you too need a deep understanding of this perilous world you work in.
Reason 2
In an ERM system, every workday, you send all your employees on a search and destroy mission. You will empower and make them responsible to seek, assess and then eradicate the risks they encounter as they do their job. As soon as you “volunteer” them for this important assignment, guess what you will hear?
Why do I have to?
If you lack a sufficient understanding of why this responsibility is in their job description, you will be tempted to respond, “Because I said so!” That comment will sound professional (sarcasm intentional).
Reasons to Care about Formal Risk Management
Murphy’s Law of Risk Expansion
Catastrophe is a risk that was ignored by everyone.
My next assignment for nine PJI managers was to lead a small group brainstorming session on reasons why the entire leadership team needed to care more about formal risk management.
Here is why you and other managers in your organisation need to be concerned about implementing a risk management programme:
Protecting your profits
Protecting your assets
Protecting your employees
Protecting your investors
Protecting your stakeholders (bankers, vendors, customers and so on)
Protecting your reputation or brand
Ensuring the longevity or future of your organisation
Avoiding taking a bad or costly risk
Not Just Risk Avoidance
Some managers believe that one way to manage risk is to avoid it. This is impossible because a business cannot avoid taking a risks. Life is full of risk. Owning, leading or managing a business means you face risk every day.
I continued the meeting with a story about another client, Dana, who swiftly went from success to near failure because of unforeseen risks.
It’s a Small (Appliance) World
Dana started her growing enterprise Smaller is Better 17 years ago and, until last year, was running a distribution business with $39m in turnover and employing 50 people. Dana describes herself this way: “I like to take risks, but I am smart about it. Before I make a critical decision I do research and ask other people’s opinion before acting.”
Space is precious in Japan, so many of the appliances in Japanese residences are smaller than those we see in American homes. Dana saw the possibility of importing these products. To get started she established a relationship with a major Japanese appliance manufacturer. Together they designed an American version of a few products and jointly recruited appliance retailers in seven western states. With Dana’s permission the manufacturer made similar arrangements with other distributors, so they had outlets all across the United States.
As she built her company, Dana would do exhaustive research for each new product idea. She then travelled to Asia to find a manufacturer who was willing to work with her to add a new line of small appliances for the fickle American market. With each product line she added she became less dependent on the original Japanese manufacturer. Yet up until one year ago 55% of Smaller and Better’s sales came from those products.
Last year Dana nearly lost her business because of some hidden pitfalls she never saw as she travelled the road to success. Despite hearing rumours that the giant discount retailer Walmart was attempting to make inroads with her Japanese manufacturer, Dana ignored them as idle gossip. Then on June 1 of last year, this supplier announced to Dana and the other distributors that carried the American products that they would be dropped from its supply chain. Walmart would be the supplier’s exclusive retailer and distributor. Dana and her management team were devastated and felt betrayed. They knew they would have to quickly replace the business, or the company would have to drastically downsize.
A few weeks later, after putting in an exhausting schedule of nonstop meetings, Dana collapsed in her office. After numerous tests Dana learned she had contacted a rare deadly virus localised to southern Japan, probably during one of her frequent visits there. She required an immediate liver transplant and surgery. Because few Westerners contracted the disease, her medical team could not estimate how quickly she could recover or even if she could.
Because the surgery was risky, and she would be in quarantine for several weeks before the surgery, Dana was urged to give someone in her company a power of attorney regarding key business decisions. Believing he would do right by her she assigned it to her younger brother, Perry, who worked for her as a senior product manager.
Unfortunately Dana did not know that Perry, jealous of her financial success, believed he could run the business better than her and believed the Walmart problem was her fault. During his first ten days as temporary CEO, he had constant arguments with her management team and ended up firing several of them for insubordination. Because of his meddling and micromanaging, several key employees resigned.
After ten days of quarantine and a successful surgery and transplant, Dana was told about this mess. Ignoring her doctors’ warning Dana left the hospital in an attempt to repair the damage and revoke the power of attorney. She fired Perry, who threatened to sue, and quickly rehired key employees who quit or were fired. She appointed a trustworthy warehouse manager to act as CEO until she was able to fulfil that role again. These two stressful events caused a severe relapse, leaving Dana bedridden for four months.
Back at work today Dana and her management team are tirelessly working to repair the damage and replace the lost sales. The survival of Smaller is Better is still in question but not as perilous as it was. During a coaching session Dana admitted to me with tears in her eyes, “I guess I really goofed up and turned a blind eye to things I took for granted. It was a mistake to ignore the warning signs about Walmart and Perry. My brother’s recklessness hurts far worse than the surgery. In your opinion what should I have done differently?”
I responded, “Dana you are a good risk manager because you only took on the appropriate amount of risk that you felt you could handle with the successful track you were on. There were other risks outside of your immediate vision. These areas probably contained warnings, but since every key decision requires your input, you lack the bandwidth to see them. You neglected to heed these truisms of successfully surviving risks.”
Third, Fourth, and Fifth Principles of Risk Management
When it comes to proper risk management, expect the best and plan for the worst.
Each risk usually provides indicators of its existence. If these go unnoticed their negative impact exponentially increases.
The more people who are involved in monitoring a risk, the less likely its impact will be detrimental.
As a leader and business professional, Dana did a proper job of expecting the best from her people and suppliers. She failed to realise that she needed to plan for the unexpected. She did not foresee that carrying the company on her back blinded her to a holistic view of risk.
Murphy’s Law of Risk Awareness
A neglected risk goes from bad to worse. An addressed risk goes from bad to terrible.
Why Peril Awareness Is a Group Effort
I asked the nine senior managers of JPI to join me at the front of the ballroom where I had placed nine flipcharts. As I handed each person a marker this was my instruction “In the next three minutes write down all the risks you faced on your trip from your home to this hotel.”
They each rapidly wrote while I timed them. As I expected no one got past seven items. A few had only two or three written. They listed
being involved in an accident (nine responses).
getting a speeding ticket (nine responses).
arriving late (nine responses).
running out of gas (four responses).
forgetting to bring a notebook (three responses).
getting lost (two responses).
being here too early (one response).
You all did a great job, but there are some perils you missed. What about the risk of
assuming you carpooled here, the designated driver failing to pick you up?
backing your car over a toy left in the driveway?
hitting a pedestrian with your car?
having a heart attack or epileptic fit while driving?
having your car stolen from this parking lot?
your engine overheating or failing?
forgetting your cell phone?
spilling hot coffee on your lap while driving?
getting a flat tire and not having a spare?
experiencing mechanical difficulties?
having your insurance cancelled today?
failing to kiss your spouse or children goodbye?
getting carjacked?
being kidnapped?
finding out too late that this meeting was moved to another site, and you are not informed?
While going through my list I read their faces. Some rolled their eyes, and others giggled as my risks got a little more ridiculous. Kerry, a general manager, couldn’t take it any longer. “Mr. Rael, some of those aren’t risks. Why would someone want to take my car on the freeway, and why would I even consider driving without insurance? I fail to see your point.”
My point was that risks exist that you may not be aware of or that seem improbable from your point of view.
“You all listed only the low-hanging fruit or most obvious perils. Yet each of mine is an actual risk you faced. Each one has its own probability and surrounding assumptions. For example, if you were a billionaire, your risk of getting kidnapped is higher than someone in your income bracket. The risk of your insurance being cancelled is very low, assuming you pay your premiums on time. A risk of going to the wrong location depends upon whether or not you are in the communication link. So each risk has a degree, a probability and a context for it, but you cannot exclude or ignore them, even when they do not appear on your leadership radar.
“As senior leaders, you generally have a focus. Tracy looks at risk through the CFO’s point of view. Kerry, you look at risk through a business unit perspective. Shauna, as human resource director, sees risk through the employee context.
“There is an infinitesimal number of risks that PJI faces, but you might miss them because of your singular or limited focus. Consider the PJI employee who, because of their specific job, will only perceive what might be risky through that window. Kerry, what happens if all of you combined fail to pay attention to costly risk?”
He responded, “We would look like we were clueless.”
“Do any of you sometimes feel clueless or out of the loop when it comes to executive decisions made by Justin or Paul?” Several of them nodded their heads. “Please don’t take my question as a criticism,” I said, noting that Paul was about to object. “In risk management, synergy, cooperation and interdependence are vital to the success of the programme.”
I turned towards Justin and inquired, “Justin are these traits—synergy, cooperation and interdependence—something you want from this team?” I pointed to the nine people standing by the flipcharts.
“Yes,” he responded.
I continued.“Therefore managing risk is an important management responsibility. Do you agree Justin?”
Pausing to consider this, he replied, “Yes, I see that it is.”
Why Risk Management Is a Leadership Responsibility
Assume I gave you the custody of my very precious 6-year old granddaughter to watch over while I was out of the country for an emergency. In asking you to do this favour, I take a major risk and assume several things, such as
you are trustworthy.
you will know how to protect my granddaughter while she is in your care.
you have adequate protection measures (a secure house, the wherewithal to watch her and meet her needs, and so on).
you won’t take advantage of her or me.
When you run or manage an organisation, those who place their trust in you—employees, investors, lenders, creditors and customers—have similar assumptions about you. They believe and demand assurances that you and your fellow managers
are trustworthy.
will know how to protect and look out for their interests.
will have adequate protection measures.
will not take advantage of them.
For these reasons, especially the third, you are obligated as the leader and manager to protect yourself and others from the repercussions of unwanted, unwarranted or unforeseen risks. Because of these next items your obligation does not stop there. As a manager your responsibility is to protect and foster the growth of your organisation. The following are areas where a formal risk management programme will support your obligations as a leader.
Desire for Innovation and Creativity
Organisations undertake four sources of risks when they believe themselves to be innovative and desire a culture where employees think for themselves. In an organisation that desires innovation and creativity, the four sources of innovation risk are as follows:
Your strategy risk. This requires clear direction setting and involvement to help your entire organisation know where you are going and the ability to measure your progress.
Out of the loop risk. This is the fear that you fail to be in touch with your customer’s needs and demands. To lessen the risk you must stay in constant contact with past and present customers.
Your capability risk. This is a fear that you will not be able to execute your carefully designed plans and use the innovation to generate income. Mitigating this risk requires an independent evaluation of your plans before they are implemented.
Unclear expectations risk. All too often senior leader’s expectations for new products or services go largely unspoken. They are in someone’s mind but frequently not communicated well enough to others. Most importantly of all, there is no way to measure innovation and creativity. Managing this risk requires the need to develop and explicitly publish agreed-upon expectations for all your innovations.
Defining your innovation risks up front will allow you to take the critical first step towards successfully managing them.
Need for Fraud Prevention and Detection or Proper Governance
Almost every business leader believes that only people with high ethical standards work for them, yet the latest research shows that 30% of today’s workers are always looking for ways to steal from their employers, and another 30% will steal if given the opportunity. Fraud is most likely to occur when an employee serves as the sole contact with a particular vendor or when one person performs several incompatible functions. Once fraud schemes begin they are hard to detect and even harder to stop.
Detecting fraud is difficult even for professional investigators. Your best option is to mostly concentrate on prevention. Therefore having a risk management structure in place forces you and other leaders to seek out areas that are at risk and areas vulnerable to fraudulent activity. Then threats easily will be uncovered.
Need Adequate Checks and Balances
A comprehensive system of controls will not prevent fraud, but one will increase the likelihood of both the deterrence and detection of fraudulent activities.
If someone is trying to cheat you, there is clear evidence of fraud right in front of you, but you need to know where to look. In managing your perils, awareness begins in simple actions that are powerful internal controls, such as
analysing patterns.
looking for photocopied or altered forms.
analysing credit invoices for excessive activity or unusual patterns.
checking that the vendor was properly approved.
looking for complaints from outsiders and employees.
conducting address checks and site visits more often.
Desire to Maximise Profits
Firmwide risk management allows you to examine all the risks that you potentially face, allows you to measure the impact of those risks on the organisation and helps you identify appropriate steps to manage or mitigate those risks. The range of risks that businesses face includes hazard risks, such as property damage and theft; financial risks, such as interest rate and foreign currency exchange; operational risks, such as supply chain problems or cost mismanagement; and strategic risks, such as misaligned products or overly aggressive strategies. The key to your programme is to address all those risks in an integrated fashion because each challenge can cause profits to disappear
One reason that an ERM programme protects profits is due to the process of identifying, quantifying, and prioritising risks, making them more real and visible to leaders who normally fail to give risk management the attention it deserves. Another reason is that a firm-wide awareness requires a holistic approach to risk management beyond the traditional parameters of things that are insurable. This cultural discipline greatly expands your company’s definition of risk to include anything that threatens its continuity. A company-wide approach helps you to sort risks into those that can help the company grow and those that will only lead to loss. In the rush of every growing competition, sometimes this differentiation is not easy to spot.
Need for Good Stewardship of Corporate Assets
When I put my granddaughter in your care, I believed you would know how to practise good stewardship and that you would treat my very precious darling as if she were your own child by taking special care of her and her welfare.
Whether you own or manage a company or serve on an organisation’s leadership team, you are watching over and protecting a wide spectrum of assets. Proper formal risk management is simply living up to your stewardship obligation.
Stewardship entails the act of serving as a guardian, protector or person legally responsible for someone’s entrusted assets or affairs.
Ten Ways ERM Can Make an Impact
Notice how this list mirrors the reasons why you and others need to care about risk management. When you invest in a structured firmwide risk management programme, you will automatically enhance
governance and leadership over the entire entity.
sustainability or continuance into the future.
the firm’s mission or purpose.
shareholders’ investment in you.
the trust that various stakeholders place in you.
financial operations or check and balances known as internal controls.
your firm’s reputation and brand.
the ability to simultaneously stay focused and be flexible.
the bottom line, however your organisation defines that.
firm integrity.
Murphy’s Law of Opportunity Impact
Just as you expect the unexpected, everything turns upside down.
Onward
To sum up the day this is what I shared with PJI’s leaders:
“Global perils can come from any place within your business model, your strategy or your marketplace. Each one can deeply affect this firm’s
profits.
creativity.
continuity.
brand or reputation.
leadership team’s integrity.
employees’ ethical conduct.
internal capabilities.
goal execution and completion.
“This is why the firmwide plan for anticipating and dealing with suspected perils must become part of your everyday managing and leading.
“I know you are anxious to get to the HOW of risk management. In order to prepare you, this is your assignment. You must spend time over the next two days listing all the potential risks that this company or your department faces. After your own list is complete, sit down with at least two non-management employees, and ask them to describe specific risks or obstacles that they experience within the scope of their job. Please go deep and wide just as we did on the exercise regarding your risks of arriving here today. List each and every one no matter how ridiculous or far-fetched the risk or obstacle might be. I will award a prize to the person with the longest list of possible risks.
“The rest of our meetings will be devoted to the process of managing risk.”
I closed the session by sharing another favourite quotation because it also summed up the day.
“Risk varies inversely with knowledge.” Irving Fisher
Your Action Plan
Step One
Spend time over the week listing all the potential risks that your organisation, business unit or department faces.
Step Two
After your own list is complete, sit down with at least several non-management employees, and ask them to describe specific risks or obstacles that they see within the scope of their job. Please go deep and wide, meaning look beyond the obvious big risks.
List each and every one no matter how ridiculous or far-fetched the risk or obstacle.
Step Three
Cite at least five specific and personal reasons why you and other managers in your organisation need to be very concerned about implementing a risk management programme.