I've been musing about the physical examinations, tests, audits and inspections that are common occurrences in our lives. We face them with trepidation, nervous anticipation and sometimes dread. I still remember the nightmares of entering a History examination without having attended one lecture or read one book. We usually prepare for these interrogations with frenzied activity. Remember all-nighters in the library, cramming for that exam. On my ship in the U.S. Navy, we spent days cleaning up files prior to administrative inspections, then lapsed into slothful ways as soon as the examining officers left. Each year, before my physical, I launch myself onto my ergometer, rowing extra miles and minutes, and, for a few meals, obey my wife's injunctions against fats, chocolate and other goodies. I want a clean bill of health and dread my doctor's arched eyebrows when he sees my belly. He punches, probes, questions my behavior and finally, almost reluctantly, gives me another ok. That wasn't the case last year, when he sent me on to a specialist, who confirmed evidence of early prostate cancer. All that led to surgery, recovery, and back to my rowing machine again this year in order to prove that I am again "perfect!"
This year's confirmation meant a post-examination orgy on turkey, stuffing, chocolate ice cream and chocolate sauce, undoing three weeks' efforts.
Annual audits, like annual physicals, are, regrettably, a necessary and important part of our lives. We need the therapy of the intelligent view of another professional, if only to persuade us to return temporarily to lapsed habits.
Organizational sloppiness, like inattention to your physical condition, can lead to life-threatening problems.
o Why crack down on the paper work, controls and procedures of that trader who made so much money in the past three years? All we'll do is discourage him and send him to a competitor.
o Our plant on the Mississippi River in Memphis is booming. Why worry about a possible New Madrid-fault earthquake? After all, the last big one occurred in 1811!
o With all of the stories on sexual harassment in the press in the past few years, everyone must be attuned to the problem. Let's cancel the next employee awareness seminar and save $20,000 in fees.
An annual physical, annoying as it may be, is indispensable.
Out of every hundred people
those who always know better:
fifty-two. . . . .
Wise in hindsight:
not many more
than wise in foresight.
Wislawa Szymborska, "A Word on Statistics," as re-printed in
Integrated Risk Assessment
Watch a player piano, its keys moving up and down with no visible evidence of control. Risks are like that. They don't appear to be connected, but, like piano keys controlled by an unseen paper roll, they produce music when coordinated, and cacophony when not. Striking a single key produces a single tone. Striking several blindly means dissonance. But striking a group of keys in a coordinated way produces a chord. This is the goal of managing organizational risk: creating harmony instead of atonality.
Several months ago I contacted risk managers in North America, Europe and Australia to ask about their progress in developing an integrated methodology for assessing all risks, for making the keys work together. Most organizations measure different risks using different tools. They use engineering estimates for property exposures, leading to MFLs (maximum foreseeable loss) and PMLs (probable maximum loss). Actuarial projections are employed for expected loss levels where sufficient loss data are available. Scenario analyses and Monte Carlo simulations are used when data are thin, especially to answer "how high is up?" questions. Probabilistic and quantitative risk assessments are used for toxicity estimates for drugs and chemicals, and to support public policy decisions. For political risks, managers rely on qualitative analyses of "experts." When it comes to financial risks (credit, currency, interest rate and market), we're inundated with Greek letters (betas, thetas, etc.) and complex econometric models that are comprehensible only to the initiated. The quantitative tools are often too abstract for laymen. The qualitative lack mathematical rigor. Like the player piano, we need a proper piano roll to produce music.
Organizations need a combination of both tools so that they can deliver sensible and practical assessments of their risks to their stakeholders: the Board (following the recommendations of the Cadbury, Dey and Treadway Committees), employees, customers, suppliers, regulators, investors, financial analysts, lenders, and, finally, the public and the communities where operations occur. Each stakeholder group has a different perspective on risks, possible outcomes, and desired responses. Each constituency requires a different description. Can we develop a common "language of risk" (see RMR, February 1995) that will enable us to communicate effectively with these various stakeholders?
My canvass of organizations covers less than twenty firms, but it indicates that real progress is being made in integrating risk assessments and developing coherent communications for stakeholders. I've focused on corporations, even though leadership in assessments also comes from consultancies, such as Arthur D. Little, Towers Perrin ("enterprise risk management"), Arthur Andersen ("integrated risk management"), Andersen Consulting, Aon Risk Services, Willis Corroon, Coopers & Lybrand ("Generally Accepted Risk Principles"), Ernst & Young, Deloitte Touche (also "enterprise risk management"), KPMG Peat Marwick, Boston Consulting Group, Stern Stewart ("Economic Value Added") and Goldman Sachs. American, Canadian and UK accounting associations are developing analytical procedures. The Australasian and Canadian risk management standards outline holistic assessment techniques, and OECD is developing a generic approach to risk assessment, beginning with environmental and chemical accident events.
Separating risk into compartments no longer makes sense. We need to address the total uncertainty facing an organization, at any instant, and how risks correlate, before we take responsible action.
I see nine common elements in the work being undertaken by leaders in integrated risk assessment.
1. Incorporate all forms of risk. The ultimate goal is creation of a single overall picture of uncertainty facing an organization. How do we describe and define it? Last month, I printed a graphic called the "Risk Spectrum" that identifies "global risks" and four types of "organizational" risks: financial/market, political/regulatory, legal liability and operational. Many financial organizations use similar descriptors. Freddie Mac, in McLean, Virginia, integrates "market, credit, legal, and operational" risks. Canada Trust calls them "market, credit or customer, pricing leverage, and operational." It also explicitly acknowledges that "all risks are interrelated." Bankers Trust uses "market, credit, funding/liquidity, and business operational." The term "operational" is gaining advocates, based in part on its use by the Basle Committee on Banking Supervision (see RMR, July 1997). While financial institutions lead the wholly integrated analysis movement, others, such as energy and petro-chemical companies, are beginning their efforts. Bill Chan, at Petro-Canada, advocates "cracking the easy nuts first," dealing with data that are easily available and quantifiable, before moving on to the more qualitative risks. Canada's NOVA Corporation started an "IRAP" (Integrated Risk Assessment Project) covering what it calls "SHER" (safety, health, environmental and risk management) and will move later to incorporate currency, commodity and interest rate uncertainties. Pulling together all risks is difficult but necessary.
2. Include all elements of risk. While the focus remains on the traditional elements of potential frequency and potential severity (consequence) of an event, some companies are beginning to incorporate other factors such as its timing, the public's changing (and often fickle) perception of and response to it, the correlation of the possibility of an event occurring with others, and the confidence in the estimates. The latter are difficult to quantify, when they change from day to day. Some models acknowledge the other face of risk, "reward," as well as the more common "harm."
3. Board and senior management support. No risk assessment can be effective without the requirement of the Board for a periodic report and without the strong encouragement of senior management. The mandates of the Cadbury (UK) and Dey (Canada) Committees, the Treadway Commission (US), the new Canadian and Australasian "Standards," and the growing interest in the risk analysis of governmental regulations in the US contribute to this understanding and encouragement. Success requires these twin supports.
4. Risk assessment needs a "champion." As with any departure from conventional practice, integrated risk assessment requires a dedicated individual with the vision and the diplomatic skills to forge a new approach. In some financial institutions, this person becomes the "Chief Risk Officer." James Lam, in Boston's Fidelity Management and Murray Corlett, in Toronto's Royal Bank Financial Group, are two of this new breed, reporting directly to their CEOs. In other organizations the CEO actually becomes the "CRO." Successful leadership efforts require collegiality. Many organizations form "risk groups" to oversee the initial assessment effort and to continue work as operating committees. Canada Trust has a centralized "Risk Management Group" that includes a "Risk Integration Management Committee" and encompasses the Treasury, Entity Risk Management and Credit Risk Departments. In the United Kingdom, Diageo (formerly Guinness and Grand Met) uses a "Group Risk Advisory Committee," chaired by the Finance Director (also a Board member), whose participants include representatives from the main businesses, the Treasury and Risk Management Director, the Head of Risk Management, the Head of Risk Analysis, and the Director of the Division of External Affairs, for crisis management. Risk assessment is a multi-disciplinary effort.
5. Clear and measurable goals. Understanding uncertainty isn't enough. The process must deliver tangible results to critical stakeholders. The goal is a balance that produces the optimal blend of rewards and losses. Swiss Bank Corporation terms it "optimization not minimization." At Freddie Mac, understanding these issues and their interrelationships means that a new culture of risk awareness occurs, leading to better decisions by all employees. Canada Trust sees the process producing competitive advantage. So does Microsoft. Accountability is also a common theme: understanding risk means acceptance of ownership by business units and responsibility to balance it intelligently.
6. Assessments begin at the bottom. This theme occurs in almost all projects that I've seen. It echoes the suggestions of earlier authors (see Vernon Grose's Managing Risk: Systematic Loss Prevention for Executives and Peter Schwartz's The Art of the Long View) for the construction of business-based scenario analyses. Operating people know their own risks best. Lloyds-TSB and NatWest banks in London use the CRSA tool (Control Risk Self-Assessment). LVMH, in France, schedules two-hour assessment sessions for operating units, using cross-functional analyses, a moderator, and a "facilitator," who completes a written report within 24 hours. The cost of the "facilitator" is covered by its captive insurance company, an interesting twist. At LVMH and other organizations, these initial assessments are reviewed by expert and specialist teams, after which a "Risk File" is created and maintained for each business unit. The "bottom-up" approach means a greater chance that operating staff will accept ownership of their risks and take action on them. Mike Oswald, of Australia's Context Risk Management, recommends that business units be assigned responsibility for managing risks within their capabilities. Some situations may require a more sophisticated and centralized response, especially for possible "catastrophes." "Extreme value theory" says that the infrequent and potentially catastrophic event requires a different control response.
7. Collect data and construct models. A successful risk assessment effort depends on accurate information fed into econometric models that provide guidance for decision-making. Freddie Mac constructs "Risk Inventories" for its units, incorporating key questions, indicators of performance, goals, and a simple "scoring" table. Canada Trust relies on mapping that shows sources, loss drivers, exposures, and loss events, leading to final combined probability distributions of credit, market and operating risks for an "enterprise risk profile." NatWest uses a model called GRAPE (General Risk Analysis Profiling and Evaluation) and RATE, a new pilot from the Bank of England. US and Canadian companies use the COSO (Committee of Sponsoring Organizations) and COCO (Criteria on Control Committee) processes developed by the accounting profession. J. P. Morgan has developed some of the most sophisticated financial risk econometric models, such as RiskMetrics and CreditMetrics. The single, overall, model that describes all risks remains elusive, although we may see a breakthrough in the next three years.
We have two problems. First, no model is any better than its input (data and critical assumptions). To compensate for the possibility that operating staff may fail to report critically important data, Paul Dorey, of Barclays Bank, suggests that otherwise embarrassing events should be labeled not "mistakes" but "process improvement opportunities." Second, if laymen can't understand the model, then we face the greater chance that it will be interpreted only by the "experts," putting decisions squarely in the wrong hands. That's an abrogation of senior management and Board responsibility.
8. Communicate risk assessments. Assessments are not and should not be "black boxes" for the sole enlightenment of the cognoscenti. If we are to build a culture of awareness and responsibility, the results require simplicity. Mike Oswald calls for a "consistent matrix to quantify risk, using a log scale, but simple." Cynthia Smith at Freddie Mac gives each unit a simplified "Risk Report Card." Queensland Industrial Development Corporation uses "riskmaps" developed by Mike Oswald. Tillinghast-Towers Perrin constructs three-dimensional "riskscapes." Graphics are useful communication devices for showing the multiple levels of these assessments. Others compare all units within an organization using risk/reward ratios, and build benchmarks to outside organizations with whom they share data. Morgan's "FourFifteen" report may be a precursor to daily reports of an overall position to senior management. Data and assessments are now placed on line, on company intranets, allowing instant updating and access. Confidentiality, however, remains a concern, especially for those organizations that believe that sophisticated risk assessment is a competitive advantage.
9. Apply risk assessment knowledge. At the end of every assessment project lies the goal: application of what we have learned, not to eliminate risk, but to balance it responsibly, within the established constraints of societal and stakeholder interests.
The process of integrated risk assessment continues to grow, as firms experiment with new approaches. I expect some exciting conclusions and new techniques in the next three to five years.
There is a history in all men's lives
Figuring the natures of the times deceased;
The which observed, a man may prophesy,
With a near aim, of the main chance of things
As yet not come to life.
William Shakespeare, King Henry IV, Part II, Act 3, Scene I
Past and Future
One of the delights of writing in RMR is the steady counterpoint of comment from my readers. I present two sets of reflections this month.
The first is from that octogenarian in body but not mind, Douglas Barlow, in Toronto. Douglas, the creator of the "cost-of-risk" idea and a member of the new Risk Management Hall of Fame in London, sent me some observations on defining the discipline:
I was interested in the reference to your definition of risk management as a "discipline for living with uncertainty." I have always liked the phrase, for its epigrammatic elegance. There is a place for it in communication among initiates, but I also see a need, perhaps more pressing, for a definition in popular dictionaries, giving more information. . . .
I see that all management is risk management. It is an expression of an instinctive and constant drive for defense of an organism against the risks that are a part of the uncertainty of existence. I read an author's statement that the evolution of life forms in the Cambrian period (500 million years ago) "was an ever-escalating arms race, and new offenses followed new defenses." There, as I saw it, was primeval risk management: offensive and defensive efforts to guard and promote life. . . . So I concluded that risk management could reasonably be defined as a "disciplined response to risks, expressive of an innate pro-life drive."
Douglas went on: I see the rewards-harm gamut as a continuum in which the categorizing of the figure concerned, as "reward" or "harm," is determined by its measurement from the place at which you choose to put the datum or zero point. For example, the first five years of a new enterprise might describe dismaying harm, in terms of the actual loss figure, or vast potential profit, if measured by the long-term expectations of the enterprise-founder.
In other words, between reward (or gain) and harm (or loss) there is not a break in continuity reflecting a difference in kind. I would like to avoid the terms "reward," "gain," "harm," and "loss," because of their emotional charge, which proverbially may endanger accurate thinking. I have found no unemotional alternatives, but maybe it is enough that one recognizes the charge and thereby "grounds" it.
The second comment comes from Asia, or, as Steve Huntley calls it, the "Wild East." Responding to my article "Words, Words, Words" (February 1998), Steve writes:
I am insistent that risk is a phenomenon. We know it exists. Though it cannot be tasted or touched, its effects can be seen. I believe that risk should be described as: the possibility of an outcome different to the one expected. Such a definition does not tie itself down to only two outcomes (i.e. loss or no loss). There is the possibility of a positive one. Nor does it limit itself to one or the other of the environments in which it operates to the exclusion of others. Every part of a company's operations can be included in such a definition.
Too often authors try to define and interpret just the effects of risks rather than their parents. None of the publications you discussed, even those that tangentially touch the broader definition of risk, realise the opportunities presented by re-orienting our minds. . . . There is the possibility of developing tools of assessment that quantify the effects of risk according to the same empirical scale, irrespective of the arena in which it is used. All risks have common parents. Do you see the possibilities?
Yes, I do. Both experienced (I dare not say "old"!) and younger observers, from Canada to Asia, are engaged in the same continuing effort to put our descriptive hands around this elusive idea. We search for the right words.
History is not Chronology, for that is left to lawyers, - nor is it Remembrance, for Remembrance belongs to the People. History can as little pretend to the Veracity of the one, as claim the Power of the Other, - her Practitioners, to survive, must soon learn the arts of the quidnunc, spy and Taproom Wit, - that there may ever continue more than one lifeline back into a Past we risk, every day, losing our forebears in forever, - not a Chain of single links, for one broken Link could lose us All, - rather a great disorderly Tangle of Lines, long and short, weak and strong, vanishing into the Mnemonick Deep, with only their Destination in common.
Thomas Pynchon, Mason & Dixon, Henry Holt and Company,
Copyright 1998, by H. Felix Kloman and Seawrack Press, Inc.