Risk Management Reports

September 2001
Volume 28, Number 8

"How to Manage Risk"

For the past six years, Iíve included John Adamsí inspiring book, Risk (University College London Press, 1995), in my list of essential volumes for practicing risk managers (see RMR March 2001 for the entire list). One reason is his concluding summary of "modest suggestions" for those who manage risk. Here is his wisdom:

    • "Remember, everyone else is seeking to manage risk, too.
    • They are all guessing; if they knew for certain, they would not be dealing with risk.
    • Their guesses are strongly influenced by their beliefs.
    • Their behavior is strongly influenced by their guesses, and tends to reinforce their beliefs.
    • It is the behavior of others, and the behavior of nature, that constitute your risk environment.
    • Safety interventions that do not alter peopleís propensity to take risks will be frustrated by responses that re-establish the level of risk with which people were originally content.
    • In the absence of reductions in peopleís propensity to take risks, safety interventions will redistribute the burden of risk, not reduce it.
    • Potential safety benefits tend to get consumed as performance benefits.
    • For the foreseeable future, nature will retain most of her secrets, and science will continue to invent new risks.
    • Human behavior will always be unpredictable because it will always be responsive to human behaviors - including your behavior.
    • It will never be possible to capture "objective risk", however powerful your computer, because the computerís predictions will be used to guide behavior intended to influence that which is predicted.
    • In the dance of the risk thermostats, the music never stops.

These insights should send you to your computer or your local bookseller to buy this book, or, if you already have it, convince you to re-read it.

If the selection of risk is a matter of social organization, the management of risk is an organizational problem. Since we do not know what risk we incur, our responsibility is to create resilience in our institutions. But by choosing resilience, which depends on some degree of trust in our institutions, we betray our bias toward the center.

Mary Douglas and Aaron Wildavsky, in Risk and Culture, as quoted by John Adams in Risk, University College London Press, 1995


New Guides to Integrated Risk Management

Three new workbooks on my favorite subject came out earlier this year, two from Canada and the third from the United States. All reflect the growing consensus on the meaning, framework and potential benefits of a more holistic approach to risk. All acknowledge the necessity of addressing both the up and downsides of risk. They are concise, clear and well-written, in contrast to many of the earlier tomes that litter the landscape. Add them to your risk managerís bookshelf.

In April, the Secretariat of the Treasury Board of Canada gave us a bilingual (French and English) contribution reflecting several years of work. Integrated Risk Management Framework aims to strengthen risk management practices in the public sector in Canada. It emphasizes four management commitments: citizen focus, values, results and responsible spending, incorporating two elements that I have supported for some time, consultation and communication. At a time when citizens around the world are questioning the validity of big government, an eager audience should respond to the possibility that risk management can make government more affordable and effective.

The Canadian Framework supports a governmentís governance responsibilities, improves results, strengthens accountability and enhances stewardship. The booklet (a brief 42 pages) defines three "critical concepts," risk itself, risk management and integrated risk management. It sees risk as the "uncertainty of outcomes," being the common element in all current definitions. It acknowledges, however, that some sub-groups still address only unwanted or adverse consequences. It defines "risk management" as a "systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues." This is unnecessarily wordy, but it captures the esential idea. And it considers "integrated risk management" as a "continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective." I support its strong emphasis on communication, often over-looked in the rush to quantitative models and sophisticated financing arrangements. Risk is the combined perception of different people. Organizational responses therefore require a continuing dialogue with them. This is true in the public sector, where regulatory decisions affect many people and organizations. The Framework recognizes that risk management cannot succeed within a specialistís vacuum.

The Canadian Framework synthesizes the process into four elements. Developing the Corporate Profile requires the identification of both threats and opportunities arising from the external and internal environment of an organization. This is followed by a review of the current risk management capacity and an awareness of the risk tolerance of key stakeholder groups. This emphasis on understanding the interests and biases of all those with a stake in the organization moves risk management well beyond former boundaries. Establishing an Integrated Risk Management Function requires strategic direction from senior management (and the governing board), melding risk management into all decision-making, building the capacity to carry it out through human resources, tools and processes, and reporting on performance to governing boards and stakeholders. Practicing Integrated Risk Management requires a common process (identification, assessment, response, and evaluation), practices, tools and methods (all summarized in the Framework), leading to that all-important conclusion, communication and consultation. The final element is Ensuring Continuous Risk Management Learning in the work environment. It supports the idea that risk management remains an evolving discipline.

The Canadian Centre for Management Development produced a companion booklet, also bilingual, entitled A Foundation for Developing Risk Management Learning Strategies in the Public Service. It is based on a roundtable on risk management with representatives from both the public sector and academia in Canada. It calls for a culture shift in the public sector to accept the importance of the practice of risk management, the creation of a government center of risk management expertise and improved education and training in the discipline. This booklet also includes a summary of organizations, academic institutions and reference materials on the subject.

Overall, the Canadian emphasis on the plus and minus of risk and on the importance of communication reflects the leadership we expect from the Great White North. The Framework mentions the precautionary principle only obliquely, I suspect because it remains a contentious issue, especially in the public policy arena. Risk management decisions in government must consider those who believe that we cannot and should not take any action with even a minimum chance of injury or loss of life. Unfortunately, to carry this "precaution" to its extreme, as is too often done, curtails creativity and growth. Risk, as the authors correctly note, is not only unavoidable, but essential to our progress.

For copies of the Framework, contact the Treasury Board of Canada Secretariat at www.tbs-sct.gc.ca or call at 613-957-9654. The mail address is: Risk, Procurement and Asset Management Policy Sector, Secretariat, Treasury Board of Canada, LíEsplanade Laurier, 8th Floor, West Tower, 300 Laurier Avenue West, Ottawa, Canada K1A 0R5. The Roundtable report is available from the Canadian Centre for Management Development. Its website is www.ccmd.ccg.gc.ca. The phone is 613-947-3682.

The third new booklet is Enterprise Risk Management: Trends and Emerging Practices. Its principal authors are Jerry Miccolis, Kevin Hively and Brian Merkley, of the consulting firm of Tillinghast-Towers Perrin (my old firm), with assistance from The Conference Board of Canada. The publisher is the Institute of Internal Auditors Research Foundation.

The authors carried out a survey of 130 senior officers of global profit-making organizations, mixing these results with a thorough literature review and personal interviews to create an overview of the current state of enterprise risk management (their term for the "integrated risk management" used by the Canadians). They developed a consensus set of "success factors" and added case studies of eight major corporations, two from Canada, two from the US, and one each from Germany, Australia, Great Britain and Switzerland. RMR reported on two of theseóHydro-Quebec and Bradford & Bingleyóin earlier issues (July 1999 and January 2001 respectively). The others in this valuable list of cases include Clarica Life, KeyCorp, Infineon Technologies, Holcim, Wal-Mart Stores and an un-named Australian communications company.

Miccolis et al begin with view similar to the Canadians: "risk" is "dealing with uncertainty" and ERM is "a rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organizationís strategic and financial objectives." They cite as primary motivating factors for ERM the recent governance and standard initiatives in Australia, New Zealand, Canada, the United Kingdom, Germany, the Netherlands and the United States (and now Japan as of July 2001).

Others include the desire for a unifying framework, a mandate from the governing board, competitive pressure and a desire for earnings stability. All but the last I consider warranted. I fear that trying to stabilize earnings is chasing a will oí the wisp, especially in our global and highly competitive economy. Volatility is a natural part of our economic life.

The authors identify two major approaches to ERM. One is measurement-driven and the second is process/control-driven. Both have weaknesses and strengths and this work attempts a synthesis. The survey results provide a rich set of potential benchmarks for organizations building an ERM program. Fifty percent of the survey respondents have "started" ERM, a not unexpected result since the organizations selected for the survey are the leaders in the field. They are large, transnational, and predominantly financial, energy and mining in nature. They report a discernible move toward a single coordinating executive for the process, the Chief Risk Officer (CRO). CROs are in place in 31% of the companies who already have full or partial ERM and in 19% of those where ERM is in the planning stage.

Earnings growth leads the list of the risk issues mentioned by respondents. Earnings depend on customers. Nowhere, however, did any respondent list "customer confidence" as an asset to be protected. A Mercer Consulting chart shows that the single largest cause of loss of shareholder value is "customer demand shortfall" but there is little in the questions or responses to address this issue. Only 9% of respondents use continuing focus groups with key customers, 8% with key suppliers and a bare 2% with local communities and the public. The emphasis on risk communication shown in the earlier Canadian booklets is sadly absent from this effort. I found this surprising since 74% of the respondents indicate that "communicating risk assessments and responses to key stakeholders" is important. Firty-three percent say they now do it but their answers to later questions deny this. The authors list eighteen ERM "procedures" in the questionnaire, one of the better checklists for those interested in a complete enterprise risk management program.

But the most valuable insights from this study are the success factors gleaned from the most progressive ERM programs:

    • Strong and visible support from senior management
    • A dedicated group of cross-functional staff to drive implementation and continuity
    • Close linkage of ERM to key financial and strategic objectives and processes
    • ERM as an enhancement to existing processes rather than a new, stand-alone process
    • Importation of ideas from outside the organization
    • Proceeding incrementally, leveraging "early wins"

This IIA booklet includes an extensive bibliography, but one that strangely lacks any input from the public policy risk arena. It is entirely financial and insurance in origin, save for one reference to a Yacov Haimes text, drawn from the Society for Risk Analysis, which demonstrates the continuing gulf between these two major areas of study and research. The earlier Canadian study was equally skewed in the opposite direction: all academic and public policy texts and papers and nothing from the world of GARP and RIMS! Each segment should draw on the other.

Copies of Enterprise Risk Management are available from the IIA Research Foundation at www.theiia.org or by telephone at 407-830-7600. Its address is 249 Maitland Avenue, Altamonte Springs, FL 32701-4201 USA.

. . . ERM is more than another management fad or buzzword of the moment and more than an academic theory. . . . ERM will become an integral part of the management process for organizations in the 21st Century. It will influence how organizations are structured, with some appointing a chief risk officer that reports to the CEO or board of directors. It will influence how strategic planning is done. And it will certainly influence how internal auditing is performed.

Jerry Miccolis, Kevin Hively and Brian Merkley, Enterprise Risk Management: Trends and Emerging Practices, The Institute of Internal Auditors Research Foundation, Altamonte Springs, FL 2001



Saying "Iím sorry" has been an important part of the news this year. Commander Scott Waddle, the Captain of the USS Greeneville, the US submarine that surfaced and sank a Japanese research vessel with the loss of nine lives, tearfully apologized to both Japan and the affected families. The Pope apologized in Greece and Syria for the rift between the Roman Catholic and Orthodox churches. US officials spent days in constructing apologies appropriate to the circumstances of the downing of an American surveillance plane near China, so that the crew and the plane might be returned to the US. And the Westchester Medical Center, in Valhalla, New York, took full and immediate responsibility for the death of a six-year-old boy who was killed when an oxygen tank, improperly placed in an examination room, struck his head as he underwent a routine magnetic resonance imaging test.

Admitting errors of omission or commission can be difficult acts for any organization. In the US especially, in its highly litigious atmosphere, lawyers automatically counsel against any admission of contrition or guilt. This, they say, will be an immediate path to the bank for potential plaintiffs. That view is too short-term, too protective of todayís pocketbook. It inevitably leads to long-term damage to reputation, a more important asset. We need more than stonewalling, silence and denials. A ready and contrite admission of responsibility, an effort to uncover the circumstances, and creation of conditions to prevent recurrence will do more to re-establish the confidence of customers, suppliers, shareholders, employees and the public than all the back-pedaling and evasions that personify conventional attempts to avoid responsibility and legal liability.

Roger Rosenblatt analyzed it correctly in a Public Broadcasting Newshour program on May 22 when he suggested separating "guilt" from "responsibility." Itís an important distinction. Janet Reno famously accepted responsibility for the disaster in Waco, Texas, even as she obviously had no personal guilt. Executives of corporations facing a public outcry over a product failure, employee fraud, or internal discrimination should heed these examples. Simply saying "Iím sorry" and that "I will do my best to prevent a recurrence" should not mean the opening of the floodgates to the treasury but rather the start of an important healing process and the rebuilding of trust.

RMR published an important contribution to this idea in December of 1998 with Doni Haasí article, "In Memory of Ben." In it she recounted the tragic and accidental death of another small boy in a hospital in Florida, a death where the hospital and its staff responded immediately with "integrity, compassion, and teamwork" to accept full responsibility and to share fully with the boyís parents the results of their investigation. She described an "environment of error" that surrounds all organizations, no matter how well managed. Mistakes are inevitable. How we respond is the critical factor.

When a mistake occurs, the future of the organization and the trust of its stakeholders rest on the form of the response. The very wording of the response affects the publicís perception. In 1998 a subsidiary of Johnson & Johnson was accused of failing to notify the US Food and Drug Administration of a software mistake in a diabetes diagnostic program. This eventually led to a plea of guilty to three misdemeanor charges in Federal Court and the payment of a $60 million fine in late 2000. How did Johnson & Johnson respond initially? Its chief executive, Ralph S. Larsen was quoted as saying, "Mistakes were made in the Lifescan situation. There were errors in judgment. We did too little too late." (The New York Times, January 15, 2001) Is that taking responsibility? I think not. It is a passive evasion implying that "others" in the organization are responsible. What Mr. Larsen should have said is, "I take full responsibility, as chief executive of Johnson & Johnson, and I will make sure that this type of event does not happen again." Would this have changed the financial penalty? Possibly not, but it would have started to rebuild confidence in J&J.

Another more recent example from The New York Times on July 9, 2001: W. R. Grace & Company allegedly started selling a fireproofing material some 30 years ago, claiming that it was "completely free of asbestos." It was not. While the amount of asbestos in its Monokote material was minor, and possibly not even harmful to humans, Graceís deliberate mislabeling and its reluctance to provide fuller disclosure led directly to the adverse news reports. Grace is now in bankruptcy, a result of other problems, but this latest revelation does nothing to help the confidence of customers in the organization.

Supported by the latent conservatism of legal and insurance counsel, the initial and instinctive corporate reaction to bad news is denial and defensiveness. Evidence shows that this is exactly the wrong response. Delay, denial, obfuscation, cover-up, and statements that the case is in the hands of lawyers and insurers can irretrievably damage the reputation and "brand" of a company. An immediate and full acceptance of responsibility, the assignment of an independent working team to uncover all the facts of the situation, and complete disclosure to key stakeholders, the press and the public are the best approaches. Nothing less will protect an organizationís long-term image. A company can stonewall, pay out less and even win in court, but it risks losing its most important asset, the trust and confidence of its stakeholders in its future.

Copyright H. Felix Kloman and Seawrack Press, Inc.

Return to RMR Table of Contents
RiskINFO Home Page
Additional Topics This Month and Archives