Managing Risks- A New Framework_HBS_2012


Published in: Business, Economy & Finance

  1. 1. Managing Risks: A New Framework. Anette Mikes, Harvard Business School. IRM, Manchester, 25 April 2012. Copyright © President & Fellows of Harvard College
  2. 2. A Case Study in Risk Management
  3. 3. Risk Management is Non-Intuitive
  4. 4. “JPL engineers graduate from top schools at the top of their class. They are used to being right in their design and engineering decisions. I have to get them comfortable thinking about all the things that can go wrong.” - Gentry Lee, Chief Systems Engineer, NASA JPL
  5. 5. Risk Management and the Financial Crisis
      Conflicting pressures?
      • “Faster, better, cheaper”
      • “Growth, profit, control”
      The cultural position of the risk function
      Companies that failed had relegated risk management to a compliance function, with no access to top management.
      HBOS had “a cultural indisposition to challenge” and the task of “being a risk and compliance manager … felt a bit like being a man in a rowing boat trying to slow down an oil tanker.” – UK Treasury Committee (7th report); Paul Moore
  6. 6. Do complex organizations fail – inevitably?
  7. 7. BP Deepwater Horizon: Post Mortem
      “The disaster … can be attributed to an organizational culture and incentives that encourage cost cutting and cutting of corners – that reward workers for doing it faster and cheaper, but not better.”
      Management failure crippled “the ability of individuals involved to identify the risks they faced, and to properly evaluate, communicate, and address them.”
      - The National Commission’s Report to the President
  8. 8. Individual and Organizational Biases
      “Risk mitigation is painful; not a natural event for humans to perform.” Gentry Lee – Chief Systems Engineer, NASA, JPL
  9. 9. Individual and Organizational Biases
      • Individual biases:
          • Overconfidence
          • Tendency to anchor our estimates
          • Confirmation bias
          • Escalation of commitment
      • Organizational biases:
          • Groupthink
          • Rather than mitigating risk, firms incubate risk through the normalization of deviance
      • Effective risk-management processes must counteract those biases
      “Risk mitigation is painful; not a natural event for humans to perform.” Gentry Lee – Chief Systems Engineer, NASA, JPL
  10. 10. What’s distinctive about risk management?
      • A practice-based definition (Kaplan & Mikes, HBR forthcoming):
          • Active and intrusive processes that…
              • … are capable of challenging existing assumptions about the world within and outside the organization
              • … communicate risk information with the use of distinct tools (risk maps, value-at-risk models, stress tests etc.)
              • … complement, but do not displace, existing management control practices
  11. 11. Different Types of Risk Management
      • Risk management is too often treated as a compliance issue
      • New categorization of risk
          • Some risks can be managed through a traditional rules-based model and some require alternative approaches
      • Companies need to anchor risk discussions in their strategy formulation and implementation processes.
  12. 12. Different Types of Risk
  13. 13. Category I: Preventable Risks
      • Risks arising from within the company that generate no strategic benefits
          • E.g.: risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions; risks from breakdowns in routine operational processes
      • Companies should seek to eliminate these risks
      • Active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms
  14. 14. Category II: Strategy Risks
      • Risks voluntarily accepted by the company in order to generate superior returns from its strategy
          • E.g.: credit risk assumed by a bank when it lends money; risks taken on by companies through their R&D activities
      • Not inherently undesirable
      • Reduce the probability that the assumed risks materialize and improve the company’s ability to contain the risk events should they occur
  15. 15. Category III: External Risks
      • Risks arising from events outside the company and beyond its influence or control.
          • E.g.: natural and political disasters; major macroeconomic shifts
      • Companies cannot prevent such events from occurring
      • Management must focus on identification (obvious only in hindsight) and mitigation of their impact
  16. 16. Managing Preventable Risks
  17. 17. Failures in Controlling Preventable Risks
      Siemens Bribery and Corruption Scandal
      • Pay $1.6 billion in fines and $850 million for internal investigations by outside lawyers and accountants.
      • Nine former members of Managing Board sued for $28.3 million for breaching fiduciary duties
      • Two former CEOs agree to pay more than $10 million to settle cases brought against them.
      Société Générale: The Jérôme Kerviel Affair
      • Losses of about €7 billion (2007).
      • Société Générale has to raise €5.5 billion in new capital.
  18. 18. Situational forces: The fraud triangle
  19. 19. Situational forces - How good people turn bad
      • Organizational pressure
      • Group pressure and the Lure of the Inner Circle
      • Blind obedience to authority
      • Not recognizing red flags and an exit opportunity
  20. 20. What individuals can do - Step up to situational forces
      Stand firm on principle despite intense pressures
      “I am responsible”
      Whistle blowers: individuals who are aware of illegal or unethical activities who report the activities without expectation of reward
      Heroes’ risks:
      • Career risk
      • Professional ostracism
      • Loss of status
      • Financial loss
      • Loss of credibility
  21. 21. What corporate leaders can do
      • Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter, but should clearly articulate their
          • Mission
          • Values
          • Boundaries
      • Top managers must serve as role models
      • Importance of strong internal control systems and independent internal audit department
  22. 22. The Mission
      “Medicine is for people, not for profits. The profits follow, and if we have remembered that, they have never failed to appear.” - George Merck, CEO and founder’s son (1950).
  23. 23. Boundary Systems [Diagram labels: Opportunity Space; Boundary System; Domain for Search and Empowerment; Beliefs System]
  24. 24. Managing Strategy Risks
  25. 25. “Building great things means taking risks. This can be scary and prevents most companies from doing the bold things they should. However, in a world that’s changing so quickly, you’re guaranteed to fail if you don’t take any risks. We have another saying: The riskiest thing is to take no risks.” - Facebook IPO prospectus
  26. 26. Managing Strategy Risks
      • 3 distinct approaches to managing strategy risks
      • “One size does not fit all” in terms of the structures and roles for the risk management function
      • However, all encourage employees to challenge existing assumptions and debate risk information
  27. 27. 27
  28. 28. I. Independent Experts
      • High intrinsic risk, but risk changes slowly over time
      • Risk management handled at the project level
      • Case: Risk management at JPL
          • CRO
          • Risk review board made up of independent technical experts
          • Role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions (“culture of intellectual confrontation”)
          • Authority over budgets: establishes cost and time reserves according to its degree of risk
  29. 29. 29
  30. 30. 30
  31. 31. 31
  32. 32. II. Facilitators
      • Risk stems largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time
      • Risk management by a small central risk-management group that collects information from operating managers
      • Hydro One
          • CRO runs workshops with employees from all levels and functions
          • Employees identify and rank the principal risks to the strategic objectives
          • Capital allocation and budgeting decisions linked to identified risks
  33. 33. 33
  34. 34. III. Embedded Experts
      • Risk profile can change dramatically with a single deal or major market movement
      • Risk management by embedded experts within the organization to continuously monitor and influence the business’s risk profile, working with line managers
      • Danger for the embedded risk managers to “go native”
      • JP Morgan Private Bank
          • Report to both line executives and a centralized risk-management function
          • Continually ask “what if” questions
  35. 35. Avoiding the Function Trap
      • Companies tend to label and compartmentalize risk, especially along business function lines
      • Companies can achieve an integrated risk perspective by anchoring their discussions in strategic planning
      • Companies also need a risk oversight structure
  36. 36. Infosys
      “As we asked ourselves about what risks we should be looking at, we gradually zeroed in on risks to business objectives specified in our corporate scorecard.” MD Raganath, CRO, Infosys
      • Risk discussions generated from the Balanced Scorecard
          • E.g.: “growing client relationships” identified as a key objective
          • Management realized that strategy had introduced a new risk factor: client default.
          • Implication: monitor CDS rates of large clients etc.
  37. 37. Volkswagen do Brasil
      • Risk discussions generated from the company’s strategy map
          • Risk events identified for each objective
          • Risk Event Card prepared for each risk
          • High-level summary of results presented to senior management
  38. 38. Volkswagen do Brasil: Risk Event Card
  39. 39. Volkswagen do Brasil: Risk Report Card
  40. 40. Organizing the risk function
      • Hydro One:
          • Large company, but small risk group
      • JPL / JP Morgan Private Bank:
          • Small companies/units, but multiple project-level review boards or teams of embedded risk managers
      • Infosys:
          • Dual structure: central risk team; specialized functional teams
  41. 41. Managing External Risks
  42. 42. Managing External Risks
      • Some external risk events sufficiently imminent for managers to manage them like their strategy risks
          • E.g.: risk of increased protectionism at Infosys
      • Most external risk events require a different analytic approach
          • Probability of occurrence very low
          • Difficult to envision them during the normal strategy processes
  43. 43. Sources of External Risk
      • Natural and economic disasters with immediate impact
          • E.g.: 2010 Icelandic volcano eruption; bursting of a major asset price bubble; 2011 Japanese earthquake and tsunami
      • Geopolitical and environmental changes with long-term impact
          • E.g.: political shifts; long-term environmental changes; depletion of critical natural resources
      • Competitive risks with medium-term impact
          • E.g.: emergence of disruptive technologies; radical strategic moves by industry players
  44. 44. Dealing With External Risks
      • Tail-risk stress tests
          • Assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable
          • Depends critically on the assumptions (may themselves be biased)
      • Scenario planning
          • Systematic process for defining the plausible boundaries of future states of the world
          • Long-range analysis (typically 5-10 year)
      • War-gaming
          • Assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies
  45. 45. Wrap-up
  46. 46. Risk Management is Not Strategy Management
      • Risk management focuses on uncertainties that could impair mission and strategic objectives
      • Mitigating risk involves dispersing resources and diversifying investments
      • Most companies need a separate function to handle strategy- and external-risk management
  47. 47. Smart questions or dumb questions?
      “Do you have an embedded risk management system?”
      “Do you have a strong risk culture?”
      “Do you have a risk appetite policy that is well understood by every member of the organization?”
  48. 48. Dumb questions
      • Lack traction, and are relatively easy for a CEO or CRO to answer and deflect without revealing much of substance
      • Invite busy executives to rehearse risk management clichés
      • The answers to banks of dumb questions are more likely to be self-reinforcing and reveal little about the real risk management.
      • They will tend to produce an illusion of control.
      Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011
  49. 49. Smart questions to the CEO
      • What are the processes by which you satisfy yourself that risk appetite is a real constraint on action?
      • Is the organization good at stopping bad projects that have gained momentum?
      • When was the last time something was stopped in the organization because it was considered too risky?
      • How do you feel about meetings with the chief risk officer? Do you feel you talk to your chief risk officer enough?
      • What are the three most important bits of management information that you use each day? What do they tell you, if anything, about risk?
      Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011
  50. 50. Smart questions to the CRO
      • Have you ever been excluded from meetings that you felt you ought to attend? What did you do about it?
      • Do you feel you have enough contact with the CEO?
      • Can you envisage being able to veto developments? Did you ever try, and why?
      • Are you involved in product development from the beginning? If not, why not?
      Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011
  51. 51. It’s an evolution: Risk managers shape their own fate too!
      • Taking responsibility or shifting blame
      • Competing with other staff groups
      • Expanding or limiting boundaries
      • Working on the relationship with the business
  52. 52. Thank you! Copyright © President & Fellows of Harvard College