Changing the way you look at risk accenture article
Changing the way
you look at risk
By Mark Q. Smith and Craig Mindrum
Most corporate risk managers are more concerned about potential
catastrophes and financial risk than about operational risks like fraud and
mismanagement. As recent events have shown, such inattention can be
fatal. Is it time to change your company’s risk management culture?
he title of a recent Accenture with the daily interaction among
study, “Business in a fragile people, processes and tools as an
world," seems to capture the organization works toward a goal.
current mood of uncertainty per- In 2002, in an effort to encourage
fectly. War and terrorism, economic debate and help close the gap
gloom, corporate mismanagement between theory and reality in the
and failure, plummeting markets: field, Accenture embarked on a
If companies weren’t focusing ade- research and cross-industry bench-
quately on risk management before, marking study focusing on opera-
they clearly are now. tional risk management.
But as the world has changed, has the Our research confirmed the premise
concept and practice of risk manage- that operational risk management is,
ment changed along with it? for now, at a less mature stage than
financial risk management. However,
It’s human nature to use the tools the companies that were our bench-
and approaches we know best and marking partners in this study were
that have been effective in the past. able to offer a number of important
But are they still the right tools for principles, tools and approaches that
the right job? Maybe not. It’s a little can be used to manage operational
like the New Yorker who lost his risk more effectively.
wallet on 54th Street but was look-
ing for it on 42nd. Why? Because Sense of urgency
the light was better. More significant, perhaps, our
benchmarking partners shared a
So where is the risk management general sense of urgency about
light the strongest these days? In this subject. They were concerned
the area of high-level financial, in particular about the potential
strategic and hazard risk. For exam- threat that lower-level operational
ple, the CFOs of most companies, risks increasingly pose to a key
especially in the financial services corporate asset: the brand. Although
industry, have at their disposal hurricanes and earthquakes can
advanced thinking and increasingly damage bricks and mortar, and
sophisticated computer-based tools interest rate and foreign exchange
to monitor and manage financial fluctuations can wreak havoc with
risk. Resources companies and the balance sheet, they seldom
insurance companies can do com- threaten a company’s brand. But
plex calculations about potential given the recent experience of a
hazards and catastrophes. certain brash young energy trading
company, inattention to the risk of
The light doesn’t shine quite as fraud and mismanagement can be
brightly, however, in the day-to- fatal to the brand.
day management of operational
risks, which can lead just as surely Clearly, a company’s operational
to business problems and failures. risk management must be designed
For the most part, corporate risk with brand equity risk foremost in
managers have not yet applied mind. All executives—indeed, all
the same sophistication embedded personnel—must understand exactly
in their financial and catastrophe what the stakes are.
risk management disciplines to the
task of managing operational risks, An effective approach to operational
which are generally those associated risk management is based on three
overarching principles. (For a more Sounds great, right? Too often,
detailed look at the process of man- however, this approach doesn’t
aging operational risk, see page 34.) work particularly well. Why not?
In part because of the pressures of
Develop the capability the day: People end up putting out
to anticipate risk fires instead of preventing them.
But it’s also because the anticipa-
One of the obvious principles that tion of operational risks is actually
informs the more mature fields a capability in its own right and,
of financial and hazard risk manage- as with all capabilities, it must
ment is anticipation—preventing be developed in managers (see box,
situations from happening, or at page 36).
least establishing procedures ahead
of time for dealing with them if Manage risk in the
they do happen. It’s surprisingly context of specific goals
easy to overlook this basic principle,
however, when it comes to opera- If organizations need to focus on
tional risk. developing operational risk manage-
ment as a capability, they must also
Indeed, managers at one company help their people consider risk man-
in our study came to the realization agement in the context of a clear
that, in practice, they often were not objective or goal. Here is where tra-
managing risks at all. Consider this ditional risk classification systems
example. A team is working on a may inadvertently put organizations
project—a new product release, per- on the wrong path.
haps, or the creation of a new infor-
mation system. Team members meet Different goals entail different
each Monday morning to discuss risks. And by thinking of risk first
events of the previous week—chal- in terms of goals, companies can
lenges that came up, what was done set up risk identification and miti-
to address them, and how they will gation procedures, or improve
affect the budget and delivery dates. their existing ones, so that risks
Are they managing risks effectively? become more relevant and real.
Not really: They are managing prob- Consider the following three cate-
lems or issues, but not risks. gories of goals. (The goals we
describe here are not exclusive,
Most companies do, in fact, have and different companies may
well-defined procedures in place define their goals differently.)
to identify and track risks at the
operational level. Here’s what they • Execution goals: delivering a
usually do: project or program; developing
new products and services.
• Identify possible risks against
standard categories or with a • Relationship goals: maintaining
checklist of known risks. effective relationships with
customers, clients and business
• Assign a numerical value to its partners.
likelihood and its severity.
• Opportunity goals: developing
• Assign responsibility for manag- new business, opening new
ing each risk to a function, a markets, expansion, new prospects
department or a person. with customers or clients.
Outlook 2003, Number 1 33
Managing risk: A holistic view
Although the discipline of operational For example, consider the standard for atic, cross-industry approach to iden-
risk management lags behind financial risk management developed by two of tify, analyze, evaluate, treat, monitor
and hazard risk management (see the world’s leading standards organi- and review risk. As part of an Accen-
story), there exists a great deal of zations, Standards Australia Interna- ture benchmarking study of opera-
sophisticated thinking about how to tional Limited and Standards New tional risk management, we began
bring rigor to the practice. Companies Zealand. A joint committee from the with the Australia/New Zealand stan-
would do well to ensure that they are two organizations devised a system- dard and, based on interviews with
availing themselves of the best the our partners, tailored the process flow
profession has to offer, and that to include several additional elements.
their key people have been ade- The result is a more holistic view of
quately trained in this area. the discipline, in line with the role
operational risk management plays in
Identify opportunity or goal the management of brand equity risk.
• Establish strategic context
• Establish organizational context At the beginning of the workflow
• Establish risk management context
is the opportunity or goal that be-
• Develop risk evaluation criteria
• Define delivery structure comes the context for the manage-
ment of operational risk. Without
this explicit goal, it is difficult for
• What can happen?
• How can it happen?
Analyze and evaluate risks Initiate risk assessment
• Determine existing controls
(job aids, tools, etc.)
• Determine likelihood of risk
• Determine consequences
• Estimate level of risk No
• Compare against criteria
• Set risk priorities Goal
Conduct and improve Accept Perform work toward Report/
risk management goal and mitigate risks communicate
training; refine tool sets • Identify, evaluate and select
No treatment options
Improve risk • Prepare and execute
management culture treatment plans Monitor
Create new controls
Capture risk management
experience and tools
Our study showed that of these
three types of goals, managing
risks during project execution is
the least mature. This somewhat
an organizational culture to focus surprising point was well made
properly on the tasks necessary to by one of our benchmarking part-
manage risk effectively. ners, an investment bank. This
company has, of course, highly
Once the goal is clearly identified, sophisticated tools for tracking
those involved most closely with the in real time certain financial risks
work identify, analyze and evaluate (in equity trading, for example).
the associated risks. Then comes a Yet the factors that pose risks to
big decision: Are the risks manage- project execution are not as tangi-
able enough so that work toward ble. They can range from the
the goal can continue? Are risk emotional well-being and morale
mitigation plans in place, or do team of the project team to the effect-
members need to create or locate iveness of the business vision
new ones? The implicit lesson: Leave behind the project to the ability
yourself an out; don’t be afraid to to track the project’s inner workings
walk away. so that corrective actions can be
taken. Tools and technologies to
As a team works toward its goal, it manage execution risk better are
owns the management of risks from being developed, but they are some
a project viewpoint. But in the inter- years behind financial risk tools.
est of balance, the process should
also include an element of integrated Full participation
oversight. Project activity may trigger Achieving relationship-oriented
a regular external review by a quality goals often involves the early
team, for example. Reporting and participation by all concerned
communication take place both from parties in the identification and
the project team perspective and by management of associated risks.
the oversight review. One of the best practices identified
in our study is one used by a
Finally, all experiences, reports, new major software company. For
techniques and communications are high-impact special projects,
captured and fed back to the organi- especially those involving a number
zation in the form of new training of clients, company employees
and explicit efforts to improve the and vendors, the company will
risk management culture. run a risk management workshop
lasting several days. Although
Why is this risk management process the explicit objective is simply
flow important? Its primary value is to identify the areas that need
to give the entire organizational cul- the most attention by the extend-
ture a set of concepts and a common ed project team, the unspoken
vocabulary to deal with risk. In addi- goal is just as important: over-
tion, the process flow makes it easier coming the initial distrust of
for companies to perform either a parties that have, at the least,
quick assessment or a more in-depth competing agendas and are, at
diagnostic about how efficiently they worst, actual competitors.
are dealing with various components
within the workflow. In the field of risk management,
opportunity is often talked about
Outlook 2003, Number 1 35
in terms of “upside risk." That people within an organization tend
is, the risks associated with not to conceal operational problems
seizing an opportunity to move until they get out of hand. Call it
into a new area or to make a new the “hide-and-seek" syndrome. As
kind of deal. In this sense, oppor- one of our benchmarking partners
tunity is, in many respects, the put it, “If there is risk occurring, and
great unknown. my job is to find it and you think
your job is to hide it, we’ve got a
A company may have a structure in dysfunctional system on our hands."
place to support its people in their
attempts to meet strategic goals. But More often than not, however, this
does that structure also support their breakdown is the natural conse-
work in expanding those goals? In quence of a system that has assigned
moving into new opportunities? It risk management to specific individ-
can be difficult to tell, because the uals or teams. If the responsible
structures that help companies suc- person raises a concern, will this be
ceed at one level may impede their perceived as an indication that he or
ability to succeed at the next. In she cannot solve this problem alone?
this light, one of the observations
from a benchmarking partner in On the other hand, it doesn’t neces-
our study is instructive (and com- sarily work when executive manage-
forting): Effective operational risk ment takes a Big Brother approach.
management procedures, when For example, one of our benchmark-
implemented well, do not restrict ing partners uses the concept of
a business or its growth; in fact, project oversight lists to identify
they make that growth possible. projects of particular importance to
the organization. In practice, how-
Create a culture in which risk ever, the leaders in charge of those
management is everyone’s job projects do not want to be on those
lists, because they perceive that
Another common problem cited by “honor" as one that just means more
our benchmarking partners is that work and hassle.
Anticipating operational risks: A simulation tool
How can companies increase their ability to anticipate issues and therefore
manage risk better? Consider one simulation tool developed by Accenture and
used for workshops and educational purposes.
Built according to the principles of system dynamics (that is, on the complex
set of causes and effects that come into play, for example, in ecosystems), the
tool allows a user to create a computer model of the social environment of a
project (including "softer" factors like clarity of vision, employee burnout and
morale, and team experience). Based on the model created by the user, the
tool simulates the performance of the project against schedule and budget.
Then the user can go back in and adjust the settings of the model to see what
impact different leadership actions could have on the success of the project.
The tool is not a predictor of success; its primary benefit is in teaching leaders
to anticipate the sorts of complex factors that can derail a project team.
The lesson: Adequate reporting and it’s a technique more honored in
oversight from leadership is not the breach than in the observance.
enough. Companies must also create Companies need structures and
a culture in which individuals have procedures that ensure that there
the capability and the responsibility is 1) less need to hide and 2) no
for managing risk. The chief audit place to hide.
officer of one of the companies
in our study put it quite well: The challenge then, as is so often
“I see my ongoing responsibility the case, is primarily cultural.
as one of making myself less and This, too, was affirmed by par-
less important." ticipants in the benchmarking
study. A simple cultural diag-
Striving for balance is key here. nostic showed that, for those
One recommendation we made to taking the survey, the primary
the company whose leaders were gaps between current capabilities
not eager to be on project oversight and where the company wanted
lists was to redefine those lists so to be with regard to operational
that they didn’t mean more work, risk management were in culture- Craig Mindrum teaches organizational
but rather that more resources and influencing areas such as know- change and ethics at DePaul University
expertise would be made available ledge capture and sharing, learn- in Chicago. As a strategic management
because of the importance of ing and training, and continuous consultant, he works closely with
their project. Instead of focusing improvement. Accenture in the areas of workforce
exclusively on oversight, such an performance, organizational change
approach would signal that the Companies today must infuse the and the effects of technology on human
company was there to support its entire organization—every employee, performance. Dr. Mindrum has studied
people in their effort to take owner- every function, every level—with the risk management best practices for
ship of risk management. responsibility to manage risk. And large, complex development projects,
they must provide the right mix of and he also directed the creation of a
To be sure, we don’t believe that leadership, processes and tools to simulation tool for Accenture to teach
such a change will transform the support people as they perform their anticipatory skills in managing risk.
oversight list concept overnight. jobs and as they both enrich and
But it does underscore the impor- protect the brand. s email@example.com
tance of working with the culture
to manage risk, rather than over- This article is based on the findings of an
seeing the work like a schoolteacher Accenture benchmarking study, com-
during final exams. pleted in August 2002, on operational
risk management practices. The authors
One thing that encourages broad served as project director and research
ownership of risk oversight is director, respectively, for the study.
the concept of “attentiveness."
Companies that are effective at
managing operational risk have Mark Q. Smith is an associate partner in
built rigor and watchfulness into the Accenture Financial Services operating
their processes, structures and tools. group, where he serves as global director
For example, one interviewee of quality. In this role, he focuses on client
stated that the reason his project satisfaction, operational risk management
had been so effective at managing and business process improvement. Mr.
risk was that “our supervisor Smith is also responsible for maintaining
simply demanded that our risk logs external quality certifications for the
be on his desk first thing every practice. He is based in London.
Monday morning." Sound obvious?
Sure, but according to our study, firstname.lastname@example.org
Outlook 2003, Number 1 37