Changing the way you look at risk accenture article


Published on

Accenture article on changing a risk management culture - written by Mark Smith & Craig Mindrum

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Changing the way you look at risk accenture article

  1. 1. Risk Management Changing the way you look at risk By Mark Q. Smith and Craig Mindrum Most corporate risk managers are more concerned about potential catastrophes and financial risk than about operational risks like fraud and mismanagement. As recent events have shown, such inattention can be fatal. Is it time to change your company’s risk management culture?
  2. 2. T he title of a recent Accenture with the daily interaction among study, “Business in a fragile people, processes and tools as an world," seems to capture the organization works toward a goal. current mood of uncertainty per- In 2002, in an effort to encourage fectly. War and terrorism, economic debate and help close the gap gloom, corporate mismanagement between theory and reality in the and failure, plummeting markets: field, Accenture embarked on a If companies weren’t focusing ade- research and cross-industry bench- quately on risk management before, marking study focusing on opera- they clearly are now. tional risk management. But as the world has changed, has the Our research confirmed the premise concept and practice of risk manage- that operational risk management is, ment changed along with it? for now, at a less mature stage than financial risk management. However, It’s human nature to use the tools the companies that were our bench- and approaches we know best and marking partners in this study were that have been effective in the past. able to offer a number of important But are they still the right tools for principles, tools and approaches that the right job? Maybe not. It’s a little can be used to manage operational like the New Yorker who lost his risk more effectively. wallet on 54th Street but was look- ing for it on 42nd. Why? Because Sense of urgency the light was better. More significant, perhaps, our benchmarking partners shared a So where is the risk management general sense of urgency about light the strongest these days? In this subject. They were concerned the area of high-level financial, in particular about the potential strategic and hazard risk. For exam- threat that lower-level operational ple, the CFOs of most companies, risks increasingly pose to a key especially in the financial services corporate asset: the brand. Although industry, have at their disposal hurricanes and earthquakes can advanced thinking and increasingly damage bricks and mortar, and sophisticated computer-based tools interest rate and foreign exchange to monitor and manage financial fluctuations can wreak havoc with risk. Resources companies and the balance sheet, they seldom insurance companies can do com- threaten a company’s brand. But plex calculations about potential given the recent experience of a hazards and catastrophes. certain brash young energy trading company, inattention to the risk of The light doesn’t shine quite as fraud and mismanagement can be brightly, however, in the day-to- fatal to the brand. day management of operational risks, which can lead just as surely Clearly, a company’s operational to business problems and failures. risk management must be designed For the most part, corporate risk with brand equity risk foremost in managers have not yet applied mind. All executives—indeed, all the same sophistication embedded personnel—must understand exactly in their financial and catastrophe what the stakes are. risk management disciplines to the task of managing operational risks, An effective approach to operational which are generally those associated risk management is based on three 32
  3. 3. overarching principles. (For a more Sounds great, right? Too often, detailed look at the process of man- however, this approach doesn’t aging operational risk, see page 34.) work particularly well. Why not? In part because of the pressures of Develop the capability the day: People end up putting out to anticipate risk fires instead of preventing them. But it’s also because the anticipa- One of the obvious principles that tion of operational risks is actually informs the more mature fields a capability in its own right and, of financial and hazard risk manage- as with all capabilities, it must ment is anticipation—preventing be developed in managers (see box, situations from happening, or at page 36). least establishing procedures ahead of time for dealing with them if Manage risk in the they do happen. It’s surprisingly context of specific goals easy to overlook this basic principle, however, when it comes to opera- If organizations need to focus on tional risk. developing operational risk manage- ment as a capability, they must also Indeed, managers at one company help their people consider risk man- in our study came to the realization agement in the context of a clear that, in practice, they often were not objective or goal. Here is where tra- managing risks at all. Consider this ditional risk classification systems example. A team is working on a may inadvertently put organizations project—a new product release, per- on the wrong path. haps, or the creation of a new infor- mation system. Team members meet Different goals entail different each Monday morning to discuss risks. And by thinking of risk first events of the previous week—chal- in terms of goals, companies can lenges that came up, what was done set up risk identification and miti- to address them, and how they will gation procedures, or improve affect the budget and delivery dates. their existing ones, so that risks Are they managing risks effectively? become more relevant and real. Not really: They are managing prob- Consider the following three cate- lems or issues, but not risks. gories of goals. (The goals we describe here are not exclusive, Most companies do, in fact, have and different companies may well-defined procedures in place define their goals differently.) to identify and track risks at the operational level. Here’s what they • Execution goals: delivering a usually do: project or program; developing new products and services. • Identify possible risks against standard categories or with a • Relationship goals: maintaining checklist of known risks. effective relationships with customers, clients and business • Assign a numerical value to its partners. likelihood and its severity. • Opportunity goals: developing • Assign responsibility for manag- new business, opening new ing each risk to a function, a markets, expansion, new prospects department or a person. with customers or clients. Outlook 2003, Number 1 33
  4. 4. Managing risk: A holistic view Although the discipline of operational For example, consider the standard for atic, cross-industry approach to iden- risk management lags behind financial risk management developed by two of tify, analyze, evaluate, treat, monitor and hazard risk management (see the world’s leading standards organi- and review risk. As part of an Accen- story), there exists a great deal of zations, Standards Australia Interna- ture benchmarking study of opera- sophisticated thinking about how to tional Limited and Standards New tional risk management, we began bring rigor to the practice. Companies Zealand. A joint committee from the with the Australia/New Zealand stan- would do well to ensure that they are two organizations devised a system- dard and, based on interviews with availing themselves of the best the our partners, tailored the process flow profession has to offer, and that to include several additional elements. Begin their key people have been ade- The result is a more holistic view of quately trained in this area. the discipline, in line with the role operational risk management plays in Identify opportunity or goal the management of brand equity risk. • Establish strategic context • Establish organizational context At the beginning of the workflow • Establish risk management context is the opportunity or goal that be- • Develop risk evaluation criteria • Define delivery structure comes the context for the manage- ment of operational risk. Without this explicit goal, it is difficult for Identify risks • What can happen? • How can it happen? Analyze and evaluate risks Initiate risk assessment • Determine existing controls (job aids, tools, etc.) • Determine likelihood of risk occurrence • Determine consequences • Estimate level of risk No • Compare against criteria • Set risk priorities Goal Done Yes met? Conduct and improve Accept Perform work toward Report/ risks? Yes risk management goal and mitigate risks communicate training; refine tool sets • Identify, evaluate and select No treatment options Improve risk • Prepare and execute management culture treatment plans Monitor Continue? No Yes Create new controls Capture risk management experience and tools 34
  5. 5. Our study showed that of these three types of goals, managing risks during project execution is the least mature. This somewhat an organizational culture to focus surprising point was well made properly on the tasks necessary to by one of our benchmarking part- manage risk effectively. ners, an investment bank. This company has, of course, highly Once the goal is clearly identified, sophisticated tools for tracking those involved most closely with the in real time certain financial risks work identify, analyze and evaluate (in equity trading, for example). the associated risks. Then comes a Yet the factors that pose risks to big decision: Are the risks manage- project execution are not as tangi- able enough so that work toward ble. They can range from the the goal can continue? Are risk emotional well-being and morale mitigation plans in place, or do team of the project team to the effect- members need to create or locate iveness of the business vision new ones? The implicit lesson: Leave behind the project to the ability yourself an out; don’t be afraid to to track the project’s inner workings walk away. so that corrective actions can be taken. Tools and technologies to As a team works toward its goal, it manage execution risk better are owns the management of risks from being developed, but they are some a project viewpoint. But in the inter- years behind financial risk tools. est of balance, the process should also include an element of integrated Full participation oversight. Project activity may trigger Achieving relationship-oriented a regular external review by a quality goals often involves the early team, for example. Reporting and participation by all concerned communication take place both from parties in the identification and the project team perspective and by management of associated risks. the oversight review. One of the best practices identified in our study is one used by a Finally, all experiences, reports, new major software company. For techniques and communications are high-impact special projects, captured and fed back to the organi- especially those involving a number zation in the form of new training of clients, company employees and explicit efforts to improve the and vendors, the company will risk management culture. run a risk management workshop lasting several days. Although Why is this risk management process the explicit objective is simply flow important? Its primary value is to identify the areas that need to give the entire organizational cul- the most attention by the extend- ture a set of concepts and a common ed project team, the unspoken vocabulary to deal with risk. In addi- goal is just as important: over- tion, the process flow makes it easier coming the initial distrust of for companies to perform either a parties that have, at the least, quick assessment or a more in-depth competing agendas and are, at diagnostic about how efficiently they worst, actual competitors. are dealing with various components within the workflow. In the field of risk management, opportunity is often talked about Outlook 2003, Number 1 35
  6. 6. in terms of “upside risk." That people within an organization tend is, the risks associated with not to conceal operational problems seizing an opportunity to move until they get out of hand. Call it into a new area or to make a new the “hide-and-seek" syndrome. As kind of deal. In this sense, oppor- one of our benchmarking partners tunity is, in many respects, the put it, “If there is risk occurring, and great unknown. my job is to find it and you think your job is to hide it, we’ve got a A company may have a structure in dysfunctional system on our hands." place to support its people in their attempts to meet strategic goals. But More often than not, however, this does that structure also support their breakdown is the natural conse- work in expanding those goals? In quence of a system that has assigned moving into new opportunities? It risk management to specific individ- can be difficult to tell, because the uals or teams. If the responsible structures that help companies suc- person raises a concern, will this be ceed at one level may impede their perceived as an indication that he or ability to succeed at the next. In she cannot solve this problem alone? this light, one of the observations from a benchmarking partner in On the other hand, it doesn’t neces- our study is instructive (and com- sarily work when executive manage- forting): Effective operational risk ment takes a Big Brother approach. management procedures, when For example, one of our benchmark- implemented well, do not restrict ing partners uses the concept of a business or its growth; in fact, project oversight lists to identify they make that growth possible. projects of particular importance to the organization. In practice, how- Create a culture in which risk ever, the leaders in charge of those management is everyone’s job projects do not want to be on those lists, because they perceive that Another common problem cited by “honor" as one that just means more our benchmarking partners is that work and hassle. Anticipating operational risks: A simulation tool How can companies increase their ability to anticipate issues and therefore manage risk better? Consider one simulation tool developed by Accenture and used for workshops and educational purposes. Built according to the principles of system dynamics (that is, on the complex set of causes and effects that come into play, for example, in ecosystems), the tool allows a user to create a computer model of the social environment of a project (including "softer" factors like clarity of vision, employee burnout and morale, and team experience). Based on the model created by the user, the tool simulates the performance of the project against schedule and budget. Then the user can go back in and adjust the settings of the model to see what impact different leadership actions could have on the success of the project. The tool is not a predictor of success; its primary benefit is in teaching leaders to anticipate the sorts of complex factors that can derail a project team. 36
  7. 7. The lesson: Adequate reporting and it’s a technique more honored in oversight from leadership is not the breach than in the observance. enough. Companies must also create Companies need structures and a culture in which individuals have procedures that ensure that there the capability and the responsibility is 1) less need to hide and 2) no for managing risk. The chief audit place to hide. officer of one of the companies in our study put it quite well: The challenge then, as is so often “I see my ongoing responsibility the case, is primarily cultural. as one of making myself less and This, too, was affirmed by par- less important." ticipants in the benchmarking study. A simple cultural diag- Striving for balance is key here. nostic showed that, for those One recommendation we made to taking the survey, the primary the company whose leaders were gaps between current capabilities not eager to be on project oversight and where the company wanted lists was to redefine those lists so to be with regard to operational that they didn’t mean more work, risk management were in culture- Craig Mindrum teaches organizational but rather that more resources and influencing areas such as know- change and ethics at DePaul University expertise would be made available ledge capture and sharing, learn- in Chicago. As a strategic management because of the importance of ing and training, and continuous consultant, he works closely with their project. Instead of focusing improvement. Accenture in the areas of workforce exclusively on oversight, such an performance, organizational change approach would signal that the Companies today must infuse the and the effects of technology on human company was there to support its entire organization—every employee, performance. Dr. Mindrum has studied people in their effort to take owner- every function, every level—with the risk management best practices for ship of risk management. responsibility to manage risk. And large, complex development projects, they must provide the right mix of and he also directed the creation of a To be sure, we don’t believe that leadership, processes and tools to simulation tool for Accenture to teach such a change will transform the support people as they perform their anticipatory skills in managing risk. oversight list concept overnight. jobs and as they both enrich and But it does underscore the impor- protect the brand. s tance of working with the culture to manage risk, rather than over- This article is based on the findings of an seeing the work like a schoolteacher Accenture benchmarking study, com- during final exams. pleted in August 2002, on operational risk management practices. The authors One thing that encourages broad served as project director and research ownership of risk oversight is director, respectively, for the study. the concept of “attentiveness." Companies that are effective at managing operational risk have Mark Q. Smith is an associate partner in built rigor and watchfulness into the Accenture Financial Services operating their processes, structures and tools. group, where he serves as global director For example, one interviewee of quality. In this role, he focuses on client stated that the reason his project satisfaction, operational risk management had been so effective at managing and business process improvement. Mr. risk was that “our supervisor Smith is also responsible for maintaining simply demanded that our risk logs external quality certifications for the be on his desk first thing every practice. He is based in London. Monday morning." Sound obvious? Sure, but according to our study, Outlook 2003, Number 1 37