Out with the old, in with the new - transforming the approach to risk management

Why do companies collapse? We’ve all seen companies make poor strategic decisions that have led to either their demise or their reinvention. Take Kodak, for example. Kodak had an excellent pedigree in understanding risk to their strategy and making bold, yet completely informed, decisions based upon sound risk management principles. A great example of this was the investment they made in colour film, which was inferior at the time, even when they completely dominated the black and white film market. They did, however, fail. They failed because, even when they knew digital photography was a risk to their strategic objectives (and had a number of excellent individuals within Kodak advising them of this), they focused on execution of, and investment in, their existing strategy.

Like Kodak, organisations struggle because their strategies fail to align with their core mission or purpose and often focus completely on execution regardless of changes in the associated risk profile. In fact, according to a recent survey by Strategy&, 81% of the biggest-impact risks to organisations are risks associated with selecting, implementing and executing an overarching strategy. This is increasingly important because of the speed at which operating environments are changing: start-ups with minimal experience and limited capital are unravelling global brands’ strategies overnight. More frequently than ever, executives need to make bigger and increasingly wide-ranging strategic decisions, and risk management needs to step up and help them understand the new risks they are taking.

These rapid, global changes to business have created challenges that fall outside the scope of the old risk frameworks. The traditional tools in risk management cannot provide organisations with the strategic risk management advice they need. For example, it has been common for organisations to take the delegation approach to risk management. Often, only one or a few select individuals, such as a chief risk officer, will be seen as ‘owning’ the organisation’s risks.

The delegation approach to risk management is fundamentally flawed. In a worst-case scenario, leaders are making strategic decisions completely abstracted from the associated risks. In the best case, they make decisions on the limited view they get from their go-to risk person. This approach also often employs a cookie-cutter framework that produces generic output, such as a risk register, but does not deliver meaningful outcomes and the resultant strategic benefits. I am increasingly noticing that the shift in emphasis to output over outcome is eroding value; exercises that were intended to be risk management are more often than not becoming administrative overhead and superficial boxes to tick. CEOs mention this to me on a daily basis; one recently commented: ‘Risk management is just something we dust off once a quarter for update and it’s the same everywhere.’

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has delivered a new framework that comes as a sweeping remedy for these increasingly outdated approaches and will hopefully transform how we approach risk management. The original COSO framework was published in 2004; it gained broad acceptance throughout many organisations and the industry, but it had its limitations. The newly renamed COSO framework, Enterprise Risk Management – Aligning Risk with Strategy and Performance, contains significant changes. Most notably, the new framework moves away from the administrative process of internal control and instead applies strategic capabilities to protect and create value. The framework helps boards and executives consider risk as part of the strategy-setting process, ensuring they understand the risks and associated returns while weighing strategic options for decision-making. It provides guidance on setting a risk profile for a selected strategy and on aligning an organisation’s strategy with its core purpose. This helps significantly in contextualising some of the more abstract terms, such as risk appetite and risk capacity.

Another significant change in the framework, reflecting the latest trends in management thinking, is the consideration of the effect of behaviour and culture on effectively managing risk. Many organisations I work with present me with complete management systems for enterprise risk management, ranging from policy to detailed step-by-step guides that align perfectly to ISO 31000 or the previous COSO framework. They have files full of risk registers and quantitative analysis on execution risks, all underpinned by an expensive enterprise risk management software tool. This is all too often undermined by a complete lack of risk culture: the embedded way of thinking and acting that ensures employees, partners, suppliers and other stakeholders make sound risk decisions on behalf of the organisation. The updated framework provides a structured approach to understanding risk culture and suggests a basis through which organisational behaviours and personal accountability for risk can be increasingly incorporated into the equation over time.

The updated framework moves risk management a long way forward to becoming a discipline that is treated with the same respect as legal, finance and other professional disciplines. It puts the accountability back where it belongs: with the organisation as a whole and not with a lone risk professional. The framework creates a simpler and more integrated approach that will protect and drive strategic value for an organisation. In an increasingly unpredictable world, there has never been a more important time to manage risk, and with the updates to the COSO framework, organisations have an opportunity to do just that.

By: Thomas Keegan, Partner, Control Risks