How Risky is your Risk Management?

Risk Management is a highly specialized science today. Its widespread application has helped radically improve the management of businesses. Every company, therefore, strives to control its risks through robust systems for risk management. However, many times fundamental issues in the business processes revolving around the aspect of risk management actually put the whole concept of risk management to risk! What are these issues? Let us take a closer look.

Phases in Risk Management

The risks in any risk management system actually stem out of the risk management process. Broadly speaking, they occur in different stages:

  1. Risk assessment,
  2. Risk processing and
  3. Risk transition.

The risk assessment stage focuses on the definition of the risk and its implications to the business. The risk processing stage actually looks at the integration of the risk management processes with the overall strategy processes. It also looks at the interface between the strategy and the operations processes from a risk standpoint. The risk transition stage looks at the issues involved when a particular risk moves from the ‘probable’ domain to the ‘real world’. Each of these stages can be looked at from the process elements, process characterizations and process perspectives. We will elucidate to help understand how these work.

What is Risk?

In simplistic terms, a risk is a probable situation that is adverse to the business. The key words by definition being probable and adverse. The key parameters in risk management, therefore, revolve around two cardinal questions:

  1. How probable and
  2. How adverse the situation could be.

From a management perspective, there are three philosophies used to handle risks. These are

  1. Risk Mitigation: where one talks of reducing either the probability or the adversity of the risk,
  2. Risk Sharing: where the attempt is to share risks between businesses and
  3. Risk Transfer: where a complete transfer of the risk from one business to another is carried out.

These philosophies need to be carefully understood in the context of the business, the stakeholders and the business partners. Depending on the philosophy chosen, the company can optimize its risk exposure to meet the corporate strategy. While many companies operate on the risk sharing and risk transfer philosophies, the risk mitigation philosophy actually positions the business way ahead of the others! This is because a risk mitigation philosophy works at reducing the intrinsic probability and adversity of the risk. The other philosophies may not always achieve such an intrinsic reduction (depending on the way it is worked out). Is your company a believer of risk mitigation?

The other point that one needs to understand is the transient nature of the risk itself. In other words, the same risk assumes different magnitudes in different phases of the business cycle. Hence, any risk management methodology must address this issue specifically. This is particularly important because it could change the definition of the risk, the impact or the circle of influence of the risk and the containment or controlling variables.

Risk I: The Numerical Perspective

The idea of risk assessment is fairly easy to understand. However, determining the final deliverable of the exercise is often a big challenge. In the more rudimentary forms, one often encounters a qualitative treatment to assess the risk. While this treatment is good as an initial study, it is often one of limited potential for beneficial use. A quantitative assessment of risks gives a more robust understanding of the risks. Do you use a qualitative system for risk assessment? If yes, how do you ascertain the extent of the risks and the business impact each of these could have?business environment pertinent to the sector.

Risk II: The Extremes Perspective or the Extreme Axes that balance Risk Philosophies

Some companies use the Best Case-Worst Case scenario to assess risks. The challenge in these cases is the realistic definition of the Best and the Worst cases. How frequently do you find your ‘reality’ within the best and worst cases? Are all the parameters in your risk assessment system ‘external’ to the system or are they mostly determined from ‘within’ the system? If you are facing issues with defining the scenarios from this perspective, you might want to consider re-looking into your system. Do you have situations where your worst case is worsening progressively over time? Are there cases that are ‘worse’ than the ‘worst’? If your answer is yes, you might want to optimize your scenario definitions.

Risk III: The Measurement Perspective

If you are trying to freshly design and implement your risk assessment system, you might want to align your risk management philosophy with the processes within the company. While there are different options used by companies to express the assessed risks, the most popular ones are those translated into costs. Expressions in costs are often preferred because they are easy to ‘plug-into’ an accounting framework. However, these often fail the test of business logic due to the limitations of business applicability of such accounting instruments. It is similar to painting pictures that create an eyewash! Something that has to be avoided. It is, therefore, advisable to express risks in multiple parameters like time, money, goodwill, corporate image, operational reliability, environmental impact, etc. Does your company balance different parameters while assessing risks? If not, you might want to seriously reconsider your system. I have developed a tool by which one could look at risks from multiple perspectives, thereby enabling the understanding of the interplay of the different elements and constituents of the risk. However, that being said, it is also essential to understand how combinations of risks could affect the business. Most corporate find this to be a major challenge. Does your system see multiple levels of risks or does it deliver a relatively flat structure of risks?

Risk IV: Method of Capture

The most interesting aspect in risk assessment is the concept of the hidden risk… A good system actually gives astounding results due to the fact that it helps one ‘look beyond what one sees’. A well-implemented system also helps in the aggregation of these elements to enable this ‘unique’ feature. While posturing to risk management is a top management prerogative, the capture of risks becomes most effective when it starts ‘low’ in the organization. For it is often the operational level that actually sees the risks of the system the best. Do you have a bottom-up orientation towards risk assessment? Are middle managers and line managers actively contributing to your risk identification process? If not, you might want to re-engineer your risk assessment system completel

Risk V: Periodicity

It is extremely important to maintain the right periodicity to assess the risks. A good system revisits the risks assessed and ensures that they are within the right limits for ensuring successful business. This helps in addressing the transient nature of the risks. Many corporate fail to understand this concept. Further, in addition to the transient nature of risks, it is often important to understand the dependence of a particular sequence of events. Systems tend to behave differently to different sequences of the same set of events, a concept that is beyond most accounting treatment of issues. One must, therefore, understand the transient nature and the temporal nature of the factors that drive the risks in the business. Does your system incorporate the transient and the temporal nature of risks? My team has developed a unique method to identify and incorporate these issues in your overall risk management system.

Risk VI: Control System

The next issue, that is probably the most challenging of them all, is that of the control mechanism. While it is a very fundamental issue that one must control some parameters to get desired results in other parameters, most companies have difficulty in defining their control mechanism. This actually leads to several issues. It calls for a good understanding of the controlling parameter and its relationship with the controlled parameter. Most often, the control mechanism is a ‘hard to define’ and a ‘harder to implement’ system. There are many simple tests to identify the robustness of the control system. Has your company increased sales or made profits during periods of recession? Ask any employee if he knows which of his actions help contain which kind of risks and to what degree? How much have you changed in your working style and orientation between the risk profile of the company last year and now? Can the changes be explained and justified fully? If you are having issues answering these questions, you might want to improve your controlling methodology.

Risk VII: Quality of Information

The skill in any management system lies in the process of decision-making. Management science revolves around the art and science of making sound business decisions based on in-complete information. As information forms the basis of good decisions, it is of utmost important to understand the quality of the information that one is dealing with. Many factors decide the quality of information provided to the risk management system. However, having said that, it is essential to understand if the information is actually of good quality. Do you see many situations where there are ‘big surprises’ causing huge risks over short time horizons? Short strategic time windows or getting informed ‘after the fact’ are typical phenomenon encountered in poor quality situations. Is pessimism undervalued in your organization, thereby providing an overly optimistic picture? Does the management often plead ignorance while escalating risk factors? Do you see significant ‘movements’ in your targets over time (even if they occur in small incremental steps)? If your answer is yes, you might want to seriously consider an improved reporting methodology involving greater objectivity.

Risk VIII: Spread of Analysis

Most management systems are extremely limited to the knowledge pool of the management. However, learning organizations have now become increasingly popular, especially in technology companies, as they provide for more efficient ways to go beyond the knowledge pool of their management into the talent pool of the organization. A good spread of the risk analysis actually helps improve the understanding of the key elements and provides adequate insight to effectively manage the process.

Risk IX: The Transition

The Transition: The biggest challenge from a business perspective is when a risk actually becomes a reality for the business! While many companies have good risk assessment and risk management processes, they fail at identifying the rules of the game when the risks transform into reality. A risk transformed into reality most times, gets converted into another ‘fire fighting measure’ or just another ‘challenge in the real world’ and is often dealt with in that way. This actually defeats the purpose of having a risk management system. A good risk management system helps one identify the drivers and have a good handle on the drivers of the risk thereby, steering the process and maneuvering the business to success, even when it becomes a reality. It ensures that there are adequate feasibility checks to understand how this issue would be tackled in reality.


While there is a lot of sensitization to issues like the culture of the corporate, the strategic postures and the outlay of the management process, it is essential to understand that risks in most cases, start ‘low’ in the business. The term ‘low’ has two fold meaning in this context: (a) low from the organizational hierarchy and (b) low in magnitude or value. Management must realize this fact and en-cash on this aspect when they design their risk management system. While insurances, service providers and lawyers are some of those agencies that actively assess risks in monetary terms, a corporate must understand how its risks are characterized from not just monetary or financial terms, but also from the elements of time, image, goodwill, etc.

The simple test of the efficacy of the risk management system would be the situation where one would have ‘no surprises’ at the operational level! Improve your risk management system. Contact us for more details.

{Originally published in 2009. The whitepaper is accessible here}

How Risky is your Risk Management?

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top