Strategic Risk Assessment-4/6

2010-07-29 / How to do Risk Assessment / 0 Comments

This is a series on the risk manager’s role in strategic planning. In parts 1/6 – 3/6,  I listed risk methodologies, reviewed mission statement examples, and addressed the question “What is an environmental scan?” – all to establish context.

Here I address reasons for poor risk assessment and the importance of risk facilitation skills.

Risk Methodology

Interviews are a common method of risk ID; surveys are also popular, and economy of scale of effort, in particular, recommends them. However, these two techniques commonly encounter methodological problems that invalidate their results.

I believe one reason for the use of interviews is that senior management and executive do not see a risk identification group session as worthy of their time. Organizations beginning an Enterprise Risk Management program will administer, if not interviews, then a survey to get the so-called “top 10 risks”. What can happen is that people responding to both interview and survey questions use very different language, frames of reference, time lines and definitions of risk. The shifting assumptions are not detected when the information is collected and aggregated.

The results of such risk surveys and interviews are not very compelling, and end up on a shelf. I have posted an introductory presentation on how to do risk assessment which quotes 5 studies from 2008 – 2009 in which firms of all types lament their poor risk assessment capability. Here is a screen shot:

risk-management-surveys

I wrote a piece for Canadian Underwriter coming out in September on yet more similar findings in 2010. Essentially, information collected without rigorous risk methodology is not worth the effort.

Risk identification must be done in such a wide variety of contexts. Interviews and surveys (if well designed) will continue to be useful. But in many respects, a facilitated round table of subject matter experts is preferred, and it is an important competency for risk managers.

Risk Facilitation

The benefits of a structured discussion with a measured degree of free interaction – provided you establish the context – are quite amazing. As one client remarked, “People need to hear others’ views of risk around common issues.” This is particularly helpful in contexts where you are trying to achieve consensus in complex and controversial topics. I wrote piece back in 2006 for Risk Management Magazine with a case study of the risk facilitation process.

Formal training in facilitation is good preparation, especially if the subject matter is highly controversial or emotionally charged. If you can chair a meeting and lead a group through a complex agenda, that’s a good start. The crucial difference is that you are carrying out an ordered method, and must meet its requirements.

At the beginning of this series of posts, we listed methods: business continuity and emergency planning; innovation; high quality risk ID and assessment, and risk scenarios. These activities are scarcely possible as solitary research or surveys; they require group sessions. I believe the risk practitioner can facilitate such processes, and transfer this skill to other managers to build organizational capacity.

The next post compares and contrasts two essential risk methodologies:  risk ID and assessment,  and future scenarios planning.

Read More

Strategic Risk Assessment–1/6

2010-07-20 / How to do Risk Assessment / 2 Comments

This is a revised series on the risk manager’s role in planning and strategic risk assessment. Here I discuss risk methodology and establishing the organizational context, including a review of mission statement examples.

Risk Methodology: Techniques to Meet High Uncertainty

Rational planning and risk forecasting are no good — this is the message that Nassim Taleb has recently reiterated. He seems to want to be highly risk-averse in the face of black swan (low frequency, catastrophic consequence) events. But I don’t think rational planning needs to be so extremely discredited, and excessive risk aversion is not the answer.

Despite inaccuracies in forecasts and unpredictable events, we can’t give up planning altogether. Risk managers can use several complementary methods to approach strategic risk assessment. Notice how each of them does require planning, but reduces reliance on a precise forecast of events:

1. Business continuity and emergency planning, of course, strive for preparedness against disaster risk. An all-hazards approach efficiently protects mission-critical functions.

2. Innovation. I believe in the role of the risk manager as innovator to lead a culture of invention, adaptability and flexibility. This is the pro-active identification of opportunity, and supports strategic objectives.

3. High Quality Risk Assessment. We need to check the assumptions underlying conventional forecasting, modeling and probability estimates. High quality risk assessment means identifying risk comprehensively and rigorously within a properly defined context

4. Future scenario planning contemplates extreme yet plausible futures: we can develop options, and improve strategic resilience.

All of these methods start with an exercise in establishing the organizational context, in terms of what I call Strategic Identity.

Strategic Identity

This is a diagram to help define the essence of an organization, as a preliminary step to planning and risk assessment. Notice that objectives do not appear in the model, because they are means to pursue the vision and will vary to suit circumstances.

Mission and Vision

Mission is the reason for being of an enterprise, public or private, describing how the organization is answering a need.

Consider the first few in this list of Fortune 500 mission statements examples.

Many mission statements use hyperbole and vague language (“the best…” “the most progressive…”). The mission statement for Aflac near the top of that page, for example, is a little too vague; it could almost apply to any business. It also states “aggressive strategic marketing” – which is a method towards an end, not the end itself, and so has no place in the mission.

Compare it with the one for Advanced Auto Parts, at the very top of that same page. That mission statement includes mention of the client group, the service staff and the nature of the products and services (“inspire, educate and problem-solve”) in terms that are recognizable and verifiable – without being actual performance measures, and without limiting the methods and delivery channels the firm might use to achieve those things. In other words, a good mission statement will galvanize and focus action, but not limit it.

Distinct from Mission is Vision, which is an eventual outcome, a picture of a future state towards which the organization is striving. If I were to invent one for Advanced Auto Parts, I could say: “A satisfied, diverse, extensive and well-informed clientele enthusiastically engaged with the firm as loyal clients, interested students, business partners and participants in our programs.” I just made this up on the spot, but I tried to make each element of the vision something fairly concrete to strive towards in one or another aspect of the business; it also describes a desired end state.

In the next post I’ll talk about the other elements of Strategic Identity.

Read More