Your Risk Program is Failing and You Don’t Even Know It
Your Risk Program is Failing and You Don’t Even Know It
You may be asking how anyone can make such a bold statement without knowing the details of your specific risk program. Actually, I know more about your risk program than you realize and that’s why I know its failing. I also know that as much as 55% of the cost of all risk programs are wasted! And more importantly, I can prove it.
Let me demonstrate: Your risk program (audit, risk management, compliance, ethics, IT and governance) is risk-based. You have assessed your risks and mapped your controls accordingly. You have policies and procedures tied to risks and associated internal controls and you monitor the effectiveness of controls on a periodic basis and provide some form of risk reporting using key risk indicators and metrics. You can effectively articulate the three lines of defense of your risk program.
Independently, internal and external auditors test your controls and you have created some form of management certification to demonstrate that management has signed off on the attestation of the operation of the effectiveness of these controls. In some cases, you use a combination of off-line and online systems to track the operation of your various risk program activities. You use one or more risk frameworks as a model for the operation of your risk program.
Some firms have augmented their program with Six Sigma and other quality control measures. Depending on the level of detail in your organization you have documented hundreds, no thousands, of controls and created heat maps, workflows and graphs to justify the millions of dollars spent on staff and other resources to monitor compliance of your controls.
Where required by regulatory mandate in your industry; Basel, FINRA, SEC, HIPPA, or some other governmental or quasi self-regulatory agency you may be required to measure or quantify risk capital in the event of losses in your operations or protect against financial fraud. You may even have advanced governance programs in place with risk committees, detailed reports to the board of trustees, and various board level committees focused on risk management. You have satisfactorily passed regulatory review and internal and external audit examinations.
These practices are confirmed in industry conferences, training programs and are included in a variety of skills certification courses. Risk professionals across all highly regulated industries globally say this is what they do with some variation of sophistication noted, yet something is missing.
The vast majority of these programs are failing!
This is a troubling development given the increase in global competition and rapid advancements in technology. The cost of failure is significant and rising! So what is the problem?
Before I tell you why your program is failing please answer the following questions about your program:
1. Do you use Probability or Likelihood versus Impact (or a similar variation) to assess and/or measure risks?
2. Do you use Risk and Control Self Assessments or operational self-assessments to measure risks?
3. Do you use surveys, interviews, or some other questionnaire to assess or measure risks?
4. Does your risk assessment program or processes frequently tell you something you didn’t ask it to tell you?
5. When you evaluate risks does it include a range of outcomes for each risk event with probabilities and confidence levels assigned to each outcome?
6. Do you maintain a dynamically updated stochastic library or database of risk incidents that can be used to run scenarios of statistical inference of risk?
If you answered yes to the first three and no to the next three questions your risk program may be failing to detect risks that are buried out of sight!
Here is why! If your risk program fits the descriptions above it has been designed to assess and measure uncertainty, not risks. The vast majority of risk programs are designed to assess the likelihood of an event that might occur!
There is a fine distinction made between a Risk and an Uncertainty. We know a Risk because it has been made tangible. The impact of a risk is recognizable by others even if one has not personally experienced it. However, each of us may perceive the same risk differently yet there is an understanding of the need to address it.
Uncertainties are harder to pin down. Hurricanes are a frequent occurrence and we know the risks BUT we don’t know what the actual impact will be, where the most severe damage will occur and there is little you can do but prepare the best you can. Fortunately, because of the risk of hurricanes we have learned to model their behavior to reduce the loss of life.
The tools that are used in risk programs to conduct the evaluation of uncertainty are subjective educated guesses with low statistical value because uncertainty is arbitrary and random by definition. In other words, uncertainty is nearly impossible to measure with accuracy.
On the other hand, risks are measurable. An operational loss or business disruption can be quantified. The frequency of a risk can be calculated and modeled with some degree of confidence, if historical patterns remain in tact. Risks can be reduced to more acceptable levels providing opportunities to save the firm money and improve operations. However, risks cannot be eliminated entirely yet the choices a firm makes for dealing with risks determines the success or failure of a risk program.
So why do nearly all firms spend 55% or more of its time assessing uncertainty? Wouldn’t the millions of dollars lost attempting to measure what might happen be better spent reducing real risks? Of course it would, but there is an insidious reason that risk professionals and business leaders avoid making the necessary changes to dramatically improve the odds of success in their risk programs. FEAR!
Plain and simple, we are afraid of uncertainty and the factors of surprise it entails. Uncertainty is hard to explain to management and it is even harder to justify why it happened on your watch. We have learned from behavioral scientist that losses loom larger than gains, which means that we are willing to spend $0.55 of every dollar to try to avoid uncertainty, rather than keep these savings and reduce risks.
It seems irrational to spend so much money assessing an immeasurable outcome but it is part of a phenomenon called intertemporal choice. Intertemporal choice is the process each of us uses to make decisions. It explains why we spend more time planning our vacation activities than saving for retirement. Or why we are willing to take $100 today rather than $125 one year from now.
Intertemporal choice also explains why our risk programs are failing. It is safer, we assume, to do what everyone else is doing and take comfort in the fact that it is called a best practice.
What’s needed? Robust diagnostic tools and education!
Medical doctors would be liable for medical malpractice if one common prescription is used to remedy all health risks. Likewise, risk professionals must develop a robust set of diagnostic tools to learn more about the real risks that exist in their business. The patient is the organization and it “presents” symptoms that send signals about the underlying risks.
Advancements in diagnostic tools and processes have accelerated in recent years and risk professionals must begin to become more familiar with how they work and can be used in their business. This is where education plays a significant role. The history of data science is still evolving but is critical to building sustainable and robust risk programs. As risk professionals become more comfortable with a range of diagnostic tools these processes can become operationalized and incorporated into business processes.
Until these tools and processes are in place risk professionals should begin to discuss the practical steps a business can take to better understand what is known and not known about risks. This is a journey, not a one shot process!
Uncertainty can also be modeled but not with precision. We must admit with humility that risk professionals are human and cannot see around corners. At least not clearly! When we reach the boundary of our understanding of risk and uncertainty caution is required. The proper use of data, diagnostic tools and education is enhanced where corporate culture is supportive of the learning process.
No one has solved uncertainty but you can benefit from it if you take measures to understand what you don’t know. Take Jeff Bezos‘ purchase of the Washington Post.
Bezos has confounded his competitors since the launch of Amazon.com. There is a great deal of speculation about what Bezos plans to do with the Post. Only Jeff knows for sure but he has taken the strategic use of uncertainty to an art form and created one of the truly great organizations in America.
Special thanks to Jerry D. Norton, Partner with Candela Solutions, a CPA firm targeting Governance