Monthly Archives: October 2014
Over a career extending more than 30 years, Fishkin has held senior roles across the spectrum of financial services. He was hired by SEC Chairman William Donaldson to create and lead the agency’s Office of Risk Assessment, serving as its director from 2004 to 2007.
He is the author of The Shape of Risk: A New Look at Risk Management (Palgrave, 2006). Fishkin is an adjunct professor in the Masters Program in Financial Engineering at Bernard M. Baruch College of The City University of New York.
The Corporate Board: Risk has become a major concern for corporate boards, but companies still seem to fumble their risk management. Why?
Charles Fishkin: A key reason is the dynamic nature of risk. Companies change and evolve, sometimes very rapidly. They enter new markets and new jurisdictions, develop and sell new products, and hire new staff. Markets and industries change rapidly too.
The ways companies approach governance also need to evolve. Governance is a dynamic activity. It needs to be durable, adaptable and flexible. Too often, companies continue along with a governance structure that’s inadequate, or that hasn’t evolved sufficiently to adapt to changes.
TCB: How do companies and their boards assure this risk governance change happens?
Fishkin: An important starting point is to consider the wide range of decisions that companies have to make. When directors describe their governance, they usually talk about an organization chart that shows the reporting relationships of senior executives, and various governance committees — a risk committee, compliance committee, conflicts committee and other governance committees. They also describe the roles of the chairman, CEO, the board and the various subcommittees of the board, such as audit, risk, compensation and others.
These components are important, but they only speak to a small subset of the decisions about risk that any company makes. It’s important to distinguish between an oversight function and the people who make most of the decisions on a daily basis.
A board of directors meets a limited number of times per year. A risk committee may formally meet monthly or quarterly. Many meetings may last an hour or two, or at most a day. This means that only a few topics are discussed, and in a broad manner.
TCB: How can a board deal with this problem?
Fishkin: The board should adopt an approach to governance that anticipates potential problems. Will an existing governance process be effective under changing conditions? If not, what needs to be done at the earliest stages?
Governance involves setting strategy, allocating people and capital, making investments, designing products, hiring, paying, marketing and all the other activities that a company demands. It relies on data, the use of models and the size of a company’s risk taking. A particularly important aspect of governance is the role of process, especially as it relates to how decisions are made and approved.
TCB: Why is “process” so important to effective governance?
Fishkin: Process is structural. It involves approvals, checks, controls and scrutiny throughout an organization. Effective governance means that decisions can be made in a flexible way, but at the same time have appropriate limits and oversight. Process provides consistency and structure for these decisions that are made every day. If designed properly, process brings scrutiny and challenge that should be applied so decisions are made in a thoughtful manner.
Every decision can’t be analyzed by the senior-most management, but it defines the scope of decisions that require additional attention. Process also helps organizations act with agility.
People know what decisions they can make, and do so freely.
TCB: What about the role of company culture?
Fishkin: Culture is important too. These are the fundamental values that are important in a company. They’re expressed in various written documents, but more importantly culture also informs decisions and actions.
TCB: How does the board distinguish between reasonable risks and those the company shouldn’t take?
Fishkin: Taking the right risks is crucial to sound management. This means that a company must carefully understand the risks it’s exposed to. A decision to manage one risk may give rise to another. You need to weigh the ramifications of every decision.
TCB: How do you ensure your risk oversight system can handle that?
Fishkin: That’s a complex question. You have to work at it, every day, across all company units. Organizations need strong controls and “checks and balances.” That means oversight processes that have their own identity and will, with strong cultures of compliance and risk management.
There has to be alignment between what management says and what management does. You need to continuously be asking, “Do we have the right staff, the right business model, the right balance between revenue creation and franchise protection?” Look at companies that stumble, and those that consistently succeed.
The difference is often found in the elements that comprise a governance program and governance-centric culture. This includes clear messages from senior management, well-defined processes, excellent people at all levels, thoughtful pay programs and a well-resourced infrastructure.
THE CORPORATE BOARD
4440 Hagadorn Road, Okemos, MI 48864-2414
© 2014 by Vanguard Publications, Inc.
For Reprints contact: firstname.lastname@example.org
Reprinted in TheGRCBlueBook with permission from The Corporate Board
I was a risk manager before risk management was cool!
It seems that everyone wants to be a risk manager today. This is great news, because the more people thinking about risks, the better. But there is an uneasiness about risk management today, with expectations that swing between a necessary evil and Risk as a Service. The truth, as usual, lies in the details.
To date, no central self-regulatory group has emerged in risk management with the mission of defining the language of risk. Risk management has developed from the ground up with a diverse and eclectic set of specialized risk standards that span industry, government, sovereign entities and the military.
Risk management has become “hip” and very confusing as well!
Should risk management be codified?
How an organization defines its risks shapes the expectations and duties of a risk manager. How one measures a risk management program depends, in large part, on the success of its outcomes. All too often, organizational risk programs start with a definition of risks but fail to clearly define the expected outcomes of the program.
Vague definitions of risk outcomes are easily identified by statements such as “no surprises”, “proactive” and “look around corners”. Even regulatory prescriptions such as “prevent, detect and correct” are less than informative.
Are these realistic outcomes or the wishes of management and regulators to not deal with uncertainty and the messiness of bad judgment?
Uncertainty, by definition, cannot be anticipated, including the vagaries of human behavior and random events that can disrupt operations. When unexpected events happen, is it a failure of the risk program or a chance event? Risk happens, but all too often the inevitable second-guessing of the risk program has become a competitive sport inside and outside of many organizations.
The imprecise use of the language of risk has led to unrealistic expectations of risky outcomes. Codifying risk management may be easy in theory but impractical in the real world.
There are benefits to standards and a common language in risk management. The development of risk standards and frameworks has broadened risk awareness. Less well understood is the difference between a risk and uncertain events.
Humans, including risk managers, are still prone to judgment error and have not evolved the skills to “prevent and detect” uncertainty before it happens. Judging a risk program when it fails to anticipate an uncertain event is like expecting risk management to accurately predict the weather 100% of the time. We joke when the Weather Channel overstates adverse conditions, but careers are not ruined if the storm is more or less severe than expected.
Is the next milestone in risk management a fuller recognition of human behavior? Standards and frameworks are less responsive to real-time risks. The Bill Gross/Pimco dilemma is an interesting example of uncertainty. And Gross is not the only example. It is instructive that human behavior is hard to anticipate. Maybe more instructive is the fact that most organizations don’t anticipate that uncertainty, not risk, is the big disruptor of organizational outcomes.
What is risk management?
Not surprisingly, if you research the definition of Enterprise Risk Management you will get more than two dozen slightly different versions. What other profession has 24 or more different definitions for one fundamental concept?
Risk, it’s complicated.
Let me give you one example of a definition for Enterprise Risk Management from a consultant in the Healthcare Industry. A true quote:
“Healthcare Risk management’s role was formally focused on claims & loss control. Over time the risk manager graduated to an expanded focus on clinical risk in-hospital. Unfortunately the position remained reactive versus proactive with a focus on [inspection check-off lists].” “Today’s Enterprise Risk Management approach must be system-wide, include a multidisciplinary approach and incorporate an integrated application designed to address risk across the continuum of care. ERM’s goals must assist the organization in achieving its objectives, reduce uncertainty, minimize process variability, promote patient safety, maximize return on assets and enhance asset preservation while recognizing the diversity of risk possibilities.”
There are brilliant risk managers in every organization, and a few may actually have many of the skills described above, but let’s assume that you are this person. Would you be given the leverage and decision-making ability to accomplish all of the expectations described in this job description? Risk management is seldom critical-path to strategic financial and business objective setting.
In reviewing each of the two-dozen or more definitions of enterprise risk management it is easy to understand why there would be some confusion given obtuse descriptions like the one above.
Risk management isn’t an effort conducted in the isolation of one department. Risk management is an outcome of grounded decision-making across an organization. Even great firms struggle with the challenge of coordinating the efforts of risk management and prioritizing the diversity of risks that are becoming more transparent.
Not all risks deserve the same attention
When things go badly in companies, “culture” is typically cited as the true cause. Corporate culture may be overrated as a governance control. Who is responsible for an organization’s culture?
In most organizations, senior management sets the tone for how aggressively or conservatively an organization pursues risky ventures. Management incentives often determine which route is pursued, yet risk management is often judged by the outcome of the decisions that work out versus the ones that fail.
The uncertainty of choosing between the two is the real challenge!
Risk is in the eye of the beholder!
Research has shown that we each see risks differently. Heads of state must deal with different risks than their counterparts in non-profit organizations. Is it realistic to expect a framework to account for the nuance inherent in all organizations? Some managers are risk averse while others are risk takers. Aligning the organization with the risks taken is the art of risk management.
Removing the Tower of Babel
Let’s simplify the language of risk. If risk is in the eye of the beholder, we must be able to discuss risk using terms that everyone understands. The importance of developing a common understanding of risks should not be underestimated. A lack of agreement on risks is one of the leading causes of a failure to execute.
But in order to simplify the language of risk, it is important to talk in terms of how we each experience risk. Even very powerful people like Bill Gross have fears. Would things have turned out differently if communication had not broken down? We will never know the answer, but it is clear that risk management is as intimate as a broken relationship.
Sometimes, risk management is just about listening and being heard.
James Bone is a Behavioral Risk Consultant with more than 20 years of experience in senior risk management roles across a variety of complex industries. Follow James at TheGRCBlueBook.com