Risk Management - Kaplan

7/31/2019 Risk Management - Kaplan

1/52

Copyright President & Fellows of Harvard College

Managing Risks: A New Framework

Anette MikesHarvard Business SchoolIRM, Manchester, 25 April 2012


2/52

A Case Study in Risk Management


3/52

Risk Management is Non-Intuitive

3


4/52

JPL engineers graduate from top schools at the

top of their class. They are used to being right

in their design and engineering decisions. I haveto get them comfortable thinking about all the

things that can go wrong.

- Gentry Lee, Chief Systems Engineer, NASA JPL


5/52

Risk Management and the Financial Crisis

Conflicting pressures?

Faster, better, cheaper

Growth, profit, control

The cultural position of the risk function

Companies that failed had relegated risk management toa compliance function, with no access to topmanagement.

HBOS had "a cultural indisposition to challenge" and thatthe task of "being a risk and compliance manager felt abit like being a man in a rowing boat trying to slow downan oil tanker. UK Treasury Committee (7threport); Paul Moore


6/52

Do complex organizations fail inevitably?


7/52

BP Deepwater Horizon: Post Mortem

The disaster can be attributed toan organizational culture and incentives

that encourage cost cutting and cutting of corners

that reward workers for doing it faster and cheaper,but not better.

Management failure crippled the ability of individuals

involved to identify the risks they faced, and to properly

evaluate, communicate, and address them.

-The National Commissions Report to the President


8/52

8

Individual and Organizational Biases

Risk mitigation is painful; not a

natural event for humans to

perform.Gentry Lee Chief Systems Engineer,NASA, JPL


9/52

Individual biases:

Overconfidence

Tendency to anchor our estimates

Confirmation bias

Escalation of commitment

Organizational biases:

Groupthink

Rather than mitigating risk, firms incubate risk through the normalization of

deviance

Effective risk-management processes must counteract those biases

9

Individual and Organizational Biases

Risk mitigation is painful; not a

natural event for humans to

perform.Gentry Lee Chief Systems Engineer,NASA, JPL


10/52

Whats distinctive about risk management?

A practice-based definition

(Kaplan & Mikes, HBR forthcoming):Active and intrusive processes

that

are capable of challenging

existing assumptions about the

world within and outside the

organization

... communicate risk information with

the use of distinct tools (risk maps,

value-at-risk models, stress testsetc.)

complement, but do not displace,

existing management control

practices

10


11/52

Risk management is too often treated as a compliance issue

New categorization of risk

Some risks can be managed through a traditional rules-based model and some

require alternative approaches

Companies need to anchor risk discussions in their strategy formulation and

implementation processes.

11

Different Types of Risk Management


12/52

Different Types of Risk

12


13/52

Risks arising from within the company that generate no strategic benefits

Eg: risks from employees and managers unauthorized, illegal, unethical, incorrect,

or inappropriate actions; risks from breakdowns in routine operational processes

Companies should seek to eliminate these risks

Active prevention: monitoring operational processes and guiding peoples

behaviors and decisions toward desired norms

13

Category I: Preventable Risks


14/52

Risks voluntarily accepted by the company in order to generate superior

returns from its strategy

Eg: credit risk assumed by a bank when it lends money; risks taken on by

companies through their R&D activities

Not inherently undesirable

Reduce the probability that the assumed risks materialize and improve the

companys ability to contain the risk events should they occur

14

Category II: Strategy Risks


15/52

Risks arising from events outside the company and beyond its influence or

control.

Eg: natural and political disasters; major macroeconomic shifts

Companies cannot prevent such events from occurring

Management must focus on identification (obvious only in hindsight) and

mitigation of their impact

15

Category III: External Risks


16/52

Managing Preventable Risks

16


17/52

Failures in Controlling Preventable risks

Siemens Bribery and Corruption Scandalo Pay $1.6 billion in fines and $850 million for internal investigations by

outside lawyers and accountants.

o Nine former members of Managing Board sued for $28.3 million for

breaching fiduciary duties

o Two former CEOs agree to pay more than $10 million to settle cases

brought against them.

Socit Gnrale: The Jrme Kerviel Affair

o Losses of about7 billion (2007).

o Socit Gnrale has to raise5.5 billion in new capital.


18/52

Situational forces: The fraud triangle

18


19/52

Situational forces - How good people turn bad

19

Organizational pressure

Group pressure and the Lureof the Inner Circle

Blind obedience to authority

Not recognizing red flags andan exit opportunity


20/52

What individuals can do - Step up to situationalforces

20

Stand firm on principle despite intense pressures

I am responsible

Whistle blowers: individuals who are aware of illegal or unethical

activities who report the activities without expectation of reward

Heroes risks:

Career risk

Professional ostracism

Loss of status

Financial loss

Loss of credibility


21/52

Companies cannot anticipate every circumstance or conflict of interest that an

employee might encounter, but should clearly articulate their

Mission

Values

Boundaries

Top managers must serve as role models

Importance of strong internal control systems and independent internal audit

department

21

What corporate leaders can do


22/52

Medicine is for people, not for

profits. The profits follow, and

if we have remembered that,they have never failed to

appear.

-George Merck, CEO and founders son (1950).

The Mission


23/52

Beliefs System

Domain for Searchand Empowerment

Boundary System

Boundary Systems

Opportunity Space


24/52

Managing Strategy Risks

24


25/52

Building great things means taking risks.

This can be scary and prevents most companies from

doing the bold things they should.

However, in a world thats changing so quickly, youreguaranteed to fail if you dont take any risks. We have

another saying:

The riskiest thing is to take no risks.- Facebook IPO prospectus

25


26/52

3 distinct approaches to managing strategy risks

One size does not fit all In terms of the structures and roles for the risk

management function

However, all encourage employees to challenge existing assumptions and

debate risk information

26


27/52

27


28/52

High intrinsic risk, but risk changes slowly over time

Risk management handled at the project level

Case: Risk management at JPL

CRO

Risk review board made up of independent technical experts

Role is to challenge project engineers design, risk-assessment, and risk-mitigation

decisions (culture of intellectual confrontation )

Authority over budgets: establishes cost and time reserves according to its degree

of risk

28

I. Independent Experts


29/52

29


30/52

30


31/52

31


32/52

Risk stems largely from seemingly unrelated operational choices across acomplex organization that accumulate gradually and can remain hidden for along time

Risk management by a small central risk-management group that collects

information from operating managers

Hydro One

CRO runs workshops with employees from all levels and functions

Employees identify and rank the principal risks to the strategic objectives

Capital allocation and budgeting decisions linked to identified risks

32

II. Facilitators


33/52

33


34/52

Risk profile can change dramatically with a single deal or major marketmovement

Risk management by embedded experts within the organization tocontinuously monitor and influence the businesss risk profile, working with

line managers

Danger for the embedded risk managers to go native

JP Morgan Private Bank

Report to both line executives and a centralized risk-management function

Continually ask what if questions

34

III. Embedded Experts


35/52

Companies tend to label and compartmentalize risk, especially along

business function lines

Companies can achieve an integrated risk perspective by anchoring their

discussions in strategic planning

Companies also need a risk oversight structure

35

Avoiding the Function Trap


36/52

Risk discussions generated from the Balanced Scorecard

Eg: growing client relationships identified as a key objective,

Management realized that strategy had introduced a new risk factor: client default.

Implication: monitor CDS rates of large clients etc....

36

Infosys As we asked ourselves about what risks we

should be looking at, we gradually zeroed inon risks to business objectives specified in

our corporate scorecard.MD Raganath, CRO, Infosys


37/52

Risk discussions generated from the companys strategy map

Risk events identified for each objective

Risk Event Card prepared for each risk

High-level summary of results presented to senior management

37

Volkswagen do Brasil


38/52

38

Volkswagen do Brasil: Risk Event Card


39/52

39

Volkswagen do Brasil: Risk Report Card


40/52

Hydro One:

Large company, but small risk group

JPL / JP Morgan Private Bank:

Small companies/units, but multiple project-level review boards or teams of

embedded risk managers

Infosys:

Dual structure: central risk team; specialized functional teams

40

Organizing the risk function


41/52

Managing External Risks

41


42/52

Some external risk events sufficiently imminent for managers to manage themlike their strategy risks

Eg: risk of increased protectionism at Infosys

Most external risk events require a different analytic approach

Probability of occurrence very low

Difficult to envision them during the normal strategy processes

42


43/52

Natural and economic disasters with immediate impact

Eg: 2010 Icelandic volcano eruption; bursting of a major asset price bubble; 2011

Japanese earthquake and tsunami

Geopolitical and environmental changes with long-term impact

Eg: political shifts; long-term environmental changes; depletion of critical natural

resources

Competitive risks with medium-term impact

Eg: emergence of disruptive technologies; radical strategic moves by industry

players

43

Sources of External Risk


44/52

Tail-risk stress tests Assess major changes in one or two specific variables whose effects would be

major and immediate, although the exact timing is not forecastable

Depends critically on the assumptions (may themselves be biased)

Scenario planning

Systematic process for defining the plausible boundaries of future states of the

world

Long-range analysis (typically 5-10 year)

War-gaming

Assesses a firms vulnerability to disruptive technologies or changes in

competitors strategies

44

Dealing With External Risks


45/52

Wrap-up

45


46/52

Risk management focuses on uncertainties that could impair mission andstrategic objectives

Mitigating risk involves dispersing resources and diversifying investments

Most companies need a separate function to handle strategy- and external-

risk management

46

Risk Management is Not Strategy Management


47/52

Smart questions or dumb questions?

Do you have an embedded risk management system?

Do you have a strong risk culture?

Do you have a risk appetite policy that is well understood by every member of

the organization?

47


48/52

Dumb questions

Lack traction, and is relatively easy for a CEO or CRO to answer and deflectwithout revealing much of substance

Invite busy executives to rehearse risk management clichs

The answers to banks of dumb questions are more likely to be self- reinforcing

and reveal little about the real risk management.

They will tend to produce an illusion of control.

Power, M., Smart and Dumb Questions to Ask About Risk Management.Risk Watch, May 2011

48


49/52

Smart questions to the CEO

What are the processes by which you satisfy yourself that risk appetite is a realconstraint on action?

Is the organization good at stopping bad projects that have gained

momentum?

When was the last time something was stopped in the organization because itwas considered too risky?

How do you feel about meetings with the chief risk officer? Do you feel you talk

to your chief risk officer enough?

What are the three most important bits of management information that you

use each day? What do they tell you, if anything, about risk?

49



50/52

Smart questions to the CRO

Have you ever been excluded from meetings that you felt you ought to attend?

What did you do about it?

Do you feel you have enough contact with the CEO?

Can you envisage being able to veto developments? Did you ever try, and why?

Are you involved in product development from the beginning? If not, why not?

50


Its an evolution: Risk managers shape their


51/52

It s an evolution: Risk managers shape their

own fate too!

Taking responsibility or shifting blame

Competing with other staff groups

Expanding or limiting boundaries

Working on the relationship with the business

51


52/52

Thank you!

Documents

Risk Management - Kaplan