Risk Management 101
Introduction To Business Risk Management
Welcome to Risk Management 101, Titan Grey’s primer on the fundamentals of managing risk in business. The objective of this primer is to provide readers with a basic understanding of the fundamentals of risk management, including key vocabulary and select frameworks and techniques.
As a discipline, risk management can be difficult to write about. The subject itself can be dry, at times. When deployed in professional practice, there are unavoidable frameworks, guidelines and standards to adhere to. And in order to be effective at its purpose (i.e., mitigating / managing risk), the art and science of risk management has developed into something rather technical. And so, in our writing style for this primer, we’ve tried to keep things as easy and conversational as possible.
Business Risk Management
We’re all basically familiar with what the concept of risk management is, even if we might not call it that in our everyday lives. Nevertheless, it’s something we do constantly.
Have you ever looked both ways before crossing the street? Congratulations, you’ve managed risk. Do you have a routine before you leave the house so that you don’t forget your wallet, cell phone and keys? Again, bingo, that’s a form of everyday risk management. In the day-to-day, we’re all managers of risk.
When it comes to business, things get a little more intense. That’s mostly because the nature of the risks businesses face is more complicated than that of the risks we face in everyday life. But it’s also at least partly because putting things in a business context inherently subjects them to more scrutiny and a desire to expand and optimize. When it comes to risk management, at least, that’s not a bad thing.
Put simply, business risk management is the practice of:
1) creating an inventory of all reasonably possible risks a business might face;
2) mapping, to that inventory, all of the established ways in which that business plans to act in response to the occurrence of any inventoried risk;
3) making an assessment of the adequacy of each of the business’s current plans of action vis-à-vis industry best practices;
4) fixing the inadequacies in order of priority; and
5) coming up with a way to check in on the overall set of action plans on a regular basis.
Now, is the above overly simplistic? Maybe, but not unfairly so. The above five steps are an accurate reflection of what business risk management is, it’s just that each of the steps is almost unfathomably deeper than our little list has made it seem. And the depth to which each step goes changes based on a variety of characteristics of the business whose risk is being managed. For example, a public company will have to manage risks that a private company won’t, a hospital will have to have better risk defenses than a car dealership, and so on.
Deploying Risk Management In Business
The process and “work” of professional business risk management is generally performed by a dedicated and centralized risk management function or business unit. The headcount size and skill-based composition of these units varies depending on the size, scope, and capabilities of the underlying business.
For instance, at a large public company, we’d expect to see a dedicated risk management function helmed by a Chief Risk Officer (“CRO”), with significant headcount broken down into generalists and specialists in various areas of risk, and the deployment of state-of-the-art technological resources aimed at augmenting the organization’s risk detection and monitoring capabilities.
For companies at smaller scales and scopes of operation, the above resource deployment might be out of reach. However, instead of opting for no organized risk management at all, risk-smart organizations find ways to activate similar functions on a resource-light basis.
For example, at startups and other small companies, we tend to find CEOs or COOs taking on the workstreams that would typically fall within the remit of a CRO. Instead of dedicated risk management staffing, line-level managers of the company’s various business units take on primary risk management responsibilities for the areas of risk that generally correspond with their ordinary roles and responsibilities within the business. For instance, CTOs generally become the lead on cybersecurity-related risks, heads of human resource departments get tasked with managing workplace-related risks, and so on.
Scoping & Scoring Business Risk
Risk management isn’t an exact science. While there are quite a few ways in which to use data and quantitative analysis in the risk management process, there are inevitably also a good many qualitative elements and subjective judgments that factor in. And nowhere in the business risk management process is this more true than in the scoping and scoring of risk.
In the context of business risk management, risk “scoping” refers to the task of inventorying all of the risks to which a business may reasonably be subject. “Scoring” is a follow-on process, involving various methods of sorting the risk inventory into an order by priority. Typically, risk managers focus on sorting risk based on certain axes, e.g. likelihood, magnitude, existing control state, augmentation costs, etc.
Turning back to the dichotomy of quantitative versus qualitative analysis, there are some risks that are best evaluated using data, and others for which a more nuanced, experience-based approach is more appropriate.
For an example of a typically data-driven risk management area, think about how a global manufacturer might hedge its exposure to spikes in raw materials pricing using algorithmic trading of commodity futures. A trading algorithm analyzes data, and makes decisions based on parameters set in accordance with the business’s risk tolerance. The process here is almost entirely data-driven.
For the opposite, consider that same manufacturing business trying to figure out its state of risk for violations of the U.S. Foreign Corrupt Practices Act (“FCPA”). Sure, there might be some data involved, but by and large, these decisions are typically made, and rightfully so, by consultants and lawyers leveraging years of experience and knowledge of current industry best practices.
Conducting a scoping and scoring process, also known as an “Enterprise Risk Assessment,” can be incredibly challenging, both because of the breadth of the workstream, and the depth of experience required in order to conduct it successfully. It’s no surprise, then, that risk management tends to draw the attention of multi-faceted business personnel, attracting those with interdisciplinary capabilities and widespread professional interests. Well-rounded, seasoned business risk managers must possess a relatively high level of fluency in areas such as finance, law, technology and data science, as well as competence in soft skill areas such as interviewing, data collection and data presentation. The application of these skills begins in scoping and scoring, and continues throughout the business risk management process.
Risk Matrix / Risk Management Dashboard
For most any business, the scope of risk will be fairly broad. The number of risk factors will be large. And oversight over the lot of it will be vital. While there are a number of ways in which to lay out the data gathered in the scoping and scoring processes, the most common, and simplest, way in which to do so is via a risk matrix or “dashboard.”
A dashboard, much like that in a modern car, offers the user a summary picture of the status of the various systems at work. Unlike vehicle dashboards (at least for now), though, a risk management dashboard is typically created in the form of a spreadsheet. The spreadsheet dashboard lists out the risk factors identified in the scoping exercise, typically with each factor flagged according to its relative priority within the overall risk picture for the business. This alone—reflecting the work product of the scoping and scoring workstreams—is often referred to as a “risk inventory.”
From the risk inventory, risk managers document, on a risk-by-risk basis, the control or controls positioned by the business to mitigate or prevent, to the extent possible, each specific inventoried risk. The mapping of a business’s existing controls to its inventoried risks, otherwise known as a “Risk Control Assessment,” forms the foundation of a risk dashboard, and an overall risk management program within a business.
In its simplest form, a risk control is something that deters or attempts to prevent a risk from occurring. In many cases, a control may also serve to mitigate the potential harm posed by the applicable risk.
For instance, with respect to the risk of employee litigation arising out of workplace sexual harassment, having a written policy on sexual harassment would be an example of one control in the risk’s overall control environment.
However, it’s not enough to just establish that a control exists. For risk management to be effective, controls must be regularly tested, evaluated and augmented, if needed.
The testing and evaluation of risk controls typically warrants professional assistance, owing to both the extent of work and depth of knowledge required in order to be truly effective.
Taking the above example of an anti-harassment policy, a professional adviser may look into, among other things:
1. whether the policy is properly drafted, with a particular eye to employee comprehension;
2. whether the policy effectively tracks federal, state and/or local law, as applicable;
3. when and how the policy is distributed to employees;
4. whether employees are given further training on the policy and its requirements; and
5. whether records of employee training and attestation are being appropriately stored and internally audited.
Of course, there’s still more to look into when investigating the adequacy of a corporate policy. Moreover, having a sound and well-tailored corporate policy is usually just the tip of the iceberg when it comes to establishing a proper control environment for any particular risk. It naturally follows, then, that a well built-out risk management dashboard takes into account not just a business’s inventoried risks and the controls in place for the same, but also information about the state of those controls and the immediacy with which they may require augmentation.
Identifying controls and control environments requiring augmentation involves a comparison of a business’s current state of controls / control environments versus a professionally determined ideal or “target” state of controls given a business’s specific risk profile. This comparison process is often referred to as a “Risk Control Gap Analysis.”
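The scoping, scoring, control-mapping and gap-analysis steps described above are, at bottom, a small data model plus two sort-and-compare passes, and a spreadsheet is not the only place they can live. The following is an added illustration, not Titan Grey’s own tooling or template: it builds a risk inventory, maps controls to each risk, scores likelihood and magnitude, compares each control’s current state against a target state, and ranks the result for a dashboard. The 1–5 likelihood/magnitude scales, the 0–4 control-maturity scale, the weighting in priority(), and the sample risks and controls are all assumptions constructed for the example.

```python
"""Risk inventory, risk control assessment and risk control gap analysis.

Added illustration (not Titan Grey's own tooling). The scales, the priority
weighting and the sample inventory below are assumptions made for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    current_state: int   # assumed 0-4 maturity: 0 = absent, 4 = tested and audited
    target_state: int    # professionally determined target on the same scale


@dataclass
class Risk:
    name: str
    owner: str           # line-level owner, e.g. the CTO for cyber risk
    likelihood: int      # assumed 1-5 scale
    magnitude: int       # assumed 1-5 scale
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x magnitude, before any control is credited."""
        return self.likelihood * self.magnitude

    def control_gap(self) -> int:
        """Sum of (target - current) across the control environment; 0 = at target."""
        return sum(max(c.target_state - c.current_state, 0) for c in self.controls)

    def priority(self) -> int:
        """Inherent exposure weighted by distance from the target control state.

        A risk with no mapped control is charged a full gap (4 on the assumed
        scale) so that an undocumented control environment never ranks as done.
        """
        gap = self.control_gap() if self.controls else 4
        return self.inherent_score() * (1 + gap)


def rank_risks(inventory: list[Risk]) -> list[Risk]:
    """Scoring pass: order the inventory by priority, then by inherent score."""
    return sorted(inventory, key=lambda r: (-r.priority(), -r.inherent_score(), r.name))


def gap_analysis(inventory: list[Risk]) -> list[tuple[str, str, int | None]]:
    """Gap pass: one (risk, control, gap) row per control below its target.

    Risks with no mapped control get a row with a None gap so they are visible.
    """
    rows: list[tuple[str, str, int | None]] = []
    for r in inventory:
        if not r.controls:
            rows.append((r.name, "<no control mapped>", None))
        for c in r.controls:
            gap = c.target_state - c.current_state
            if gap > 0:
                rows.append((r.name, c.name, gap))
    return rows


def dashboard(inventory: list[Risk]) -> str:
    """Render the ranked inventory as a plain-text dashboard."""
    lines = [f"{'Risk':<30}{'Owner':<12}{'L':>2}{'M':>2}{'Gap':>5}{'Prio':>6}"]
    for r in rank_risks(inventory):
        gap = r.control_gap() if r.controls else "n/a"
        lines.append(f"{r.name:<30}{r.owner:<12}{r.likelihood:>2}{r.magnitude:>2}"
                     f"{str(gap):>5}{r.priority():>6}")
    return "\n".join(lines)


# Constructed sample inventory for a hypothetical manufacturer (not real data).
SAMPLE_INVENTORY = [
    Risk("Ransomware outage", "CTO", likelihood=4, magnitude=5, controls=[
        Control("Offline backups tested quarterly", current_state=2, target_state=4),
        Control("MFA on all remote access", current_state=3, target_state=4),
    ]),
    Risk("Workplace harassment claim", "Head of HR", likelihood=2, magnitude=4, controls=[
        Control("Written anti-harassment policy", current_state=4, target_state=4),
        Control("Annual training with attestations", current_state=1, target_state=3),
    ]),
    Risk("Raw materials price spike", "CFO", likelihood=3, magnitude=3, controls=[
        Control("Commodity futures hedging program", current_state=3, target_state=3),
    ]),
    Risk("Vendor data breach", "CTO", likelihood=3, magnitude=4),   # scoped, no control yet
]

if __name__ == "__main__":
    print(dashboard(SAMPLE_INVENTORY))
    for risk, control, gap in gap_analysis(SAMPLE_INVENTORY):
        print(f"augment: {risk} / {control} (gap {gap})")
```

Two design choices are worth noting. First, a risk with no mapped control is deliberately penalized rather than scored on inherent exposure alone, because the most common failure in a spreadsheet dashboard is a blank controls cell that quietly reads as “nothing to do.” Second, the gap is computed per control rather than per risk, so the augmentation list names the specific control to fix (here the backup testing and the training attestations), which is what the “fix inadequacies in order of priority” step actually needs.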
Evaluating Control Environments
There is no such thing as a perfect control environment. The innumerable variations among business organizations—for instance, in industry, business model, operational scope, headcount, footprint, etc.—fundamentally warrant narrow, specific and unique tailoring in the development of a target state of controls.
Perhaps the most vital objective in developing a comprehensive business risk management program is that of integration within company culture and capabilities. It is essential to ensure that, once developed, a business risk management program can be melded into the day-to-day workflow of the underlying organization, and not simply sit on a shelf as a “paper tiger.”
It’s indisputably true that, in order for a risk management program to be successful, the very notion of risk management must become an intrinsic part of the underlying organization’s DNA. The surest way to guarantee that this doesn’t happen is to present employees with a risk management program that is untailored to the underlying business, and that is therefore overwhelming for the business’s people.
For example, at large financial services organizations, and particularly with respect to compliance risk areas, one would expect to find risk controls organized into three lines of defense (“LoDs”). In such a system, the 1st LoD would be the front-line business unit, utilizing desktop policies and procedures to govern employee conduct and overseen by the manager or leader of that business unit. The 2nd LoD would be a compliance department function or group tasked with overseeing the business unit’s compliance with the policies and procedures, as well as augmentation / remediation of those documents on an as-needed basis. The 2nd LoD would also be tasked with developing and deploying training for front-line employees, and capturing attestations regarding having received the same. The 3rd LoD would be an internal audit function tasked with assessing the effectiveness of and adherence to the systems deployed in the 1st and 2nd LoDs and preparing reports regarding the same. And, it should go without saying, this is a high-level simplification of what should be, at each stage, a rigorous and often complex process. Nevertheless, even at a high level of abstraction, this framework doesn’t always work for organizations operating at smaller scales and/or in other industries. And, in our view, that’s perfectly okay.
At Titan Grey, when working with a new client, the first and most crucial step is developing a keen understanding of the underlying business organization from the perspective of four key facets:
1. People – The number (“headcount”), their core competencies, their roles, their business units, their workload / availability, etc.;
2. Processes – The ways in which the people of an organization work together, on what, when, how often, determined by whom, escalated to whom in case of emergency, documented how, etc.;
3. Documents – The policies, procedures, desktop manuals, and other written materials which may inform or govern an organization’s people and processes; and
4. Technology – The hardware and software used to store data, convey information, ensure security, etc.
We view the above four facets as the “raw materials” with which we are able to develop risk controls for a business. Additionally, these facets allow us to develop fine-tuned, narrowly tailored solutions for our clients. In some instances, this is a matter of developing controls which are actionable given a client’s unique set of abilities and constraints. In others, it is a basis to recommend to a client that they augment their resources with respect to one or more of the above key facets, in order to be able to achieve an appropriate level of risk management.
Business risk management can be a complicated and complex task. The required workstreams can be broad, dense and time-consuming. However, with the proper tools, advice and approach, a more stable business environment is well within reach.
Business risk management processes begin with a scoping and scoring exercise, the results of which form a risk inventory.
The subject business’s state of pre-existing controls is surveyed in order to produce a risk control assessment.
A risk control assessment, when mapped to a risk inventory, forms the foundation of a risk management dashboard.
The advice of professional advisers is often sought in the process of developing a business’s target control state.
The risk control assessment is analyzed against the target control state in order to identify areas for augmentation.
In planning for the augmentation of risk controls, it is imperative to take into account the underlying business’s unique characteristics with respect to its people, processes, documents and technology. Controls must be actionable within the constraints imposed by the business’s state of affairs and capabilities. Occasionally, resource augmentation is also necessary.
A risk management dashboard pairs the output of the risk inventory exercise with the output of the risk control assessment, mapped on a controls-to-risk basis. The dashboard should also contain further information about the likelihood and magnitude of each inventoried risk, as well as the current state of affairs of each individual control.
This information should inform a regular update cadence, in order to shore up areas warranting specific improvement and to ensure that the overall risk management program continues to accurately reflect the risk environment facing the subject business. In this way, the risk management dashboard is the backbone of an organization’s risk management program, and should guide risk managers in creating and executing on a culture of continuous improvement within their organizations.