You’ve spent weeks crafting the most spectacular PowerPoint proposal ever formed by the hand of man. A technical and visual work of art, replete with charts and data and glorious income projections. You greet your audience and the symphony of your genius is played out – victory is sure. The visceral embrace is palpable, you own them. Conditional approval for your project is, of course, granted.
All that is left is…(cue ominous music)…the risk people.
The “Risk Group” is a terrible, foreboding place where there is no oxygen and the landscape is littered with the corpses of great ideas. It is a soul-crushing anti-universe where only one word is ever uttered.
“No.”
Do you know this group? Are you this group? If so, you are probably missing opportunities and, more importantly, you are missing the real point of operational risk management. One of the most dangerous things that you can ever do as a risk manager is become known as the “No” guy. Because, sooner or later, people will try to figure out ways to maneuver around you. You will ensure the old adage comes true, “Sometimes it’s better to ask forgiveness than to ask permission.”
Let’s face it, how many initiatives have gone forward because someone did a great job selling it internally to the key stakeholders in the middle of the night (figuratively) who signed off without really understanding the risks? The fact is that someone understood the risks, but they kept it to themselves while secretly praying that everything went ok. This is not a healthy risk management structure.
When you think about it, the temptation to err on the side of “No” is actually fairly understandable. For someone working around risk management, it doesn’t take very long at all to develop a pretty good instinct for risk. For many initiatives, once you hear the specifics you can almost immediately rattle off fifteen different ways that this brilliant plan can go sideways. You simply learn what “risky” looks like and it becomes all too easy to just err on the side of “No.”
But the fact is, ORM is not really about “No.” It’s about “Yes, if…” Some of those “ifs” may include:
- The proposal is consistent with the company’s strategic vision and plan
- Funding is available
- It doesn’t violate known laws or regulations
- A comprehensive analysis of the real risks involved has been done
- A determination has been made as to whether those risks fall outside of acceptable tolerance
- Additional controls necessary to mitigate some of that risk can be implemented, and finally
- Management is willing to accept the residual risk profile, with open wide eyes
It’s important to understand that, in this sense, operational risk is a bit unusual. Within the other risk disciplines (credit, market, etc.), once policy has been set there really are a very limited number of things that people can do. The policies establish pretty closely what is acceptable, and new initiatives are really not that common. For the few that do come down, the risks are fairly easy to quantify and it doesn’t take a lot of analysis to determine whether a given course of action falls within acceptable tolerance. But operational risk is a bit different. We establish an approximate risk tolerance (since there is no absolute value in ORM) and then within that there are literally millions of possible actions that may or may not be allowed to take place. And, believe me, people will try and try and try.
Now the fact that the discipline has matured to where many organizations even have people dedicated to analyzing operational risk is very good. We need people like that. But what we need is for these individuals to serve as subject matter experts and guides in the analysis process, not as the “risk police.” And while it is true that understanding and assessing operational risk should become more intuitive over time, we can’t make decisions on that intuition alone. When we do, we are basing our decisions on our own risk tolerance instead of the corporate tolerance. In effect, we’d be making it up as we go along. Risk management is always about consensus.
Therefore, in order to build a healthy, collaborative relationship between business owners and risk managers, keep the following points in mind.
- Both tone and oversight from executive management are critical here. If executive management even implies that risk analysis is optional (or can be done later), then you’ve already failed. In addition, if management determines that risk managers only seem to know one word (“no”) then they need to step in and redefine roles and responsibilities.
- Once a business owner gets an idea there’s something funny that happens that can make them temporarily blind to the risks. This is normal – part of what makes us human is our ability to rationalize. It usually takes an independent set of eyes to tell us what might go wrong. This is not a burden, it’s a balance. People can only manage the risks that they understand, so awareness is a good thing.
- Honesty and transparency are the most critical aspects of effective risk management. Anything that impacts people’s willingness to be open and accountable will only weaken the program.
- A risk manager’s real value is not in being the big bad parent with a quick “no” trigger finger. His real value is in his ability to help diagnose the potential risk and in thinking through what options are available to reduce that risk to within an acceptable tolerance level.
- Risk managers should do everything they can to be seen as partners in the process. Trust me, you can lose your seat at the table much faster than you realize and getting it back is really, really hard.
- A template should be developed that business areas can use to facilitate the assessment process. Even if the template only captures 80% of the risk profile, the rest can be fine-tuned throughout the proposal process. But if the business feels like they have to re-invent the wheel every time they have a new proposal, they will eventually grow tired of the process.
- When evaluating individuals for risk manager positions, never overvalue quantitative ability over interpersonal and communication skills. The fact is the latter is much more important.
- Risk assessments must be done before any proposal is made to management. This is non-negotiable. Proposals to management should always include: benefit, cost and risk. To only present one side of the equation, even in a straw man, is a very poor management technique.
- To the initiative proposer, you need to realize that just because you think that your initiative will make the company rich or famous or better or stronger does not mean that it does not have risk and you don’t get to bet the company. You need to be willing to accept the reality of the risk just as openly and honestly as you do the potential benefit. Your risk managers are trying to help you do that. Don’t hate them (or worse, avoid them) for it. Instead, use them as a resource.
- Finally (and this point is absolutely critical), in order to fully assess the risk profile of a proposed change you must have established a meaningful measure of risk tolerance. If you haven’t developed a framework that is sufficient to articulate operational risk in terms of tolerance, then you haven’t developed a risk framework. This may be tough to hear, but you need to hear it.
We have to remember that risk management is about risk acceptance, not risk avoidance. But in order to accept a risk you have to understand it and that requires some teamwork and cooperation. Once you understand the risk, then you can make informed decisions about risk avoidance, transfer or acceptance. As we often say, we’re trying to use these tools to create guardrails, not speed bumps. Once you know the risks, build the right controls and consciously accept the remaining risk, then you are free to move, and move quickly.
The OpRisk Advantage: By building healthy collaborative relationships between business owners and risk managers, organizations can bring products and services to market quicker with more confidence and acceptance of the possible outcomes. This translates to business resiliency, management confidence and better risk transparency.
For more information about developing an effective risk management program contact Eric Holmquist at Accume Partners at (856) 793-1581 or eholmquist@accumepartners.com. Visit accumepartners.com
Excellent article Eric, I couldn’t agree more. I would estimate that more than 50% of the departments I have looked at suffer from the ‘No’ characteristic. My own view is that this approach has often been generated by the perceived need of ORM managers to establish their position within the pecking order of the executive structure.
Posted by Gary Grant | January 26, 2012, 3:57 am
I think you’re right. Being the “no” voice seems to many to be the easiest way to establish authority. While that is probably true, it doesn’t make for a good long-term working relationship. It’s much harder to work together to find consensus while providing subject matter input, but long term it’s a better business model. Thanks for your comment.
Posted by ericholmquist | January 26, 2012, 10:12 am
Good post Eric.
I’d say risk avoidance is an option within InfoSec (“let’s implement things differently so we can avoid this particular risk”).
Also, it’s important to emphasize that risk is not somebody else’s business. If all we have is somebody with a business initiative and a centrally located risk manager – that organization is in trouble.
Posted by Per Stromsjo (@stromsjo) | April 22, 2012, 6:11 am
I definitely agree. Risk management means collaboration with a whole range of constituencies. Thanks for the note.
Posted by ericholmquist | April 22, 2012, 8:54 am