An agenda for improving corporate risk management

Man on fire

In the course of preparing a series of seminars we will be delivering in London this winter, we have focused on what an agenda or ‘manifesto’ for improving corporate risk performance would look like.  What should the firm do practically to improve its management of risk and uncertainty? The agenda has five items.

1. Better focus & insight 

Focus in risk management needs to start at the strategic level rather than where it usually starts presently: in the operational bowels of a firm. At the strategic level, understanding risk means understanding the potential effects of assumptions about an uncertain market and competitive environment on the viability of the firm’s business model.

The focus of risk management should be to improve analysis of the potential impacts of uncertainty on the business model – to address known risks – and to bring attention to risks of which the firm is not presently aware: to improve anticipation of emerging trends and risks, improve detection and increase the firm’s resilience against these risks.

Understanding the parameters of the firm’s risk-taking and risk-holding capacity is vital, and those parameters should routinely be compared to the firm’s changing risk position over time. Before considering any qualitative tolerances or compliance issues, the firm should understand its risk capacity and risk tolerance in quantitative, financial terms.  The board’s relative preferences for how close it should operate to those tolerances and the price it will pay to reduce risk – through avoiding risk, developing operating flexibility or transferring risk contractually – represent its risk appetite.

All risk is financial (except as it relates to threats to physical safety, which also has a financial impact).  Risk cannot and should not be separated (à la COSO) into operational, financial and compliance issues; this just confuses things.

2. A greater emphasis on effectiveness

The starting point should be to examine the accuracy and reliability of the firm’s historic planning and project forecasting relative to what has actually occurred: how accurate were the firm’s business and financial plans and project plans?  Focusing on the error parameters in forecasting will tell the firm a lot about how much credence to place in the next forecast. How reliably a firm can understand and describe its expected future over relevant planning horizons and how well it prepares for and accommodates the unexpected defines the performance of its risk management system.

Firms should drop the use of pointless risk scoring.  If it is sufficiently unimportant that a score of 1 to 5 will suffice, it is not worth doing.  These provide no meaningful information and inhibit reflection about cause and effect – the most useful risk thinking of all in a firm.  Firms should eliminate risk matrices on the same basis (they are technically fundamentally flawed representations of risk anyway) and rename risk registers for what they are: ‘known risk control registers’.  They have their place; it is not at board tables.

3. Organisational reach

In order to understand risk at the firm level, the firm must adopt an ‘enterprise’ view.  This implies the ability to integrate analysis of risks through an understanding of inter-dependencies and correlations.  Of course, as the financial crisis demonstrated, such correlations are unstable.  Either way, that requires developing an integrated view of risk in the firm, by risk type and across the firm, including the dependencies and transmission effects between risks.

For risk management to mature, firms must get considerably more ambitious about setting limits for risk analytically across the firm, based on probabilistic measures of risk such as cashflow-at-risk and earnings-at-risk.  Wherever possible, these should be built into executives’ accountabilities and performance assessments.

4. Behavioural realism

We need a far greater realism about the behavioural role of the board of directors.  Executives drive behaviour in a business; after all, they are in the business.  The role of directors is to ensure that executives recognize the potential impact of their actions and behaviours on the people working for them.

Firms must re-evaluate their corporate policies in light of revealed behaviours – they must assess objectively and understand the differences between expressed behaviours, modeled behaviours and revealed tolerances in terms of actual management practice in the firm.  They should re-evaluate sanction regimes as they are actually applied rather than as they are espoused.  Nothing is more corrosive than appealing to policies that are routinely and visibly violated without sanction.

5. Improved operability

Many firms need a greatly expanded focus on data and risk analysis necessary to support decision-making.  Firms should acquire (internally or externally) or procure the data necessary to support understanding of the parameters of risk and uncertainty.  This includes what has gone wrong within the firm and outside the firm.

Analysis of risk can and must be linked to the firm’s forecasting and planning systems.  That will provide the base for building a limits system that works in the firm and which is applied consistently and robustly across the firm.  Linking tolerances to scenarios, stress testing and variance in performance versus plan provides a robust way of holding executives accountable for their management of risk; nothing less can sustainably be effective.  Whether in a financial institution or a non-financial corporate firm, limits, scenarios and stress tests should be linked to capital allocation and to tolerances around risk to capital.  The firm should charge business units for the use of at-risk capital as an essential performance discipline and as an indicator of executive performance.
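As an added illustration (not code from the original post or its authors), the following Python sketch strings together the analytics that items 2, 3 and 5 call for: it calibrates the error parameters of past plans against actuals, simulates next-period cash flow from those parameters to obtain a cashflow-at-risk figure, runs a deterministic stress scenario, and tests the result against an at-risk capital limit. All figures are constructed, the assumption that forecast errors are normally distributed around the historic bias is a simplification for the example, and the function names are mine rather than any standard method.

```python
import random
import statistics

# Constructed sample data (not from the article): five years of planned
# operating cash flow against what was actually achieved, in GBP millions.
HISTORIC_PLAN_VS_ACTUAL = [
    (100.0, 92.0),
    (110.0, 118.0),
    (120.0, 101.0),
    (125.0, 130.0),
    (130.0, 112.0),
]


def forecast_errors(pairs):
    """Relative error of each historic plan: (actual - plan) / plan."""
    return [(actual - plan) / plan for plan, actual in pairs]


def error_parameters(pairs):
    """Bias (mean error) and dispersion (std dev) of past forecasts.

    These are the 'error parameters' that tell a firm how much credence
    to place in its next forecast: a persistent negative bias means plans
    have been systematically optimistic.
    """
    errs = forecast_errors(pairs)
    return {"bias": statistics.mean(errs), "dispersion": statistics.pstdev(errs)}


def simulate_cash_flow(plan, params, trials=20000, seed=1):
    """Monte Carlo draws of next-period cash flow around the plan.

    Assumption (a simplification for this example): future forecast errors
    are normally distributed with the historic bias and dispersion.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    return [plan * (1.0 + rng.gauss(params["bias"], params["dispersion"]))
            for _ in range(trials)]


def cash_flow_at_risk(outcomes, confidence=0.95):
    """CFaR: how far the adverse (1 - confidence) quantile falls below the
    expected outcome. Returns expected value, the quantile and the gap."""
    ordered = sorted(outcomes)
    idx = int((1.0 - confidence) * len(ordered))
    expected = statistics.mean(ordered)
    return {"expected": expected, "quantile": ordered[idx],
            "cfar": expected - ordered[idx]}


def stress(plan, params, shock):
    """Deterministic stress scenario: a named percentage shortfall applied on
    top of the bias-adjusted plan (e.g. shock=0.20 for a 20% revenue miss)."""
    return plan * (1.0 + params["bias"]) * (1.0 - shock)


def check_limit(cfar, at_risk_capital_limit):
    """Limit test: does the CFaR sit inside the capital the board set aside?"""
    return cfar <= at_risk_capital_limit


def risk_report(plan, at_risk_capital_limit, shock=0.20):
    """Run the whole chain for one business unit and return the figures."""
    params = error_parameters(HISTORIC_PLAN_VS_ACTUAL)
    outcomes = simulate_cash_flow(plan, params)
    cfar = cash_flow_at_risk(outcomes)
    return {
        "bias": params["bias"],
        "dispersion": params["dispersion"],
        "expected": cfar["expected"],
        "cfar_95": cfar["cfar"],
        "stressed_cash_flow": stress(plan, params, shock),
        "within_limit": check_limit(cfar["cfar"], at_risk_capital_limit),
    }


if __name__ == "__main__":
    # A plan of 140m against a board limit of 25m of at-risk capital.
    for key, value in risk_report(plan=140.0, at_risk_capital_limit=25.0).items():
        print(f"{key:>20}: {value:.3f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

The point of the chain is that the limit is tested against a quantity derived from the firm's own forecasting record, not against a 1-to-5 score: if past plans have run optimistic, the simulated distribution shifts down and the CFaR grows until it breaches the capital the board has allocated.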


Risk management is not an exercise to be conducted occasionally to provide assurance; it is a vital and on-going activity central to the health and sustained performance of a firm.  It should not be reduced to workshops (very seldom useful) and a tick-box effort.  Firms corporately and executives individually should determine which decisions require risk-based analysis, typically quantitatively, probably stochastically – if you don’t analyse it, it is a low-level management control.

Many firms spend far too little time understanding the linkage between strategy, uncertainty and risk. Most firm failures result from strategic errors or flawed strategic assumptions.  To be effective, risk management must address that problem.

In risk terms, many firms are ‘data deserts’; quantitative analysis of business risks is regarded as ‘too hard’ or not practicable.  Until firms move beyond this aversion and concentrate on the role of risk in corporate structure and accountabilities, on systematic analysis of risk exposures and dependencies, on developing resilience against the range of plausible risk scenarios (or making a conscious decision not to) and on understanding better the linkage between observed behaviour and risk, risk management will remain a peripheral exercise; it will remain a tick-box distraction.  We cannot afford to be so cavalier with other people’s money.

To learn more about the series of seminars in London between December 2012 and February 2013, visit