  • Julien Haye

Costly Risk Management Practices

Are you spending too much money on risk management activities that offer only a false sense of security, leaving your organisation vulnerable to unforeseen threats?

Or perhaps, you already benefit from extensive business insurance coverage, absorbing a significant portion of your annual turnover, leading you to question the necessity of further risk management initiatives.

Realistically, whether you operate a commercial enterprise or a non-profit organisation, whether you're entrenched in a highly regulated industry or not, allocating resources to risk management is an unavoidable reality. Yet, despite these investments, you might find yourself grappling with a lingering sense of uncertainty, wondering if your organisation's risk posture is truly optimised.


In this article you will find some pointers to help you frame what could be improved. While some of the aspects discussed here might resonate with your organisation's current practices, others might help you uncover overlooked opportunities for enhancement. You may not yet know what your organisation does to ensure it is protected without draining internal resources, and will need to explore it. Here is a list of 10 areas to consider for review.

Over-reliance on insurance

While insurance can protect you against financial losses, relying solely on insurance without implementing comprehensive risk prevention measures can lead to higher premiums and gaps in coverage, as I explored in a recent insurance coverage case study.


A study by the Federation of European Risk Management Associations (FERMA) found that

“the ability of organisations to transfer risk remains a concern for corporate insurance buyers in the hard insurance market: 78% reported a significant impact from increased insurance pricing and 71% in terms of reduced capacity.”

Examples of key probing questions to ask:

  • What strategies are being considered to enhance the organisation's overall risk management approach, considering both insurance and risk prevention measures?

  • How does the organisation plan to adapt its risk management strategy in response to changes in insurance pricing, capacity, or market conditions?

  • What measures are in place to monitor changes in insurance pricing and capacity, particularly in response to market trends or conditions?


Complex risk modelling

Developing intricate risk models can be costly in terms of time, resources, and expertise. However, these models may still fail to capture all potential risks or accurately predict outcomes, leading to partial effectiveness.


Many financial institutions spent billions of dollars on risk modelling and management systems before the 2008 financial crisis. Despite these investments, many financial institutions' risk models failed to predict the severity and interconnectedness of risks during the crisis. In my experience, the situation has not materially changed, partially for reasons explored later in this article.

Examples of key probing questions to ask:

  • How does the organisation validate the accuracy and effectiveness of its risk models in capturing potential risks and predicting outcomes?

  • Are there any instances where the organisation's risk models failed to predict or adequately address significant risks or crises?

  • What measures are in place to ensure that risk models are regularly updated and refined to adapt to evolving risk landscapes?


Outsourcing risk management entirely

Outsourcing risk management functions to third-party firms can offer several advantages, particularly for smaller organisations with limited internal resources and expertise. By leveraging the specialised knowledge and experience of external professionals, these organisations gain access to comprehensive risk management solutions at potentially lower costs than maintaining an in-house team.


However, it's essential for organisations to approach outsourcing with caution and a clear understanding of its potential drawbacks. While outsourcing can provide access to specialised expertise and expand internal capabilities and capacity, it may also entail a loss of internal understanding and control over critical risks, a concern that is particularly acute for large and complex organisations.


Examples of key probing questions to ask:

  • How does the organisation currently handle risk management functions, and have they considered outsourcing as an option?

  • What specific areas of risk management are being considered for outsourcing, and what are the reasons for exploring this option?

  • What criteria are being used to evaluate potential third-party firms for outsourcing risk management functions?


Investing heavily in technology without proper integration

Implementing cutting-edge risk management technology without ensuring seamless integration with existing systems and processes can lead to inefficiencies and limited effectiveness. Organisations frequently struggle to integrate new risk management tools with the systems and processes they already run, and the tools' effectiveness suffers as a result.

Examples of key probing questions to ask:

  • What measures are in place to address potential disruptions or downtime during the integration process?

  • How does the organisation prioritise the integration of risk management technology within its overall IT strategy and roadmap?

  • How does the organisation currently approach the integration of risk management technology with existing systems and processes?


Legalistic approaches

Overly relying on legal contracts and agreements to manage risks may provide a false sense of security. Legal measures alone may not adequately address operational or strategic risks, nor cater for emerging risks.


This approach has its drawbacks; legal protections do not actively prevent risks from materialising and can incur significant enforcement costs.


Examples of key probing questions to ask:

  • What efforts are made to mitigate risks before they escalate to the point of legal action being necessary?

  • How does the organisation address potential enforcement costs and other financial implications of relying on legal protections for risk management?

  • How does the organisation stay informed about emerging risks that may not be covered by existing legal contracts or agreements?


Ignoring cultural factors

Neglecting to consider organisational culture and employee behaviour in risk management efforts can undermine effectiveness despite potentially heavy investment in risk management, as Credit Suisse discovered. Cultural factors can significantly impact risk perception, decision-making, and adherence to risk management protocols.


Research published in the Harvard Business Review found that companies with strong risk cultures are more likely to make risk-aware decisions and achieve better financial performance. I found this paragraph particularly telling:

“Collectively, these individual and organisational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.”


Examples of key probing questions to ask:

  • How does the organisation encourage open communication and feedback regarding risk-related concerns among employees?

  • What steps are taken to identify and mitigate potential risks stemming from cultural factors, such as resistance to change or complacency?

  • How does the organisation currently assess and incorporate organisational culture into its risk management processes?


Failure to update risk management strategies

Markets, technologies, and regulations evolve over time. Failing to regularly review and update risk management strategies can result in outdated practices that are ineffective against emerging threats.


Examples of key probing questions to ask:

  • How frequently does the organisation review and update its risk management strategies?

  • What processes are in place to monitor changes in markets, technologies, and regulations that could impact risk?

  • What mechanisms are in place to ensure that risk management strategies remain aligned with the organisation's overall goals and objectives?


Excessive focus on compliance


While compliance with regulations is essential, focusing solely on meeting regulatory requirements is likely to overlook broader risks specific to the organisation's operations and industry. Regulations provide a framework for managing certain risks, but they are designed to cater for the “masses” and as a result often fall short in addressing all potential threats and vulnerabilities unique to an organisation's specific context and strategic objectives.


This concern is especially pertinent given the reactive nature of the regulatory landscape. Regulators typically enact new laws, rules, and regulations in response to major issues or crises within industries. As history has shown, some of the most significant regulatory changes in sectors like the financial services industry have followed major incidents or market disruptions (e.g. operational resilience).


Examples of key probing questions to ask:

  • What mechanisms are in place to ensure that the organisation stays informed about emerging regulatory requirements and changes in the regulatory landscape?

  • How does the organisation currently prioritise and allocate resources between regulatory compliance efforts and broader risk management strategies?

  • How does the organisation assess the effectiveness of its regulatory compliance efforts in mitigating broader risks specific to its operations and industry?


Ignoring non-financial risks

Some risks, such as reputational, environmental, or social risks, may not directly impact financial performance but can have significant long-term consequences. Ignoring these non-financial risks can lead to incomplete risk management strategies.


Examples of key probing questions to ask:

  • How does the organisation currently identify and assess non-financial risks, such as reputational, environmental, and social risks?

  • What efforts are made to monitor and anticipate emerging non-financial risks that may impact the organisation's reputation, operations, or stakeholder relationships?

  • How does the organisation measure the effectiveness of its risk management efforts in addressing non-financial risks?


Overemphasis on quantitative analysis

While quantitative analysis is valuable for assessing certain risks, it may not capture qualitative aspects or emerging risks that are difficult to quantify. Relying solely on quantitative analysis can lead to blind spots in risk management. This issue is closely connected to issue #2, complex risk modelling.


Examples of key probing questions to ask:

  • How does the organisation currently approach risk analysis, and to what extent does it rely on quantitative methods?

  • Can you provide examples of how quantitative analysis has been used to assess risks within the organisation?

  • What mechanisms are in place to ensure that qualitative aspects and emerging risks are also considered in the organisation's risk analysis processes?


Effective and efficient risk management practices are critical to ensure the long-term sustainability of an organisation. To be protected, an organisation must invest in building, and/or accessing, risk management capabilities and capacity. However, as organisations grow larger and more complex, costly inefficiencies often sneak in unnoticed over time.


Understanding how your organisation truly manages its risks and ensures compliance with relevant laws, rules, and regulations is the crucial first step in addressing these inefficiencies. Here are some actionable steps to guide you in this process:


  1. Follow the money trail: understand what your organisation spends on risk and compliance management, and how much.

  2. Request a benchmark of your risk profile against peers to identify potential gaps.

  3. Collaborate with external partners, industry peers, and regulatory bodies to stay informed about emerging risks, best practices, and regulatory developments.

  4. Engage stakeholders from across the organisation, including senior leadership, department heads, and frontline employees, in regular discussions and workshops to foster a culture of risk awareness and accountability.

  5. Conduct a comprehensive review of your organisation's risk management framework, policies, and procedures to identify areas for improvement and optimisation.


Ultimately, effective risk management is a continuous process of learning, adaptation, and improvement that requires commitment and engagement from all levels of the organisation. By fostering a culture of risk awareness and accountability across all levels of your organisation and embracing collaboration with external partners and industry peers, organisations can enhance their resilience and agility in facing uncertainties while optimising their costs.
