Copyright © President & Fellows of Harvard College
Managing Risks: A New Framework
Anette Mikes
Harvard Business School
IRM, Manchester, 25 April 2012
A Case Study in Risk Management
Risk Management is Non-Intuitive
“JPL engineers graduate from top schools at the
top of their class. They are used to being right
in their design and engineering decisions. I have
to get them comfortable thinking about all the
things that can go wrong.” - Gentry Lee, Chief Systems Engineer, NASA JPL
Risk Management and the Financial Crisis
Conflicting pressures?
• “Faster, better, cheaper”
• “Growth, profit, control”
The cultural position of the risk function
Companies that failed had relegated risk management to a compliance function, with no access to top management.
HBOS had "a cultural indisposition to challenge" and that the task of "being a risk and compliance manager … felt a bit like being a man in a rowing boat trying to slow down an oil tanker.” – UK Treasury Committee (7th report); Paul Moore
Do complex organizations fail – inevitably?
BP Deepwater Horizon: Post Mortem
“The disaster … can be attributed to an organizational culture and incentives that encourage cost cutting and cutting of corners – that reward workers for doing it faster and cheaper, but not better.”
Management failure crippled “the ability of individuals involved to identify the risks they faced, and to properly evaluate, communicate, and address them.” - The National Commission’s Report to the President
Individual and Organizational Biases
“Risk mitigation is painful; not a
natural event for humans to
perform.” Gentry Lee – Chief Systems Engineer, NASA, JPL
• Individual biases:
  • Overconfidence
  • Tendency to anchor our estimates
  • Confirmation bias
  • Escalation of commitment
• Organizational biases:
  • Groupthink
  • Rather than mitigating risk, firms incubate risk through the normalization of deviance
• Effective risk-management processes must counteract those biases
What’s distinctive about risk management?
• A practice-based definition (Kaplan & Mikes, HBR forthcoming):
  • Active and intrusive processes that…
    • … are capable of challenging existing assumptions about the world within and outside the organization
    • … communicate risk information with the use of distinct tools (risk maps, value-at-risk models, stress tests etc.)
    • … complement, but do not displace, existing management control practices
Different Types of Risk Management
• Risk management is too often treated as a compliance issue
• New categorization of risk
• Some risks can be managed through a traditional rules-based model and some require alternative approaches
• Companies need to anchor risk discussions in their strategy formulation and implementation processes.
Different Types of Risk
Category I: Preventable Risks
• Risks arising from within the company that generate no strategic benefits
  • Eg: risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions; risks from breakdowns in routine operational processes
• Companies should seek to eliminate these risks
• Active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms
Category II: Strategy Risks
• Risks voluntarily accepted by the company in order to generate superior returns from its strategy
  • Eg: credit risk assumed by a bank when it lends money; risks taken on by companies through their R&D activities
• Not inherently undesirable
• Reduce the probability that the assumed risks materialize and improve the company’s ability to contain the risk events should they occur
Category III: External Risks
• Risks arising from events outside the company and beyond its influence or control.
  • Eg: natural and political disasters; major macroeconomic shifts
• Companies cannot prevent such events from occurring
• Management must focus on identification (obvious only in hindsight) and mitigation of their impact
Managing Preventable Risks
Failures in Controlling Preventable Risks
Siemens Bribery and Corruption Scandal
o Pay $1.6 billion in fines and $850 million for internal investigations by outside lawyers and accountants.
o Nine former members of Managing Board sued for $28.3 million for breaching fiduciary duties
o Two former CEOs agree to pay more than $10 million to settle cases brought against them.
Société Générale: The Jérôme Kerviel Affair
o Losses of about €7 billion (2007).
o Société Générale has to raise €5.5 billion in new capital.
Situational forces: The fraud triangle
Situational forces - How good people turn bad
• Organizational pressure
• Group pressure and the Lure of the Inner Circle
• Blind obedience to authority
• Not recognizing red flags and an exit opportunity
What individuals can do - Step up to situational forces
Stand firm on principle despite intense pressures
“I am responsible”
Whistle blowers: individuals who are aware of illegal or unethical activities who report the activities without expectation of reward
Heroes’ risks:
• Career risk
• Professional ostracism
• Loss of status
• Financial loss
• Loss of credibility
What corporate leaders can do
• Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter, but should clearly articulate their
  • Mission
  • Values
  • Boundaries
• Top managers must serve as role models
• Importance of strong internal control systems and independent internal audit department
The Mission
“Medicine is for people, not for profits. The profits follow, and if we have remembered that, they have never failed to appear.” - George Merck, CEO and founder’s son (1950).
Boundary Systems
[Diagram labels: Beliefs System; Boundary System; Opportunity Space; Domain for Search and Empowerment]
Managing Strategy Risks
“Building great things means taking risks.
This can be scary and prevents most companies from
doing the bold things they should.
However, in a world that’s changing so quickly, you’re
guaranteed to fail if you don’t take any risks. We have
another saying:
The riskiest thing is to take no risks.” - Facebook IPO prospectus
• 3 distinct approaches to managing strategy risks
• “One size does not fit all” in terms of the structures and roles for the risk management function
• However, all encourage employees to challenge existing assumptions and debate risk information
I. Independent Experts
• High intrinsic risk, but risk changes slowly over time
• Risk management handled at the project level
• Case: Risk management at JPL
• CRO
• Risk review board made up of independent technical experts
• Role is to challenge project engineers’ design, risk-assessment, and risk-mitigation decisions (“culture of intellectual confrontation”)
• Authority over budgets: establishes cost and time reserves according to its degree of risk
II. Facilitators
• Risk stems largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time
• Risk management by a small central risk-management group that collects information from operating managers
• Hydro One
  • CRO runs workshops with employees from all levels and functions
  • Employees identify and rank the principal risks to the strategic objectives
  • Capital allocation and budgeting decisions linked to identified risks
III. Embedded Experts
• Risk profile can change dramatically with a single deal or major market movement
• Risk management by embedded experts within the organization to continuously monitor and influence the business’s risk profile, working with line managers
• Danger for the embedded risk managers to “go native”
• JP Morgan Private Bank
  • Report to both line executives and a centralized risk-management function
  • Continually ask “what if” questions
Avoiding the Function Trap
• Companies tend to label and compartmentalize risk, especially along business function lines
• Companies can achieve an integrated risk perspective by anchoring their discussions in strategic planning
• Companies also need a risk oversight structure
Infosys
• Risk discussions generated from the Balanced Scorecard
• Eg: “growing client relationships” identified as a key objective
• Management realized that strategy had introduced a new risk factor: client default.
• Implication: monitor CDS rates of large clients etc.
“As we asked ourselves about what risks we should be looking at, we gradually zeroed in on risks to business objectives specified in our corporate scorecard.” - M.D. Ranganath, CRO, Infosys
Volkswagen do Brasil
• Risk discussions generated from the company’s strategy map
• Risk events identified for each objective
• Risk Event Card prepared for each risk
• High-level summary of results presented to senior management
Volkswagen do Brasil: Risk Event Card
Volkswagen do Brasil: Risk Report Card
Organizing the risk function
• Hydro One:
  • Large company, but small risk group
• JPL / JP Morgan Private Bank:
  • Small companies/units, but multiple project-level review boards or teams of embedded risk managers
• Infosys:
  • Dual structure: central risk team; specialized functional teams
Managing External Risks
• Some external risk events sufficiently imminent for managers to manage them like their strategy risks
  • Eg: risk of increased protectionism at Infosys
• Most external risk events require a different analytic approach
  • Probability of occurrence very low
  • Difficult to envision them during the normal strategy processes
Sources of External Risk
• Natural and economic disasters with immediate impact
  • Eg: 2010 Icelandic volcano eruption; bursting of a major asset price bubble; 2011 Japanese earthquake and tsunami
• Geopolitical and environmental changes with long-term impact
  • Eg: political shifts; long-term environmental changes; depletion of critical natural resources
• Competitive risks with medium-term impact
  • Eg: emergence of disruptive technologies; radical strategic moves by industry players
Dealing With External Risks
• Tail-risk stress tests
  • Assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable
  • Depends critically on the assumptions (may themselves be biased)
• Scenario planning
  • Systematic process for defining the plausible boundaries of future states of the world
  • Long-range analysis (typically 5-10 year)
• War-gaming
  • Assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies
Wrap-up
Risk Management is Not Strategy Management
• Risk management focuses on uncertainties that could impair mission and strategic objectives
• Mitigating risk involves dispersing resources and diversifying investments
• Most companies need a separate function to handle strategy- and external-risk management
Smart questions or dumb questions?
“Do you have an embedded risk management system?”
“Do you have a strong risk culture?”
“Do you have a risk appetite policy that is well understood by every member of the organization?”
Dumb questions
• Lack traction, and are relatively easy for a CEO or CRO to answer and deflect without revealing much of substance
• Invite busy executives to rehearse risk management clichés
• The answers to banks of dumb questions are more likely to be self-reinforcing and reveal little about the real risk management.
• They will tend to produce an illusion of control.
Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011
Smart questions to the CEO
• What are the processes by which you satisfy yourself that risk appetite is a real constraint on action?
• Is the organization good at stopping bad projects that have gained momentum?
• When was the last time something was stopped in the organization because it was considered too risky?
• How do you feel about meetings with the chief risk officer? Do you feel you talk to your chief risk officer enough?
• What are the three most important bits of management information that you use each day? What do they tell you, if anything, about risk?
Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011
Smart questions to the CRO
• Have you ever been excluded from meetings that you felt you ought to attend? What did you do about it?
• Do you feel you have enough contact with the CEO?
• Can you envisage being able to veto developments? Did you ever try, and why?
• Are you involved in product development from the beginning? If not, why not?
Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011
It’s an evolution: Risk managers shape their own fate too!
• Taking responsibility or shifting blame
• Competing with other staff groups
• Expanding or limiting boundaries
• Working on the relationship with the business
Thank you!