Risk as strategic partner

Anthony Kruizinga Partner, Risk & Regulation lead, PwC Netherlands 26/05/21

Five ways to enable risk management to become a partner in strategy execution

Some risks need to be avoided at all costs. Organisations need to draw lines in the sand, especially when dealing with criminality, discrimination or liquidity risks. Proper risk management is a prerequisite for a licence to operate in heavily regulated sectors, and I am not writing this blog to challenge these unquestionable notions. But for many risks, these lines are not that clear.

Consider the current COVID-19 pandemic. Pharmaceutical companies - and society as a whole - had to reconsider the risks they were willing to accept in order to develop vaccines as fast as possible. This is where Risk can help the business to take a balanced approach - one that reflects the alignment between risk and your strategy, and your purpose and values guiding the way in which you serve customers and society. 

Previously I talked about risk management becoming an advisor and sparring partner to the business. In this blog, I am taking a practical approach to help you make this happen. I have formulated five questions you can use to assess the alignment and potential synergies between risk management and strategy execution. If the boxes tick ‘yes’ five times, chances are that the two are to a large extent on the same page. Though, I must say, if you told me that you do tick those five boxes, I am not sure I would immediately buy it. 

1. Is your business strategy translated into a ‘risk strategy’ and risk appetite framework, as the foundation for all risk management processes?

To start with, align your business strategy and risk management framework by translating your organisation’s strategy into a ‘risk strategy’. In this process, the business strategy and corresponding risk appetite should be drilled down all the way into the risk management framework, down to the level of policies, processes and procedures. Simultaneously, the risk strategy needs to be harmonised with your organisation’s risk taxonomy and operate within your risk appetite. So this is not a one-way street, but a two-way alignment.

To ensure that your risk strategy is not just another piece of (digital) paper, review it periodically, and adjust it when necessary, so that it reflects changes in the external environment and in your business model. 

There should also be feedback loops between various steps of the risk management framework and the business strategy: as Risk takes an enterprise-wide view, risk identification, assessment, mitigation and monitoring will have valuable outcomes for the entire organisation, and it is essential to feed these back to the business strategy so that you can adapt it. Sounds complex? Think of it as a circle, a continuous feedback loop, and definitely not as a straight line.

2. Is your risk appetite framework forward-looking and comprehensive, and does it align with your organisation’s purpose and values?

Your risk appetite framework, like your risk taxonomy, should be forward-looking, comprehensive, purpose-led and value-driven. You need to delimit your appetite for all risks - including new and emerging risks. Risk management will only be effective, and properly help to steer your business, if the amount of risk that can - and should - be taken is defined, and then adequately measured, monitored and reported back.

The appetite itself should be aligned with your company’s strategy, your purpose and values, your customers’ needs and the current business environment. So your risk appetite is no longer only dictated by short-term financial indicators, but by longer-term sustained outcomes. 

Should a retail bank lend to people with a low credit rating, thereby giving them better access to participate in society? Should an asset manager invest in products that have a low return, but enable the energy transition? From a purely financial and traditional risk perspective, probably not.

But when inclusion and sustainability are part of your organisation’s strategy and purpose, your appetite in these circumstances needs to be more nuanced so that you can find ways to accept more risk in a responsible and controlled manner. And in the long run, you might actually be mitigating risks to your organisation, such as social disruption or climate change.

3. Is your risk appetite framework really put into practice, understood and implemented, and used to steer the day-to-day business?

Practice what you preach. Your risk appetite should be translated into quantitative and qualitative thresholds and metrics, per business line, product and geographic entity. There should be risk budgets linked to these, as a framework to determine the maximum but also the minimum amount of risk to be taken by business units. And if someone temporarily needs more risk budget, for example to invest in growth in a competitive market, someone else will need to take less risk. It’s a zero-sum risk appetite game. Do you have the insight to manage this? Furthermore, the risk appetite should be translated into incentives and a remuneration structure for senior management and (especially commercial) employees.

I hasten to add that such metrics should not be followed blindly. While it is crucial to make them tangible, the underlying purpose driving these metrics should be frequently reiterated so that the numbers do not become a substitute for bringing the (risk) strategy, purpose and values to life.

Ask yourself: are all of my people aware of the business strategy and the risk strategy which lie beyond the risk appetite and the corresponding thresholds, metrics and remuneration structures? And more importantly, do they understand what this means for their own day-to-day tasks?

4. Is your risk appetite calibrated in such a way that it enables sound risk taking, whilst steering away from undesired risk?

The thresholds and metrics derived from the risk appetite statements are meant to enable a healthy amount of risk taking, whilst of course always avoiding unacceptable risks. However, I see too often that the risk appetite calibration lacks a threshold (for each material risk and each quantitative or qualitative risk metric) saying: ‘when going through this barrier, you are too prudent and should actually be taking more risk’.

In a bank’s risk appetite, statements such as ‘our objective is a liquidity coverage ratio larger than 160 percent’ are omnipresent. But what is often missing in my view is ‘an LCR higher than 180 percent is too expensive and needlessly risk-averse, so when this threshold is breached, we will enlarge our risk position and generate some additional income’. It is allowed. Or, if you prefer, make an investment in creating additional societal value.

Also consider the example of regulatory risk, or let’s call it ‘risk of non-compliance’. It is simply too costly to really have a zero appetite for it and to stick to that in practice. Zero tolerance for regulatory breaches may sound compelling, but to be honest, it is not feasible.

A more realistic approach is to tolerate some level of risk and simultaneously ensure that robust and adequate mechanisms are in place to address potential violations swiftly and effectively, using a system of early warning signals, for example based on ‘near misses’ or small and immaterial instances of non-compliance. They do signal a pattern of behaviours that can be addressed. Steering away from undesired risk in this manner makes your risk management objectives more attainable and brings them closer to reality. You do not have limitless risk budgets.

5. Does your risk reporting reflect the impact of risk on the achievement of your strategic objectives, and is it used to support decision making?

To close the circle, let’s contemplate risk reporting for a bit. Risk reports should not just be there for the sake of being there - they should be directly and explicitly linked to strategic targets. My concern is that a majority of board discussions of the monthly risk reports zoom in on the amber and red outliers, defining actions for how to enhance controls, but don’t debate what these red flags mean for achieving the organisation’s strategy. Risk reporting (and risk management for that matter) is a means to an end, not an objective in itself. You need to close the loop. 

As such, risk reports will immediately signal cases when strategic targets have not been - or might not be - met. That is crucial information, and it may lead to very different interventions, also on the side of the business. Without an explicit link, risk reports cannot be used for decision-making and business steering. Risk reporting should enable risk management to support the business to stay healthy, sharp-eyed and competitive. Tightening controls without asking fundamental questions on cost-versus-benefit - in relation to strategic targets - is not the kind of conversation that you want to have.

Choose your battles wisely - and fight them brightly

As I outlined in the introduction, you clearly need to steer away from some risks. But always ask yourself: do your risk practices truly help you avoid or mitigate risks? I often come across risk reports with indicators that turned red or amber a while ago, but in practice, no commensurate actions have been taken. As a matter of fact, in many instances no-one seems really concerned.

This might be a symptom of the root cause that the risk appetite calibration was too risk-averse and that in reality, the risk appetite - or risk bearing capacity - appears to be larger than on paper. I think you should only use red flags if you really require immediate and decisive intervention. If you only had three red cards to show, which problems would you pick? And how would you follow through once you have picked those, so that you can issue those red cards again elsewhere in the future?

Going back to strategy and our example of the current global pandemic: could you imagine where we would be standing now if pharmaceutical firms, governments and society had decided to stick to their smaller appetite for risks, whereas the world so desperately needed the opposite?

If strategic objectives are properly reflected within the risk management framework, and risk is truly able to steer upon them, healthy risk-versus-return considerations can be made, especially when taking a longer-term perspective and a purpose-driven lens. And vice-versa: when results from risk processes are fed back into strategic decision-making, risk enables the business to take an enterprise-wide view on where to go next.

How many of these five boxes do you tick? And let me know what you think!

The transformation of risk management

Improving risk and regulatory strategies

The COVID-19 pandemic has accelerated the speed at which risk events occur and the extent to which they spread. Risks that once seemed remote and improbable have become the norm. Organisations are looking to cultivate a new trait: resilience. They are adopting a proactive approach in order to be prepared for these changes and to be able to respond to new laws and regulations.

Is your approach to risk fit for the world of tomorrow?
