An agenda for improving corporate risk management

In the course of preparing a series of seminars we will be delivering in London this winter, we have focused on what an agenda or ‘manifesto’ for improving corporate risk performance would look like.  What should the firm do practically to improve its management of risk and uncertainty?

The agenda has five items.

1. Better focus & insight 

Focus in risk management needs to start at the strategic level rather than where it usually starts presently: in the operational bowels of a firm. At the strategic level, understanding risk means understanding the potential effects of assumptions about an uncertain market and competitive environment on the viability of the firm’s business model.

The focus of risk management should be to improve analysis of the potential impacts of uncertainty on the business model – to address known risks – and to bring attention to risks of which the firm is not presently aware: to improve anticipation of emerging trends and risks, improve detection and increase the firm’s resilience against these risks.

Understanding the parameters of the firm’s risk-taking and risk-holding capacity is vital, and those parameters should routinely be compared to the firm’s changing risk position over time. Before considering any qualitative tolerances or compliance issues, the firm should understand its risk capacity and risk tolerance in quantitative, financial terms.  The board’s relative preferences for how close it should operate to those tolerances and the price it will pay to reduce risk – through avoiding risk, developing operating flexibility or transferring risk contractually – represent its risk appetite.

All risk is financial (except as it relates to threats to physical safety, which also has a financial impact).  Risk cannot and should not be separated (à la COSO) into operational, financial and compliance issues; this just confuses things.

2. A greater emphasis on effectiveness

The starting point should be to examine the accuracy and reliability of the firm’s historic planning and project forecasting relative to what has actually occurred: how accurate were the firm’s business and financial plans and project plans?  Focusing on the error parameters in forecasting will tell the firm a lot about how much credence to place in the next forecast. How reliably a firm can understand and describe its expected future over relevant planning horizons and how well it prepares for and accommodates the unexpected defines the performance of its risk management system.

Firms should drop the use of pointless risk scoring.  If it is sufficiently unimportant that a score of 1 to 5 will suffice, it is not worth doing.  These provide no meaningful information and inhibit reflection about cause and effect – the most useful risk thinking of all in a firm.  Firms should eliminate risk matrices on the same basis (they are technically fundamentally flawed representations of risk anyway) and rename risk registers for what they are: ‘known risk control registers’.  They have their place; it is not at board tables.

3. Organisational reach

In order to understand risk at the firm level, the firm must adopt an ‘enterprise’ view.  This implies the ability to integrate analysis of risks through an understanding of inter-dependencies and correlations.  Of course, as the financial crisis demonstrated, such correlations are unstable.  Either way, that requires developing an integrated view of risk by risk type and across the firm, including the dependencies and transmission effects between risks.

For risk management to mature, firms must get considerably more ambitious about setting limits for risk analytically across the firm based on probabilistic measures of risk such as cashflow-at-risk and earnings-at-risk.  Wherever possible, these should be built into executives’ accountabilities and performance assessments.

4. Behavioural realism

We need a far greater realism about the behavioural role of the board of directors.  Executives drive behaviour in a business; after all, they are in the business.  The role of directors is to ensure that executives recognize the potential impact of their actions and behaviours on the people working for them.

Firms must re-evaluate their corporate policies in light of revealed behaviours – they must assess objectively and understand the differences between expressed behaviours, modeled behaviours and revealed tolerances in terms of actual management practice in the firm.  They should re-evaluate sanctions in terms of policies and application of sanction regimes as they are applied rather than as they are espoused.  Nothing is more corrosive than appealing to policies that are routinely and visibly violated without sanction.

5. Improved operability

Many firms need a greatly expanded focus on data and risk analysis necessary to support decision-making.  Firms should acquire (internally or externally) or procure the data necessary to support understanding of the parameters of risk and uncertainty.  This includes what has gone wrong within the firm and outside the firm.

Analysis of risk can and must be linked to the firm’s forecasting and planning systems.  That will provide the base for building a limits system that works in the firm and which is applied consistently and robustly across the firm.  Linking tolerances to scenarios, stress testing and variance in performance versus plan provides a robust way of holding executives accountable for their management of risk; nothing less can sustainably be effective.  Whether in a financial institution or a non-financial corporate firm, limits, scenarios and stress tests should be linked to capital allocation and to tolerances around risk to capital.  The firm should charge business units for the use of at-risk capital as an essential performance discipline and as an indicator of executive performance.


Risk management is not an exercise to be conducted occasionally to provide assurance; it is a vital and on-going activity central to the health and sustained performance of a firm.  It should not be reduced to workshops (very seldom useful) and a tick-box effort.  Firms corporately and executives individually should determine which decisions require risk-based analysis, typically quantitatively, probably stochastically – if you don’t analyse it, it is a low-level management control.

Many firms spend far too little time understanding the linkage between strategy, uncertainty and risk. Most firm failures result from strategic errors or flawed strategic assumptions.  To be effective, risk management must address that problem.

In risk terms, many firms are ‘data deserts’; quantitative analysis of business risks is regarded as ‘too hard’ or not practicable.  Until firms move beyond this aversion and concentrate on the role of risk in corporate structure and accountabilities, systematically analyse risk exposures and dependencies, develop resilience against the range of plausible risk scenarios (or make a conscious decision not to) and understand better the linkage between observed behaviour and risk, risk management will remain a peripheral exercise; it will remain a tick-box distraction.  We cannot afford to be so cavalier with other people’s money.

To learn more about the series of seminars in London between December 2012 and February 2013, visit


3 thoughts on “An agenda for improving corporate risk management”

  1. Peter,
    I broadly agree with the above but am struggling with Point 1:

    “Focus in risk management needs to start at the strategic level rather than where it usually starts presently: in the operational bowels of a firm.”

    Resilience, a fundamental for survival in “uncertain times” but a requirement to be able to thrive (through improving effectiveness and profitability) in more stable times, can only be built from within i.e. the operational bowels. True of systems whether man-made or found in Nature.

    Of course this is a much “deeper” subject than could, realistically, be covered in this brief comment, but I hope that these links provide some further food for thought:

    Where is the incentive for risk and business managers to “step up to the plate” and become RISK LEADERS? After all, the prevailing business culture is dedicated to rewarding those who satisfy the lust for a quick return…and that is very rarely the case with a well constructed strategy aimed at mitigating risk.

    These risk areas are beyond the scope of insurance and mainly beyond the reach of traditional risk analysis and management techniques as they have evolved so far. In our view, they should be drawn into the risk management process.


  2. David,

    Thanks for the detailed comment. After reviewing briefly the links, I realise that I actually need to bring you back to what I wrote, as opposed to the idiomatic interpretation of what I wrote. I meant to say exactly what I wrote: that “RM needs to START at the strategic level rather than . . . in the operational bowels.”

    Your point about resilience is well made. My point (though not made explicit in the space I had available – culled from 1800 words) is that starting with operational detail results in operational demands and presumed trade-offs dominating the focus of the firm’s risk system to the detriment of more strategic and firm-wide considerations. Without the perspective afforded by the initial forays into firm-level trade-offs of analytic resource (cost) versus greater understanding of the impact of uncertainty on the business model (benefit), the benefit/cost ratio of investment in resilience will be distorted (typically under-valued) and more politicised as a result.

    Your risk leader point troubles me a little though, mainly terminologically. From your ensuing sentence I infer that you consider a risk leader as someone who is skilled, principled and courageous enough to align inter-temporal trade-offs with the interest of long-term owners. That I agree with. But the phrase ‘risk leader’ implies that one could lead in the risk sphere without leading elsewhere. All sorts of alarm bells ring in my mind. As I remind my daughter when splitting hairs, I need all the hairs I can get.

    Re your culture point, I think the same point is made more forcefully without using the word ‘culture’. Perhaps, ‘prevailing business expectations driven by asset managers whose performance is assessed relatively monthly’ is a more precise starting point.

    Re “beyond the scope . . .,” well, yes and no. I agree on the “traditional risk analysis” front but disagree on the “management techniques” front, at least partly. I started my career developing a balance-sheet-wide funds transfer pricing and allocation system to support risk-based profitability analysis. Most banks have not caught up, least of all corporate businesses. But that is just the sort of allocation system that supports decentralised decision-making in a complex environment, as I know you will agree. However, if the whole is not backed up by an understanding of the potential for system instability, risk will remain underpriced – with effects we observed in 2007 & 2008. On that fundamental point, of course, we will concur.

  3. Hi Peter,

    You are right that effective risk management validates and informs strategy. This requires some irrigation of the ‘data desert’. Tactical execution of strategy similarly requires good information flow, although usually flowing at a much faster rate.

    Ideally, an integrated risk management system should be efficient in feeding updated information from tactical developments into the making of strategic decisions and vice versa. However, this seems to be beyond the maturity of most organisations – hence the compelling arguments you make around risk registers and behaviour.

    If you were to draw an Ishikawa diagram, would you identify financial data as the primary condition necessary for effective risk management? Absent many leaders who are “skilled, principled and courageous enough to align inter-temporal trade-offs with the interest of long-term owners”, is that realistic?

    Best wishes
