Anyone who has had professional dealings with me already knows that I have been lovingly accepted as the risk management "Word Nazi." It is incredible to me how we all revolve intimately in this risk world and yet so few of us actually have the same understanding of the words that we use every day.
The word "risk" to an underwriter means something totally different than the word "risk" to a financial adviser. The word risk in a hospital is different than the word risk my mother refers to when she refers to her fear of flying. Because of this, I usually spend the first 20 minutes or more of most risk discussions establishing a base understanding of what we are talking about.
This linguistic torture regrettably extends further to popularized risk categories or buckets. I was recently in discussions with a senior management team who adamantly wanted to categorize their "risks" by categories such as operational risk, strategic risk, financial risk, just to name a few. The effort intended to be dedicated to this was mind-boggling.
Warning--please read the label. It is just a label. It is just a filing system, an arbitrary classification scheme, a visual tool, nice packaging, an organizational technique and that is about it. Consider the effort you are willing to expend choosing your file folder colors or writing file tabs for your files in your filing cabinet.
What is somewhat comedic to me is if I were to ask 100 people what these categories actually meant, I guarantee that very few would actually agree and the definition of these labels might even be opposing. So what is the point of doing it? How much time are we willing to waste arguing whether one particular concern or "risk" actually belongs in one bucket over another?
Too often, I see organizations paralyzed by this very problem. They tend to miss the whole point of the risk identification process. When working with a natural gas company, I recall discussions around a key "risk" being a large gas explosion in a city center. Agreed, it is a scary event. But what bucket does this event fall into? Operational? Reputational? Financial? All of them? None of them?
The explosion event as stated meant little and did not fall easily into any category. The trick to meaningful risk identification is the ability to break down events in a more granular way so that risk solutions become more naturally evident.
So, for instance, with such an explosion, the company may be concerned about negative media coverage. The solution to mitigating this is much clearer and intuitive now. With an explosion, they may be concerned with loss of a specific plant. Again, the solution is different but clear. With an explosion, they may be concerned about third-party liabilities, property damage, penalties, business interruption. Look at the risk list now.
It is the degree of specificity that drives meaningful risk identification. Being specific about the events that are affecting company goals is critical and, as an added bonus, it saves you from having to force risks into buckets unnaturally or even awkwardly. If we agree that the point of risk identification is to eventually rank and set priorities on instituting real risk solutions, please leave labeling your buckets as one of your last tasks.
JOANNA MAKOMASKI, the former risk manager for a global energy company, is a leading specialist in innovative Enterprise Risk Management methods and implementation techniques for ERM Quickstart. She writes on risk management.
September 1, 2009
Copyright 2009© LRP Publications