Process Vs. Capabilities: Part 1
If you asked most companies what their risk management processes are, you would likely get an answer--maybe not a best-in-class answer but, nevertheless, every company should be able to articulate the processes they have in place. However, if you asked the same companies to articulate their risk management capabilities, I am guessing that you would get a fuzzier and less concise answer because many companies are not accustomed to looking at their organizations from a capabilities point of view.
Maybe this distinction between process and capabilities is obvious to some; nevertheless, it is one worth exploring in more detail. This distinction recently caught my attention when I was discussing the interaction between strategy and risk management with my good friend Beth, a partner at a leading strategy consulting firm. Beth has recently been advising leading universal banks and asset managers as they navigate through the recent financial crisis.
Although a strategy consultant by trade, Beth admits that, over the past 2 years, she has become a risk management consultant by chance. The CEO of one of Beth's large investment clients called her in when the CEO found a little blip of a mistake in a part of his business during the early days of the financial crisis. Paranoid by nature, the CEO was concerned that, because this one mistake got through, that even more serious issues could occur without being caught or noticed before they materialized into a potentially significant issue.
When Beth first started evaluating the situation, she quickly discovered that there was no chief risk officer and risk management department. In addition, she was alarmed to find that that no one in the organization spoke about "risk" or could clearly describe the organization's "risk management process."
Beth's initial reaction was that the situation was a complete debacle and a potentially significant disaster just waiting to unfold. However, as Beth started meeting with people in the organization, to her surprise, she found that the organization was actually incredibly good at managing risk.
How was this possible? Doesn't this go against any sensible framework or sound practices for risk management?
First, the company hired very capable people. Then, it taught everyone to be paranoid (like the CEO) and to always think about what could go wrong. And third, it was a normal company practice at the end of meetings (regardless of the topic) for everyone to list all current and potential "issues"--their synonym for "risk"--then agree on who was responsible for resolving (and/or monitoring) each issue.
Beth did find that there was one problem related to risk governance, in that personnel did not clearly know what to do when a situation began to exceed their ability to manage it, which is precisely what allowed the original issue to sneak through. To address this, Beth simply worked with the company to create some basic governance mechanisms, including clearer roles and responsibilities for all employees and an escalation matrix that defined who needed to be involved at different levels of concern.
As a result of this, and similar experiences at other companies, Beth now realizes that a company can be incredibly good at risk management in terms of capabilities--yet lack formal processes.
One of my favorite quotes from Beth on this topic is, "In the end, risk management based on process and control makes you good at fighting the last battle. However, if you have an organization based on capabilities, and smart paranoid people who know when to involve the right people, you are going to be much better at anticipating and solving the next one."
M. WONG is director of enterprise risk management at CME Group, the world's largest and most diverse derivatives exchange.
March 16, 2010
Copyright 2010© LRP Publications