Process Vs. Capabilities: Part 3
In Part 1 and Part 2 of this discussion, I highlighted the point that a company can have two approaches to risk management, being very capabilities driven or formal processes-driven. I also noted that, whether your program is process-driven or capabilities-driven, you also have to apply an appropriate amount of focus to the other approach. Put simply, balance is required between process and capabilities.
Between process and capabilities, companies have paid much greater focus to risk management processes over the past few years, especially with added pressure from the likes of COSO, Sarbanes-Oxley, S&P's ERM rating, Basel II, and other various regulations and outside pressures. In addition, there has been no shortage of consulting firms and software companies offering to help enhance companies' risk management processes ... for a fee, of course.
So why do companies and boards often feel that the end result of these types of initiatives is below their initial hopes and expectations?
Because these types of initiatives often overly focus on improving risk management process and only modestly (if at all) focus on actually improving the risk management capabilities of the leadership, management and staff of the companies.
So now it is time for me to put my money where my mouth is. I have been quick to critique these process-driven approaches and slow to share any specific thoughts on, first, what risk management capabilities companies should also bring into focus and, second, what individuals and companies should do to improve their own risk management capabilities.
If you have not figured out already, I learn best by example and illustration. As I reflected on what core risk management capabilities differentiate those who have excellent risk management track records verses those who do not--and on which people have made the greatest impression on my views and career in risk management--a number of characteristics and people stuck out.
But there is only one person I will directly introduce you to in this column, Mr. Winston Wolfe.
"I SOLVE PROBLEMS"
It has been quite a while since I have thought about Mr. Wolfe. It is just now hitting me that he is one of the primary reasons I pursued a focus on risk management in my career. Rather than describe him to you, meet him for yourself. Go to youtube.com and search "Winston Wolfe I solve problems"; the first hit should give you a four-minute clip of Mr. Wolfe at his best. Please be warned that this clip includes some vulgar language, so if you feel that you or others might be offended, please skip the clip and read on.
What you will see is that Mr. Wolfe clearly exhibits mastery of three core capabilities that I believe are critical to being a successful risk manager. They are:
1. High aptitude for understanding, framing and evaluating situations quickly and robustly
2. Broad knowledge, with significant depth in critical areas, and ability to anticipate
3. Outstanding social interaction and communications skills
In short, I am confident that with these capabilities Mr. Wolfe could help effectively manage risks in a wide range of situations, whether it be in a bank dealing with overexposure to subprime or in an out-of-control college party breaking up a monkey knife fight.
As a shareholder of a public company, would you want Mr. Wolfe as your company's chief risk officer? I would.
AS IS VS. TO BE
So what can individuals and companies do to improve their own risk management capabilities, especially the three core capabilities above? Use a basic "as is" versus "to be" approach.
First, I think we all need to look in the mirror and self-evaluate where each of us stands in regards to these capabilities today ("as is"). Sure, you can hire someone to help you do this; however, I find that, if you do the evaluation yourself, you are far more likely to believe in the results you come up with and therefore more likely to do something about it.
Surely, some may inflate their self-assessments, but these same individuals would also just discount or dismiss anything that an outsider told them. So better to just lie to yourself than to pay someone to tell you something that you are not going to believe and do anything about anyways.
Second, identify where you want and need "to be" in regards to these capabilities in a given amount of time (e.g., in 12 months). Then note the gap between your self-evaluation and this target. This should help focus you on where your biggest areas of improvement lay.
Third, map out how you could go about improving each capability and then commit to a plan. Write the targets and plan down, then share them with others to ensure that you are committed and accountable for striving towards them.
Fourth, regularly measure your progress to the plan and determine if there are any additional paths worth considering.
Finally, redo the self-evaluation regularly (e.g., in 12 months), set new targets and do it all over again.
This basic approach can work for either individuals looking to improve their own capabilities or for a company looking to improve the capabilities of its people or the collective capabilities of its organization.
In the end, the quality of a company's or individual's risk management practices is a function of both process and capabilities. By improving focus on the capabilities component of this function, we will see significant improvements in the overall risk management practices both within and across organizations.
So, yes, I have Quentin Tarantino to thank for introducing me to the iconic Mr. Winston Wolfe my senior year in high school (making me 33 years old this past April). I idolized Mr. Wolfe, and he became one of the catalysts for my career in risk management.
So ... "if I'm curt with you, it's because time is a factor. I think fast, I talk fast and I need you guys to act fast if you want to get out of this. So pretty please, with sugar on top, clean the (flippin') car" by getting your risk management capabilities in order!
Read Part 1 and Part 2 of David's discussion about distinction between risk management process
M. WONG is director of enterprise risk management at CME Group, the world's largest and most diverse derivatives exchange.
May 19, 2010
Copyright 2010© LRP Publications