Felix Kloman examines the state of risk management in 2004

What is the state of risk management in 2004? It is certainly not an industry, nor is it yet a profession. It remains a loosely defined discipline, one that has drawn increased international attention in the past five years. Its roots lie many years in the past, in finance, safety and loss funding, yet it has taken the bursting of the stock market bubble, the disclosure of associated corporate misbehaviour, and the advent of global terrorism to begin to bring together former fragmented tactics in risk analysis and risk response into a new and integrated effort.

Academic stature

Risk management in 2004 is accepted as an integral part of the structure of any organisation, part of the progress over the past five years. It has academic recognition. The subject is taught worldwide in more than 100 universities and graduate schools, including such institutions as the London School of Economics, Glasgow Caledonian University, Harvard University, the University of Virginia, the University of Pennsylvania and Monash University. It has public recognition. Both the Canadian and UK Governments have embarked on broad risk management initiatives, and 'standards' are in effect in Australia, New Zealand, Japan, Canada, Norway and the UK. In the US, a leading proponent of risk-benefit analyses, John Graham, formerly the director of Harvard's Center for Risk Analysis, is a leader in the Government's Office of Management and Budget. The US Congress now requires in-depth risk analyses before new regulations can be promulgated.

Finally, it has organisational recognition. Profit-making and non-profit organisations alike practice risk management. Chief Risk Officers can be found in more than 150 major corporations, reporting to both the CEO and to the governing board. New public accounting and stock exchange guidelines in such diverse areas as North America, the UK, Germany, India and Malaysia, plus new laws (Sarbanes-Oxley in the US, for example) mandate risk analysis responsibilities for governing boards.

In the past five years we've established a consensus on the basic structure and critical steps used to apply risk management in organisations:
- goal - to build and maintain stakeholder confidence through improving stakeholder 'value', creating a healthy internal risk culture;
- board and senior management commitment;
- broad view of risk encompassing both reward and penalty;
- common framework for the integrated analysis of all risks;
- single independent leader or coordinator for the process;
- bottom-up risk assessments, continuing periodically;
- necessity for clear and timely data; and
- two-way communication with key stakeholders (this is the most often overlooked aspect of today's risk management).

Even as risk management has become a major factor in our world, we have some serious problems. They involve misunderstanding risk itself, creating complexity instead of simplicity, and continuing competition among practitioners instead of cooperation.

First, take the word 'risk' itself. John Adams, in his 1995 book 'Risk', sees it as a cultural construct that "illuminates a world of plural rationalities". Risk, to him, is a "balancing act" in which the actors "balance the expected rewards of their actions against the perceived costs of failure" in a world in which expectations and perceptions are constantly changing, in large measure as a result of our multiple responses. In today's practical world, risk can mean chance of loss, a physical property that is insured, or "a measure of the possibility of unexpected outcomes" (the definition that I prefer). Unfortunately, the safety, public policy and insurance communities continue to use risk in its limited, negative sense, while most financial practitioners take a larger view that encompasses both upside and downside consequences. Without an internal consensus on its meaning, chaos is likely. The International Organisation for Standardisation (ISO) tried to resolve this problem, defining risk as "the combination of the probability of an event and its consequence," adding that "consequence may be either positive or negative." In a footnote, ISO suggests that, "in some situations, risk is a deviation from the expected."

Second, over the years the process of risk management has been encrusted with many overlapping steps, complicating what should be simple. The process has two easily remembered components: risk analysis and risk response. Risk analysis includes the identification of possible unexpected events, their measurement in terms of likelihood, consequences and public perceptions, and their assessment in terms of an organisation's objectives. Risk response encompasses the controls adopted to balance risk, measuring and monitoring performance, and communication with stakeholders. The discipline answers the questions "what could happen?" and "what should we do about it?"

Third, too many practitioners are intent on protecting their own traditional 'turf' such as financial hedges and derivatives (for credit, currency, interest rate and market risks), the environment, health and safety, security, contingency planning or insurance. This inevitably leads to a continued interest in tactical rather than strategic responses to risk (buying liability or property insurance; managing currency and interest hedges; reducing employee injuries; protecting environmental resources, etc). But who is watching the entire store? Cross-turf problems such as the recent examples of outrageous executive compensation and perks, excessively compliant accounting, governance riddled with conflicts of interest, and the failure to communicate intelligently with stakeholders call for a more integrated approach to risk management.

Competitive spirit

This continuing competition also involves the major risk management associations, which seldom include their competitive groups on joint panels. How often have you heard speakers from GARP, PRMIA, SRA, RMA, RIMS, FERMA, IIA or SOA at other than their own conferences? Can you even identify each of these groups?

In addition, in the absence of any group leading enterprise risk management, the internal auditing profession moved into this vacuum, suggesting that its members help create the function. The Institute of Internal Auditors has published several intelligent and practical monographs on the process, conducted numerous global conferences and stimulated new training such as Control Self-Assessment (CSA). It is a natural role for internal auditors, who generally report to both the CEO and the governing board. A question remains, however. Does the practice of risk management conflict with the traditional requirement for auditor independence?

So what are this year's critical risk issues? First is the US dollar. Its increasing volatility requires preparation of a variety of economic and political scenarios and new approaches to hedging. The New York Times reported that German car manufacturer Volkswagen lost more than $1.5bn in currency shifts last year. Any organisation trading in different currencies will be affected, especially as interest rates begin to change to reflect the enormous US budget and trade deficits.

The second issue is greed. At first it appeared that this most common of human frailties might be restricted to the US, but it has now raised its ugly head in Europe and Asia as well. Enron, Tyco, WorldCom, Adelphia, the New York Stock Exchange, HealthSouth, Hollinger, HIH, News Corp, Parmalat, Royal Ahold and Elan are all examples of uncontrolled greed crippling stakeholder confidence. The Harvard Business Review quoted Judith Martin in its December 2003 issue: "When I look in my mail, it's clear that the number one problem facing American society today is greed." She really should not have been that surprised about the persistence of greed; it's a human instinct that has been and will always be with us. The risk management goal is to stifle it through the right combination of internal culture, controls, penalties and resulting publicity. New laws, rules of governance and leadership have started this process and organisations worldwide are on the path to correcting the imbalance.

The third issue is flexibility, the capability of any organisation to rebound from whatever contingencies may occur in the next twelve to 24 months. Can a non-profit sustain a 20% reduction in donations and continue its beneficial work? Can a local, state or provincial government survive a 20% drop in tax revenues? Can a profit-making corporation take advantage of a 20% drop in the value of the dollar and expand its sales outside the US? Will outsourcing bite back with substantially higher costs from non-US operations?

Greater flexibility

It is in enhanced organisational flexibility that risk management can make its greatest contribution. First, it can use the technique of scenario analysis to undertake broad and integrated risk assessments, particularly for organisational strategic planners. These scenarios will incorporate both quantitative and qualitative estimates. Second, risk management can encourage senior management to be prepared for all contingencies, however remote. Think about those events that fall outside the 95.5% estimate of probability. These 'outliers' and their consequences must be incorporated into planning. And third, it can stimulate the creation and use of enhanced financial reserves, using a combination of savings, credit, derivatives and insurance to assure adequate financing whatever occurs. That financing should be directed not only to recovering what might be lost but also to taking advantage of the new opportunities that present themselves in a rapidly-changing environment. Building and maintaining maximum flexibility in uncertain times means that organisations will have the natural resilience to overcome negative events and build on positive ones. After all, that is the real goal of solid risk management; to build and maintain the confidence of all stakeholders in the organisation.

Key disciplines

Where is risk management going in 2004 and beyond? I believe that the discipline will become a key part of strategic planning. While the sub-disciplines of finance, safety, public policy, insurance, security and the like will be tactically linked, they will be coordinated so that an organisation can reach its overall goal of creating and maintaining public confidence. Given that we can never anticipate all possible outcomes in an increasingly volatile world, contingency or business continuity planning will become a major responsibility of the senior risk officer. Finally, organisations will acknowledge that risk management is not the privileged province of specialists but the responsibility of all employees. Risk management will become part of the organisation's culture.

The greatest area of change will be improvement in communication with stakeholder groups, including employees, customers, suppliers, lenders, investors, regulators, communities and the public at large. It is now risk management's weakest link. When should we communicate? How do we do it? How do we create a two-way dialogue?

Finally, risk management can help organisations solve three major current and future issues:
- credibility - the events of the past five years, affecting governments, non-profit and for-profit corporations alike, demand new steps to re-establish stakeholder confidence;
- resilience - today our organisations are even more vulnerable to the unexpected. How should they prepare? Can they react and survive? Is it time to recreate the idea of redundancies? and
- perspective - for too many years corporations, particularly in the developed world, fostered the illusion that an emphasis on short-term results would satisfy their stakeholders. It hasn't worked. We now need to restore the long view and alter organisational culture accordingly.