As organizations emerge from the financial crisis, CEOs are shifting their focus from crisis management back to strategic growth. As part of strategic growth planning, risk management is an integral process for the attainment of board approval. Often, the internal audit department is called on to provide assurance that a sound foundation of risk management has been established. The challenge to establishing a sustainable risk management process is finding a practical, yet substantive, approach to identifying and managing risk.
Many organizations continue to spend valuable resources in response to mounting pressures to manage risk. Those organizations are chasing the panacea of enterprise risk management (ERM). Unfortunately, current ERM practices often promote a "check the box" mentality that results in management focusing most of its capacity on unfocused and redundant enterprisewide control measures. Hence, rare, hard-to-predict but high-impact "black swan" events are not considered.
An alternative to traditional risk management methods is to align risks to enterprisewide strategy. This strategy-based approach truncates the process by first understanding what the organization is trying to achieve (strategy). Once the key drivers of an organization's strategy are defined, it is easier to identify and understand the motivations and the decisions that management is willing to take (the risks).
The experiences of three diverse organizations demonstrate the benefits of a strategy-based approach to risk management. The organizations include a global, not-for-profit humanitarian organization; a publicly traded global retailer; and a large, private equity-owned cruise line. While the risks that threatened each organization varied dramatically, the process they used to analyze risk was consistent. Analyzing the impact of compounding risks and identifying risk patterns reframed how these organizations think about their risks and better prepared each business for black swan events.
Strategic Risk Alignment
Identifying and aligning risks to the organization's strategy, and specifically to the goals that measure the performance of that strategy, is of paramount importance. The old phrase "don't let the tail wag the dog" is appropriate. In this instance, the strategy is the "dog," and the "tail" comprises the risks that threaten the organization's ability to achieve its strategy. Risks within an organization only exist as a result of its strategy and goals.
The first step to understanding the organization's strategy is to align the achievement of strategy to measurable units or strategic goals. For example, one component of the cruise line's three-part strategy was to increase revenue. One of the goals set to achieve this component was to focus specifically on increasing passenger ticket sales, rather than on other revenue line items. Another part of the strategy was to enhance customer satisfaction, which was measured by analyzing customer feedback responses. The third area of the strategy was to decrease operating costs, which was measured by decreasing general and administrative expenses such as marketing.
However, there were potential conflicts among the three parts of the cruise line's strategy. To increase passenger ticket sales volume, the organization may have to invest more in marketing, which would increase costs. In addition, increasing passenger ticket sales could conflict with increasing passenger satisfaction. For example, customer overbooking may become a service risk.
By using the strategy-based approach to assessing risks, the internal audit department advised the risk committee to address how these goals may have conflicting outcomes. As a result, the risk committee came up with recommendations to increase the volume of passenger ticket sales by increasing customer satisfaction. This low-cost solution was attained by providing bell ringer customer service incentive training. In addition, the committee recommended optimizing the call center staffing model to reduce the wait time for callers who were put on hold without increasing head count.
To find low-cost ways to increase passenger ticket sales volume, the marketing team was asked to brainstorm on how to leverage social media to find alternative solutions. This process resulted in new social media campaigns, a raffle giveaway, and other initiatives. By identifying the strategy and the specific goals measured, conflicting risks were avoided and mitigated — before the risk assessment even began.
Aligning risks with strategy can yield a deeper understanding of potential risks. In addition, the strategy-based approach tends to be less threatening to executives and business-unit managers. Asking an executive "what could go wrong?" — or even worse, "what keeps you up at night?" — could be a loaded question, depending on the political climate and the organization's financial position. However, asking "what are we trying to achieve?" sets a cooperative tone. Keeping the executive team focused on the goals at hand also avoids pet project deviations, finger pointing, and other nonproductive risk-related discussions.
Asking the right question takes just as much skill as giving the right answer. Once goals are established and key measurements are identified and understood, the next step is to understand the specific threats to achieving the goals.
The global humanitarian organization received great value in this exercise. Before adopting the strategy-based approach, the organization had identified more than 300 risks. However, once the risks were aligned with the strategy and goals, the organization quickly realized the 300 risks identified under the "what could go wrong?" approach only focused on five out of the seven goals the organization had set out to achieve. The other two goals were not strongly correlated with the 300 risks identified. In short, the organization did not ask all the right questions. Instead, the humanitarian organization's lack of focus on strategy led it down an exhausting list of "what could go wrong" questions.
To further discover the threats to its goals, the organization turned to the internal audit department to facilitate a workshop session. This session enabled management to condense its list of risks into 25 categories that had a direct impact on all seven goals. Categorizing risks allowed management to design a targeted risk mitigation strategy that leveraged the existing controls in place without requiring further capital investment.
A great vehicle for assessing the impact of each risk on each goal is a survey. Because surveys have no limit to the number of participants, they can produce a large, statistically significant data sample. This enables a large population of managers — who are responsible for managing the risks to the strategy — to assess the level of impact each risk has on the organization's ability to achieve its strategy. In addition, surveys allow for anonymous — and hopefully forthcoming — communication about an organization's risks. An important factor to consider when drafting the right-fit survey is determining who is best suited to assess such risks. It is essential that participants have a pervasive knowledge of the organization to understand the interconnections of each goal and respective risk.
Another advantage of conducting surveys is that they enable multiple participants around the world to respond simultaneously. This was important for the humanitarian organization, because most of its risks needed to be assessed by people in field missions located worldwide. Face-to-face workshops would have been too time-consuming and expensive, and most of the organization's field missions lacked technology for teleconferences. Writing a well-crafted survey was the only viable option to attain the highest degree of cultural and language affinity.
Risk surveys proved beneficial for the retailer as well. Traditionally, the company limited the risk management program to just senior-level executives, given the complex and global structure of the organization. Obtaining a statistically significant sample size via interviews or workshops was impractical, as was manually tabulating hundreds of responses from management. By using the risk survey, the retailer obtained a statistically significant data sample. Additionally, the risk model quickly tabulated the voluminous data from the survey and provided insightful analysis by detecting risk patterns that warranted management's attention.
Cruise Line: Ticket Sales and Satisfaction Ratings
Does increasing passenger ticket sales impact the capacity to increase guest satisfaction when considering the following risks? (Rate impact on scale of 1–5)
Down Economy: 5
Overbooking Cabins: 4
Global Terrorism: 3
Rising Fuel Costs: 2
Limited Port Capacity: 3
Surveys are where the skill of performing the risk management process under the strategy-based approach comes into play. The art of crafting a right-fit survey is striking a balance between portraying the seemingly conflicted goals within the strategy and the relationships of each risk to each goal. "Cruise Line: Ticket Sales and Satisfaction Ratings" above shows the survey question the cruise line asked to address its conflicting goals — increasing ticket sales while increasing customer satisfaction and decreasing costs. The survey participants were asked to assess the impact of each risk as it relates to both goals on a numerical scale.
Although situations never seem to happen the same way twice, history does seem to repeat itself. Therefore, it is prudent to analyze risk patterns and identify the relationship between goals and the impact compounding risks may have on achieving the goals.
Analyzing the Results
Once the survey responses have been received, the data analysis begins. Reviewing a plethora of survey responses manually is overwhelming and ineffective. For example, the global humanitarian organization sent surveys to 150 field mission workers. Analyzing that number of survey responses and attempting to associate patterns among seven goals and 25 different risk categories manually would be impractical. This is where applying models of risk impact can be effective in analyzing data trends and patterns in the assessment results.
Most emergency response professionals will agree that accidents occur as the result of a combination of multiple risks happening at the same time. Organizations are no different. Most organizations can handle isolated risks when they happen. However, a combination of multiple risks occurring simultaneously within the same area may have a catastrophic impact on the organization. For example, multiple risks happening simultaneously can have a compounding impact if the organization is undergoing a financial restatement due to suspected foul play by executives, compounded by a revised reported loss during a down economy. This scenario would have a systemic impact on the course of the organization's strategy. In this case, focusing on risk patterns can expose risks that would be overlooked if risks were analyzed in isolation.
An effective risk response involves defining and implementing an appropriate risk mitigation strategy. In analyzing its risk patterns, the cruise line discovered that the risk of overbooking cabins has a negative impact on enhancing revenue in addition to the negative impact on guest satisfaction. Collectively, these two risks combined had a more significant impact on the achievement of two different goals. Viable recommendations would include enhancing the sophistication of the cruise line's online booking system and implementing more accurate measures to forecast demand.
Risks and controls should be monitored continually, as their impact on a goal can vary over time. For instance, during peak season the risk of cabin overbooking may be greater than at any other time of the year. The simplicity of the survey approach allows the organization to gather timely information as needed.
Typically, risks and controls do not have a one-to-one relationship. A failure to achieve a goal is not the result of one risk occurring or the failure of one control. Instead, a failed goal usually is the result of multiple risks occurring, compounded by the simultaneous failure of multiple controls. Identifying risk combinations over an organization's life cycle enables it to discover risk patterns. Identifying and understanding these patterns increases its ability to mitigate risks that have not yet occurred. Risk relationships can be tracked by performing periodic risk assessments.
On the Brink of Predictive Analysis
A long-term benefit of analyzing risk patterns over time is the basis for formulating predictive analytics. Risk models that analyze and track risk patterns also can identify recurring patterns. The more of these patterns the model has to analyze, the stronger the correlation between risks and goals will be. When the correlation is strong, management will have more confidence that the model provides predictive analytics and can detect black swan scenarios. However, to have an effective risk-pattern analysis over time, the organization's goals must be consistent; creating a new goal will change the risk landscape and require a new assessment.
By promoting the strategy-based approach, internal audit can be instrumental in assuring a more effective and comprehensive risk management program. The results of analyzing risk patterns increase management's capacity for sensing and responding to risks.
Using risk modeling in conjunction with survey analysis can enable quick mitigation responses and optimize the deployment of resources. As a result, organizations are able to strengthen enterprise risk-resilience, protect customers and stakeholders, and improve profitability.