
January 2011

RISK de jure

By Sapan Sanghani | Chartered Accountant

Risk Management

1. Introduction:


Risk — we have been using this word frequently these days (or more precisely in the last decade), particularly after the corporate scandals of the early 2000s. The word has a legion of synonyms and is perhaps one of the few words in the English taxonomy to have so many twins. Call it uncertainty, randomness, chaos, entropy, volatility, catastrophe, threat, complexity, vulnerability or ‘black swans’ (a term coined by Nicholas Taleb in his book Black Swan to refer to the impact of highly improbable events); or simply call it risk, the list is long. Interestingly, its thesaurus list is just as long as the list of its definitions. The avalanche of definitions of ‘risk’ and ‘risk management’ by different theorists, epistemologists, institutes, textbooks and consultants makes ‘risk’ and ‘risk management’ among the most debated concepts in management literature. Ironically, the confusion and differences in the understanding of this subject also make it a lucrative business option for consultants to leverage.

The debate is not restricted to the management hemisphere. Physicists, too, have been performing an autopsy of this term (albeit in a different context) for more than half a century to find answers about the origin of this universe, thereby refining our Weltanschauung. Heisenberg’s Uncertainty Principle, which is frequently used by Einstein in explaining ‘General Relativity’, has for decades created a similar anxiety among physicists as it has among the management literates. Stephen Hawking, a renowned physicist and Nobel laureate, writes the following in his book ‘A Brief History of Time: From Big Bang to Black Holes’ in explaining the ‘uncertainty’ principle:

“Quantum mechanics does not predict a single definite result
for an observation. Instead, it predicts a number of different possible outcomes
and tells us how likely each of these is. That is to say, if one made the same
measurement on a large number of similar systems, each of which started off in
the same way, one would find that the result of the measurement would be A in
a certain number of cases, B in a different number and so on. One could predict the
approximate number of times that the result would be A or B, but one could not
predict the specific result of an individual measurement. Quantum mechanics
therefore introduces an unavoidable element of unpredictability or randomness
into science. Einstein objected to this very strongly, despite the important role
he had played in the development of these ideas. Einstein was awarded the Nobel
Prize for his contribution to quantum theory. Nevertheless, Einstein never
accepted that the universe was governed by chance; his feelings were summed up
in his famous statement — God does not play dice.”

According to me, ‘risk’ is more a subject of behavioural science and psychology than a subject of organisational management. This is because each individual has his or her own definition of risk and his or her own approach to practising risk. We all have different risk appetites or risk-taking abilities. And this in turn is a function of the manner in which we have grown, the environment to which we have been exposed and the myriad events that have shaped our lives. Our society, beliefs, perceptions, value system and culture have an equal role to play. Not only does risk-taking ability differ from individual to individual, but even for one individual it keeps varying from time to time. Risk is not a word that is discussed only at board and executive level; we frequently use this word or its twin even in our day-to-day life to refer to different events that shape our ‘risk appetite’.

Without debating what constitutes a precise definition of risk, and narrowing its application to the theory of business organisation, this article tries to initiate a discourse and provoke thought on the following two aspects of risk management:

  •  Integrated assessment of risk that considers interplay and interdependencies
    of risks, and


  •  Significance of behavioural and group dynamics in risk management process that
    may dilute the likely benefits from risk management exercise.



2. Risk Management:

The Committee of Sponsoring Organizations (‘COSO’) of the Treadway Commission published a technical paper on risk management titled ‘Enterprise Risk Management — Integrated Framework’, wherein it has extensively detailed the approach, methodology and framework for managing risk across the enterprise. Ever since its publication, the framework has been incorporated into policy, rule, and regulation, and used by thousands of enterprises to improve their governance and risk management processes. According to the paper, the threads of risk management include — internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

Amongst the above, one of the most difficult threads to implement is ‘risk assessment’. The paper provides a different perspective and also a technique to assess risk, be it in qualitative or quantitative terms. While quantification of risk is still in its nascent stage, enterprises have been largely assessing risk in qualitative terms based on the parameters of impact and likelihood. While quantification of risk in numbers has its own advantages, it is against the management wisdom that says that one should manage ‘business’ and not ‘numbers’. Further, quantification has its limitations as it is subject to a number of assumptions and hypotheses, which may again become a matter of debate. Due to its simplicity and pragmatism and its advantage of providing a better perspective of risk, qualitative risk assessment is more favoured by risk experts and business executives (sparing the banking and financial industry) over quantitative risk assessment. The qualitative assessment score, when plotted on a 2 x 2 graph, assists in formulating risk response strategies.

Akin to any other decision-making activity, risk management is also a group and consensus-seeking exercise, wherein the intelligence of many is preferred over the wisdom of an individual. There are many social, behavioural and psychological factors that operate behind any such group exercise that can exacerbate it or invigorate it. The identification of risks and their assessment are the culmination of ratings by different executives, divisional and functional managers (alias process owners or risk champions). As a corollary, the risk management exercise is also vulnerable to symptoms of behavioural decision-making, which in the majority of real-world cases tend to dilute the real benefit that is purportedly expected from the risk management exercise. This paper also discusses some of these symptoms, which a risk manager should be cautious of in order to realise the benefits of risk management.

2.1 Risk Assessment: Measuring the Domino Effect of Risk:

In the real world, risks seldom operate in isolation. A particular risk interacts with various other risks with varying intensities; these interactions keep varying at different points in time, and so do their intensities. The complexity, dynamism and frequency of change of systems in the real world, be it an ecological system, a financial system, an economic system or a company’s internal control system, contribute to these very characteristics, making accurate risk assessment a utopia.

This characteristic of risk is also colloquially referred to as the domino effect of risk. Physicists also refer to it as the butterfly effect or chain effect, an allusion to which is also reflected in Edward Lorenz’s Chaos Theory. The domino effect is a chain reaction that occurs when a small change causes a similar change nearby, either on a linear trajectory or in a skewed manner.

The integration of global financial and commodity markets, the urge of world economies to adopt the capitalist framework, the avalanche of cross-border acquisitions, the spree of local companies going global, the emergence of black swans such as cloud computing and information technology, and various other similar black swans increase the domino effect exponentially, making the understanding of risk (in the right spirit) similar to arranging deck chairs on a sinking Titanic. Myriad instances can be quoted to exemplify the domino effect of risks:

  •     The recent sub-prime crisis and financial meltdown creating cues of the Great Depression of the 1930s.

  •     The volcanic eruption in Iceland creating turbulence in the network of flights.

  •     The Greek crisis dimming the hope of economic recovery and depressing corporate revival strategies.

  •     The threat of global warming compelling large corporates to re-engineer their strategies to make them more sustainable.

  •     The snowballing effects of the corporate failures of the early 2000s on the entire fraternity of economists, accountants and directors.

  •     For a manufacturing operation, an increase in inflation adversely impacts the cost of inputs and compels it to modify its marketing and pricing strategies to pass on the additional cost to customers; its inability to pass the burden of inflation on to customers may force the company to adopt lay-off and retrenchment strategies in order to survive — a phenomenon which we recently observed, particularly in the West, before the recovery cues.

  •     Sporadic interest rates triggering volatility in exchange rates, which in turn may lead a company to hive off its foreign investments, postpone its global expansion plans or cease its import or export transactions.

  •     A decision to enter a new line of business, with significant incentives tied to reported performance, can increase risks of error in application of accounting principles and of fraudulent reporting.

The combined effect of such interdependent risks, each of which individually may be of low magnitude (low impact and low likelihood), may create an apocalyptic massacre for a company. Rectifying such an injury may either become impossible or necessitate complex surgery.

The following words of Nicholas Taleb from his book ‘The Black Swan — Impact of Highly Improbable Events’, are apt to exemplify the domino effect of risk, particularly in era of globalisation:

“Globalisation creates interlocking fragility, while reducing volatility and giving the appearance of stability. In other words, it creates devastating Black Swans. We have never lived before under the threat of a global collapse. Financial Institutions have been merging into a smaller number of very large banks. Almost all banks are interrelated. So the financial ecology is swelling into gigantic, incestuous, bureaucratic banks — when one fails, they all fall. The increased concentration among banks seems to have the effect of making financial crises less likely, but when they happen, they are more global in scale and hit us very hard. We have moved from a diversified ecology of small banks, with varied lending policies, to a more homogeneous framework of firms that all resemble one another. True, we now have fewer failures, but when they occur . . . . I shiver at the thought.

Banks hire dull people and train them to be even more dull. If they look conservative, it’s only because their loans go bust on rare, very rare occasions. But (. . .) bankers are not conservative at all. They are just phenomenally skilled at self-deception by burying the possibility of a large, devastating loss under the rug. The government-sponsored institution Fannie Mae, when I look at its risks, seems to be sitting on a barrel of dynamite, vulnerable to the slightest hiccup. But not to worry: their large staff of scientists deemed these events ‘unlikely’.”

The COSO framework categorically emphasises that looking at interrelationships of risk likelihood and impact is an important management responsibility, since it can significantly affect a company’s perspective of risks. However, the framework does not explicitly set out techniques to measure and assess the interplay of risks, as it does for the assessment of individual risks. In practice, consideration of risk interplay becomes a paper exercise and is seldom implemented while performing risk assessments. Due to limited guidance on the measurement of risk interactions, risk assessments are often performed for individual risks only, which in all probability is likely to give a misleading picture of risk, if not an incorrect one.

This domino effect can be measured using a statistical tool, viz. the correlation coefficient (r). This would, of course, call for the following threads in addition to those in the existing COSO framework.

Identification of Risk Baskets:

Identifying interrelated risks (i.e., the risks that are interdependent on each other) and creating risk baskets or risk portfolios.

Measuring Risk Correlation:

Measuring the correlation between the risks within a risk basket. Establishing such correlation requires individual risk scores for a reasonable period in the past. Using the historical individual risk scores and establishing the trend in their movement, we can measure the strength of the nexus between risks in the risk baskets.

Assessment Matrix and Risk Response Strategy:

Plotting the consolidated score of a risk basket and its correlation coefficient on a 2 x 2 matrix provides a better perspective of the entity’s risk exposure and also assists in prioritising risks and strategising risk responses. Such prioritisation of risk baskets based on the correlation coefficient can lead to different risk strategies, as against prioritisation of individual risks without measuring their interrelation.
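The three threads above can be worked through in a few lines of Python. This is an added illustration, not part of the original article or of the COSO framework: the basket names, the quarterly scores, the cut-offs (10 for the score, 0.6 for r), the quadrant labels, and the choices of "average pairwise r" and "mean of latest-period scores" as the basket measures are all assumptions made for the example.

```python
from itertools import combinations
from math import sqrt
from statistics import mean

# Constructed sample data: quarterly risk scores (impact x likelihood, 1..25)
# for two hypothetical risk baskets over eight periods.
INFLATION_CHAIN = {
    "input_cost_inflation":   [4, 5, 6, 6, 8, 8, 9, 9],
    "pricing_pass_through":   [3, 4, 4, 6, 6, 8, 8, 9],
    "workforce_retrenchment": [2, 3, 4, 4, 6, 6, 8, 8],
}
UNRELATED_OPERATIONS = {
    "it_outage":      [20, 16, 20, 16, 20, 16, 20, 20],
    "key_staff_exit": [4, 9, 4, 6, 9, 4, 6, 4],
    "litigation":     [12, 12, 9, 12, 9, 12, 12, 12],
}

# Quadrant labels are assumptions made for this example, keyed by
# (consolidated score is high, basket r is high).
QUADRANTS = {
    (True, True): "high score / high r: respond to the basket as a whole",
    (False, True): "moderate score / high r: domino candidate, escalate",
    (True, False): "high score / low r: respond to risks individually",
    (False, False): "moderate score / low r: monitor",
}


def pearson_r(xs, ys):
    """Pearson correlation coefficient r between two equal-length score series."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need two series of equal length with at least 3 periods")
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # a flat series carries no co-movement information
    return sxy / sqrt(sxx * syy)


def assess_basket(history, score_cut=10.0, r_cut=0.6):
    """Place one risk basket on the 2 x 2 matrix (consolidated score vs r)."""
    if len(history) < 2:
        raise ValueError("a basket needs at least two risks")
    pairwise = {
        (a, b): pearson_r(history[a], history[b])
        for a, b in combinations(sorted(history), 2)
    }
    basket_r = mean(pairwise.values())  # assumption: average pairwise r
    # Assumption: consolidated score = mean of the latest-period scores.
    consolidated = mean(series[-1] for series in history.values())
    key = (consolidated >= score_cut, basket_r >= r_cut)
    return {"consolidated": consolidated, "basket_r": basket_r,
            "pairwise": pairwise, "quadrant": QUADRANTS[key]}


if __name__ == "__main__":
    for name, basket in (("inflation chain", INFLATION_CHAIN),
                         ("unrelated operations", UNRELATED_OPERATIONS)):
        res = assess_basket(basket)
        print(f"{name}: score={res['consolidated']:.2f} "
              f"r={res['basket_r']:+.2f} -> {res['quadrant']}")
```

In the constructed data the inflation basket holds only medium-rated risks yet lands in the high-r column, while the basket containing the single highest-rated risk does not; ranking the individual risks alone would have reversed that order.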


Reference is drawn to an article on risk management published online by Wharton (www.knowledge.wharton.upenn.edu):

“. . . . Risk management has no silver bullet. As a result, many companies need to develop a more integrated view of risk. ‘We have seen a tendency to separate risks into rigid silos — operational risk, market risk, credit risk and so on,’ says Wharton’s Herring. ‘But what we have found is that major shocks and problems do not come that way. For instance, in the financial world, you would see trading desks staffed with people who were experts in market risk, but they were trading instruments that were laden with credit risk. The skills you need to think about each of those kinds of risk are very distinctive, and unless you have an integrated view of risk, you could encounter major problems.’ . . .

. . . Historic data does not shape the future anymore, given how rapidly the world is changing. We usually look at the known issues and make a nice diagram with probability on one axis and impact on the other. That’s Risk Management 1.0. Risk Management 2.0 is (going) beyond the known issues to look at the links and interdependencies. You can no longer look at the risks independently of each other …”

2.2 Breaking the Abilene Paradox:

The Abilene anecdote goes something like this:

“On a hot afternoon visiting in Coleman, Texas, the family is comfortably playing dominoes on a porch, until the father-in-law suggests that they take a trip to Abilene (53 miles north) for dinner. The wife says, ‘Sounds like a great idea.’ The husband, despite having reservations because the drive is long and hot, thinks that his preferences must be out-of-step with the group and says, ‘Sounds good to me. I just hope your mother wants to go.’ The mother-in-law then says, ‘Of course I want to go. I haven’t been to Abilene in a long time.’

The drive is hot, dusty, and long. When they arrive at the cafeteria, the food is as bad as the drive. They arrive back home four hours later, exhausted.

One of them dishonestly says, ‘It was a great trip, wasn’t it?’ The mother-in-law says that, actually, she would rather have stayed home, but went along since the other three were so enthusiastic. The husband says, ‘I wasn’t delighted to be doing what we were doing. I only went to satisfy the rest of you.’ The wife says, ‘I just went along to keep you happy. I would have had to be crazy to want to go out in the heat like that.’ The father-in-law then says that he only suggested it because he thought the others might be bored.

The group sits back, perplexed that they together decided to take a trip which none of them wanted. They each would have preferred to sit comfortably, but did not admit to it when they still had time to enjoy the afternoon …”

The Abilene paradox is a paradox in which a group of people collectively decide on a course of action that is counter to the preferences of any of the individuals in the group. It involves a common breakdown of group communication in which each member mistakenly believes that their own preferences are counter to the group’s and, therefore, does not raise objections. A common phrase relating to the Abilene paradox is a desire to not ‘rock the boat’.

This is what typically happens in any management meeting, particularly when it is discussing an intricate subject such as risk. A risk which each individual process owner may perceive as high may get rated as low or medium, as each process owner may think that his/her risk perception is counter to that of the group. The paradox may also be contagious during the risk identification and risk mitigation threads, rendering the exercise fragile. The snowballing effect of such Abilene assumptions may significantly dilute the benefits of the risk management exercise, keeping the board and executives under the self-deluding folly of having an effective risk management framework.

2.3 Handling Delphi carefully:

Qualitative risk assessment is essentially based on the average score of risk ratings perceived by each process owner within the risk management team. The scores (be it in terms of a 1 to 5 rating scale or in terms of high, medium or low) by selected process owners are consolidated and averaged out to derive a singular risk rating.

This technique, which is theoretically termed the Delphi technique, is widely used in any group decision-making process. However, a major limitation of Delphi, which can rob it of all its benefits, is that it tacitly tends to avoid the extremes and moderate the ratings of a risk which purportedly was a black swan. The resultant risk score and big picture become distorted. It brings in a myopic and conservative sense of ‘All is well’, when in fact the company is boarding a sinking Titanic. It blinds the management to potential and actual black swans, lulling them into complacency. Delphi lets management satisfy itself that no black swan exists, and then leaves it with the surprise of ‘How did we suddenly land in such a complex situation?’ when a potential black swan triggers.

While Delphi continues to find favour with risk managers, it should be used with caution, given its tendency to suppress extremes.

2.4 Avoiding GroupThink syndrome:

GroupThink is yet another syndrome that carries the same bacteria as Abilene and Delphi and has the potential to make the risk management process brittle. The term was first coined by Irving Janis in the early seventies; GroupThink occurs when a group makes faulty decisions because group pressures lead to a deterioration of mental efficiency, reality testing, and moral judgment. Groups affected by GroupThink ignore alternatives and tend to take irrational actions. A group is especially vulnerable to GroupThink when its members are similar in background, when the group is insulated from outside opinions, and when there are no clear rules for decision-making. The psychologist has set out the following symptoms of GroupThink, which a risk manager must be aware of:


GroupThink occurs when groups are highly cohesive and when they are under considerable pressure to make a quality decision. When pressures for unanimity seem overwhelming, members are less motivated to realistically appraise the alternative courses of action available to them. This leads to carelessness and irrational thinking.

A risk group is also often diagnosed with the above GroupThink symptoms, which a risk manager and risk group should be careful about.

3. Conclusion:

Following cues can be drawn from the above:

  •     It is imperative to realise that interdependencies of risks can be more jeopardising than individual risks. A couple of interrelated risks with medium ratings can together become a potential black swan and can be more jeopardising than an individual risk with a high rating.

  •     There is a need to have an integrated view of risk and to measure the risk domino effect using the ‘r’ factor. The Board/CEO today can have only 5-10 key risks at their fingertips, rather than a plethora and long list of risks in their risk register, which leads them nowhere.

  •     A risk manager should be cautious and aware of behavioural and psychological factors that can paralyse any group and consensus-seeking exercise like risk management. These factors alone can put the risk management exercise at risk, despite contemporary frameworks and models.

  •     A risk management team should comprise members who can independently and emphatically put forth their opinions and assessments, without getting carried away by group opinions.

  •     A risk manager should be aware of the limitation of Delphi and should not be oblivious to extremes that often get buried under the shelter of the law of averages.

  •     It is desirable to have an independent and external perspective during the risk management exercise that can constructively challenge the decisions, thinking and assumptions of the risk management team and break their self-deluding complacency.

Risk management, like any other science of management, is a function of intuition, imagination, pragmatism and leadership. There is a greater need to change the organisation’s mindset and culture towards risk than to change systems and adopt new models and frameworks, which many times may be appealing and glittering but are seldom gold.

God not only plays dice, but He also sometimes throws the dice where they cannot be seen . . . . He still has a few tricks up His sleeves.

— Professor Stephen W. Hawking
