Does Risk Management Increase Strategic Risk?
In most organizations, risk management is considered a vital function and attracts great attention from C-suite officers. However, according to Steven Denning, the author of "The Age of Agile
" and a senior contributor of Forbes, the traditional way of risk management not only is ineffective in turning risks into opportunities, but gives rise to the opposite—more risks. He gives the following 10 arguments:
- WRONG FOCUS:The most prevalent approach to risk management focuses on new investments. In this approach, risk managers evaluate and aggregate the risks of potential investments to ensure that only an appropriate level of risk is taken. But this approach is under the assumption that the existing business is risk free and can go on indefinitely "as is," which is completely at odds with the reality that in today's VUCA world where disruption is endemic, continuing the existing business "as is" is a sure recipe for disaster. As a matter of fact, the single biggest risk in most big firms today is not something "out there" that might affect the firms in the future, but their existing bureaucratic way of management, which is "here at home, right now, in the board room itself." Not acknowledging this fact poses a huge risk to the firms; and not addressing the problem puts them in even greater danger—the risk of losing sustainable competitiveness and prosperity in the future.
- COMPLEXITY: Risk management often wrongly assumes that the marketplace is a complicated world of linear changes, and that the risk of future investments can be analyzed and predicted by a central risk management function. While in reality, the marketplace is more complex than complicated today, and is hence inherently frivolous and unpredictable. The only way to understand a complex system is to continuously experiment , learn, and make adjustment as new information is gathered, which echoes agile ways of working.
- NON-ITERATIVE DECISION-MAKING: Traditional risk management applies "go vs. no-go" decision making, which can render investment returns completely off the mark. In a complex system, decisions need to be made iteratively over the course of continuous exploration of the investments' prospects while integrating along the way new information that becomes available from multiple experiments. In other words, to properly manage risk, decision making should be provisional and continuously revised in light of real-time data. Compare: Emergent Strategy.
- THE CUSTOMER: One of the most critical causes of the complexity of today's marketplace is that power has shifted from the seller to the buyer, which has effectually made fickle customers the bosses of the firms. Firms can only survive by being obsessed with customers and doing their utmost to understand their customers' changing behavior and needs and to figure out improved ways to meet them. This is a key risk factor that's often systematically de-emphasized by traditional risk management, which thereby increases the risk faced by the firms rather than the opposite.
- DESCALING: Dealing with complex contexts requires that work be descaled where possible so that small teams work on small chunks of tasks in short cycles, and continuously interact with customers and make adjustments in view of feedback. However, in traditional risk management, decisions on big projects are made in whole and centrally by staff far away from customers, which is bound to end up with low-quality decisions about both risks and opportunities.
- MULTIPLE PATHS TO YES: A classic risk management system often reflects a straight hierarchy in which any new idea has to be approved by the bosses at all levels, and any single 'no' in the steep ladder can kill the whole idea. This kind of risk management naturally increases the likelihood that good ideas will be killed by the system itself, which enhances risk-aversion rather than fosters opportunity. Instead, organizations should create multiple paths to yes, so that an idea can be green lighted by many different executives within "a culture of experimentation" that recognizes the possibility of frequent failures.
- DIFFERENTIATED REVIEW OF BIG BETS: Decisions of different scales need to be made in different ways. For instance, at Amazon, ideas for improvements or smaller investments have "many paths to yes"; but larger ideas that could inevitably change the whole company's direction will be approved or rejected by the "chief slowdown officer"—the CEO of Amazon, Jeff Bezos himself, who makes sure that only big bets with originality, scalability and profitability can pass through.
- ONE-DIMENSIONAL DECISION-MAKING: Traditional risk management usually only focuses on financial returns of projects, to the neglect of other value to an organization, such as the acquisition of new skills or strengthening relationships with customers that will generate long-term profitability for the organization. For example, at Haier Group Corporation, the world's leading appliance maker, customer ecosystems fostered by the organization's leadership and culture have generated value way beyond mere financial returns. Therefore, the short-sighted focus of traditional risk management exposes an organization to the risk of losing sustainable prosperity in the future.
- DEMYTHOLOGIZING THE CEO: Too many organizations assign a heroic role to the CEO in risk management, assuming that only top management is in the right position to decide on the overall "risk appetite" of an organization. The truth is, effective risk management should bring insights of the most competent people to assess the opportunities and the risks, wherever those people are located. In some cases, those can be even ordinary employees who are closest to the marketplace.
- NEGATIVE PERSPECTIVE: The term "risk management" implies a negative interpretation of opportunities. In light of the significant importance of fighting risk-aversion to stimulate innovation, the label of "risk management" itself might as well be changed to "opportunity management."
Denning concludes that traditional risk management is a remnant of the bureaucratic management from the previous century. It is time to replace it with the principles of organizational agility
and a mindset of nurturing opportunities.
⇨ What do you think?
Are companies still deploying a traditional, central risk management function like dinosaurs?
Source: Denning, S. (2020, Feb. 25). "Ten Reasons Why Risk Management Increases Risk"