An Iconoclastic View of Risk
This article is a revised version of a speech that I gave to the UK Association of Risk Managers at its Convention 2000 in Gleneagles, Scotland, on November 2, 2000. It incorporates many themes familiar to readers of Risk Management Reports.
Challenging the accepted or conventional wisdom is always undertaken with considerable trepidation. Past challengers, like Galileo, Quixote and numerous heretics, met derision or, worse, a flaming stake. Recently weve turned to brainwashing and propaganda to enforce conformity. But the worst fate is probably being disregarded.
I want to attack four serious misconceptions about risk and risk management. Hence the title, "An Iconoclastic View of Risk." Today we know icons more as computer symbols than as the traditional representations of religious persons or images. An iconoclast is one who wants to destroy those symbols. According to the great Arnold Toynbee, in his A Study of History, "the essence of iconoclasm is an objection to a visual representation of the Godhead or of any other creature, lower than God, whose image might become an object of idolatrous worship." This idea is enshrined in the Second Commandment, which denounces the worship of "graven images," and it is also found in Islam.
I want to extend my personal iconoclastic fury to four "icons" that have grown insidiously and perniciously within our discipline of risk management, icons which, if not broken, may undermine what we are trying to accomplish. They are dangerously subversive.
The four icons that I challenge are the ideas, first, that "risk" is bad; second, that the primary goal of risk management is to benefit shareholders; third, that risk management is the responsibility of specialists; and, fourth, that risk can be transferred.
Icon # 1: Risk is Bad Why are we so afraid of risk and uncertainty? Consider that the greatest discoveries of the past five centuries have been stimulated by the willingness of explorers, inventors, politicians and scientists to take chances of great loss in return for even greater potential gain. That, to my mind, is the essence of the human spirit, this quest for the new and the unknown. Yes, we are faced by uncertainty whenever we make a decision. The decision itself creates uncertainty as to outcomes. But some of that uncertainty can be measured, thus becoming "risk," and through this measurement we position ourselves to make better decisions, pushing human boundaries outward.
The current problem is the prevailing definition of "risk" offered by some of the risk management sub-disciplines, a definition that is creeping into the vernacular. Safety, public policy and insurance professionals continue to see "risk" primarily as a negative, something to be avoided, reduced or shifted, despite the contrary and broader view of our financial and market brethren. First, this difference confuses those who study the discipline. Second, the more restricted view corrupts responses to risk situations. It forms an artificial blinder that constricts perspective. Our ever-increasing ability to measure risk, so thoroughly described in Peter Bernsteins Against the Gods, comes to naught if all we try to do is avoid it.
That risk and uncertainty are important stimulants for life has been trumpeted by wiser observers than me. ". . . Uncertainty, far from being a symptom of imperfection, is in fact a natural property of economics, indeed, probably of all life systems. . . . Uncertainty is the name of the game in the service economy." Thats from Orio Giarini, of the Geneva Association. Richard Feynman, the Nobel Laureate physicist adds: ". . . it is in the admission of ignorance and the admission of uncertainty that there is hope for the continuous motion of human beings in some direction that doesnt get confined, permanently blocked, as it has so many times before in various periods in the history of man." And John Adams, in his 1995 book Risk, sees risk as a cultural construct that "illuminates a world of plural rationalities." Risk, to him, is a "balancing act" in which the actors "balance the expected rewards of their actions against the perceived costs of failure" in a world in which both it and our perceptions of it are constantly being transformed by our effect on the world and its effect on us.
It therefore matters how we define risk for our discipline. The November 1, 2000, Draft of the ISO/TMB Risk Management Terminology Paper, currently under review and discussion, is a step in the right direction. Its authors define risk as "the combination of the probability of an event and its consequence," noting that "consequence may be either positive or negative." ISO adds a footnote suggesting that, "in some situations, risk is a deviation from the expected." Thats my preferred definition, one Ive been using since 1990. It is brief and it incorporates both the positive and negative, the yin and yang, the complimentary opposites, of risk.
Risk always involves a potential reward, whether real or imagined, tangible or intangible. Thats why we make decisions involving risk, our personal measure of the uncertainty. To deny the reward element is to distort any subsequent decision. This, to my mind, is why we must break the icon that "risk is bad."
I have three final thoughts on this subject. First, we should acknowledge that not everyone relishes risk and uncertainty as we hope they should. Anthony Storr wrote in 1996, "Doubt and uncertainty are distressing conditions from which men and women passionately desire release . . . . As a species, we are intolerant of chaos and have a strong predilection for finding and inventing order . . . . Certainty is hugely seductive." It is the seduction of imagined or promised certaintythe insurance policy that purports to cover everything; the religion that purports to give all the answersthat becomes so corrosive. Yet it is a human response, one that a risk manager must consider.
Second, risk management, our operational framework, thus becomes "a discipline for dealing with uncertainty," an acknowledgment that both risk and uncertainty are creative stimulants in our lives, and are all pervasive. Uncertainty is "the openness of possibility," according to Feynman. Jacob Bronowski phrased it perfectly: " . . . the realitythat, however delicately we work, the random still clings about the systematic, the fluctuations still blur the trend."
And third, I sum up this first icon-smashing effort with a rephrasing of René Descartes cogito ergo sum - "I think, therefore I am." I suggest it should be periclitor ergo sum - " I risk, therefore I am." Taking risk is the defining element in human existence. We should relish, not avoid it; balance, not eliminate it.
Icon # 2: The Goal is to Benefit Shareholders One of the most pernicious current beliefs of risk management is that its sole purpose is to serve shareholders, to increase share prices. A review of the literature of the last two decades reveals an overwhelming acceptance of this "icon." As one example, the cover of the September/October 2000 issue of InfoRM, the magazine of the Institute of Risk Management, trumpets the idol of "shareholder value." Much of this thinking was spawned by the University of Chicago approach to economics and the undeniable recognition that many corporations became bloated with excessive infrastructure, cheating stockholders of deserved wealth. Yet in the rush to worship the Mammon of share value, we have become short-sighted, Weve lost touch with the longer-term principles that support survival. If the focus is narrow "shareholder value," how do we then apply risk management to nonprofits, mutual companies, or governmental organizations?
Fortunately, the pendulum is swinging back to common sense. Two recent books support my contention. Allan Kennedys The End of Shareholder Value attacks the premise that shareholders are pre-eminent in the pantheon of corporate interests. He suggests that this misplaced emphasis has resulted in unnecessarily large staff cut-backs, a reduction in research and development expenditures, and a misapplication of stock option incentives to senior management, all of which contributed to the current irrational market boom. The result: an inevitable reaction from other disenfranchised stakeholders. Employees are no longer loyal to the firm. Suppliers, pressured by demands to reduce costs, reduce services. Customers, seeking only the lowest price, ignore respect for and loyalty to brands. Communities, faced with facilities easily uprooted without notice, respond with restrictive governmental regulations. Kennedy argues that "reconnecting" with these stakeholder groups will be the major mandate for the current decade, as we try and rebuild trust and confidence. Isnt this the primary role for risk management?
The second book is the natural follow-up to Kennedy, John Plenders A Stake in the Future: The Stakeholding Society . Plender asserts the ethical and economic benefits of running a company for the benefit of stakeholders rather than just shareholders. I readily admit that this idea still arouses considerable skepticism, even among economic liberals, but I suggest that it is the coming force.
Risk managements most important role is becoming the mechanism that corrects erratic steering, bringing the vessel back on a principled course. The proper course is to serve all stakeholders, from employees and customers, to suppliers, investors, lenders, regulators, and the community at large. An over-focus on any one set of stakeholders inevitably cheats others. The risk management function has a positive obligation to assess and respond to risks and to develop and maintain a continuing two-way dialogue with every stakeholder group. Our role is not to "reduce the cost of risk," the mantra that has consumed the discipline for almost twenty years, but to enable an organization to build a higher level of confidence and trust within each stakeholder group. That confidence is the most important asset of any organization. Much of this is recognized by the growing worldwide movement to re-configure organizational governance. It began with the adoption of a new set of risk management standards in Australia and New Zealand and has been followed by the work of the Dey
Committee in Canada, the Treadway Commission in the US, KonTraG in Germany and the Dey, Hempel and Turnbull Committees in the United Kingdom. The traditional system of representative governance through a board of directors, governors or trustees does not work. We see the same breakdown in government itself. We no longer trust elected representatives to solve problems, witness the declining participation in national voting, where often less that 50% of the registered electorate actually votes. More and more change occurs because of the money and efforts of special interests lobbying for their perks and because of the outright protests of other groups. The recent debacle in the UK and Europe over petrol/gasoline prices illustrates this point.
At the corporate level, boards fail to represent broader constituencies than just senior managers and larger shareholders. That is a reason why these commissions have mandated a serious re-structuring of board responsibilities, one of which is the assurance that major risks are understood, assessed and managed. We must move beyond the narrow construction of a directors obligations. I was pleased to see that a financial magazine, CFO, published by The Economist Group, this year offered a special award for "managing external stakeholders."
If we accept the principle that risk management, like general management, must serve all stakeholders, not just shareholders, it follows that the biggest single responsibility of the risk management function is intelligent communication with these groups. It is also the weakest area of our discipline today. Risk communication should build and maintain the trust of these groups and their confidence in the future of the organization. When this trust is high, the organizations ability to overcome misfortune is enormous; when it is low, no infusion of cash, however large, can save it.
The founders of the Global Association of Risk Professionals (GARP), Lev Borodovsky and Marc Loré, wrote in Risk Professional last year, "no matter what types of methods are used, the key to risk management is delivering risk information, in a timely and succinct fashion, while ensuring that key decision makers have the time, the tools, and the incentive to act upon it." These "decision makers" include outsiders as well as insiders.
Karen Thiessen, of the Conference Board of Canada, sums it up: "Communicating risks is the process of sharing information about an actual or perceived risk in an open and frank manner. It is essential to building trust with your audience, be it the community, public, employees, shareholders or other stakeholders."
Communication is not easy. Often we deal with stakeholders who lack the requisite knowledge and understanding of issues. Some are fixed on their agendas and dont want to listen or compromise. The experience of Shell with environmentalists on the Brent Spar decision arguably led to a conclusion that was worse for the environment than its original proposal of sinking it at sea. We also deal with arrogant and frightened managers, witness the recent problems at Mitsubishi, Ford and Firestone. It will not be easy breaking the instincts to cover up and hide misfortune, or to try and manipulate share price. These are exactly the instincts that proper risk management should work to overcome.
Icon # 3: Risk Management is the Responsibility of Specialists Over the years, numerous silos of risk management specialization have been erected on the premise that each specialty is so arcane, so based on long experience, that outsiders cannot appreciate, much less practice, the trade. We see this in credit, safety and health, financial derivatives, security, insurance, contingency planning, auditing, contracts and regulatory management. Each group has its own language, its own procedures, its own skill sets. Each wants to be left alone to do the job. Yet this has led to enormous gaps and overlapping and excessive costs in organizational risk responses. The recent move to strategic, integrated, enterprise, or holistic risk management is a recognition that the separation of risk functions is actually counter-productive.
Allowing the specialists to ply their trades separately does not work. That is one reason for the rise of a new executive, the Chief Risk Officer. This person is a generalist who reports to both the Chief Executive and the Board and coordinates the work of other risk specialists. According to a recent global Internet symposium conducted by eRisks in New York, there are almost 200 "CROs" in place, generally in financial institutions, energy and utility companies. They are beginning to adopt common risk languages and frameworks for their organizations. They chair multidisciplinary risk oversight committees and lead new efforts in stakeholder risk communication. Their annual reports now include extensive remarks on both risks and responses. One of the best that I have seen is the 1999 report from the Bank of Montreal. Taking seven of the Reports 72 pages, the risk section emphasized the Banks commitment to all stakeholders and described its efforts in credit, liquidity, market and operational risks. At the Bank of Montreal, its CRO is the Executive Vice President who reports to the CEO and chairs the Risk Management Group.
Implicit in the CRO movement is the assumption that risk management is no longer the sole province of specialists. It is now the responsibility of each and every person in the organization. The new goal is to build a culture of risk understanding so that better decisions may be made at every level, every day.
Where will we find these new CROs? To answer this I looked at the various global organizations that represent the risk management discipline. Public policy risk managers belonging to the Society for Risk Analysis and its sub-groups in Europe and Japan number about 4,000. In the insurance arena, the combined worldwide members of RIMS, AIRMIC and their fellow associations in IFRIMA, probably total less than 10,000. GARP, growing rapidly, now has over 13,000 members in 80 countries. Compare these numbers, however, to the 72,000 global members of the Institute of Internal Auditors, and you begin to see how a dramatic predominance of numbers may lead to internal auditors becoming CROs and commanding the risk management discipline. The IIA is shifting its emphasis from a more narrow focus on control to broader and comprehensive risk-based planning in much of its literature, research and training. Given the existing direct contact of internal auditors with boards, we may have an irresistible force.
Icon #4: Risk can be Transferred Almost thirty years ago, at a luncheon meeting of the board of directors of a major insurance broking firm, I suggested the idea that "insurance is a pre-funded line of credit." This heresy met uniform derision, as they explained that insurance is a risk transfer mechanism. I persisted in my belief, however, coining Klomans First Law of Risk Management in the mid-1980s: "There is no such thing as risk transfer; there is only risk sharing." I believe that risk is created by decisions of individuals or organizations. The potential rewards and penalties accrue to those decision makers. Risk remains their responsibility. Some risk, however, may be shared. An entrepreneur shares both reward and loss with investors who buy stock. Some risk may be diversified. A trader sells a derivative. An insurance buyer shares risk with an insurance company, a pooling of funds given to a fiduciary in return for dispensing them under certain circumstances. Yet most of the risk remains with the original decision maker, and the sharing actually creates a new risk, that the counterparty may be unable to meet its obligations.
One of the worst fallacies foisted on the public by the insurance industry is that insurance actually solves a risk problem. It does not. It simply provides the possibility of some sharing, some spreading of the risk.
I recently uncovered a classic case of misplaced reliance on insurance. The CFO of a US firm was asked about his organizations dependency on its website and electronic media. The CFO responded: "If the security or privacy of our Website or network were compromised, it would blemish our brand and cause irreparable harm. So our feeling was, lets not spend time thinking about this; lets protect our capital investors and buy an insurance policy." This attitude not only subscribes to the fallacy that risk can be transferred, it also blindly follows as well Icon Number 2, substituting shareholders for stakeholders. This ostrich-like approach is a patent denial of managerial responsibility.
My point is that we must accept full responsibility for the risk decisions that we make. We can find partners with whom to share some portion of the risk but the final outcome is ours.
The Icons Revisited My objective has been to challenge four serious misunderstandings of risk and risk management. Ive tried to shatter some cherished but mistaken beliefs, as a good iconoclast should. If we do not break the delusionary icons that lead us in the wrong direction, toward false gods, we may remain buried in risk illiteracy. If we continue to accept the former "gospel," we may find ourselves mired in a dangerous form of risk management fundamentalism. Risk involves the potential for both reward and harm. The goal is to benefit all stakeholders. Risk analyses and responses must be coordinated, and risk is never transferred, only shared. Risk management then becomes, in the words of Sheila Jasanoff of Harvard University a "framework for learning in the face of uncertainty."
There is, of course, the possibility that my interpretation is also flawed. Thats your challenge: to think seriously about what I have suggested, not just accept it as you may have accepted the previous icons.
I conclude with an appropriate haiku from the Japanese poet Issa. He wrote this after seeing an itinerant monk preaching on the side of the road:
A wayside sermon
Dont necessarily accept my serenity as truth!
Copyright H. Felix Kloman and Seawrack Press, Inc.