Risk Management Reports

January, 2001
Volume 28, No. 1

Issues for 2001

Sticklers for exactitude tell us that the Third Millennium actually begins this year: last year was a mathematical aberration. Risk Management Reports also begins its 28th year, a modest blip on this historical continuum. As is my custom, with no modesty for insignificance, I address what I consider to be some of the most important potential issues for the coming year.

Last year I suggested that we would see some serious rumblings in our critical financial institutions: the markets, banks and insurance companies. While the technology stock sector indeed lost more than 30% of its value, the overall market was a bit steadier, mesmerized perhaps by the gossamer threads of Greenspun. The Basle Committee (B.I.S.) continued its dance toward new guidelines of capital for credit, market and operational risks, providing a steadying force for global banks. The insurance market, the most fragile of the three at the year's outset, managed to survive with only two major casualties (Reliance and Conseco) and no critical natural disasters. It remains fragile, nonetheless. My second issue for last year, the improvement of trust in financial institutions, remains a goal yet to be achieved, although we made progress.

This year's single issue is governance and risk management. It involves developing answers to three critical questions: (1) how should the function be structured within an organization, (2) who should tend and coordinate it, and (3) how and with whom should risks and responses be communicated? The growing interest in risk management as a possible competitive edge and as a response to new governmental and related requirements for corporate, nonprofit and public governance suggests that 2001 will be a bellwether year for change. An integrated approach is now necessary and stakeholders are looking for evidence of progress.

How should risk management be structured? A growing consensus confirms that the Board must accept final responsibility for and oversight of an organization's analysis of and response to risk. Standards (Australia; New Zealand, Canada and Great Britain) and guidelines (Germany, Great Britain, Canada, and USA) exert new pressures for a strategic and integrated response. Building a candid awareness of the potential opportunities and harms implicit in any decision (the risks) is the goal of a risk management function. It is the balance that is important. Financial institutions, utilities and energy companies have led the way toward this new coordinated structure with senior management support. 2001 will see other organizations moving in the same direction. Two US universities are in the process of building a new risk management structure. In England, another "standard" is underway, in addition to the earlier version introduced last year (see May 2000 RMR). Proposed guidelines, standards and discussion papers are also being circulated in Sweden and Canada. All these initiatives accept some common principles for risk management:

  • Board and senior management commitment
  • A broad view of "risk" (both reward and penalty)
  • Common framework for risk analysis
  • Single leader or coordinator for the process
  • Bottom-up initial risk assessment
  • Two-way communication with key stakeholders, and
  • Goals of improving stakeholder value and building a healthy risk culture in 2001.

I see significant structural changes in risk management occurring in many global organizations.

Who should lead and coordinate risk management? Since the function is most commonly fragmented within many organizations, immediate turf problems surface when coordination is suggested. Some practitioners argue that they are uniquely equipped to lead the charge, while others claim that their skills are so specialized that they should be left to their own devices. Internal auditors, legal counsel, safety and health directors, insurance managers, environmental specialists, and others press their cases. Some organizations have moved to a Chief Risk Officer as the "champion" of the effort. Over 200 of this new breed now operate worldwide, and several academic studies of them are now underway. The CRO may yet be a temporary aberration, one that will die away like a fad, but the rising interest indicates that CROs will be with us for the foreseeable future. Whether the "leader" is a Board member, the CEO, a CRO, or some other officer, we acknowledge that the new risk management function requires a focal point in the organization. I've used the analogy of the coxswain of an eight-oared shell to help explain the role. In a rowing shell, the cox serves as a coach, starts the crew down the course, keeps the cadence for the stroke, exhorts the rowers to maximum effort, keeps the crew on course (steers), and calls the stop after crossing the finish line. The cox is an incremental part of the effort yet never pulls an oar. The coxswain does not need to be a skilled oarsman, only to have a solid knowledge of rowing and the skills of the boat. So too the CRO or its counterpart. The critical skills are consummate diplomacy, an overall understanding of the organization's goals, objectives, and resources, and an ability to communicate with all stakeholders, internal and external. A technical skill is not necessary. I forecast that we will see a dramatic increase in CROs this year.

How do we communicate, and with whom? Since decisions create risks, and risks provide both benefits and harms to different groups, it is understandable that we must communicate these potentials, both up and down, to those affected. A failure to do so threatens the confidence of both internal (employees) and external (suppliers, customers, investors, regulators, etc.) stakeholders. Confidence, translated into reputation, is easily the most important asset of any organization. The Bridgestone-Firestone-Ford fiasco of 2000 is a classic case in point. These companies failed to communicate in advance some of their critical risks and risk decisions, making their denials, protestations and counter-claims after the fact simply unbelievable. I have argued for some time in these pages that better risk communication is the key part of the risk management process. It is one that is imperfectly carried out. As one reader (Mike Murphy, of Cadmus Consulting, in Canada) recently noted, "Candid assessments of downsides in advance of an event may insulate an organization from excessive adverse reaction when something actually goes awry." He went on, "If you make enough deposits in the bank of credibility, you may be able to draw some out in an emergency." True, but how do we manage the communication of potentially bad news, when today's financial officers are scared to death of the transmission of even the smallest bit of black cloud, fearing that shareholders will rush for the exits? J. P. Morgan's Bill Kelly had it right when he suggested that you "make sure that your laundry is clean before you air it!" But if it's always "clean," is it candid?

Dealing with stakeholders intelligently and honestly is a difficult art. Last year I cited Warren Buffett's candid mea culpa in Berkshire Hathaway's annual report, but his track record gives him considerable leeway for bad news. CFO Magazine created a new award last year for "Managing External Stakeholders," given to Jeff Henley, the CFO of Oracle Corporation. Henley noted that he spent "much more time with customers" than with securities analysts. That's a key point. If a CRO is to be successful in communicating what an organization knows, and doesn't know, about risk, customers must be at the top of the pile.

An excellent dissertation on practical risk communication is "Principles of Communicating Risks," by Jean Mulligan, Elaine McCoy and Angela Griffiths, published by the Macleod Institute for Environmental Analysis of the University of Calgary, in March 1998 (macleod@acs.ucalgary.ca). The authors suggest that stakeholders do not "consent to risks so much as select options . . . that strike a tolerable balance between desirable and undesirable factors." These are value judgments that may change, even radically, from one day to the next. While the authors address primarily environmental, health, and safety issues, their conclusions apply to all risks. Their description of the multiplicity of stakeholders, messages, information content, and the nature of risk cogently summarizes some of the critical factors in effective communication. They conclude, "Communicating risk successfully is neither a public relations nor a crisis communications exercise. Its aim is not to avoid all conflict or to diffuse all concerns. Risk communication seeks to improve performance based on informed, mutual decisions with respect to . . . risks." Good communication must acknowledge good faith and basic comprehension capabilities on the part of all parties.

Yet this fixation with risk communication, especially as an issue for 2001, may need a reality check. I was "brought up, all standing," using Patrick O'Brian's nautical phrase, by Roger Kasperson's recent editorial in the RISK Newsletter (Fourth Quarter 2000), of the Society for Risk Analysis. Kasperson, a professor at Clark University and a past President of the Society (rkasperson@clarku.edu), warned that we may have elevated risk communication to "the holy grail of risk management." He went on, "We are on the stakeholder-involvement express, barreling down the rails of well-intentioned but often naive efforts to address growing public concerns over risks, changed public expectations over the functioning of democratic institutions, and historic declines in social trust in those responsible for protecting public safety." He sees the word "stakeholders" itself as a misnomer, one that leaves out "those who do not yet know that their interests are at stake, whose interests are diffuse or associated broadly with citizenship, who lack the skills and resources to compete, or who have simply lost confidence in the political process." We still do not know what communication interventions are likely to be successful: ". . . participatory effectiveness is a learned skill that requires resources, it is cumulative and long-term in nature, (and) it is cultural in that it requires participatory domains in the various spheres of one's life (family, community, social networks, work, etc.)." Kasperson calls for a brake "on the current stakeholder express" or at least a "switch to the local" so that we can be more reflective and self-critical in our risk communication efforts. A wise admonition, and one with which I must agree.

My good friend Tony Benson, the retired risk manager for UK's Guinness (now Diageo), also warns of the possible repercussions of appearing to favor other stakeholders than shareholders. He argues that risk managers, among others, "owe a primary duty to those who employ them," the owners (shareholders) of the business. I acknowledge that is the prevailing opinion. Where I disagree is with the word "primary." Just as we must work with all risks together, avoiding over-focus on any one, so too must we try to balance the needs, requirements and perceptions of all stakeholders, without over-concentrating on just one. Yes, investors are important, but so too are customers, suppliers, and the public! I believe that 2001 will see increased discussion of risk communication as an important organizational exercise.

One communication method gaining favor is the internal risk management intranet. First suggested by Scott Lange when he was Microsoft's Risk Manager, intranets are now in use in several major corporations, including Schlumberger, in France, and Bradford & Bingley, in England (see following article). Clive Moffatt, writing in StrategicRisk in September 2000, summarized some of the practical ingredients of a successful intranet. His keys: "(1) be interactive, (2) be easy to use, (3) have features that allow development of simple measures of awareness levels and how particular risk exposures at a functional or cross-functional level are being managed over time, and (4) be promoted off-line to all members of the target audience as a part of a campaign to secure management buy-in and maximise usage." A risk management intranet will be an essential part of any internal communication platform.

The Nonprofit Risk Management Center in Washington has just introduced a CD-ROM-based program for the application of risk management practices to smaller nonprofits. Called CARES (Computer Assisted Risk Evaluation System), it addresses a variety of key risk issues for nonprofits, allows the nonprofit to conduct its own internal risk assessment, produces a summary with practical approaches and strategies for managing these risks, and permits the aggregation of data into a nonprofit database. This is an intranet on a disk. (For information, go to www.nonprofitrisk.org or send email to info@nonprofitrisk.org.) These intranets allow individual operating units to develop their own risk analyses, store and share key data, review information from other units, and obtain analytical and control assistance from elsewhere within the organization. For the future, we may find some form of "intranet" allowing similar effective communication with other stakeholders.

While governance is the primary risk management issue for 2001, we remain encircled by other critical risks, many of which I've mentioned in prior years. The pandemics of AIDS and tuberculosis are waxing, not waning. Tensions in the Middle East, Northern Ireland, sub-Saharan Africa, the Balkans, Central Asia, Sri Lanka, and Indonesia continue with only modest improvements. E-commerce escalates with imperfectly understood risk implications. This is a subject that I will address in RMR later this year. And the effects of public hysteria and panic are all too evident in the current BSE crisis in Europe. The Basle Committee's guidelines on operational risk will become effective this year, with ripple effects for other organizations.

How do others see risk issues? Last June, Marsh, Inc. published an analysis of questionnaire responses from 26 major global companies (contact Chris Mundy at Chris.Mundy@marshmc.com for a copy). While this is a small sample, and one that is necessarily insurance-oriented, the "important risk issues over the next five years" identified by the respondents indicate a broader range of risk thinking:

  • Environmental liabilities
  • Replacement of assets
  • Base commodity price changes
  • Political risks
  • Decommissioning
  • Dread disease

2001 promises to be a risk odyssey!

An effective risk communication policy includes commitments to: open and honest communication; early release of information; meaningful processes for explaining risks; processes for incorporating community concerns and values; shared decision-making; and a relationship built on trust.

Jean Mulligan, Elaine McCoy and Angela Griffiths, Principles of Communicating Risks, The Macleod Institute for Environmental Analysis, University of Calgary, Calgary, Alberta, 1998

Copyright H. Felix Kloman and Seawrack Press, Inc.

