Photo (C) Vladek from DepositPhotos.com Used with permission. |
The Strategic Objective of Risk Management
November 2024
The Skillful PM
The strategic objective of risk management is to align projects with strategy and manage the risks to maximize the probability of achieving those objectives.
This imperative to avoid wasting resources by aligning to enterprise strategy nearly has the power of natural law – meaning that the adverse consequences for disregarding it seem to be utterly inevitable regardless of any human opinions, intentions, or interventions.
Therefore, if we take the need for strategic alignment to be axiomatic, a law of nature and business, then it stands to reason that risk management activities must also be aligned to support the strategies of the enterprise.
Foundational to the efforts of risk management is the understanding that risk is inherent in all we do. Risk is not something which can be eliminated.
Over the course of millennia of financial history[2], the concept of reserves has emerged as a key means to help ensure the survival of an enterprise when, inevitably, a risk becomes an issue which incurs a cost. Reserves are the last line of defense ordinarily available[3] to an enterprise to offset the costs of failure.
And what is failure? It is when an enterprise must be sold or liquidated to pay off the debts it has incurred. Those debts may be the result of ordinary business activities with their associated risks, or from taking extraordinary risks and having those risks become issues.
The term “risk management” can be construed in more than one way. As a result, the role of any risk management department within an enterprise can be implemented in more than one way, in accordance with the understanding of what function(s) it is to serve.
Risk Appetite is managerially defined because it is a function of how much of the risk capacity management want to consume and whether or not they want to either decrease or increase safety margins in the reserves.
Risks, risk capacity, and risk appetite must be fully quantified or reserves are meaningless because they may or may not be aligned with the actual financial impact of the risks. This means that all qualitative risks must be transformed into quantitative risks which can be addressed in terms of monetary costs potentially or actually impacting the enterprise.
[2] Reserves are also a key concept of military history, providing a commander the capacity to preserve an army in battle when the enemy either breaks through. When defeat seems to be threatening, the commitment of reserves can change the tide of battle and allow the army to triumph, rather than to be overwhelmed and destroyed.
[3] During the financial crisis of 2007 some enterprises, notably AIG Insurance, were deemed “too big to fail” and the US Government stepped in with financial resources to keep certain companies from failing when the costs of failures were more than those companies could offset with their reserves. The alternative would have been to close those companies and liquidate their assets to pay their creditors – in other words to pay the costs of their failure.
Both study and experience has shown that for an enterprise to be most effective and efficient enterprises need to align their activities to support their strategic objectives and plans. Endeavors that are not aligned typically result in wasted expenditures – meaning the consumption of resources without producing sufficiently offsetting revenues or cost-savings.
Project managers have the opportunity to play an important role in this alignment. By understanding the strategic objectives of the enterprise, project managers can evaluate proposed and in-progress projects to determine their degree of strategic alignment. When project managers believe find evidence that a project is not aligned with strategic objectives, they have a professional and fiduciary responsibility to make management aware of this misallocation of resources.
Effective Resource Management
Therefore, if we take the need for strategic alignment to be axiomatic, a law of nature and business, then it stands to reason that risk management activities must also be aligned to support the strategies of the enterprise.
Foundations of Risk Management
- Risk can be avoided by not doing something.
- Risk can be moderated or mitigated, but never to zero or negative values.
- Risk can be transferred or shared, but even this cannot take the impact of risk to zero or negative, even when legal and financial premises argue otherwise, because legal premises can be changed.
- Risk can be accepted. However, acceptance does not imply a fatalistic bowing of the head and acceptance of seppuku[1].
Managing Reserves
And what is failure? It is when an enterprise must be sold or liquidated to pay off the debts it has incurred. Those debts may be the result of ordinary business activities with their associated risks, or from taking extraordinary risks and having those risks become issues.
Risk Management
If risk management is construed as having the function of somehow controlling the risks of the enterprise then its role will be directive, meaning risk managers make decisions about what the business will and won't do. And is likely to focus on either decreasing the risks of the enterprise, or increasing the capacity of the enterprise to bear risks.
Risk can be decreased either absolutely or relatively. Absolute risk reduction comes from the cessation of certain activities, or declining to start up certain activities. Relative risk reduction is achieved by increasing reserves as needed to align with increased, or additional risks.
Risk can be decreased either absolutely or relatively. Absolute risk reduction comes from the cessation of certain activities, or declining to start up certain activities. Relative risk reduction is achieved by increasing reserves as needed to align with increased, or additional risks.
Capacity Management
Increasing the capacity of the enterprise to bear risks is achieved by applying the three approaches listed above. However, ultimately the amount of inherent, non-transferable, irreducible risk must be accepted and adequate reserves established to offset it.
If, on the other hand, risk management is construed as having as its objective to advise management, rather than making the decisions, then it is likely to focus on rigorously identifying and quantifying the risks associated with the activities of the enterprise.
If, on the other hand, risk management is construed as having as its objective to advise management, rather than making the decisions, then it is likely to focus on rigorously identifying and quantifying the risks associated with the activities of the enterprise.
Decide or Advise
In point of fact, regardless of whether risk management is in a decision-making or advisory role, the need to rigorously identify and quantify risks is still a central process for successful risk management. Having quantified the risks of both business as usual (BAU) activities and non-routine efforts, it is the next function of risk management to make the decision-makers of the enterprise aware of the risks so that they can make informed choices about the activities to be continued, or discontinued, started, or not-started.
To make informed decisions managers need to not only understand the nominal risk associated with an effort. They must also understand that effort in context with all the other activities and associated risks of the enterprise. Without a clear view of aggregated risk, management is forced to “play the odds” or guess which direction to take the business. Likewise, if risks are presented qualitatively rather than being quantified in terms of financial commitments for both expenses and reserves, then managers are again forced to guess.
I suggest that Risk Management is essentially an advisory function to management. This is because line management, rather than risk management is more likely to be subjected to indictment by regulators if risks are not appropriately addressed. This indictment would still likely land on line management even if the problem was that risk management regimens were faulty or inadequate. Essentially, “the buck” stops with line managers.
To make informed decisions managers need to not only understand the nominal risk associated with an effort. They must also understand that effort in context with all the other activities and associated risks of the enterprise. Without a clear view of aggregated risk, management is forced to “play the odds” or guess which direction to take the business. Likewise, if risks are presented qualitatively rather than being quantified in terms of financial commitments for both expenses and reserves, then managers are again forced to guess.
I suggest that Risk Management is essentially an advisory function to management. This is because line management, rather than risk management is more likely to be subjected to indictment by regulators if risks are not appropriately addressed. This indictment would still likely land on line management even if the problem was that risk management regimens were faulty or inadequate. Essentially, “the buck” stops with line managers.
Working with Management
Because the primary accountability for making good business decisions rests with line management, rather than with risk management, the appropriate strategic focus for risk management is to enable appropriately risk-informed decision making by management. Making risk-informed decisions can only occur in the context of reliable risk monitoring and reporting mechanisms.
Monitoring Risk
The value of a reliable risk monitoring and reporting mechanism is to support informed management decision-making with accurate and timely views of current and impending risks and rewards both in absolute terms and in relation to the management defined risk appetite and operationally defined risk capacity. To enable such an objective requires fully quantified values for both risk capacity and risk appetite.
Risk Capacity is the maximum amount of adverse risk the enterprise can endure without failing.
Risk Capacity is the maximum amount of adverse risk the enterprise can endure without failing.
Risk capacity is operationally defined because it is a function of the extent of existing and projected reserves are needed to offset existing and projected risks. This includes both the minimal reserves required by regulations and any safety margin imposed by management.
Risk Appetite is managerially defined because it is a function of how much of the risk capacity management want to consume and whether or not they want to either decrease or increase safety margins in the reserves.
Risks, risk capacity, and risk appetite must be fully quantified or reserves are meaningless because they may or may not be aligned with the actual financial impact of the risks. This means that all qualitative risks must be transformed into quantitative risks which can be addressed in terms of monetary costs potentially or actually impacting the enterprise.
- As an example, if the risk of litigation is low and the cost of litigation ranges from $100k to $100mm, then a reserve of 0.05% of $100mm may be appropriate. If the risk of litigation rises to medium, a reserve of 20% may be appropriate. If the risk is high, it may be necessary to reserve 50% or more (up to 100%) of the $100mm potential cost. In this manner the appropriate capital reserve needed to offset the risk is calculated and appropriately set aside to offset the potential risk. The amount of the required reserves can be adjusted by management based upon their risk appetite from either a minimal amount to a maximum amount.
Conclusions
- Financial reserves are the only reliable means to offset accepted risks.
- Risk management exists as a function to inform decision-makers, not to become decision-makers.
- Until risks are fully and realistically quantified, decision-makers are left to doing guesswork rather than making truly risk-informed decisions.
Endnotes
[1] Seppuku is a suicide ritual from the Bushido (warrior) codes of Japan which was intended as a way to preserve some degree of honor in the face of a looming dishonor such as defeat.[2] Reserves are also a key concept of military history, providing a commander the capacity to preserve an army in battle when the enemy either breaks through. When defeat seems to be threatening, the commitment of reserves can change the tide of battle and allow the army to triumph, rather than to be overwhelmed and destroyed.
[3] During the financial crisis of 2007 some enterprises, notably AIG Insurance, were deemed “too big to fail” and the US Government stepped in with financial resources to keep certain companies from failing when the costs of failures were more than those companies could offset with their reserves. The alternative would have been to close those companies and liquidate their assets to pay their creditors – in other words to pay the costs of their failure.
Tom Sheppard specializes in managing large ($10mm+), high-risk, high-profile projects in the US Financial Services market.
Author of "The Art of Project Management." More than 20 years experience in project management in banking and financial services with a PMP and MPM. More than 25 years experience in systems design, development, and management with a BSCS/MIS. Former US Marine and a former missionary. Fluent in English and Spanish. Experienced instructor. Successful business owner, international author and public speaker.
His LinkedIn Profile is: http://linkedin.com/in/tsheppard
Specialties: Program management, project management, change management, process design, business case development, negotiation, multi-tier system architecture, real-time parallel distributed databases, private placements and creative finance.
(c) Copyright 2024 A+ Results LLC. All Rights Reserved.
Your comments are welcome... Please observe some ground rules. No profanity, vulgarity, or personal attacks. Profanity, vulgarity and personal attacks not only betray a lack of vocabulary and imagination, they also are the hallmarks of bigotry, and bigotry is the hallmark of someone who is fundamentally insecure in their views. Facts are always welcome.