
The Inaugural Post

  • bennym40
  • Jan 25
  • 5 min read

The views and opinions expressed on this account are my own and do not reflect the official policy or position of my employer.  Any content provided is for informational purposes only and should not be considered or relied upon as professional advice.


“People love a neat outward appearance.  When it comes to truth, they see only one striking aspect and do not want to see grass growing round the back.  But real truths come only in three dimensions, all of which are essential” Alexander Herzen

The Limitations of the "Standard" Risk Management Toolset

I’ve worked in and around risk management in the London insurance industry for over 20 years.  During those years, the basic tools of risk management have remained largely unchanged. We still rely on tools like risk registers, control frameworks, risk appetite statements, and risk metrics. While there have been some advancements - such as increased ownership of risk frameworks by decision-makers, better integration of strategy and actuarial analysis, more quantification, and the evolution of the Chief Risk Officer role - the core practices of risk management have not fundamentally shifted.


This risk management toolset tends to understand the business through business artifacts such as documented processes, governance frameworks, MI packs, and financial reporting.  This has huge value during periods of stability. However, these artifacts often require significant time and political will to create and maintain. As a result, during times of change or stress, when organizational risk is at its peak, risk frameworks may be less effective. This is because the artifacts that risk teams rely on can quickly become redundant, or even ignored or circumvented by the business, during these periods of stress.


Bringing Organisational Psychology into Risk Management Teams' remit

If risk management teams are unable to understand the (sometimes messy) individual, interpersonal and group dynamics that exist within organisations (the "grass growing round the back"), then they will always be playing catch-up during periods of flux. Organisational Psychology is a discipline that studies how individuals, groups, and the overall organisational structure interact.  Its insights can empower risk management teams to understand how periods of change and stress could impact the effectiveness of organisational risk management, and to anticipate how the decision-making process could become corrupted.


The best Risk Management teams already take these factors into account, to at least some extent. However, where this analysis is done, there are often significant limitations, for example:


  • Information used to support the analysis is captured informally, and so lost when people leave the risk management team.

  • The analysis is often conducted without an organisational “social license”.  This means that the analysis is useful as a diagnostic tool, but the risk management team is only empowered to use its standard toolset to formally communicate any conclusions to the business, limiting effectiveness and, often, timeliness.

  • There is no standardised terminology across the industry, meaning that where risk teams do experiment with these techniques it is done in isolation, limiting innovation.


There may be some readers (if there are any readers!) who are sympathetic to these ideas, but who are sceptical that their business would be willing to invest additional resource into the risk management function – administering the current framework is already a full-time job.  This is a valid concern; however, I think that the introduction of AI will create a paradigm shift in the nature of risk management work.  AI is fundamentally a surveillance technology, allowing a rigorous automated interrogation of unstructured data, and presents a significant challenge to the ongoing relevance of many of the activities traditionally undertaken by risk management teams.  This provides both an opportunity and a threat and, I hope, will push our discipline to rethink the value that risk management brings to organisations.


Regulation can also act as a barrier to innovation.  Financial services regulation tends to push risk management teams to prioritise a “completist” view of the organisation using a narrow toolset.  This makes sense from a regulator’s “low trust” viewpoint – it is harder for organisations to hide issues if every area of the business is captured within a standardised risk framework.  However, this approach is kind of crazy from a Financial Services company’s perspective.  A risk framework can create a huge amount of organisational value, particularly during process design and implementation, and to support decision-making. But the content of risk frameworks should be primarily owned and developed by decision-makers.  Financial Services firms hire high-flying graduates who develop decades of experience in their areas of responsibility, who tend to be pretty good at their jobs, and who tend to be well motivated to effectively manage risk.  If risk management teams, who will never match the decision-makers’ knowledge of specific risk areas, are restricted to using the same narrow formal lenses, they are less likely to identify novel organizational issues or blind spots. They are also less likely to spot the structural, behavioural, and cultural issues that are often the root cause of risk management failures.


Enhancing the Risk Management toolset

“Risk management framework pluralism” is required to enable risk management teams to be effective.  This approach allows risk teams to formally vary the methods, models and frameworks they use to challenge each area of the business.  One diagnostic tool that I like to use is a stability / maturity / data adequacy matrix, which can be used to tweak the risk management methodology to refocus activity and best meet the needs of the business:


  • A stability score assesses the consistency of internal objectives and performance targets (such as strategy, revenue, expenses, etc).

  • A maturity score evaluates the continuity and embeddedness of key processes, systems and staff.

  • A data adequacy score measures the robustness and completeness of information available to support decision-making and oversee performance.


The stability / maturity / data adequacy matrix can be completed at an organisational level, as well as at an individual function, enterprise risk, or even decision-level. 


When all three scores are high (i.e. strategy is stable, competitor activity is benign, processes and people are well embedded, and data is complete, appropriate and robust), the “first line” should be well placed to manage their risk and control frameworks largely independently. In this case, the risk management function can primarily focus on validating first-line assessments and challenging the stability/maturity/data adequacy matrix scores (for instance through horizon scanning, methodology review, and cross-silo challenge).


However, if any of these scores are low, the risk management function should pivot to a more active role in assisting first line functions on a more tactical basis. For example, if the data adequacy score is poor, the risk management team could seek greater visibility of underlying processes. Where the stability score is low, the risk management team could seek more visibility of the decision-making process, recognising that the control and governance framework is less likely to be fit for purpose to adequately manage business risk. Where the maturity score is low, the risk management team could reduce the threshold for reporting risk events.


In Conclusion


The integration of organisational psychology into risk management can enhance the effectiveness of risk frameworks. By acknowledging and addressing the dynamic and often complex human factors underlying organisations, risk management teams can better anticipate and mitigate risks, especially during periods of change and stress.


Hopefully that has intrigued you.  I am hoping to start a discussion with this blog.  If you find it interesting, please share! If you would like to contribute or share feedback, please comment below or message me on LinkedIn!


The next post will explore the idea of "Social License" as it applies to Risk Management teams.

 
 
 
