Three principles of risk management

War and terrorism, economic depression, corporate mismanagement and failures, volatility: these factors make up today's fragile market environment. If companies haven't paid enough attention to risk management in the past, they've clearly done so now.

So, what is the bright spot in risk management today? It lies in the management of high-level financial, strategic and unexpected risk. For example, executives at most companies, especially in the financial services industry, employ increasingly sophisticated computer tools to monitor and manage financial risk.

But the day-to-day management of business risks, which can be enough to cause operational difficulties or even bankruptcy, has not received the same attention. This risk is often associated with the interactions between people, processes, and tools as a company strives to achieve its goals.

To bridge the gap between theory and practice in this area, Accenture has conducted a cross-industry benchmarking study of operational risk management. Companies selected as Benchmark Partners for this study are required to provide a number of important principles, tools and methodologies that can be used to improve the effectiveness of risk management.

The following three basic principles can be used to effectively manage business risks: develop the ability to foresee risks; manage risks according to specific objectives; and create an atmosphere of "risk management is everyone's responsibility".

Develop the ability to foresee risks

An obvious principle is: prevent events from happening, or at least establish procedures to deal with them before they occur. But when it comes to business risk, this basic principle is all too easy to overlook.

In fact, managers of one company surveyed realized that they often forget about risk management in practice. For example, a team works on a work project -- perhaps to release a new product, perhaps to build a new information system. Every Monday morning, team members meet to discuss the previous week's progress -- what went wrong, what was done, and how those issues impacted budgets and delivery dates. Are they managing risk effectively? Not really: they manage problems or disputes, not risks.

In fact, most companies do have well-defined procedures in place to identify and track risks at the business level. Here's what they typically do:

Identify possible risks based on a standard classification or list of known risks; assign a numerical value to their likelihood and severity; designate a specific role, department, or person responsible for managing each risk .

Looks great, right? However, in practice, this method often fails to achieve significant results. why? Part of it comes from the stress of everyday work: people are often used to putting out fires rather than fires. At the same time, this is also because the ability to anticipate operational risks has its own development model, and like other capabilities, this ability must also be cultivated.

Manage risk based on specific objectives

If a company needs to focus on developing business risk management capabilities, it must also help its employees think about risk management based on clear objectives or objectives. At this point, traditional risk classification systems can unknowingly lead companies astray.

With different goals, there are correspondingly different risks. By following risk-first principles when considering objectives, companies can establish procedures for risk identification and resolution, or improve their existing procedures to make risks more relevant and realistic. Consider three common goals:

Execution goals: To provide a project or program; to develop new products and services. Relationship Objectives: Maintain effective contact with customers, clients and business partners. Opportunity Objectives: Development of new business, opening of new markets, expansion, future prospects with customers or clients.

The survey shows that of the three types of goals, risk management during the project execution phase is the least mature. The finding was a bit surprising, but it was well documented with an investment bank as a benchmark partner. Of course, this company has very sophisticated tools for real-time tracking of certain financial risks, such as in equity trading. But the factors that pose a threat to project execution are not necessarily tangible. These factors include both the emotional and ethical state of the project team, the validity of the business vision behind the project, and the ability to track the inner workings of the project to ensure the right actions are taken.

Many tools on the market allow analysis and simulation of execution or project risk. However, these tools are often limited by subjective inputs such as risk size, stealth, and severity. So the subjectivity inherent in these risk instruments is a risk in itself if too much reliance is placed on it.

In order to achieve relationship-oriented goals, the identification and management of associated risks often requires the involvement of all parties at an early stage. The survey found that the practices employed by a large software company were excellent. For high-impact special projects, especially those involving multiple customers, company employees and retailers, the company will hold a multi-day risk management workshop. The ostensible purpose is nothing more than to identify the areas where major effort is needed, but the underlying purpose is to overcome the initial mistrust of cooperation between parties who have competing proposals or even actual competitors.

Everyone Involved in Risk Management

Another problem frequently cited by benchmarking partners is that people within a company tend to hide business problems unless they get out of control. This is the so-called "hide and seek" syndrome. As one benchmarking partner put it, "When there is a risk, if my job is to find the risk, and you think it's your responsibility to hide the risk, then the system at hand is dysfunctional."

But, This problem often arises when responsibility for risk management is assigned to a specific person or team. If the responsible person raises a question, does one assume that means he or she cannot resolve the issue independently? On the other hand, if management ignores risks, then this approach will not necessarily work. For example, a benchmarking partner identifies projects of particular importance to the company in the form of a project monitoring sheet. But in practice, none of the leaders of the above-mentioned projects want their projects to be selected, because they think that this "honor" means more work and debate.

Lesson: It is not enough to rely on various reports and oversight from the leadership. Companies must also create a climate in which everyone has the ability and responsibility to manage risk. The CAO of one company surveyed put it well: "I think it's always my responsibility to make myself less and less important."

The key to this step is trying to strike a balance. If the company's leaders are not keen to participate in important projects, then we recommend that the company redefine the project list to include the leader. Leadership involvement does not mean more work, but shows the importance of the project and brings more resources and skills to the project. This practice shows that the company consistently supports employees in their efforts to take ownership of risk management.

The above changes emphasize the importance of creating a risk management work environment, rather than overseeing work like school teachers do during final exams.

One of the ways to increase awareness of risk management is to "pay attention". Companies that manage business risk effectively incorporate rigor and vigilance into their processes, mechanisms and tools.

For example, one interviewee stated that his project achieved effective risk management because "our supervisors had a simple requirement that risk records be submitted every Monday morning as soon as they went to work. Give it to him." Sounds straightforward, doesn't it? Of course, but the findings of this survey suggest that the practice is more welcome by the lawbreakers than by the adherents. Companies need to put in place mechanisms and procedures to ensure that employees do not need and have nowhere to hide risks.

In this way, the key to the problem lies in the company's corporate culture, and the actual situation is basically the same. Participants in the benchmarking survey also acknowledged this. A simple analysis of company culture shows that, among the companies surveyed, the gap between the current level of operational risk management and the level the company hopes to achieve is mainly in aspects affected by culture, such as knowledge acquisition and sharing, learning. And training, and continuous improvement, etc.

Today, companies must instill a sense of responsibility for risk management throughout the company -- every employee, every function, and at every level. The company must also support employees in terms of leadership, processes and resources as they carry out their responsibilities and in enhancing and maintaining the company's brand.

This text is reproduced with permission from Outlook, Volume 15, Issue 1, published by Accenture, January 2003. The company registered copyright in 2003. Translated by Su Yong.

This article is based on the findings of an Accenture benchmarking survey of business risk management practices. The two authors acted as project managers and research managers for the survey, respectively.

Mark Q. Smith is a partner in the corporate practice of Accenture Financial Services and serves as the global quality manager for the division. Craig Mindrum teaches institutional change and ethics at DePaul University in Chicago. As a strategic management consultant, he has worked closely with Accenture on workforce behavior, organizational change, and the impact of technology on human behavior.