As video gaming has become more and more sophisticated, and as the hardware to support those games has become capable of playing movies and other media, video game consoles have now become “Entertainment Systems”.
An Entertainment System is a very capable computer system and often allows groups of people to use the system together. Nobody expects any tangible benefit from an Entertainment System. It simply provides a way to enjoy non-productive time. That is what it is designed for.
But have you noticed that in some firms, the risk management system comes close to being an Entertainment System? A typical picture of a risk management system focuses on risk appetite, identifying and assessing risks, risk measurement, monitoring risks, risk reports, risk committee meetings, stress and scenario testing. People spend hours and hours making tiny (and sometimes major) adjustments to the system, then peering at and discussing the output. Does that list sound familiar?
Go back now and read the list again. Not a single item on that list is an action step. Quite a number of people can be very busy doing the tasks listed above without there being any direct connection to the decisions that drive the work and ultimately the risk profile of an organization.
In many organizations, that is the path of least resistance for developers of a new ERM program – stay away from action and stick to risk “entertainment.” Often managers bring this information to their boards and communicate about all of this “activity” to the board.
When asked what happens when the risk system indicates a problem, some of these firms would say that when a problem is found, they put it on the agenda for the next risk committee meeting, which may well recommend that a study be performed; the study would then be reviewed at the next committee meeting.
The committee might then decide to move that risk to the top of the next report, into the highlighted section, where it will stay until the situation is resolved. With the passage of time, and with management's attention elsewhere and completely unaware of the risk entertainment system, many of these situations resolve themselves.
Below is a flow chart depicting a risk management system that a company adopted after reading the ISO 31000 Risk Management Standard.
There are six parts of this risk management system. But five of the six parts are inactive and internal to the risk management system: Establish Context, Identify Risks, Analyse and Evaluate Risks, Monitor and Review, Communicate and Consult. Only “Treat Your Risks” requires an action that changes anything outside of the risk management process.
But a risk manager could easily decide to skip treating risks and claim to be more than 80% in compliance with the standard. They would have developed nothing but a Risk Management Entertainment System without an active risk management process. Good discussions and insightful reports, but no actions.
Implementing active risk management will not be an easy transition for an organization; it adds additional explicit considerations to strategic decision-making. It also adds concerns about the day-to-day decisions that might lead to excessive concentrations of risk. By focusing on return on risk, active risk management may conflict with the prevailing view of the corporate winners and losers.
But active risk management is the only kind of risk management that is worth paying for. It is the only risk management approach that produces any results, and it is a risk management process that will be much more productive than an entertainment system.