Want to read more?
The Big Tax Index
This content requires a Croner-i Tax and Accounting subscription. Log in No subscription? Contact us to discuss your requirements.
You are attempting to documents. Close Next batch. Request a non-obligation demo to find out! Book a free 15 minute demo. When events depart from our expectations, we tend to escalate commitment, irrationally directing even more resources to our failed course of action—throwing good money after bad. Organizational biases also inhibit our ability to discuss risk and failure. In particular, teams facing uncertain conditions often engage in groupthink : Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections—however valid—and fall in line.
Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimize conflict, delay, and challenges to his or her authority. Collectively, these individual and organizational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.
Effective risk-management processes must counteract those biases. National Aeronautics and Space Administration. The rocket scientists on JPL project teams are top graduates from elite universities, many of whom have never experienced failure at school or work.
In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches. We start by examining how to identify and mitigate strategy risks. Which model is appropriate for a given firm depends largely on the context in which an organization operates. Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and debate risk information.
Some organizations—particularly those like JPL that push the envelope of technological innovation—face high intrinsic risk as they pursue long, complex, and expensive product-development projects. But since much of the risk arises from coping with known laws of nature, the risk changes slowly over time. For these organizations, risk management can be handled at the project level. The experts ensure that evaluations of risk take place periodically throughout the product-development cycle. Because the risks are relatively unchanging, the review board needs to meet only once or twice a year, with the project leader and the head of the review board meeting quarterly.
The meetings, both constructive and confrontational, are not intended to inhibit the project team from pursuing highly ambitious missions and designs. But they force engineers to think in advance about how they will describe and defend their design decisions and whether they have sufficiently considered likely failures and defects. At JPL, the risk review board not only promotes vigorous debate about project risks but also has authority over budgets. The board establishes cost and time reserves to be set aside for each project component according to its degree of innovativeness.
The reserves ensure that when problems inevitably arise, the project team has access to the money and time needed to resolve them without jeopardizing the launch date.
- I Married My Best Friend.
- Sinners and Shadows (Brothers and Lovers Series Book 3)?
- Irene Dunne: First Lady of Hollywood (The Scarecrow Filmmakers Series)!
- Managing Risks: A New Framework.
- Weight Loss Diva Incredibly Delicious Diabetic Friendly Low Fat Low Calorie Hearty Soups And Stews Cookbook.
- Another World.
JPL takes the estimates seriously; projects have been deferred or canceled if funds were insufficient to cover recommended reserves. Many organizations, such as traditional energy and water utilities, operate in stable technological and market environments, with relatively predictable customer demand. In these situations risks stem largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time. Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers.
We observed this model in action at Hydro One, the Canadian electricity company. Employees use an anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing controls. The rankings are discussed in the workshops, and employees are empowered to voice and debate their risk perceptions.
Hydro One strengthens accountability by linking capital allocation and budgeting decisions to identified risks. The corporate-level capital-planning process allocates hundreds of millions of dollars, principally to projects that reduce risk effectively and efficiently. At the annual capital allocation meeting, line managers have to defend their proposals in front of their peers and top executives.
Managing Extreme Financial Risk
Managers want their projects to attract funding in the risk-based capital planning process, so they learn to overcome their bias to hide or minimize the risks in their areas of accountability. The financial services industry poses a unique challenge because of the volatile dynamics of asset markets and the potential impact of decisions made by decentralized traders and investment managers. JP Morgan Private Bank adopted this model in , at the onset of the global financial crisis.
Risk managers, embedded within the line organization, report to both line executives and a centralized, independent risk-management function. Risk managers assess how proposed trades affect the risk of the entire investment portfolio, not only under normal circumstances but also under times of extreme stress, when the correlations of returns across different asset classes escalate.
Even if managers have a system that promotes rich discussions about risk, a second cognitive-behavioral trap awaits them.
Consumer Compliance Outlook
Because many strategy risks and some external risks are quite predictable—even familiar—companies tend to label and compartmentalize them, especially along business function lines. The risks that companies face fall into three categories, each of which requires a different risk-management approach. Preventable risks, arising from within an organization, are monitored and controlled through rules, values, and standard compliance tools.
In contrast, strategy risks and external risks require distinct processes that encourage managers to openly discuss risks and find cost-effective ways to reduce the likelihood of risk events or mitigate their consequences.
- Prison Tales;
- Karamjeet Paul (Author of Managing Extreme Financial Risk).
- Browse content.
- Greatest Works of Edgar Allan Poe: Narrative of A. Gordon Pym, The Murders in the Rue Morgue, The Black Cat, The Fall of the House of Usher, The Raven & all his works;
Such organizational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. Good risk discussions must be not only confrontational but also integrative. Businesses can be derailed by a combination of small events that reinforce one another in unanticipated ways. Managers can develop a companywide risk perspective by anchoring their discussions in strategic planning, the one integrative process that most well-run companies already have.
For example, Infosys, the Indian IT services company, generates risk discussions from the Balanced Scorecard, its management tool for strategy measurement and communication.
In looking at the goal and the performance metrics together, management realized that its strategy had introduced a new risk factor: client default. Infosys began to monitor the credit default swap rate of every large client as a leading indicator of the likelihood of default. To take another example, consider Volkswagen do Brasil subsequently abbreviated as VW , the Brazilian subsidiary of the German carmaker.
For each objective on the map, the group identifies the risk events that could cause VW to fall short of that objective. The team then generates a Risk Event Card for each risk on the map, listing the practical effects of the event on operations, the probability of occurrence, leading indicators, and potential actions for mitigation.
It also identifies who has primary accountability for managing the risk. VW do Brasil uses risk event cards to assess its strategy risks. VW do Brasil summarizes its strategy risks on a Risk Report Card organized by strategic objectives excerpt below. Managers can see at a glance how many of the identified risks for each objective are critical and require attention or mitigation.
Managers can also monitor progress on risk management across the company.
Karamjeet Paul | Weatherhead
Beyond introducing a systematic process for identifying and mitigating strategy risks, companies also need a risk oversight structure. Infosys uses a dual structure: a central risk team that identifies general strategy risks and establishes central policy, and specialized functional teams that design and monitor policies and controls in consultation with local business teams. The decentralized teams have the authority and expertise to help the business lines respond to threats and changes in their risk profiles, escalating only the exceptions to the central risk team for review.
For example, if a client relationship manager wants to give a longer credit period to a company whose credit risk parameters are high, the functional risk manager can send the case to the central team for review. These examples show that the size and scope of the risk function are not dictated by the size of the organization. Hydro One, a large company, has a relatively small risk group to generate risk awareness and communication throughout the firm and to advise the executive team on risk-based resource allocations. By contrast, relatively small companies or units, such as JPL or JP Morgan Private Bank, need multiple project-level review boards or teams of embedded risk managers to apply domain expertise to assess the risk of business decisions.
And Infosys, a large company with broad operational and strategic scope, requires a strong centralized risk-management function as well as dispersed risk managers who support local business decisions and facilitate the exchange of information with the centralized risk group. External risks, the third category of risk, cannot typically be reduced or avoided through the approaches used for managing preventable and strategy risks.