Can We Really Make Risk Management “Everyone’s Business”?

Apr 21, 2022

How often have we heard that risk management has to be everyone’s business, or that tone at the top is integral to risk management? I take no exception to either of these concepts, as both are very important and have been incorporated by many organizations as key components of their risk management strategy. Having said that, when businesses fail to achieve organizational objectives, 90% of the time it is because of implementation. The plan can be great and management can be fully supportive, but invariably something seems to go astray between the good idea and its completion. Only about 7% of employees understand how they fit into the strategy and risk management of their organizations. Again, the idea can be great, but the organization needs to clearly articulate what it expects and manage to that outcome.

In risk management, this often plays out with individuals understanding that risk is important but having only vague notions of what that means in practice for the conduct of their work. VaRs are calculated and limits are set, but on the front line these often translate into things that you cannot do. In this scenario, risk management is done by the experts in the middle office, who do the majority of the risk assessment, tracking, and measurement. Often those on the front line try to get around what they cannot do rather than work with the risk managers to optimize risk taking. This sort of positive risk optimization would require the front-line risk takers to have a clear idea of the type of risks they are managing and the overall risk tolerances of the organization, perhaps even translated into personal or unit KPIs for risk.

Instead of this positive risk optimization, the separation of the risk takers from the risk manager, combined with cash bonuses and short-term and/or bottom-up goal setting, has created incentives geared to short-term gains rather than sustainable growth. The contribution of goal setting and performance management is an overlooked aspect of this negative incentive structure. The most successful organizations work hard at cascading strategy and risk from the top down, but in many organizations goal setting and performance management come from the bottom up. I myself have succumbed to the expedient when feeding the performance management beast. Rather than really taking the time to set meaningful targets and evaluating performance against those measures, I would ask my staff to start the process from the bottom up by telling me what they are going to do or what they did. This wouldn’t be so bad if the bottom-up approach was simply the starting point, but way too often the meaningful evaluation of the input provided by staff to get the process moving is given short shrift because of the need to move fast and get performance management done.

There are firms that are tackling better alignment of incentives and goal setting to risk management objectives, either as a strategic imperative or a regulatory mandate. These efforts usually start with compensation and the reduction of cash bonuses in favor of deferred compensation like restricted stock or options. The next step, however, is more difficult, and firms often struggle to create meaningful risk goals and guidance for all staff and to cascade strategic objectives throughout the organization. Why is this? Because it can be an extremely heavy lift without a thoughtful job and risk architecture and a means of managing that architecture on a go-forward basis.

At the beginning of this article, I spoke of the importance of implementation. How then do you implement a plan to make risk management everyone’s responsibility? Organizations need to build reusable tools for cataloging roles and responsibilities, creating and documenting their risk framework, including risk weightings, and then finally linking these risks to roles so that they can be utilized in performance management. I stress the importance of being able to establish a reusable framework so that each year roles, goals and risks can merely be updated rather than recreated, and so that time can instead be spent analyzing data to ensure the appropriate resource mix to mitigate a risk or ensuring that those assigned a risk are meeting their responsibilities. At Meritarc we have built a configurable framework with tools and expert content to help you assemble your framework regardless of where you presently sit.