Managing Risk; a new framework, by Robert S Kaplan and Anette Mikes, Harvard Business Review, June 2012

Ben Crowley2 Blogs Leave a Comment

Reading the June version of Harvard Business Review reminds me of the old parallel with a London bus; you wait for months for a decent article and then lots come along in the same edition. This is the third I have reviewed so far and all three have been practical and interesting.

It is no surprise that this article comes over as a good balance between the conceptual and the practical because one of its authors is that annoying example of academic and publishing success; Harvard Professor Robert Kaplan of Activity Based Costing and Balanced Scorecard fame. Why annoying to me? Mainly because of jealously that such simple but powerful concepts can be put over in such an engaging way, with such a high level of success! Kaplan makes us mortals say – now why couldn’t we have written that article or created that label?

This article does not contain such a major breakthrough in thinking as ABC or BS but it is an interesting take on a topic that most companies struggle to master and that those who teach the subject find hard to conceptualise. The traditional matrix of risk impact and likelihood is widely used by companies but does not provide enough guidance on how risks can be better managed; it is an analytical tool rather than a management blueprint.

The start of the article is brilliantly conceived though perhaps a little unfair to Tony Hayward of BP. It quotes his pre-disaster approach to risk management as writing emails to staff about texting while driving and using lids on coffee cups, while no proper plans were being made for the risks of the Deepwater oil exploration. The authors use this as a lead into one of their main points; that the overemphasis on compliance and box ticking is at the heart or many companies’ risk management problems.

The article’s main theme is that the best framework for effective risk management is to classify risks into three categories:
– Preventable risks, mainly internal
– Strategic risks, those taken consciously and for positive reasons
– External risks, uncontrollable and to some extent unpredictable

The argument is made that these three types of risks are fundamentally different and should be managed in different ways, whereas most companies deal with them through the same processes. In particular they adopt a compliance approach to all three when this is only applicable to the first category.

The authors then move on to link risk management to that other key concept that we are covering in increasing frequency on our courses, that of BIAS. They argue that there is a natural inclination to be over-confident in forecasting, particularly where there is a leader whose style is upbeat and positive. It creates a sort of ‘groupthink’ that suppresses objections and talks about successes but not failures. This encourages risks to be discussed with the different types of bias – anchoring, confirmation and over-confidence – which result in poor evaluation and unrealistic management plans.

The article therefore makes a convincing recommendation that companies with major investments and a high level of strategic and external risks should have independent experts to challenge the internal managers responsible. This is backed up by a number of examples of top companies who are already using these processes. These examples are interesting but it would have been more convincing if more of these companies had been global operators; only VW and JP Morgan fall into that category.

I assume that the article must have been written before the most recent JP Morgan debacle and that it was too late to change the content for, with hindsight, the reference to JP Morgan as a beacon of good risk management practice is laughable. The authors suggest that the Morgan model of risk management and control was a major reason why they fared better during the financial crisis than other banks and have stopped traders ‘going native’. Another comment which seems amusing in hindsight as their CEO fights for his career, is this quotation – ‘Preventing traders going native is the responsibility of the company’s senior risk officer – and ultimately the CEO – who sets the tone for a company’s risk culture.’

One particularly thought-provoking point is the authors’ view that companies make their risk management less effective by carrying out analysis on a functional basis – marketing risk, production risk etc. – when they should look at the assessment holistically, linked to the business strategy and using – surprise, surprise – the Balanced Scorecard approach as a framework. I’m less certain about the latter point but the general comment is valid; at MTP we have seen companies’ investment evaluation processes which use a functional framework as a checklist and it has exactly the impact that is described; another example of the compliance, box ticking approach which can get in the way of business judgment.

The article finishes by suggesting the tools and concepts which apply to each of the three categories of risk. The first category of Preventable Risk requires a combination of compliance and internal audit, supported by the company’s statement of values. Strategic Risk requires workshops run by independent facilitators and experts to challenge assumptions, supported by ‘risk scorecards’ linked to the strategic planning process. The uncontrollable External Risks require stress testing, scenario planning and war gaming exercises, also using independent people to facilitate the process. This was all good stuff though, as often happens with content in this area, there should be more on what is done after the analyses have been carried out, rather than seeing the tools as ends in themselves.

My overall assessment is that this is a valuable contribution to a topic that needs some fresh thinking in the light of events like BP’s Gulf Oil spill and numerous disasters in the financial sector during the recession. How many companies carried out evaluations of the impact of a Lehmann type crash and are now doing so for the various scenarios around the Euro? And if they are doing so, are they using the box ticking, compliance based approach that probably dominates the risk assessment methods in their audit and planning processes? Like all good articles in business magazines, this one should make major company CEOs think seriously about their current practices.

Read the article;

Leave a Reply