A culture where risk is understood

Dealing with risk in an informal manner might seem appealing. No time-consuming meetings, no up-front costs, as no problems are ever found. And there is a reassuring idea that, if you aren’t aware of problems, then maybe, just maybe, they’ll go away.

It’s a position which gets a dramatic thumbs-down from risk practitioners. Not only do you leave your firm open to disaster; even the alleged benefits of a laissez-faire approach aren’t real.

Suzanne Fribbins, risk specialist at the British Standards Institution (BSI), puts it thus: “Dealing with risks in an informal and reactive manner is not only resource intensive, it promotes an inconsistent approach to managing risk, and takes up a great deal of management time.”

So what is the best way to deal with risk? How can you really make it part of your entire firm’s ethos?

Healthcare multinational Roche needed to find out. As the maker of in-vitro diagnostics and drugs for cancer and transplants, Roche needs to take the most rigorous approach possible to risk management. So in 2007, it set up a risk management function to consolidate all the risk departments across its many divisions.

The new group risk management team at Roche installed similar processes in all 25 business units, from HR and legal, to R&D and finance. Each unit appointed a risk manager. Information is collected via a mix of methods, including workshops, face-to-face meetings and questionnaires.

All risk data is handled on a single platform, Sword Active’s Active Risk Manager (ARM). Dr Daniel Imhof, risk director at Roche, says: “Once the information is gathered the risk manager enters it into ARM with details of review dates and risk owners. The information is consolidated for each business unit and then sent to group risk management where information for the entire organisation is consolidated and ultimately presented to the executive committee and the board of directors.”

To ensure risks are assessed with the utmost vigilance, Roche uses ISO 31000 from the International Organization for Standardization. It’s an approach used by the majority of multinationals.

Engineering consultancy BMT Group, which has worked on projects from Apache attack helicopters to gas terminals, uses ISO 31000 to mechanise its processes. Jayne Matthews, BMT’s head of risk, says there are four main methods at work. “There is protection of reputation in the marketplace. We monitor the brand in the public domain, and have a procedure for press and media contact,” she says.

For market risk, sector directors, who monitor the marketplace and assess risks, mitigate the effects of market uncertainty and downturn by working with operating companies. For contractual risk, BMT uses formal risk analysis tools for bids, applicable across the whole organisation. The bid assessment process aims to ensure that expert help is available to mitigate risks in areas such as bonds or guarantees, terms and conditions, foreign exchange and the supply chain.

“And fourth, we have human resource risk,” says Ms Matthews. “Our HR function monitors trends and provides a strong people-management culture. Staff satisfaction surveys are used to check that these policies work.”

And does it work? Ms Matthews lists the achievements: “No serious personal injury claims in the past three years, no significant adverse publicity and good performance during market downturns.”

One thing common to organisations that really know how to embed risk management deep into their company culture is an ability to understand that box-ticking is no substitute for real understanding.

Travel agent Ian Allan Travel specialises in sending charity workers into war zones and disaster areas. Managing director Pat O’Neill says: “It’s common for our risk manager to verbally brief the traveller on all the extreme risks, rather than asking them just to read and sign a document. Keeping travellers alert and aware on all levels is key.” Clearly, letting workers enter South Sudan with nothing but some leaflets in their luggage is not going to cut it.

Creating a culture where risk can be discussed openly is vital. Paul Moore, former head of regulatory risk at HBOS and now chairman at peer-to-peer lender Assetz Capital, warns: “Risk managers must never report to the executive over whom they exercise oversight.”

And groupthink must be crushed. “Getting the mathematics right is often the easiest part of the equation. What is far more important in managing risk is understanding human psychology, which proves how much cognitive bias we have when money is involved, and anthropology, which proves the power of the herd,” says Mr Moore.

BSI’s Ms Fribbins says ultimately a systematic approach to risk will maximise your chances of thriving, adding: “Risk management is not intended to eliminate risk altogether. There is a direct relationship between risk and reward, and all companies must accept some degree of risk.”

The point is to squeeze that risk as hard as possible. Not trying at all, or improvising while ignoring proven methods, seems nothing short of masochistic.