Example of risks that are rated and where mitigation measures are identified
Our research finds that business makes 4 mistakes when identifying risks
Don’t get caught by surprises. Be prepared by having identified the most likely risks. Risk identification is considered a first stage in most approaches to risk management.
Doing business in the most difficult places of the world demands much of risk management.
This article looks at how risk management frameworks are applied in global enterprises that engage in frontier markets. We discuss important shortfalls in their application.
Large businesses, attuned to operating in high-risk environments, have structured risk management frameworks tailored for the purpose. These frameworks guide project-level staff and their management, and provide input to investment decisions and implementation.
The systems also provide information on the overall risk exposure of the corporation, as the detailed project-level risk assessments can be aggregated. This gives senior management and the Board an opportunity to understand the exposure.
Business makes 4 mistakes when identifying risks:
Finding 1: Risks that affect future performance are not typically identified
Finding 2: Risk identification is incomplete
Finding 3: Developments in the risk profile are not detectable, and much less measurable
Finding 4: Risk elements and mitigation measures focus only on high risk areas
We have analyzed the application of world class risk management frameworks in sophisticated organizations. The frameworks correspond to global standards, i.e. ISO 31000, and are accompanied by relevant guidance materials and training for staff. These are high capability organizations.
The application of risk management is analysed bottom-up. Our team identified each risk element and how it has been applied across multiple projects at clients. There is much granular data behind this. The actual organizational practices, at project level, are matched against the internal corporate risk guidelines and standards (that are also very similar across global corporations).
1. Risks that affect future performance are not typically identified
To manage risks effectively during implementation, it is important that the risk identification is based upon residual risk, as opposed to the initial risk that existed prior to the program intervention. This enables management to understand the current and ongoing exposure, as the program is implemented, and watch for developments of risk elements and execute strategies to treat the risks if they materialize.
The alternative, focusing on initial risks which the program will address, does not give an accurate picture of the remaining risks as the project becomes active. Instead, a focus on residual risks should take into account the impact of mitigation measures that have already been implemented.
Corporate risk frameworks are also mostly designed to identify residual risks. This is also consistent with global risk management standard ISO 31000.
However, there is a clear tendency in corporations to focus on initial risk. As can be seen in the exhibit below, across several risk areas in this business, the teams had largely focused on initial risk, and less on residual risks.
On average, 86 percent of the risks identified are “initial”. These are identified as risks before considering the impact of mitigation measures. There is variation across the categories but such a low share of residual risk identification creates challenges for active management of the risks during implementation.
Exhibit 2: Mapping of initial risk versus those that affect future performance
Why this tendency to focus on initial risks?
The dominant hypothesis in these cases is that the practitioners mostly prepared the risk assessments as part of an investment decision process. These formalized decision processes considered the investment at several points, either at stage gate reviews or for final sign-offs. As such, staff tend to balance (i) providing a picture of (high) risks perceived as realistic; (ii) while also providing comfort to management that the risks are addressed in the program.
Managers often experience great information asymmetry in these types of processes, in that most of their information comes through the project teams. As such, biases from motivated project teams may influence the information presented to management. A focus on initial risks only further reduces the transparency of the basis of the decision. Some organizations use outside third parties for reviews of major investments to ensure independent due diligence.
Corporations often update the risk assessments at regular intervals. However, in the portfolios reviewed, this update was almost entirely non-substantial and essentially rolled over the first, initial, risk assessment. Years into the portfolio, many of the risk elements and mitigation measures were substantially and logically outdated, yet the corporate review processes overlooked this.
2. Risk identification is incomplete
Corporations may have invested considerable resources in developing risk identification guidance. Consistent application of this, at project level, allows the corporation to assess its risk profile over time, across portfolios, functional lines and geographies.
However, we find that the application of the detailed guidance is far from complete. Project teams frequently overlook quite specific guidance for major risk elements to be reviewed under each element. In the data below, only about 28 percent of the risk elements identified in the risk management standard were actually articulated at the project level.
This could speak to either a corporate risk map that could be made more relevant, or it could speak to poor application. Corporations may find different answers to that question depending upon the quality of their frameworks or the diligence of implementation.
Exhibit 3: Completeness of risk identification
3. Developments in the risk profile are not detectable
Two key questions are critical when managing risks:
Is the risk profile evolving, whether positively or negatively; and
What are the risk tolerance levels, a specific maximum level that the corporate portfolio is willing to take for each element of risk?
In order to make reasoned judgments about either of those two issues, it is necessary that the risks are identified with qualities that make it possible to detect developments. The detectability can be expressed in either quantitative or qualitative terms.
Overall, as many corporations have extensive risk identification maps, there is opportunity to develop a risk assessment that has more detectable qualities.
However, we find that at project approval stage, about 14 percent of the risk elements have detectable qualities. This is likely to differ across industries, i.e. in financial services many elements are more easily quantifiable, and indeed prescribed by regulators, i.e. capital ratios and performing loans ratios. In many other areas, however, the risk elements may not be inherently easy to define with detectable qualities.
By not identifying detectable qualities, it is substantially impossible to understand how the risks evolve across the portfolio. Project managers have access to other types of information that in reality impact their risk assessments. They may rely upon much more specific information, and intangible qualities such as relationships and knowledge, to actually manage the risks. At the portfolio level, however, these qualities are difficult to transmit and, as such, developments of the risk profile are not detected at the corporate level.
Exhibit 4: Detectability of risk profiles
4. Risk elements and mitigation measures focus only on high risk areas
First is the tendency to focus on high-risk areas. The identification of each risk element, and its classification as high, substantial, moderate or low, is typically based upon detailed guidance material provided at the corporate level, identifying risks specific to the corporation and business lines. There is much experience behind the corporate-level risk maps, identifying elements that are specific and tailored to the business.
Staff prioritize identifying high-risk elements and articulate corresponding risk mitigation measures, often more than one per risk element, and especially so for the high-risk elements.
Exhibit 1: Risk identification and mitigation measures ratio
Ivar founded Abyrint in 2013. He is trained in public administration and economics including at Johns Hopkins University where he attended with a Fulbright Scholarship. Ivar worked for years at the World Bank in Washington D.C and also served as a Director with PwC advising corporate and government clients.