1、Dont worry, its just your businessIn an uncertain world risk has never been more prevalent nor so misunderstood.Chris Nichols negotiates a route through the mire of theory and indifference insearch of a realistic contemporary approach to risk management.Chris Nichols is co-director ofthe Strategy an
2、d LeadershipProgramme at Ashridge, andis joint client director forAshridges work with clientsincluding Aventis andPricewaterhouseCoopers.He is also visiting strategyfellow to thePricewaterhouseCoopersEnergy Group in Australia andis a member of the visitingfaculty at City UniversityBusiness School in
3、 Londonand Fordham Graduate Schoolof Business, New York.Email: chris.nicholsashridge.org.uk In September 2001, Sun Microsystems ran atongue-in-cheek advertisement in the FinancialTimes. “Compaq is abandoning their Alpha chipfor a new unproven platform. Dont worry, its justyour business”. The adverti
4、sement is proof, if proof wereneeded, that uncertainty worries people. It makesfor a compelling and frightening sales line. Betterthe devil you know. But in a changing world thedevil you know can also do you harm. Managingin the face of change raises some tough issues forsenior teams bred on a diet
5、of planning, controland stability. At the heart of this is our attitude to managingrisk. In discussions with CEOs and risk managersin Europe and Australia, I found that manybusinesses consider risk too mechanistically,applying a single risk management approach torisks of varying kinds. These discuss
6、ions suggestthat, while there is no magic bullet, a morevariegated approach matching tools andperspectives to the kinds of risk and the differentrisk dimensions may win out. Maps and explorersMuch recent management writing makesuncomfortable reading as the inadequacy of themental models most manager
7、s bring to todaysbusiness challenges is exposed. As Ralph Staceysays: “Todays dominant mindset leads managersto think that they must find the right kind of mapbefore they embark upon the business journeyinto the future but the very idea that a mapcan be drawn in advance of an innovative journeyis it
8、self a fantasy The key to success lies in thecreative activity of making new maps, not in theimitating and following of already existing ones.”1Leading teams toward complex futures is moreakin to exploration than navigation. You have tolearn to load the pony and resource the team. Youdraw the map as
9、 you go, but find that the mapcannot be relied upon.But if we accept that innovative futures areunknowable and that planning for them is anillusion, where does that leave corporatemanagement? Do you ignore the future? Do youhope for the best? How do you meet yourgovernance requirements and engage yo
10、ur boardand top management team in decisions?The most essential step is to realise that not alldecisions, and not all activities, are identical. Thereare areas of business that are essentially routine,others that are risk-rich, others that are closer tothe edge of chaos, the frontier of innovation.A
11、pplying the same planning, evaluation and riskassessment to these different situations is likedancing the same dance to Strauss and the SexPistols. It isnt right and it doesnt do the job.The model I now use distinguishes between fourmajor dimensions of risk bearing activity:4DIRECTIONS Ashridge Jour
12、nalWinter 2001/20025 Day-to-day operations: dealing with the riskof regular operations Risk-rich operations: day-to-day decisions ofcompetitive consequence where risk is part ofthe product and process Stepping into “transitional space”: risk in new ventures, strategic investments and acquisitions St
13、epping out: risk in innovation, new productdevelopment and competitive repositioning.The first two I group together as types of“essential” or “structural” risk. The latter two Icharacterise as “transformational” risk. Its hardly surprising that the best assessmentand risk management approaches would
14、 differ forthese different types of activity. What is surprisingis that few companies risk managementframeworks acknowledge this. More of the sameDay-to-day operations can appear trivial andmundane. But accidents on public transport, toxicemissions from processing plants, and explosionsat major powe
15、r plants are all examples ofoperational risks which arise from day-to-dayactivity. In some cases corporations fail because theydont actively recognise or manage these risks. Inother cases, operational risks are logged andresponsibilities and probabilities allocated, butthey are not the correct ones.
16、In my risk assessment workshops, I take well-known examples of error, failure or catastropheand use these to illustrate how easy it is to mis-allocate causation. I use well known incidents, toensure that everyone in the workshop is familiarwith some or aspects of the case: most are eventsthat made t
17、heir mark on the world. Often,participants are able to identify a series of clearand evident immediate causes. But frequentlythese causes are misleading. Many times, majorfailures have deeper and complex systemic causesthat everyday risk management fails to recogniseand accommodate.Take the case of
18、the Challenger Space Shuttledisaster. We never fail in our sessions to get a clearexplanation of the cause: “O-Ring failure at lowtemperature brought down the shuttle”. But that isonly the proximate cause, the immediateprecursor. The subsequent Presidential Inquiryrevealed deeper complex organisatio
19、nal and policyfailings. The writings of Richard Feynman, the eminent physicist, and Edward Tufte, the Yale statistics professor, show the depth of thecausality that traditional risk assessment would commonly miss.This is not surprising. Linear models of simplecause and effect are often misleading. R
20、alph Staceyargues that businesses operate in a far from linearworld a world of non-linear feedback systems. Inthese systems “the dynamics are so complex thatthe links between cause and effect are lost in thedetail of what happens tiny changes escalate,leading to massive consequences, virtuous andvic
21、ious circles are generated. Consequently it istotally impossible to predict the specific long termfuture of such a system it is truly unknowable”.1Staceys “simple non-linear feedback systems”DIRECTIONS Ashridge JournalWinter 2001/2002Applying the same planning,evaluation and risk assessment todiffer
22、ent situations is like dancing the same dance to Strauss and theSex Pistols.are embedded in organisational communication,culture, structure and politics. We all know thesesystems. They underlie the messages that just cantbe delivered. They are the issues that dont see thelight of day, because they a
23、re too difficult for theorganisation to hear. When we are dealing with the day-to-day, thevery familiar, it is easy to look for the immediatecauses of risk and miss the underlying drivers. Butit is important to try to get behind these issues andinto the underlying causation (see Figure 1 for anexamp
24、le of my workshop methodology).As Staceys work suggests, you still cant predictoutcomes. But you can go beyond controlling theobvious cause of a risk just because it is obvious.Its like the old joke about the guy searching forhis car keys under the street light. Its not where hedropped them, but its
25、 too dark everywhere else. Often the causes unearthed are not factors thatfall easily into probabilistic models. A bettermethod focuses on the identification of areas ofrisk and the allocation of specific monitoring andcontrol responsibilities to named individuals.Specific risk monitoring tasks are
26、allocated also.Timed control and reporting events occur.Often a “pro-forma” control framework is used,identifying the risks, providing prioritisation,tracking control measures, timings andaccountability. The exact format of the pro-formais unimportant develop your own to suit yourrisk map. What real
27、ly matters is the resulting process and the quality of the discussion andcommunication about risk that is at its heart. Keysteps include: Use an “open-framing” technique a wide-ranging group based brainstorm to identifythe range of risks the company could face inrespect of a given area of operations
28、. Justleaving your risk identification to the internalteam is inadequate. Listen to other voices.Open the door to dissident messages. Test the impacts of the risks: whatconnections exist, what is contingent?Escalation is what we are looking for here. Ask what influences the development andcontrol of
29、 the risk? Ask what scenarios lead toits occurrence and how can you spot these asthey develop?6DIRECTIONS Ashridge JournalWinter 2001/2002Dont worry, its justyour businessWORKSHOP TECHNIQUE FOR IDENTIFICATION OF PROXIMATE AND UNDERLYING RISK CAUSALITYRISK IDENTIFICATION - STEP Using pre-arranged and
30、 researched cases from step one, then show by discussion-based method that proximate causes are not nececcarily a full reflection of cause. When group acknowledges existence of underlying causes, progress to groupwork to identify underlying causes of the top ten corporate risks.Further stages of gro
31、upwork can include initial solution identification and implementation/responsibility planning.In full assessment groupwork, output should be subject to further expert and “delphi” scrutiny and to comparison with output from other groups within the company.Failure of Ansett Australia airlineCAUSESEVE
32、NTSpace Shuttle Challenger explosionCAUSESEVENTMarconi market capitalisation slumpCAUSESEVENTCorporate risk 1CAUSESEVENTCorporate risk 2CAUSESEVENTCorporate risk NNCAUSESEVENTFailure of Ansett Australia airlineEVENTPROXIMATE CAUSESUNDERLYING AND COMPLEX CAUSESSpace Shuttle Challenger explosionEVENTP
33、ROXIMATE CAUSESUNDERLYING AND COMPLEX CAUSESMarconi market capitalisation slumpEVENTPROXIMATE CAUSESUNDERLYING AND COMPLEX CAUSESRISK IDENTIFICATION - STEP Using familiar episodes of failure or error, ask group to brainstorm and select causes of each episode. Record on a flip-chart or OHP slide as s
34、hown.RISK IDENTIFICATION - STEP Using a similar brainstorm process, get the group to identify and prioritise main company risks. Then brainstorm causes.Record on flip-chart or OHP slide.213A STEP-BY-STEP EXAMPLEFigure 1 Ask what measures can be deployed to headoff the consequences of the risk if the
35、circumstances occur? What disaster recoverymeasures exist and are they adequate? Who should do what and when to effect thesesteps? Which individuals or teams can bringcontrol to bear on these operational risks? Dothey have the right, the power, incentives,reporting lines and authority, to exert thec
36、ontrol? Take seriously the monitoring and tracking ofthe output. Provide incentives. Create a topmanagement group to check performance. Beserious about operational risk. Develop a traffic lights regime to trackprogress on the control status of non-handledrisk. Adequately controlled risks show greenl
37、ights. Serious unmanaged risks flash brightred. Deal with them. In the risk-rich zoneThings can go horribly wrong in routine processes.Bringing to your business the discipline of theregime above will assist. But you cant rely on thisapproach in a risk-rich environment an area ofday-to-day business w
38、here handling risk is core tothe activity.Where do these areas lie? Energy trading is one.Areas of selling where products are “sculpted” areanother case such as outsource service providersolutions where the provider assumes and pricesin the risk of service. In these areas of activity riskis a core f
39、eature of the product and process. But an attempt to use an allocation andresponsibility framework will not work here. Theframework will never be comprehensive enough,or flexible enough, to cover the risks that need tobe assessed and to allow trading and sellingoperations to flourish.Something simul
40、taneously looser and tighter isneeded. I summarise this in Figure 2 (above). Itsnot a simple thing to get right. Several elementshave to be created and aligned.The starting point is to examine the values andculture of the organisation. Trading organisations,for example, need to have risk awareness i
41、n theirblood. This is a challenge for many energy utilities,moving into trading following deregulation. Theydont have values related to trading. They donthave stories about excellent traders as part of theirculture. But this has to be built and it can be amajor culture change challenge. Bringing in
42、experthires is fine, but the culture and values have to beon the right track, or theyll be gone in a flash.The other core element is to frame a statementof risk appetite appropriate to the strategy of thefirm and in line with its values. What sort of risksare we prepared to take? Who needs to make t
43、hejudgements and with how much discretion? The reporting, monitoring and communicationsframework is critical. Whatever specific metrics areused for example, revenue at risk, value at risk and whatever trading book system is used, it needsto generate reports that track compliance with theagreed frame
44、work. And the reports need to be used7DIRECTIONS Ashridge JournalWinter 2001/2002Board ensures corporate risk appetite isaligned to strategic goals and capabilitiesand established in governance regimeValues and cultureRisk control & reporting frameworkHiring and trainingReward and advancement aligne
45、d to values, culture and to risk frameworkBoardGOVERNANCE REGIMESuitable business unit structure: e.g.front/back office separationExecutive oversight and monitoring of risk framework and reportingFigure 2intelligently both in executive oversight andreview, and in their provision of useful intelligen
46、ceto other parts of the organisation. I have seen“excellent” risk pricing information that arrived atthe field sales team too late to influence theirnegotiations and pricing decisions. At its worst, disconnection is the source offailure in risk-rich activities. Effective trading andsales risk manage
47、ment is not only about softwareand systems. Its also, even mostly, about people,culture and communication. And its aboutaligning the activity, the strategy and the value ofthe business.You cant boil this down to lists of risks and theallocation of accountability. If trading is the heartof the busine
48、ss, managing this risk is a deep-setstrategic issue. Rose tinted valuationThe errors we see in the risk-rich areas are nothingcompared with those seen in the assessment ofstrategic initiatives, strategic investment projectsand acquisitions. Thats no surprise. Its common knowledge thatmost mergers fa
49、il. Its not that projects are hard toassess in principle. Everyone we work with appearsto be familiar with the basics of valuation. So whydoes so much go wrong?The fundamental answer is that the financialanalysis, while often detailed and elaborate, isfrequently flawed. Vital questions about strategygo unanswered. And these unanswered questionsmake a mockery of the apparent precision of thefina
