Another week, another “Top 10” risk list. All the “Top 10” risks are disasters waiting to happen. They attract nods and sighs from the risk managers and risk pundits of the world. What would happen if we developed a list of the “10 Best Risks”? Is there even such a thing as a good risk? If there is no such thing as a good risk, we’re in trouble, because we are taking (and benefiting from) a lot of great risks.
Bad risks add little to no value if managed well, but can result in a loss of value if controls fail. These risks are the focus of most risk-management practitioners, auditors, and others today, to the detriment of the profession. Because good risks, when managed correctly, add competitive value to the organization.
What’s a bad risk?
So, what’s a bad risk? An oil company involved in refining, distributing, and marketing petroleum products faces several risks, among them spills, leaks, and thefts of product inventory as it moves through the system. Imagine a news release titled,“Oilco reduces spills leaks and theft of oil by 10%.” I suppose if Oilco had a terrible record of spills and leaks, then perhaps the stock market might reflect an uptick in share price for the progress made. But reducing unnecessary operating losses is usually rewarded with a shrug by the market. But the market – the true measure of value – gives you nothing for the effort.
How about an airline that says “We are #2 in safety – so we try harder”? Or an auto manufacturer that claims to achieve “average” reliability ratings?
Operational excellence is generally expected in core business processes. Stock markets don’t reward excellent operational performance on its own. But they will penalize failure. I have seen Standard and Poor credit ratings that penalize companies for operational losses
Generally, businesses don’t undertake operational risks to add value. They undertake operational risks to support the activities that do add value.
Is it a mistake for risk management practices to consider a reduction in operational losses a worthwhile goal? Of course not. But for risk managers to add value, they need to look at where the value is created. Operating management is accountable for operational risks.
What’s a good risk?
A good risk is one undertaken in the expectation of gain. Acquisitions, new product development, exploration and production activities, and geographic expansion are all undertaken with the expectation of economic reward. Failure is penalized, but success is rewarded in proportion to value created.
In reality, the line is not quite so clear cut. In some cases, a company can add value through operational excellence. Think of an airline that uses a simple business model and a specific aircraft across its fleet to drive down costs and drive customer satisfaction.
But there is a line, and risk managers need to find it.
Good risks are hidden in plain sight
Companies registered with the SEC are required to file a 10-K report. Section 1A of the 10-K is includes information about the most significant risks that apply to the company or to its securities. Companies generally list the risk factors in order of their importance. These risks include non-value-adding operational risks as well as additional risks that the company is undertaking to create and realize economic gain. These are the good risks. To add value, risk managers need to provide the insight needed to help manage these risks in a way that provides a competitive advantage.
Throughout my career (and as recently as the 2017 Compliance Week conference in Washington, D.C.), I have seen risk managers, auditors, and other GRC professionals dismiss their own companies’ risk disclosures as irrelevant to their work. Only bad risks get the attention of auditors, risk managers, and other GRC professionals. Risk factors are dismissed as boilerplate mandatory disclosures. Real risk managers don’t even get involved. But they do wonder why their work is often considered irrelevant.
Here are some good risks I have seen recently reported in a selection of 10-Ks and annual reports.
- “Failure to attract and retain employees”
- “Failure to offer innovative and competitively priced products”
- “Inability to complete and integrate acquisitions successfully”
- “Failure to successfully negotiate new collective agreements”
Get involved with your good risks
I don’t think I have ever seen a risk assessment on risks like these or the hundreds of others in published risk factor reports. Most risk professionals spend their time on “bad” risks.
Ask yourself: What are the “Top 10″ risks my company must manage to be successful, and how can I contribute to improving the value added? Make a Top 10 Best Risks list. Add them to your audit universe and your risk register. Understand exactly what drives those risks and how they can be managed better.
Good risks add value. Bad risks do not. Learn the difference and adjust your efforts. Most of the technology supporting risk management will only provide a ROI if applied to “good” risks.
Let me know what you think. Does your risk management team (or for that matter any of your GRC practitioners) participate in the identification and disclosure of reported risk factors?