Mon 13 Nov 2017
Risk Management : never say never by Benoit Paquay

We have all managed risk since the very beginning of humanity. In times past, risks were directly related to rewards that would enable an individual and the tribe to survive. Nowadays, the situation is roughly the same. People take risks, hopefully reasonable ones, for a reward, and intuitively compare the respective levels of risk and reward to assess whether the risk is worth taking. It is in everyone’s nature to do so, but hopefully tools can help people in general, and directors and executives of companies specifically, in the difficult exercise of risk management.

Risk should be understood as all potential negative outcomes one may imagine, defined in terms of impact and likelihood, which can be assessed quantitatively or qualitatively while only representing a set of educated hypotheses. Some risks are essentially assessed quantitatively, such as market exposures, counterparty risk or credit risk, while others, such as reputational or legal risks, are more difficult to quantify and will require qualitative or mixed approaches. In this regard the use of new tools such as “Big Data” could provide interesting solutions.

Risk management is both a science and an art as it is not just about numbers and defined outcomes.

First because risk is too often limited to predicting potential future events given present circumstances and past experience, but as we know, past events are rather poor predictors. It is also about events that may have never occurred in the past.

Second because even with quantitative approaches, errors are possible regarding data, methodologies or hypotheses. Tests (back-tests) are designed to improve the predictive power of a quantitative model and thus reduce the gap between the predictions and the actual events.

Third because sometimes there is a lack of available data of adequate quality or because some risks are not easily quantified.

Board members and other executives generally use their risk knowledge in the course of their daily decisions as part of a “risk-based governance” approach. The main pillars that support this approach and contribute to the management of risks and the improvement of processes are well-known functions: Risk Management, Internal/External Audit, Internal Control and Compliance.

But to be efficient and trustworthy, a risk system requires a minimum set of elements some of which are directly related to the directors around the table:

Remember that no one has a crystal ball and that risk management is performed on a best effort basis in which gut feeling may also play a role with or without numbers.

Risk Appetite: What is the board/company risk appetite? Is it consistent with the long term value creation of the company? With its culture?
Data: Is the data of adequate quality (without errors, with enough depth and coverage)? For instance in the alternative investments sphere where data may be scarce.
Tools: Do we have the right tools for the job? Can their results be easily explained and communicated?
Profiles: Risk profiles are important. They define ex-ante the natures and expected levels of potential risks, their related limits and where any specific focus should be considered. Have we forgotten any risk nature? Do our limits make sense?
Approach: Adopt an open-minded approach when it comes to the different natures of risks that may have an impact on the business. Things are rarely pure black and white, and not all risks can be measured with certainty, but that does not mean they cannot materialize one day.
  • Make use of judgment and positive criticism towards the methods, the data and the way experts handle numbers.
  • People who are not risk experts should not refrain from asking simple questions. It will be more useful than it may seem among piles of numbers and hypotheses.
  • Also do not let numbers fool you (that may lead to either under- or overstatements of actual risks) and challenge both the scope of risks and the results.
  • Use facts, tests and questions to continuously challenge and improve risk systems and risk approaches.

The board and the company will also have to consider the responses to be given should a risk become significant, a limit be reached or an alert be triggered. As in a battle plan with both strategic and tactical parts, those responses should be prepared in advance in procedures and processes (the risk profiles are particularly useful in this exercise) but should also allow some flexibility (and agility) as the events will probably be different in some ways from what was foreseen.

While risks with potentially critical impacts such as operational or reputational ones are still difficult to assess and contain, new risks are entering the room (cyber risks, technology risks/digital disruptions…).

Continuous improvement (the famous Japanese “Kaizen”) in terms of knowledge/training, techniques and tools but also in the risk culture we adopt will allow companies to face the risk challenge and make the risk management exercise a continuously demanding but exciting element of our professional lives.

“Never say never” because even the improbable can become reality.

Independent Director
Partner of Arkus Governance Partners