Handout to a presentation held in April 2009 at the University of Lugano, Switzerland, about the importance of communication within risk management. The paper provides also an overview on possible barriers within the communication about risks and within risk management.
- 1. Lets Talk about Risks Why Communication in Risk Management matters Handout to the presentation Lets Talk about Risks Why Communication in Risk Management matters, at the Universit della Svizzera Italiana (Lugano) on 14 April 2009. Thesis:Adequate and systematic communication in Risk Management is essential fororganizations to achieve their goals. Definition of relevant terms Communication (in particular: knowledge communication): (Deliberate) activity of interactively conveying and co-constructing insights, assessments, experiences, or skills through verbal or non- verbal means. Successful transfer of know-how, know-why, know-what and know-who through face- to-face (co-located) or media-based (virtual) interactions. Knowledge Communication process: Identification of experts Briefing to expertsAnalysis by expertsCommunication of results Decision taking Implementation. Risk: Uncertainty that influences the achievement of goals in a negative or positive way. Risk Management: Structured approach of assessing, improving, monitoring and reflecting about risks and risk management in order to minimize the effects of risks on an organization's goals (see Figure 1). Risk Communication is the deliberate activity of interactively conveying and co-constructing information, experience and insights about single risks, risk portfolios and risk management activities through verbal or non-verbal means. Risk Visualization designates the systematic effort of using (interactive) images to augment the quality of risk Figure 1: Generic risk manage- communication along the entire risk management cycle. ment processInternal communication about risksInternal communication about risks and riskactivities is required to govern and manage anSenior Management / Oversight /organization successfully. Board ofExecutive Board DirectorsAll relevant functions of an organization areinvolved in this communication (see Figure 2). External AuditFurthermore, external parties like investors,Risk MgtInternal Auditregulators or rating agencies are interested inrisk information.Business(Specialists)Discussions OrganizationInquiries/ReviewsFigure 2: Risk communication between internal functions Common enablers and tools for communication about risks: Formal Risk Management Committees and/or Audit & Risk Committees Standardized risk models and methodologies Regular risk and control issues reports; key risk indicator reports; ad-hoc analysis; early warnings 2009 by Markus Aeschimann | email@example.com | 06/04/2009 1/5 Let's talk about Risks - Handout - 20090406_1540_aem.docx
2. Pre-defined escalation procedures for crisis situations or important information exchange Focused reviews about risks/issues (e.g. by Internal Audit or risk functions) resulting in recommendations Alignment meetings between representatives of Business and Risk Functions Formal and informal ad-hoc meetings, phone conferences etc. regarding specific risks or issues Central model and possible communication problems To analyse potential communication problems within risk management we should focus on the various players taking part and their communication relationship between each other (see Figure 3). A relationship we dont look at here in detail is the constant exchange with the external environment regarding risk input and best practices (out-side-in perspective). Figure 3: Central model for knowledge communication in risk managementFollowing a selection of possible communication problems in risk management and some suggestions. A. Communication between Business Specialists and Risk Management Communication ProblemIdeas for Improvements No common risk language. Establish a Risk Model and use clearly definedterms consistently in all communication. Performance vs. risk perspective, e.g. inImplement standardized processes with toll product development, M&A, strategy gates and involve risk functions to enable development. holistic view (e.g. in product development). Information hiding by business due toTone from the top and positive role model by inadequate incentives and remuneration executives (leading by example) to foster open (neglecting long term effects or sustainability of communication culture. Anchoring in MbO. business). Risk Managers do not completely understand Risk Managers should get insights into the business or on the other hand are notbusiness processes, e.g. by being involved in independent enough and therefore can not internal audit assignments from time to time. challenge the business adequately to think Regular exchange with similar functions from about the risks of their business model. peer companies. Limits in risk documentation/communication toFocus on communication instead of be considered due to possible legal or securitydocumentation. If management is aware of impact (examples: product risks and liability, such risks they can take appropriate measures. security services). No or inappropriate usage of visualizations like Learn visualization techniques and include risk maps, driver maps etc. in the identificationappropriate visuals in discussions, and assessment phase of risk management. presentations and reports. 2009 by Markus Aeschimann | firstname.lastname@example.org | 06/04/20092/5 Let's talk about Risks - Handout - 20090406_1540_aem.docx 3. B. Communication within Risk Management Communication Problem Ideas for Improvements Risk functions (e.g. investment risk, operational Establish a Chief Risk Officer role as a head for risk, compliance, controlling) are organized in all risk functions. Appoint a Generalist as silos hindering risk information flow and impedeCRO, not a Quant. Foster regular information appropriate best practice transfer. exchange between risk functions. Poor data quality and/or tools for analysis and Perform regular internal and external best reporting.practice reviews regarding tools and quality. Inappropriate (calculation) models for risk Perform regular best practice reviews by assessments (e.g. stress testing), unrealisticexternal specialists. Always ask for alternative assumptions or inadequate calibrations to scenarios to get a feeling for ranges between please business requests. best and worst case. C. Communication between Risk Management and Senior Management Communication Problem Ideas for Improvements Tone at the top not fostering communication Tone from the top and positive role model by and/or risk culture; no common risk languageexecutives (leading by example). Anchoring in within the organization; focusing on facts that MbO. Establish Risk Model and use clearly support taken decisions.defined terms consistently in all communication. Managers tend to cover their lack ofTalk to executives beforehand if important understanding in front of colleagues (e.g. in a decisions have to be taken and get their committee). commitment before the board meeting. Inadequate setup of Risk Governance Initiate a best practice transfer from peers or (including silos, missing or ineffectiveother companies. Engage consultants to work management and risk committees, fragmentedwith executives and get their commitment to approval structures), e.g. due to gaps in riskchange the organizational structures. Improve management expertise. executives knowledge about risk management with adequate presentations and trainings. Senior Management does not ask for holistic Show interrelations between risks and between risk view but focuses on (wrong) details (big their decisions and possible consequences. picture problem). Departmental agenda of Senior Managers, ifIn a first phase for communication purposes also responsible for specific business areasdisconnect departments risk profile from overall (transparency on own risks not wished). risk profile. Link it again in a later stage. Inadequate risk reports due to high complexity, Reduce complexity dramatically. Focus on 3 to poor visualization or inaccurate timing.5 top issues per report/meeting, minor topics in Information overload. Low information quality.appendix. Use visualization techniques. D. Communication within Senior Management Communication Problem Ideas for Improvements Lack of transparency and alignment regardingFormalized meetings with Senior Managers risks, responsibilities and mitigation actions. from business and risk functions to get a common understanding on situation. Unclear communication of strategy within theIncrease awareness for this problem by organization; overall goals are not clear tomentioning it as major a risk. everyone. Lack of awareness; industry-wide issues are Document external events and establish link to not discussed (problem of others does notown company. Ask for detailed explanation why happen to us). this cannot happen to your company. Filtering of information and inappropriateUse direct communication channels to the aggregation method of risk information. appropriate executives. But keep confidential information confidential. 2009 by Markus Aeschimann | email@example.com | 06/04/20093/5 Let's talk about Risks - Handout - 20090406_1540_aem.docx 4. E. Communication between Senior Management and Stakeholders Communication Problem Ideas for Improvements Shareholders and Investors Risk of communication itself (e.g. profit Establish a communication policy and balance warnings); loss of trust after repeated poor information requirements with associated risks communication. consciously. Investors request more information on risks and Balance investors information needs with risk management approach than organizations internal confidentiality considerations. Studies are willing to provide. show that investors reward transparency. Public The public trusts in people (and media) instead Top Management must act in an authentic, of analyzing facts. open and trustworthy way, communicate about facts and experiences. Senior Management does not recognize shifts Establish a function for external monitoring. in publics perception regarding specific riskImplement standardized communication factors (e.g. corporate social responsibility). processes to provide management with meaningful insights and advice. Regulators, Rating Agencies and Analysts For banks: Problematic symbiosis betweenDo not focus on local regulator alone but also banks and regulators in general (importance ofbenchmark with best practices and regulations financial market and banks for Switzerland; in other industries or jurisdictions. regulator approves risk models but does limited challenging of results of these models only). Possible negative effects of full transparencySooner or later, transparency will be rewarded. (e.g. fines, special audits, withdrawal of license) E.g. rating agencies require full transparency. If may hinder organizations to communicate companies block information, they will receive a frankly about risks.poor rating. Rating Agencies requirements framework Benchmark with best practices and other risk regarding risk management not yet standards. sophisticated enough (e.g. ERM framework S&P for Insurers). Form of communication with analysts not Balance the importance of this stakeholder always adequate (e.g. analysts prefer analysts group for your business with the additional meetings or 1-to-1 sessions with Senior costs for individual communication. Management; organizations create reports and have large press conferences). Summary and focus points to improve risk communication The ultimate goals of risk communication are: Common Language / Framework: Improving the understanding of risks and risk management process. Holistic View: Ensuring that the views of all stakeholders are considered. Clear Responsibilities / Priorities: Ensuring that all stakeholders are aware of their roles and responsibilities within risk management. 2009 by Markus Aeschimann | firstname.lastname@example.org | 06/04/20094/5 Let's talk about Risks - Handout - 20090406_1540_aem.docx 5. A first step to achieve an adequate risk communication is to identify all relevant players, to make their information and communication relationships transparent and to be aware of the various possible communication problems. To improve risk communication, one should focus on the following points: Adjust organizational/functional setup; from silos to integrated risk functions. Build a common risk language and risk aware culture. Strive for a holistic risk view instead of focusing on detail issues. Use visualization techniques to improve communication in risk identification, risk assessment and risk reporting. Improve communication channels (e.g. committees, reports, escalation procedures). Start to improve internal communication, and then enhance external communication. References / Further Reading Eppler Martin: Jenseits der Folienprsentation: Wissenskommunikation zwischen Entscheidern und Spezialisten, April 2008. http://www.knowledge-communication.org/ICA_Workingpaper4- 08_Wissenskommunikation_Practice_Report.pdf (30.4.08) Eppler Martin: Knowledge Communication Problems between Experts and Managers, May 2004. http://www.bul.unisi.ch/cerca/bul/pubblicazioni/com/pdf/wpca0401.pdf (13.3.09) Eppler Martin / Aeschimann Markus: Envisioning Risk: A Systematic Framework for Risk Visualization in Risk Management and Communication, September 2008. http://www.knowledge-communication.org/envisioning- risk.pdf (13.3.09) Ernst & Young: Managing Risk Stakeholder Perspectives, November 2006. http://www.ey.com/GLOBAL/content.nsf/International/Global_Risk_-_Risk_Research_-_Stakeholder (13.3.09) Ernst & Young: Investors on Risk The Need for transparency, November 2005. http://www.ey.com/GLOBAL/content.nsf/International/Global_Risk_-_Risk_Research_-_Investor (13.3.09) FSA: Market Watch No 25 on Socit Gnrale case. http://www.fsa.gov.uk/pubs/newsletters/mw_newsletter25.pdf (13.3.09) Goto Shigeyuki: Study on Behavioral Risk Management Systems, November 2004. http://app.cul.columbia.edu:8080/ac/bitstream/10022/AC:P:65/1/fulltext.pdf (31.3.09) Selim Georges / McNamee David: The Risk Management and Internal Auditing Relationship: Developing an Validating a Model. In: International Journal of Auditing, 159-174 (1999). Senior Supervisors Group: Observations on Risk Management Practices during the Recent Market Turbulence, 6 March 2008. http://www.fsa.gov.uk/pubs/other/SSG_risk_management.pdf (13.3.09) SFBC: Subprime Crisis: SFBC Investigation Into the Causes of the Write-downs of UBS AG, 30.9.2008. http://www.finma.ch/archiv/ebk/e/publik/medienmit/20081016/ubs-subprime-bericht-ebk-e.pdf (13.3.09) Standard & Poors: Summary of Standard & Poor's Enterprise Risk Management Evaluation Process for Insurers, 26 November 2007. http://www2.standardandpoors.com/portal/site/sp/en/us/page.article/2,1,5,0,1148449517749.html (13.3.09) Stulz Ren: Six ways companies mismanage risk. In: Harvard Business Review, March 2009. Taleb Nassim Nicholas: The Black Swan. New York, 2007. UBS AG: Shareholder Report on UBSs Write-Downs, 18 April 2008. http://www.ubs.com/1/ShowMedia/about/news?contentId=140331&name=080418ShareholderReport.pdf (13.3.09) van Riehnen Bob / Schwaller Patrick: Risk Convergence From business pain to business gain. In: Ernst & Young Insight Financial Services, Autumn 2007. http://www2.eycom.ch/publications/items/fs/200703/ey_insight_fs_200703e.pdf (13.3.09) 2009 by Markus Aeschimann | email@example.com | 06/04/2009 5/5 Let's talk about Risks - Handout - 20090406_1540_aem.docx