
Let's Talk about Risk


DESCRIPTION

Handout to a presentation held in April 2009 at the University of Lugano, Switzerland, about the importance of communication within risk management. The paper also provides an overview of possible barriers within the communication about risks and within risk management.


© 2009 by Markus Aeschimann | [email protected] | 06/04/2009 1 / 5 Let's talk about Risks - Handout - 20090406_1540_aem.docx

Let’s Talk about Risks
Why Communication in Risk Management matters

Handout to the presentation “Let’s Talk about Risks – Why Communication in Risk Management matters”, at the Università della Svizzera Italiana (Lugano) on 14 April 2009.

Thesis: Adequate and systematic communication in Risk Management is essential for organizations to achieve their goals.

Definition of relevant terms

Communication (in particular: knowledge communication): (Deliberate) activity of interactively conveying and co-constructing insights, assessments, experiences, or skills through verbal or non-verbal means. Successful transfer of know-how, know-why, know-what and know-who through face-to-face (co-located) or media-based (virtual) interactions.

Knowledge Communication process: Identification of experts → Briefing to experts → Analysis by experts → Communication of results → Decision taking → Implementation.

Risk: Uncertainty that influences the achievement of goals in a negative or positive way.

Risk Management: Structured approach of assessing, improving, monitoring and reflecting about risks and risk management in order to minimize the effects of risks on an organization's goals (see Figure 1).

Risk Communication is the deliberate activity of interactively conveying and co-constructing information, experience and insights about single risks, risk portfolios and risk management activities through verbal or non-verbal means.

Risk Visualization designates the systematic effort of using (interactive) images to augment the quality of risk communication along the entire risk management cycle.

Internal communication about risks

Internal communication about risks and risk activities is required to govern and manage an organization successfully.

All relevant functions of an organization are involved in this communication (see Figure 2).

Furthermore, external parties like investors, regulators or rating agencies are interested in risk information.

Common enablers and tools for communication about risks:

Formal Risk Management Committees and/or Audit & Risk Committees

Standardized risk models and methodologies

Regular risk and control issues reports; key risk indicator reports; ad-hoc analysis; early warnings

Figure 1: Generic risk management process

Figure 2: Risk communication between internal functions (diagram labels: Organization; Oversight / Board of Directors; Senior Management / Executive Board; External Audit; Business (Specialists); Internal Audit; Risk Mgt; Discussions; Inquiries/Reviews)


Pre-defined escalation procedures for crisis situations or important information exchange

Focused reviews about risks/issues (e.g. by Internal Audit or risk functions) resulting in recommendations

Alignment meetings between representatives of Business and Risk Functions

Formal and informal ad-hoc meetings, phone conferences etc. regarding specific risks or issues

Central model and possible communication problems

To analyse potential communication problems within risk management, we should focus on the various “players” taking part and their communication relationships with each other (see Figure 3). A relationship we do not look at in detail here is the constant exchange with the external environment regarding risk input and best practices (outside-in perspective).

The following is a selection of possible communication problems in risk management, together with some suggestions.

A. Communication between Business Specialists and Risk Management

| Communication Problem | Ideas for Improvements |
| --- | --- |
| No common risk language. | Establish a Risk Model and use clearly defined terms consistently in all communication. |
| Performance vs. risk perspective, e.g. in product development, M&A, strategy development. | Implement standardized processes with “toll gates” and involve risk functions to enable holistic view (e.g. in product development). |
| “Information hiding” by business due to inadequate incentives and remuneration (neglecting long term effects or sustainability of business). | “Tone from the top” and positive role model by executives (leading by example) to foster open communication culture. Anchoring in MbO. |
| Risk Managers do not completely understand the business or – on the other hand – are not independent enough and therefore cannot challenge the business adequately to think about the risks of their business model. | Risk Managers should get insights into business processes, e.g. by being involved in internal audit assignments from time to time. Regular exchange with similar functions from peer companies. |
| Limits in risk documentation/communication to be considered due to possible legal or security impact (examples: product risks and liability, security services). | Focus on communication instead of documentation. If management is aware of such risks they can take appropriate measures. |
| No or inappropriate usage of visualizations like risk maps, driver maps etc. in the identification and assessment phase of risk management. | Learn visualization techniques and include appropriate visuals in discussions, presentations and reports. |

Figure 3: Central model for knowledge communication in risk management


B. Communication within Risk Management

| Communication Problem | Ideas for Improvements |
| --- | --- |
| Risk functions (e.g. investment risk, operational risk, compliance, controlling) are organized in silos, hindering risk information flow and impeding appropriate best practice transfer. | Establish a Chief Risk Officer role as a head for all risk functions. Appoint a “Generalist” as CRO, not a “Quant”. Foster regular information exchange between risk functions. |
| Poor data quality and/or tools for analysis and reporting. | Perform regular internal and external best practice reviews regarding tools and quality. |
| Inappropriate (calculation) models for risk assessments (e.g. stress testing), unrealistic assumptions or inadequate calibrations to please business requests. | Perform regular best practice reviews by external specialists. Always ask for alternative scenarios to get a feeling for ranges between best and worst case. |

C. Communication between Risk Management and Senior Management

| Communication Problem | Ideas for Improvements |
| --- | --- |
| “Tone at the top” not fostering communication and/or risk culture; no common risk language within the organization; focusing on facts that support taken decisions. | “Tone from the top” and positive role model by executives (leading by example). Anchoring in MbO. Establish Risk Model and use clearly defined terms consistently in all communication. |
| Managers tend to cover their lack of understanding in front of colleagues (e.g. in a committee). | Talk to executives beforehand if important decisions have to be taken and get their commitment before the board meeting. |
| Inadequate setup of Risk Governance (including silos, missing or ineffective management and risk committees, fragmented approval structures), e.g. due to gaps in risk management expertise. | Initiate a best practice transfer from peers or other companies. Engage consultants to work with executives and get their commitment to change the organizational structures. Improve executives’ knowledge about risk management with adequate presentations and trainings. |
| Senior Management does not ask for holistic risk view but focuses on (wrong) details (big picture problem). | Show interrelations between risks and between their decisions and possible consequences. |
| “Departmental agenda” of Senior Managers, if also responsible for specific business areas (transparency on own risks not wished). | In a first phase – for communication purposes – disconnect departments’ risk profile from overall risk profile. Link it again in a later stage. |
| Inadequate risk reports due to high complexity, poor visualization or inaccurate timing. Information overload. Low information quality. | Reduce complexity dramatically. Focus on 3 to 5 top issues per report/meeting, minor topics in appendix. Use visualization techniques. |

D. Communication within Senior Management

| Communication Problem | Ideas for Improvements |
| --- | --- |
| Lack of transparency and alignment regarding risks, responsibilities and mitigation actions. | Formalized meetings with Senior Managers from business and risk functions to get a common understanding on situation. |
| Unclear communication of strategy within the organization; overall goals are not clear to everyone. | Increase awareness for this problem by mentioning it as a major risk. |
| Lack of awareness; industry-wide issues are not discussed (“problem of others – does not happen to us”). | Document external events and establish link to own company. Ask for detailed explanation why this cannot happen to your company. |
| Filtering of information and inappropriate aggregation method of risk information. | Use direct communication channels to the appropriate executives. But keep confidential information confidential. |


E. Communication between Senior Management and Stakeholders

Shareholders and Investors

| Communication Problem | Ideas for Improvements |
| --- | --- |
| Risk of communication itself (e.g. profit warnings); loss of trust after repeated “poor communication”. | Establish a communication policy and balance information requirements with associated risks consciously. |
| Investors request more information on risks and risk management approach than organizations are willing to provide. | Balance investors’ information needs with internal confidentiality considerations. Studies show that investors reward transparency. |

Public

| Communication Problem | Ideas for Improvements |
| --- | --- |
| The public trusts in people (and media) instead of analyzing facts. | Top Management must act in an authentic, open and trustworthy way, communicate about facts and experiences. |
| Senior Management does not recognize shifts in public’s perception regarding specific risk factors (e.g. corporate social responsibility). | Establish a function for external monitoring. Implement standardized communication processes to provide management with meaningful insights and advice. |

Regulators, Rating Agencies and Analysts

| Communication Problem | Ideas for Improvements |
| --- | --- |
| For banks: Problematic symbiosis between banks and regulators in general (importance of financial market and banks for Switzerland; regulator approves risk models but challenges the results of these models only to a limited extent). | Do not focus on local regulator alone but also benchmark with best practices and regulations in other industries or jurisdictions. |
| Possible negative effects of full transparency (e.g. fines, special audits, withdrawal of license) may hinder organizations from communicating frankly about risks. | Sooner or later, transparency will be rewarded. E.g. rating agencies require full transparency. If companies block information, they will receive a poor rating. |
| Rating Agencies’ requirements framework regarding risk management not yet sophisticated enough (e.g. ERM framework S&P for Insurers). | Benchmark with best practices and other risk standards. |
| Form of communication with analysts not always adequate (e.g. analysts prefer analysts’ meetings or 1-to-1 sessions with Senior Management; organizations create reports and have large press conferences). | Balance the importance of this stakeholder group for your business with the additional costs for individual communication. |

Summary and focus points to improve risk communication

The ultimate goals of risk communication are:

Common Language / Framework: Improving the understanding of risks and risk management process.

Holistic View: Ensuring that the views of all stakeholders are considered.

Clear Responsibilities / Priorities: Ensuring that all stakeholders are aware of their roles and responsibilities within risk management.


A first step towards adequate risk communication is to identify all relevant players, to make their information and communication relationships transparent and to be aware of the various possible communication problems.

To improve risk communication, one should focus on the following points:

Adjust organizational/functional setup; from silos to integrated risk functions.

Build a common risk language and risk-aware culture.

Strive for a holistic risk view instead of focusing on detail issues.

Use visualization techniques to improve communication in risk identification, risk assessment and risk reporting.

Improve communication channels (e.g. committees, reports, escalation procedures).

Start to improve internal communication, and then enhance external communication.
