
Is risk governance enough?

Håkan Jankensgård is Associate Professor at Lund University School of Economics in Sweden and holds a PhD in risk management. He is keenly interested in developing a practical approach to Enterprise Risk Management (ERM). We had an opportunity to ask Håkan a few key questions to sound out his approach to ERM.

Håkan, there is a negative perception of risk management, as focussing exclusively on what can go wrong and on reporting ancient history. Where has risk management gone wrong and how can this situation be remedied?

Many risk managers do indeed fall into the trap of acting like gatekeepers who only seem to focus on what could (or did) go wrong. While a certain aspect of control comes with the territory, truly useful risk managers are rather experts in methodology for assessing the risk-return consequences of business decisions and corporate policies. This way they support the businesses, helping them to make better decisions and to meet risk management expectations set by the executives and the board of directors.

This role does not mean risk management has to give up its independence vis-à-vis the board of directors. But it does require a thorough grasp of the firm’s value chain, as well as a holistic, forward-looking view of the firm’s financial performance.

Many risk managers do not analyse or communicate risk in terms of the financial numbers used by the rest of the business world, and therefore gradually fade into irrelevance.

Risk managers, taken as a group, need to become much more financially literate than they are today.

What value can a well-structured Enterprise Risk Management add to an organisation?  

I think there is great value from increasing an organization’s risk awareness so that a proactive attitude prevails, and in getting to where taking responsibility for one’s risks is self-evident and second nature. Experiencing fewer surprises is one of the primary goals of risk management.

Constantly being taken by surprise is not professional and an early sign that you might soon be outcompeted. There are also benefits in that high-quality risk information reaches the executives and directors of the board so that they can understand and be proactive about the firm’s overall risk-return profile.

A lot of corporate disasters have been preceded by the leadership of the firm simply not knowing the nature and extent of the risks their organization faced. ERM can also make the firm less disaster-prone by systematically addressing flawed incentives for risk management.

History has taught us that some of the worst risks are created by managers chasing short term financial goals which take priority over sound risk management.

Finally, there are a host of inefficiencies that can be reduced by looking at risk and return from the integrated perspective of the firm taken as a whole. A good ERM programme possesses the right tools and mindset to do precisely this.

I understand you believe risk management means quantifying uncertainty, but aren’t there risks out there that are difficult or impossible to quantify, for example cybersecurity?

The simple answer is that not even trying is worse. We need an estimate of the cost of risk to know how many resources we should be prepared to spend on mitigating it. We can easily over- or underspend on risk mitigation without this information. And we know that the cost of risk is given by probability and impact.

Subjective estimates are legit as long as they are based on the relevant facts and expertise where a conscious effort is made to remove known biases.

Not even trying to quantify these elements leaves us at the mercy of various biases we know affect decision-making in a big and sometimes dangerous way – people are often irrationally risk averse, or over-confident and prepared to take a large gamble. Quantification brings rigour to this process and allows us to make the right priorities. Colour codes and verbal descriptions are much too imprecise for this purpose.

Håkan, I understand you have authored a book together with Petter Kapstad from Equinor, what is the title and when can we expect it to be published?

Thank you for bringing this up. The book is called “Empowered Enterprise Risk Management: Theory and Practice” and it will be available on Amazon from January 2021.

We are pleased to announce that Håkan has accepted our invitation to hold a presentation as a keynote speaker at the risk management webinar on 25th November 2020, where he will speak on the subject “Is risk governance enough?”. Following Håkan’s presentation, you will also learn more about how Yara is coordinating risk response in a crisis. Read more about the event and register HERE.