CHAPTER 16
Operational Risk Management

DIANA DEL BEL BELLUZ

President, Risk Wise Inc.

INTRODUCTION

A fable …

When Richard Preston drove into work, a sick feeling of dread gnawed at his stomach. The morning paper had a front-page article on Steelbelt Corporation, the company where he had been working for the past 18 months. It was more bad news—a fiery crash that killed a young couple and their two children. The article said that a Steelbelt-500 tire on the crashed vehicle had failed. The journalist rehashed details from four other recent accidents involving Steelbelt tires. It raised questions about the quality of Steelbelt-500 tires, the same model that was manufactured at the plant where Richard worked. Now customers were afraid to buy Steelbelt’s tires. Another article in the business section told of shareholders who were irate over a 50 percent drop in the value of the company’s stock over the past two months. Rumors of layoffs and cost-cutting were circulating among Richard’s co-workers. Two of Steelbelt’s biggest customers were threatening to tear up their contracts to put the company’s tires on 30 percent of their vehicles manufactured in North America and Europe.

Steelbelt Corporation had been in business for more than 50 years and had grown from a single plant in Detroit to a multinational company. Richard had joined Steelbelt’s internship program at the company’s flagship plant right after completing his MBA. He had enjoyed his stints in production, purchasing, and finance. Sometimes, at lunch, he would hang out at the company’s test track, watching the drivers and researchers from the lab. Richard loved working for Steelbelt—he loved the people, he loved the products, he loved the pioneering atmosphere. How could things have gone so terribly wrong?

Every organization exists to achieve its goals. A few organizations achieve their objectives flawlessly. Others fail miserably, to the point where the organization does not survive. And most organizations fall somewhere in between, achieving only lackluster results that are well below their performance potential. Why does this gap between potential and actual performance exist? It turns out that poor operational effectiveness is, in large part, caused by poor operational risk management (ORM).[1]

This chapter explores the fundamentals of risk management in an operational setting and how ORM can be used to capture the full performance potential of an organization. The Steelbelt fable is used throughout the chapter to illustrate the answers to fundamental questions, including:

  • What is operational risk and why should you care about it?
  • Is risk all bad?
  • How do you assess operational risks, particularly in a dynamic business environment?
  • Why do you need to define risk tolerance for aligned decision making?
  • What can you do to manage operational risk?
  • How do you encourage a culture of risk management at the operational level?
  • How do you align operational risk management with enterprise risk management?

WHAT IS OPERATIONAL RISK AND WHY SHOULD YOU CARE ABOUT IT?

Every organization exists to achieve its goals. The nature of those goals can vary widely between organizations; for example, “profit” goals for shareholders (corporations), “serving citizens and protecting the public good” (government), or “support for worthy causes” (not-for-profits). Whatever its goals, to achieve them an organization needs to set objectives (what targets and milestones it will pursue on the path to its goals) and strategies (how it is going to accomplish its goals). Enterprise risk management (ERM) focuses on ensuring that an organization manages the uncertainty that exists around the achievement of its objectives. Operational risk management (ORM) is focused on managing the risks that appear during its day-to-day activities of actually executing the organization’s strategy.

Thousands of decisions are made every day in every organization. A few are strategic decisions about what the organization wants to achieve in the future (i.e., its corporate objectives) and how it is going to achieve those objectives (i.e., its corporate strategy). These are corporate decisions, typically made infrequently and by the directing minds of the organization. Corporate decisions are about setting the destination and direction of the organization and defining the policies for how people will behave.

The central aim of operations is to perform, in other words, to effectively deliver on corporate objectives using corporate strategy. Failure to effectively and efficiently execute strategy is a major source of operational risk. The three main activities that executives must engage in to manage their operational risks are:

  1. Establish clarity around objectives, roles, and responsibilities. This includes both a clear understanding by everyone of the corporate objectives that the organization as a whole is working toward and for each person a clear understanding of exactly how they will contribute and how that fits into the bigger picture. The organization’s leadership needs to ensure that people know what the corporate strategy is so that they can align to it, pulling together to achieve the organization’s goal and objectives.

    For example, when NASA decides to land a spacecraft on the moon—that is a clear goal. To achieve it every single person in the organization needs to know exactly how he or she is expected to contribute to the achievement of that goal.

  2. Align resources to deliver excellent performance. There is no excuse for mismanaging the factors that are within the organization’s control. This includes amassing the right resources (people, business processes, and systems) and designing and applying effective and efficient processes that optimally configure and manage those resources toward the achievement of objectives, using the agreed strategy.

    The ability to perform consistently and to deliver high quality results in a dynamic business environment doesn’t just happen because of a perfect plan. That’s because life is uncertain and not everything will go as expected. Managers who achieve excellent performance are proficient in adjusting their plans based on these capabilities:

    • Understanding the factors within their control that drive performance (the interrelationships between people, business processes, and systems)
    • Monitoring performance indicators to know which factors need to be adjusted to achieve the desired performance results
    • Re-optimizing their resources toward the achievement of their objectives

    The resource optimization process encompasses constant monitoring of progress and adjusting the operational plans and business practices required to maintain alignment to strategy and ultimately to deliver excellent performance.

    Returning to the earlier example, NASA lands a spacecraft within a few yards of its target on the moon, which is 240,000 miles away from Earth. Although the NASA mission team starts with an excellent flight plan, they will spend 99 percent of their time during the flight monitoring the ship’s position and the status of its systems and making course corrections to ensure that the ship is tracking for its ultimate destination.

  3. Develop capabilities to handle unexpected or uncontrollable factors. For those risks that are outside of the expected range or are imposed on the organization by external forces, the management stance shifts from one of prevention and control to one of readiness and resilience. The three strategies for dealing with uncontrollable and unpredictable risks are:
    1. Cultivating awareness of factors and trends in the external environment. It is only by keen monitoring of the environment that managers can anticipate and detect new risks.
    2. Building relationships with external stakeholders. Positive relationships can help the organization to influence stakeholder decisions that could prevent or diminish the impact of negative external factors on the organization and enhance the impact of positive factors that contribute to success. Establishing rapport with stakeholders prior to a crisis occurring can be critical in managing through a crisis.
    3. Developing response capabilities. This encompasses both the development of crisis management plans as well as the development of the capabilities to quickly realign the organization’s resources so that it can respond with agility to massive or step changes or catastrophic events. To respond to events and conditions that are truly outside of the ordinary, a manager needs to be flexible, innovative, and improvising.

In the NASA example, this would mean identifying the expected conditions and factors that are beyond the organization’s control (e.g., weather, meteorites, funding) and putting in place strategies and capabilities to deal with them (e.g., developing weather monitoring and forecasting systems to increase awareness of risks, developing meteorite avoidance systems to respond in a timely manner, and cultivating relationships with funding agencies and stakeholders to ensure the perceived value of NASA remains high). It also means putting in place capabilities for dealing with “unexpected” factors or events or conditions that are outside of the normal range.

To fully manage operational risk requires paying attention to all three activities together, that is, clarifying objectives, aligning resources, and developing capabilities to prepare for the unexpected. If any of those three actions are ignored, the organization will perform below its potential.

This assertion is validated by research conducted in 2004 by Mankins and Steele[2] in which they surveyed 197 companies worldwide with sales in excess of $500 million. They assessed the actual performance achieved for each company and compared it to the financial forecast in the company’s business plan. On average, the companies were only achieving 63 percent of their objectives relating to financial performance. That amounts to an average performance loss of 37 percent.

Why does this 37 percent gap between potential and actual performance exist? The specific root causes that Mankins and Steele discovered are listed in Exhibit 16.1. Their research shows that poor operational performance is, in large part, caused by poor operational risk management. Note that the root causes they identified are all related to a failure to achieve one or more of the drivers of operational effectiveness:

  • Establish clarity around objectives, roles, and responsibilities (15.8 percent of performance loss in the study is related to this ORM activity).
  • Align resources to deliver quality in implementing strategy (15.4 percent of performance loss in the study is related to this ORM activity).
  • Develop capabilities to handle unexpected or uncontrollable factors (6.3 percent of performance loss in the study is related to this ORM activity).

Based on the research, one can conclude that the core operational risk management activities are tightly aligned with performance drivers. If the research findings into financial performance shortfalls hold true for other organizational performance objectives, one can expect a tremendous cost associated with poor operational risk management in terms of the organization’s ability to meet or exceed its performance targets. Executives and managers need to ask themselves, can they afford to leave 37 percent of the organization’s performance potential on the table? If not, they need to care about and master operational risk management.

Returning to the Steelbelt fable, at the strategic level, the organization would have decided on its direction, for example, which markets to be in, which (and how much of each) products to make to meet market needs, and profit targets. At the operational level, those decisions would have been translated into sales, production and cost targets. Included in the production targets would be targets for quality and safety to meet the expectations of customers, regulators, and other stakeholders.


Exhibit 16.1 Where the Performance Goes

Source: Adapted from “Turning Great Strategy into Great Performance,” Mankins and Steele, Harvard Business Review, August 2005.

The main character in the fable at the beginning of the chapter, Richard Preston, wondered, “How could things have gone so wrong?” The fable contains a powerful example of what can happen when the ability to deliver high quality fails. In the fable it led to substandard tires, accidents, fatalities, and lawsuits that collectively damaged the company’s reputation and threatened the survival of the organization. What could have led to that quality slip? The fable doesn’t give us enough information to know. We can guess at the reason(s). Perhaps the objective of product safety was not clear or was in conflict with other priorities such as cost cutting. Perhaps resources (people, business processes, and systems) were not aligned to produce a high-quality product. Perhaps the company was unable to maintain alignment of its resources to its strategy because of unexpected factors, such as a hurricane causing an oil price hike, which in turn softened car sales and created pressure to lower costs to maintain market share and profit margins. Whatever the reason(s) for Steelbelt’s predicament, the fable emphasizes the importance of appropriate management of operational risk and the impact it can have on the overall performance of an organization.

IS RISK ALL BAD?

For many people, the word “risk” has a negative connotation and is associated with losses or damages of some sort. But for some people, the word risk actually has a positive connotation. To them, risk is synonymous with the potential for benefit, reward, or a gain of some sort, in other words, an opportunity.

The fact is risk exists in all human endeavors. Risks (both threats and opportunities), benefits, and costs are inextricably linked. We take risks, not to avoid loss but to attain benefits. For people who see risk as something negative, the risk management mistake they most often make is to try to protect organizational value by avoiding, eliminating, or controlling all risk. This skews the distribution of resources toward value protection and away from value creation. The flaw in this risk-averse mindset is that in attempting to eradicate all threat of loss, the potential for gain is also diminished. But to take risks with no consideration or weighing of the possible losses can lead to unnecessary exposure to threats.

The trick is to find the level of responsible risk taking that avoids the extreme positions of reckless gambling and risk aversion. Taking responsible risks is a necessary part of business and life. In the words of Will Rogers, “you’ve got to go out on a limb sometimes because that is where the fruit is.” Robert Mittelstaedt,[3] business guru and Vice Dean and Director for Executive Education at the Wharton School, puts it this way: “if you do not make any mistakes, you may not be taking enough risk, but failing to take any risks at all may be the most dangerous type of mistake that a business can make.”

Since risks, benefits, and costs are all inextricably linked, how do you strike the right balance between them? Finding the balance is central to determining the organization’s risk tolerance, which is covered in a later section. However, before discussing tolerance, the organization first must understand the magnitude of the risks it faces and what can be done about them.

Returning to the Steelbelt fable, there appears to be a classic risk (lawsuits and reputation damage triggered by lower quality) versus benefit (lower costs to protect market share and profit margin) tradeoff. The story doesn’t tell us what led to the drop in quality. It does tell us that the company had a pioneering “atmosphere.” Hindsight after a risk has materialized often makes it easy to forget how important that pioneering atmosphere would have been in fueling the company’s growth for 50 years. Did they go too far with cost reductions this time? In the Steelbelt example, it would appear that the risk-reward tradeoff might have been skewed toward reducing costs over maintaining quality.

HOW DO YOU ASSESS OPERATIONAL RISKS, PARTICULARLY IN A DYNAMIC BUSINESS ENVIRONMENT?

The reality of life is that every manager faces many, many risks in the course of a day but can only devote attention to the most significant few. To decide which risks are the “significant few” that merit attention, a manager can choose among several approaches, including: guessing; relying on gut feel based on intuition and experience; applying a disciplined approach to assessing the magnitude of the risks; or using some combination of these approaches. Regardless of the approach used to estimate the size of a risk exposure, at the end of the day, a value judgment must be made about whether the risk exposure is tolerable or if the organization needs to take on more risk or reduce its risk exposure to successfully meet its objectives and risk tolerance criteria.

Most operational environments are characterized by change. Change brings with it risks and crafting an appropriate response to change is a major aim of operational risk management. Some changes are within the organization’s control, that is, those that emanate from within the internal environment (e.g., new or modified business processes, new systems, new people that bring new relationships, new leaders that bring new priorities). Other changes originate from the external business environment (e.g., new customers, new competitors, new regulations, changing demographics, changing economics, evolving stakeholder expectations, weather, climate). Although the organization can’t control these external factors, it can control its response to and preparation for them.

In such a dynamic environment, how can one understand and appropriately assess operational risks? The key is to start with the objective that is to be achieved. The next steps are to identify the factors that drive performance and risk, to understand which of these factors are most likely to impact performance, and then to understand the size of the potential impact on the achievement of the objective(s). The simple definition of risk, “more things can happen than will happen,”[4] is a salient reminder of why it is good practice to consider the range of potential impacts rather than focusing on a single scenario or potential outcome. A simple way to accomplish this is to envisage both the extreme (or worst) case and the typical (or expected) case. Based on this analysis, a manager can decide which factors are most significant and concentrate his or her efforts on them. Finally, it is important to note the assumptions made in identifying, assessing, and selecting performance and risk factors.

Risk cannot be measured directly. It can only be estimated because it involves predicting a future outcome. Therefore, all risk estimates involve judgment. This is true whether they are based on quantitative assessment and well-established facts or strictly on intuition. Because there is no way to estimate a risk without making some assumptions, it is extremely important to clearly distinguish between assumptions and facts in the analysis. It is also wise to test assumptions to ensure they are still valid as changes occur in the business environment and as new information becomes available. If, over time, the assumptions prove to be incorrect or invalid, the entire analysis will need to be revisited.

The effort invested in risk assessment should be commensurate with the risk and with the information available. Large risks usually warrant a detailed risk assessment, perhaps even the construction of risk models. This is because large risks normally demand more resources for risk mitigation, and therefore it is advisable to gather enough information to make good resource allocation decisions. For smaller risks, managers generally rely on past experience and judgment because even if they are wrong, there is not a lot at stake. In cases where it is not possible or cost-justified to model the risk, it is necessary to rely on judgment.

To illustrate the principles of operational risk assessment, consider another chapter in the Steelbelt fable. When Richard Preston worked in the production department, he was responsible for reviewing and revising manufacturing procedures to ensure they were compatible with the company’s new sustainability policy. Here are the seven steps Richard used to assess the operational risks associated with this task.

  1. Clearly define the objective. In this case, Richard’s objective is to ensure that manufacturing procedures are compatible with the company’s new sustainability policy.
  2. Understand the performance drivers. The achievement of this objective will be dependent on:
    • Richard’s ability to gain accurate knowledge of the existing manufacturing procedures.
    • Richard’s ability to develop a strong understanding of the expectations of the sustainability policy.
    • Richard’s ability to put that knowledge together to make revisions to the written manufacturing procedures that reflect the new sustainability policy.
    • Richard’s ability to update the manufacturing procedures such that the production unit can and wants to adopt them as part of their business practices.
  3. Understand the risk drivers. What factors drive uncertainty around achieving objectives?
    • Richard’s ability to gain accurate knowledge of the existing manufacturing procedures is dependent on his ability to gain the cooperation of the production department.
    • Richard’s ability to develop a strong understanding of the expectations of the sustainability policy is dependent on his ability to educate himself and on the clarity of the policy.
    • Richard’s ability to put that knowledge together to make revisions to the written manufacturing procedures that reflect the new sustainability policy is dependent on his ability to integrate and apply his knowledge.
    • Richard’s ability to update the manufacturing procedures such that the production unit can and wants to adopt them as part of their business practices is dependent on his ability to work with the production department and understand the culture and other relevant factors that would motivate the business personnel.
  4. Identify the factors most likely to impact objectives. Richard reviewed the performance and risk factors. He determined that the second and third risk factors above are within his control, and he was confident in his ability to acquire and apply knowledge, so he decided that these two factors are not relevant. However, the remaining risk factors are not entirely within his control. He quickly recognized that his ability to work collaboratively with the production department is key for both of those risk factors.
  5. Estimate the size of the impact. The range of scenarios includes: full, partial, or no cooperation from the production department. Richard estimates that in the worst-case scenario, that is, if the production department doesn’t cooperate at all, he would be completely prevented from achieving his objective. The expected scenario is that the production team cooperates enough for him to be able to revise the written procedures but that they put up some resistance to applying the revisions in practice. With only partial cooperation Richard would only partially achieve his objective.
  6. Select the significant few. Richard decided the most significant operational risk factor was obtaining the cooperation of the production department in actually adopting the revisions that introduce sustainability considerations into production procedures.
  7. Identify the underlying assumptions. The key assumptions Richard made are:
    • That he will correctly understand and interpret the sustainability requirements.
    • That he can win the cooperation of the production department in the renewal process.
    • That his estimation of his ability to integrate and apply knowledge is accurate.
    • That the production department will adopt the changes if he communicates well.

This example of a simple risk assessment illustrates how one can quickly identify the key factors to focus on in order to effectively manage risk and ensure success in the pursuit of operational performance objectives.

WHY YOU NEED TO DEFINE RISK TOLERANCE FOR ALIGNED DECISION MAKING

Every decision or action carries within it both the potential for positive and negative effects on operational objectives and ultimately for the organization’s corporate objectives. The challenge of effective management at both the enterprise and operational levels is to take decisions and actions that strike an appropriate balance between potential upside and downside effects. This balance is reflected in the organization’s risk appetite and risk tolerance.

Risk appetite refers to how much risk an organization is willing to take on to ensure it has ample opportunity to achieve its objectives. When making a decision, managers and employees need to understand the organization’s risk appetite in order to distinguish which risks are good to take and which are bad, in other words, where the organization will and will not go in the pursuit of its objectives. It is somewhat analogous to deciding if you want to go fishing on a small lake or the ocean. The larger body of water has more fish and therefore offers more opportunity than if you were to fish in a lake. But it also requires more equipment and has more perils. To use another sporting analogy, deciding the organization’s risk appetite is akin to deciding in which baseball league you wish to play—pick-up, amateur, or professional. Each league has different expectations of players and also offers different potential benefits. A consumer analogy is deciding whether to shop at a store that offers deeply discounted prices but doesn’t allow a refund versus a different store that has higher prices but provides a refund option.

Risk tolerance is used to communicate the appropriate level at which a risk must be managed to be considered acceptable. Risk tolerance is not defined as a single finite number, but rather as a tolerable zone or range of values where an operational risk is neither under-managed nor over-managed. When a risk is under-managed, existing management activities and practices around that risk do not produce enough certainty that operational objectives will be achieved. When a risk is over-managed, the amount of certainty produced by existing management activities and practices does not merit the investment of time, effort, and resources dedicated to the risk and would be better applied elsewhere. Employees and managers need to understand the organization’s criteria for risk tolerance to ensure that their decisions lead to the most efficient and effective use of resources and balance potential upside and downside effects.

Risk appetite and risk tolerance are not usually derived empirically. They are statements of the organization’s (and the decision maker’s) values about what is appropriate, fair, and desirable behavior. An explicit understanding of risk appetite and risk tolerance is fundamental to enable an organization to implement systematic operational risk management. Yet many organizations (or more precisely their leaders) find it difficult to explicitly define and actively communicate about risk tolerance.

There are three common reasons that organizations fail to articulate their risk appetite and/or risk tolerance. The first reason is that many executives fall prey to the mistaken belief that articulating risk appetite or tolerance actually gives permission for risky behavior. The second reason is they don’t know how to develop a reliable gauge of risk tolerance. The third challenge is that it is not always clear how to align risk tolerance and risk appetite with organizational objectives and strategies at the operational level. How does an organization overcome these barriers and define risk tolerance and appetite in a manner that sets out appropriate guidance for decision making and behavior?

The first step is to replace any vestiges of a risk-averse mindset with one that embraces risk management as the foundation of stewardship. For many people, risk is seen as negative, and any level of risk is seen as unacceptable, particularly when it comes to issues involving human health and safety. The rationale is that tolerance of any level of risk is not acceptable. However, this frame of thinking is faulty. Of course, damage to humans, the environment, and society is unacceptable. The job of risk management is not to decide how much damage can be sustained. Rather, it is to make the best use of resources. Stewardship is about deciding how to best allocate scarce resources (and attention) to ensure the achievement of objectives for performance while also meeting criteria for other valued outcomes such as employee health and safety, environmental sustainability, and corporate citizenship. Managers and employees cannot be expected to uphold the organization’s values around risk appetite and risk tolerance if they are not clearly and explicitly communicated.

In order to communicate about risk appetite and tolerance, most organizations begin by gauging their de facto risk tolerance and appetite. The fact is that whether or not its leaders have formally articulated the organization’s risk tolerance and risk appetite, they have done so tacitly in their decisions and in the business practices that they encourage and condone. Therefore, a logical way to measure risk appetite and tolerance is to estimate the level of risk that the organization is exposed to given its current objectives, strategies, and management practices. This is the de facto risk appetite and risk tolerance of the organization.

To illustrate, let’s revisit the example of deciding whether to shop at a store that offers deeply discounted prices but doesn’t allow a refund, versus a different store that has higher prices but provides a refund option. An organization might have a policy that for purchasing office supplies under a certain amount (say $500) employees can shop at the store with the discounted prices, but purchases of items that cost more than $500 must be made at a store that offers a refund. This policy shows that the de facto risk tolerance for office supply purchases is to put no more than $500 at risk to pursue the opportunity for savings. The threshold of $500 is an indication of the value the organization places on its cash. Upon reflection, executive management may decide that the threshold is too low, especially if it also considers the value of the time that employees would spend on returning items, particularly if the time spent on returning a purchase costs the organization more than $500.

Once senior leaders have an assessment of the organization’s de facto risk appetite and risk tolerance, they can critically examine it to see if there are any gaps between the de facto, or actual values, and the espoused values. Actual values are how managers and employees behave based on the values that actually underpin the interpersonal dynamics of the organization.[5] Espoused values are what senior leaders aspire to and communicate both orally and in written form. If there are gaps between actual and espoused values, senior leaders may wish to make adjustments to bring them back into alignment. For example, as a result of assessing current risks and risk management practices, it is not uncommon for senior managers to be surprised to discover the high level of risks that some of their people are taking on behalf of the organization, or conversely, that their people are forgoing good opportunities because they are afraid to take on risk. As a result, senior leaders will typically seek to clarify policies and expectations around decision making by making risk appetite and risk tolerance explicit.

To improve the alignment of risk tolerance and risk appetite with organizational objectives and strategies, it is important to weave them into performance management and reporting systems. For instance, risk appetite can be worked into operational performance management by ensuring that performance targets encourage people to take on the amount of risk necessary to achieve the organization’s objectives. Risk tolerance levels can be woven into the reporting system by using the boundaries of the tolerable zone as the triggers for escalating and reporting on problems and opportunities.

In the Steelbelt fable, we learn that Richard “loved the people, he loved the products, he loved the pioneering atmosphere.” A pioneering atmosphere is a sign that the company had a healthy risk appetite. However, the risk tolerance is not clear in the case study. Was risk considered in the organization’s cost-cutting measures? Were risk indicators around product quality established? Particularly at times of change, it is important to articulate how much risk the organization is willing to take on in order for employees to know how much latitude they have to innovate as they implement the change. It’s also important to establish and monitor risk indicators that provide early warning signs that a risk is moving outside of the tolerable zone.

WHAT CAN YOU DO TO EFFECTIVELY MANAGE OPERATIONAL RISK?

All organizations manage operational risk to some degree or they would not survive. However, in many organizations risk management practices are ad hoc or patchy. This unnecessarily exposes the organization to unplanned risk and can have a negative impact on performance as described earlier. Whereas at the enterprise level, risk management is focused on selection of the best strategy, at the operational level the focus of risk management is on successful execution of strategy.

An earlier section provided some insight into how to systematically identify and assess risks. The previous section showed how to articulate risk appetite and tolerance. This section will address how to evaluate risk management effectiveness and how to develop effective risk response capabilities.

The systematic management of operational risk requires applying discipline to the tasks of:

  • Identifying and quantifying the risks associated with implementing a particular strategy, so that the potential impact that these risks can have on operational objectives can be understood.
  • Evaluating the organization’s risk management effectiveness by assessing the ability of existing risk treatment efforts to maximize upside effects and minimize downside effects on objectives. If this evaluation reveals that the risk exposure is not within the bounds of the organization’s risk tolerance, then the existing suite of risk treatments needs to be modified.
  • Developing an adaptive risk response capability to bring the risk within the defined risk tolerance range and to keep it there when changes occur either in the level of risk (normally caused by changes in the internal or external business environment) or in the organization’s risk tolerance.

To analyze the effectiveness of the organization’s existing risk response, a good way to start is to inventory what is currently being done to treat each key risk identified. Next, the organization should compare the level of risk exposure under the existing risk treatments to the organization’s risk tolerance. If the risk is tolerable, then no additional treatment is required. If the risk is under-managed, additional risk treatments are to be considered. If the risk is over-managed, then it may be advisable to reallocate some of the risk treatment resources to other more significant risks.

Typical risk response activities fall into one of two categories:

  • Monitoring to detect changes in risk levels. This information is used to trigger risk treatment action.
  • Action to change the potential likelihood of the risk (i.e., reduce or increase prevention activities) and/or the potential impact of the risk (i.e., reduce or increase mitigation activities).

For each risk that is either under- or over-managed, the person responsible needs to decide what can be done and how much needs to be done to bring the risk back within tolerance. Periodically, as changes are detected in either the level of risk exposure or the tolerance for risk, risk treatments will need to be reevaluated and if necessary modified to adapt to the new conditions.


Exhibit 16.2 The Bowtie Model

Before launching into a description of how to manage risk, it is helpful to first understand the relationship between:

  • A risk factor (also called a cause or issue or underlying condition), which is the precursor of a risk event.
  • A risk event (also called a problem or opportunity) that occurs when a risk becomes manifest.
  • A consequence (also called an outcome) that results when a risk transcends from possibility to actuality.

The Bowtie model shown in Exhibit 16.2 is used to map out the progression of a risk from underlying cause, to risk event, to consequence. In the middle, the knot of the bowtie represents an event with the potential to affect the achievement of objectives. The left half of the bow represents the underlying conditions or causes that trigger the event, including any prevention capabilities that are in place. Prevention capabilities (e.g., risk controls or risk treatments) focus on limiting the probability that a risk event will occur. The right half of the bow represents what unfolds after the event occurs, including any mitigation capabilities that are in place and the consequences of the event in terms of the ultimate impact on objectives. Mitigation capabilities (e.g., risk controls or risk treatments) focus on limiting the nature and extent of the effects that the event has on the achievement of objectives.

Exhibit 16.3 contains three illustrative examples of the relationship among cause, risk event, and consequence. In example #1, the risk event is an employee who trips and falls. The cause is a broken shoelace. The consequence of the event is the employee’s wrist is sprained. To prevent falls, one would focus on eliminating the underlying cause, for example, avoiding broken shoelaces by monitoring shoelace wear and by making new shoelaces available. To mitigate the consequences of the risk event (i.e., falls), one could have employees wear protective equipment (e.g., wrist, elbow, or knee pads). Exhibit 16.4 illustrates how the Bowtie model is applied.

Exhibit 16.3 Examples of the Relationship Between a Risk Factor, Risk Event, and Consequence

Example | Cause/Risk Factor | Risk Event | Consequence(s)
#1 | Broken shoelace | Trip and fall | Sprained wrist
#2 | Resistance to adopting sustainability enhancements to procedures | Sustainability principles not integrated into manufacturing practices | Company reputation and brand diminished in eyes of stakeholders
#3 | Cost reduction directives | Drop in quality standards of tires | Fatal vehicle accidents, brand damage

Example #2 in Exhibit 16.3 recasts the earlier Steelbelt example in which Richard Preston was charged with reviewing and revising manufacturing procedures to ensure they were compatible with the company’s new sustainability policy. Recall the main risk factor that Richard identified was resistance by production personnel to adopting the sustainability enhancements to the manufacturing procedures. The potential risk event would be that sustainability principles are not integrated into manufacturing practices. The potential consequences are damage to the company’s reputation as a good corporate citizen and an associated weakening of the Steelbelt brand. To prevent this risk event, Richard would need to understand the root causes of the production department’s resistance to change and design a response to overcome resistance.


Exhibit 16.4 Bowtie Example

The Bowtie model can be used in a proactive way to delineate the root causes that may lead to a risk event and the potential impacts the risk event may have on the achievement of objectives. The Bowtie structure makes it easy to list the existing risk prevention and mitigation capabilities. With an inventory of its current risk treatments in hand, the organization can evaluate if it is able to manage the most significant risks to a tolerable level. Through the lens of the Bowtie structure, gaps in existing risk treatments become immediately apparent. Further, because the Bowtie method is structured around the relationship between root causes, risk events, and potential consequences, the analysis pinpoints what elements of the existing risk treatments require enhancement.

The Bowtie method helps to draw the direct link from cause, to risk event, and to consequence. It is important to understand this progression because risk management efforts can either focus on prevention (i.e., eliminating or reducing the underlying cause thereby preventing the risk event from occurring) or on mitigation (i.e., eliminating or reducing the consequences after the risk event has happened).

The Bowtie approach can also be used as a learning tool after an incident—whether the event results in downside effects on objectives or is only a “near miss.” The learning is gained by comparing the expected performance of the prevention and mitigation plans against their actual performance. This comparison will reveal risk treatments that are not effective and will also provide insight into how they might be enhanced to manage risk to a tolerable level.

In most cases, the risk response (or risk treatment) regimen will be some combination of prevention and mitigation measures. To make the most efficient use of resources, it is important that the risk treatment strategy be tailored to the nature and magnitude of the risk. Exhibit 16.5 shows criteria for the selection of an appropriate combination of risk treatments based on level of risk.

  • The upper-right quadrant represents risks that have both a high likelihood of occurring and potential for a large impact on objectives. For risks in the upper right quadrant, it is advisable to use both risk prevention and mitigation strategies.
  • For risks in the lower-right quadrant where there is a low likelihood of occurrence but potential for large impact, it makes sense to steer any additional investment into risk mitigation, that is, to be prepared to respond if the risk event does happen. A preparedness stance is particularly important when the source of the risk is external to the organization, in which case the organization cannot prevent the risk event.
  • For risks that fall into the upper-left quadrant, that is, where there is a high likelihood of occurrence but the potential impact is small, it makes sense to focus on preventing the risk event. Often operational risks in this quadrant are related to weaknesses in quality management and minimizing these risks will also lead to improvements in performance.
  • Finally, risks in the bottom-left quadrant are either too small or sufficiently well managed that it is usually unwarranted to implement additional risk treatments. Instead, for risks in the bottom-left quadrant, it is prudent to maintain existing risk treatments and to monitor these risks to see if they are migrating toward one of the other quadrants. In addition, over-managed risks tend to be in the bottom-left quadrant and they can represent a hidden supply of resources. By taking resources allocated to over-managed risks in the bottom-left quadrant and reassigning them to under-managed and significant risks in the three other quadrants, an organization can optimize its risk exposure and maximize the effectiveness of its resources.

Exhibit 16.5 Risk Treatment Selection Criteria
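The inventory-then-compare procedure described above, together with the quadrant selection criteria, worked through as an added Python example (not code from the chapter): each risk is a Bowtie record with its existing prevention and mitigation treatments, residual exposure is compared with a tolerance limit, and resources tied up in over-managed bottom-left risks are pooled for under-managed ones. All likelihood/impact scores, control effects, cost figures and the "over-managed" heuristic are constructed assumptions.

```python
# Added illustration: Bowtie inventory, tolerance comparison and treatment
# selection on the likelihood/impact grid.  All scores and costs are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Control:
    name: str
    kind: str        # "prevention" cuts likelihood; "mitigation" cuts impact
    effect: float    # assumed fractional reduction, 0..1
    cost: float      # assumed annual spend, constructed currency units

@dataclass
class Bowtie:
    """Cause -> risk event -> consequence, with the treatments now in place."""
    event: str
    cause: str
    consequence: str
    likelihood: float           # inherent likelihood of the event, 0..1
    impact: float               # inherent impact on objectives, 0..1
    external: bool = False      # cause lies outside the organization
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> Tuple[float, float]:
        """Likelihood and impact after existing prevention and mitigation."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.kind == "prevention":
                lik *= 1.0 - c.effect
            elif c.kind == "mitigation":
                imp *= 1.0 - c.effect
            else:
                raise ValueError(f"unknown control kind {c.kind!r}")
        return lik, imp

    def exposure(self) -> float:
        lik, imp = self.residual()
        return lik * imp

    def spend(self) -> float:
        return sum(c.cost for c in self.controls)

def quadrant(lik: float, imp: float, cut: float = 0.5) -> str:
    """Residual likelihood picks the row, residual impact the column."""
    return f"{'upper' if lik >= cut else 'lower'}-{'right' if imp >= cut else 'left'}"

EMPHASIS = {  # treatment emphasis per quadrant, per the selection criteria above
    "upper-right": "prevention and mitigation",
    "lower-right": "mitigation (preparedness)",
    "upper-left": "prevention",
    "lower-left": "maintain existing treatments; monitor for migration",
}

def status(risk: Bowtie, tolerance: float, slack: float = 0.25) -> str:
    """'over-managed' is an assumed heuristic: exposure far below tolerance
    while spend on treatments continues."""
    exp = risk.exposure()
    if exp > tolerance:
        return "under-managed"
    if risk.spend() > 0 and exp < tolerance * slack:
        return "over-managed"
    return "tolerable"

def recommend(risk: Bowtie, tolerance: float) -> Dict[str, object]:
    lik, imp = risk.residual()
    quad = quadrant(lik, imp)
    emphasis = EMPHASIS[quad]
    if risk.external and "prevention" in emphasis:
        # An external cause cannot be prevented: invest in preparedness instead.
        emphasis = "mitigation (preparedness); external cause cannot be prevented"
    return {"event": risk.event, "quadrant": quad, "status": status(risk, tolerance),
            "emphasis": emphasis, "exposure": round(risk.exposure(), 4)}

def plan(risks: List[Bowtie], tolerance: float):
    """Recommendations per risk, the spend reassignable from over-managed
    bottom-left risks, and the under-managed risks that could use it."""
    recs = [recommend(r, tolerance) for r in risks]
    pool = sum(r.spend() for r, rec in zip(risks, recs)
               if rec["status"] == "over-managed" and rec["quadrant"] == "lower-left")
    needs = [rec["event"] for rec in recs if rec["status"] == "under-managed"]
    return recs, pool, needs

# Constructed scores for the three Exhibit 16.3 examples.
RISKS = [
    Bowtie("Trip and fall", "Broken shoelace", "Sprained wrist", 0.6, 0.1, controls=[
        Control("shoelace wear checks", "prevention", 0.8, 2000.0),
        Control("wrist and knee pads", "mitigation", 0.5, 3000.0)]),
    Bowtie("Sustainability principles not integrated into manufacturing practices",
           "Resistance to adopting sustainability enhancements",
           "Reputation and brand diminished", 0.8, 0.7, controls=[
               Control("change-management workshops", "prevention", 0.3, 5000.0)]),
    Bowtie("Drop in quality standards of tires", "Cost reduction directives",
           "Fatal vehicle accidents, brand damage", 0.7, 0.9),
]
TOLERANCE = 0.05  # assumed maximum tolerable exposure (likelihood x impact)
```

Running `plan(RISKS, TOLERANCE)` flags the shoelace risk as over-managed in the bottom-left quadrant, freeing its 5000 of spend for the two under-managed upper-right risks.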

Because prevention efforts are generally more cost-effective than mitigation efforts, it is wise to emphasize prevention where possible. To design effective prevention measures, it is necessary to uncover and address the underlying root causes. The “5 Whys” is a question-asking method that can be used to explore the cause-and-effect relationships underlying a particular risk event or problem. To use the 5 Whys method, one starts with the risk event and asks “Why did (or would) this happen?” and then repeats the question until the root cause(s) is revealed. It usually doesn’t take much digging to get the root cause(s) of a risk event.

To illustrate how the 5 Whys method works, let’s return to example #3 “cost reduction directives,” which is found in Exhibit 16.3. The sequence from risk event to root cause might look like this:

  • Fatal vehicle accidents (the problem).
  • Why?—Tires failed (first why).
  • Why?—Quality of tires not up to standard (second why).
  • Why?—As a result of cost reduction measures, there was a switch to a lower cost supplier of materials, which led to a reduction in the quality of tires (third why).
  • Why?—Changes to supply arrangement made exclusively on cost considerations, not on quality (fourth why).
  • Why?—Risk not factored into quality assurance processes around new suppliers (fifth why).

The last answer reveals a systemic issue that would affect much more than just this particular supplier. If corrected, for example, by incorporating risk into quality assurance criteria, many other risk events would also be prevented.

The key with the 5 Whys method is to keep asking Why until you get to the underlying, root cause(s), which studies have shown is generally a combination of failures or weaknesses in the organization’s system of management and business practices.6 It may take from three to seven Whys to get to a systemic weakness. Typical management system weaknesses from an operational risk perspective are:

  • No identification of risk.
  • Insufficient resources allocated to manage the risk.
  • Standard operating procedures not established or followed.
  • Inadequate oversight of risk treatments (including communication and feedback).

Of course, no prevention program can guarantee that it will be 100 percent effective all of the time or that all underlying risk factors will be identified and controlled. Therefore, for risk events that have a large potential impact on objectives, it is wise to ensure that mitigation measures are in place. When used in a predictive way, the Bowtie model can help to identify risk events with major potential impacts on the achievement of objectives for which the organization is not adequately prepared. If existing risk mitigation capabilities would reduce the potential consequences to a tolerable level, then no additional risk mitigation treatments are needed. However, if the evaluation reveals that existing risk mitigation capabilities would not reduce the potential consequences to a tolerable level, the organization should improve its readiness to respond to and recover from the risk event should it occur.

In the Steelbelt fable, Richard asked, “How could things have gone so terribly wrong?” Inevitably, after any crisis, the next question that arises is: “Who is to blame?” In many organizations, the “culprit” is punished and things go back to normal. An organization with solid operational risk management will use the crisis as an opportunity to learn and enhance its risk management capabilities. For example, since most catastrophic losses result from failures in the system of management rather than from an individual manager, the more useful questions from a learning perspective are:

  • What gaps in our management system led to this negative outcome?
  • What organizational blind spots prevented us from seeing this coming?
  • How can we avoid a similar loss in future?

A variety of analytical methods (including the Bowtie model and the 5 Whys) can be used to answer these questions and learn from experience. Analyzing successes also provides an opportunity to learn from experience and to validate that the success is a result of careful management of the performance and risk factors versus sheer luck. Establishing a culture of learning is a key component in the drive for enhanced operational risk management and maximizing performance.

To summarize, the key concepts for the evaluation, selection, and design of an effective program of operational risk management treatments are:

  • Determine if risk exposure is within tolerance limits. If not, adjust risk response activities.
  • To determine how to best manage a risk, you need to first understand how it arises. The Bowtie method helps to map out the sequence from underlying cause, to risk event, and ultimately to consequences (i.e., impact on objectives).
  • There are two main types of risk treatments: Prevention activities—aimed at reducing likelihood of occurrence of the risk event—and Mitigation activities—aimed at reducing magnitude of the impact should the risk event occur.
  • Management of most operational risks consists of a combination of prevention and mitigation measures. In general, it is advisable to focus on prevention because it is more cost-effective. However, because no prevention regimen is perfect, for risk events with the potential for a significant impact on objectives, it is prudent to also put in place strong mitigation capabilities. Failures and successes need to be analyzed to identify opportunities for enhancing both individual risk treatments and the organization’s ability to anticipate and manage risk.

HOW DO YOU ENCOURAGE A CULTURE OF RISK MANAGEMENT AT THE OPERATIONAL LEVEL?

To encourage a culture of risk management, leaders throughout the organization need to communicate about risk. The primary mode of communication required is action, that is, leadership by example. Spoken and written communication, while necessary, is secondary to action. This is because culture is primarily established through the actions of the leaders of the organization.

Specifically there are three ways leaders need to communicate to encourage a culture of risk management at the operational level:

  1. Model good risk management behavior.

    Leaders must live risk management themselves. Statements of corporate values and ethics and business policies represent the organization’s espoused risk management culture and are important tools in communicating what kind of culture the organization’s leaders wish to instill. However, these written documents will be invalidated the instant that the organization’s leaders act in a way that contradicts the espoused values.

  2. Articulate expectations for risk management behavior.

    In particular, leaders need to communicate what constitutes good risk management behavior (i.e., what to strive for) versus poor behavior (i.e., what to avoid). These expectations need to be reflected in policy documents, procedures, and business practices. Most importantly, operational risk management expectations need to be integrated into performance management and reward systems. It is important to frequently reinforce written expectations with spoken messages in both formal communications and informal conversations.

    Rather than passively “pushing” risk management expectations on their people, leaders need to actively “pull” desired risk management behavior. This is accomplished by asking the people who report to them about how they are meeting risk management expectations. For example:

    • How are they integrating risk thinking into their decision and management processes?
    • What are the significant risks they face?
    • What are they doing to manage risks to within a tolerable range?
    • What risk indicators are they monitoring to ensure their most significant risks are under control?

  3. Be clear about the consequences and follow through on them.

    Human behavior is driven by consequences. People are motivated to act because they want to achieve positive consequences and/or avoid negative consequences. Therefore, it is important for leaders to “engineer” and clearly articulate both the positive consequences of meeting risk management expectations and the negative consequences of not doing so.

    Then, leaders need to follow through with the consequences. This includes acknowledging good risk management behavior in others, particularly those who report to them. And it includes addressing situations where employees are not meeting risk management expectations. If poor risk management behavior is ignored, it will send a message that risk management is not important. The organization will pay twice for this. First, it will expose the organization to unnecessary risk; and second, it will demotivate those individuals who are making a genuine effort to meet risk management expectations.

Taken together, the above three actions communicate the “tone-from-the-top.” Without strong and consistent leadership support, it is difficult, if not impossible to create a strong risk management culture.

HOW DO YOU ALIGN OPERATIONAL RISK MANAGEMENT WITH ENTERPRISE RISK MANAGEMENT?

At the enterprise level, decision makers are focused on what to achieve (strategic objectives) and how to get there (strategic direction). Therefore, executives must take a long-term perspective, looking out into the future to identify opportunities for sustaining or growing the organization. To do this, executives need to have a good read on the organization’s current capabilities and capacity to execute. With a solid assessment of existing capabilities in hand, executives can identify the critical capabilities that the organization needs to develop (or acquire) to continue to meet its objectives and sustain the organization over the long term.

At the operational level, managers are focused on execution of strategy. Their focus is the present, the current planning and reporting cycle. To do this, managers need to focus on aligning their resources to effectively and efficiently deliver on their objectives.

Alignment of the enterprise and operational levels requires a translation of long-term enterprise objectives and strategies into short-term operational strategies and objectives. The key to aligning risk management at the operational and enterprise levels is to establish accountability through a clear line of sight between the enterprise and the operational levels. This line of sight is created by embedding risk management thinking into the organization’s performance management and reporting systems.

The key performance management and reporting system elements that need to be clearly articulated for each person and coordinated across the organization are:

  • Objective(s) or what it is that the person has to achieve. The concept of having a strategic goal for the organization and measurable objectives for each individual is fundamental to risk management. One can’t begin to manage risk until one knows what is required to achieve each staff member’s objective and the factors that create uncertainty around the achievement of that objective. In many public and private sector organizations, objectives are more like a list of hopes and dreams than they are meaningful and measurable targets that both inspire and hold people to account.
  • Strategy or how the individual is to go about achieving each of their objectives. Strategy is sometimes referred to as a direction or path that the person is to pursue.
  • Risk appetite or how much risk the organization is willing to take on to ensure the person has ample opportunity to achieve his or her objective. This may be incorporated into the strategy by defining which are the good risks and which are bad risks to take, that is, where the organization will and will not go in the pursuit of its objectives.
  • Performance measures and targets that will be used to assess the individual’s progress toward their operational objectives, and the organization’s progress toward its strategic objectives.
  • Risk indicators and risk tolerance levels that articulate the key conditions that will be monitored to provide an early warning that a significant risk event may be imminent or that a risk is about to move outside of the tolerable zone.

To systematically manage performance requires developing an understanding of the relationship between the drivers of performance and risk, including the development of measures to track risk factors and quantify their impact on performance. For example, imagine “knowledgeable staff” is a key performance driver for a specific objective and the associated risk factors are the ability to hire and train staff to the required level of knowledge. If the manager accountable for the performance driver notices a downward trend in the knowledge level of new recruits or that employees are completing training programs without achieving the level of knowledge required, that manager could intervene in a timely manner. But if he or she does not know about, or turns a blind eye to, the facts, performance will inevitably suffer.


Exhibit 16.6 Alignment Between Enterprise and Operational Risk Management

Exhibit 16.6 illustrates a mechanism for alignment between enterprise and operational levels. At the top level is the chief executive officer of the organization. The CEO’s objectives are the enterprise objectives. His performance targets are translated into objectives for the people who report directly to him, that is, the vice president level. Then, each vice president translates his performance targets into objectives for his direct reports, that is, the director level. This translation of performance measures into objectives continues down the line and in doing so, enterprise objectives are translated into operational objectives. This creates a top-down mechanism for alignment.

Exhibit 16.6 also illustrates a bottom-up mechanism for alignment between operational and enterprise levels. Starting at the bottom of the figure, the performance measures of the director feed into the risk indicators for their vice president. In turn, each vice president will report his performance measures to the CEO who will monitor them as part of his suite of risk indicators. This creates a bottom-up mechanism for alignment.

To contribute to alignment, each person needs to do two things:

  1. Ensure that each of their objectives corresponds to one of their boss’s performance measures. This includes ensuring there is agreement on the desired risk appetite and risk tolerance around each of their objectives. This top-down perspective creates alignment through strategic and operational planning.
  2. Ensure that the risk indicators they monitor include the performance measures of the people who report to them. This bottom-up perspective creates alignment during the ongoing execution of strategy.

The performance management system is a key tool in aligning risk management at the enterprise and operational levels. Start by establishing clarity around objectives and strategies. Next, understand how risk can affect your objectives and manage key performance drivers. Then, track key risk factors to give you adequate warning that a risk is reaching an intolerable level so that you can do something about it before it has a negative impact on the achievement of your objectives.
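How risk indicators and tolerable-zone boundaries serve as early-warning and escalation triggers, as an added Python example (not from the chapter): each indicator carries the boundaries of its tolerable zone and the boss to whom it is reported, and the current trend is projected a few reporting periods ahead so the owner hears about an approaching breach before it happens. The indicators (including the “knowledgeable staff” driver above and two tire-quality measures for the Steelbelt fable), their histories and the linear trend projection are constructed assumptions.

```python
# Added illustration: monitoring risk indicators against a tolerable zone and
# using its boundaries as escalation triggers.  Data below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class RiskIndicator:
    name: str
    owner: str                    # manager who monitors the indicator
    escalate_to: str              # the boss for whom it is one of their risk indicators
    low: Optional[float] = None   # lower boundary of the tolerable zone, if any
    high: Optional[float] = None  # upper boundary of the tolerable zone, if any
    horizon: int = 3              # reporting periods to look ahead for early warning

def trend(values: List[float]) -> float:
    """Least-squares slope per reporting period over the history (0.0 if <2 points)."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2.0
    mean_y = sum(values) / n
    sxy = sum((i - mean_x) * (v - mean_y) for i, v in enumerate(values))
    sxx = sum((i - mean_x) ** 2 for i in range(n))
    return sxy / sxx

def outside(ind: RiskIndicator, value: float) -> bool:
    """True when a value lies outside the tolerable zone."""
    return ((ind.low is not None and value < ind.low)
            or (ind.high is not None and value > ind.high))

def assess(ind: RiskIndicator, history: List[float]) -> Dict[str, object]:
    """Classify the indicator as 'breached' (outside the zone now), 'warning'
    (projected to leave the zone within `horizon` periods on the current trend)
    or 'within', and state what the owner should do with it."""
    if not history:
        raise ValueError(f"{ind.name}: no observations")
    latest = history[-1]
    slope = trend(history)
    projected = latest + slope * ind.horizon   # assumed linear extrapolation
    if outside(ind, latest):
        status = "breached"
        action = f"escalate to {ind.escalate_to} now; treatment is overdue"
    elif outside(ind, projected):
        status = "warning"
        action = f"report to {ind.escalate_to}; decide on treatment before the boundary is crossed"
    else:
        status = "within"
        action = "continue monitoring"
    return {"indicator": ind.name, "owner": ind.owner, "latest": latest,
            "slope": round(slope, 3), "projected": round(projected, 2),
            "status": status, "action": action}

# Constructed histories, one value per reporting period, oldest first.
INDICATORS = {
    "recruit_pass_rate": (
        RiskIndicator("New-recruit knowledge assessment pass rate (%)",
                      "Training director", "VP Operations", low=80.0),
        [92, 90, 88, 86, 85, 83]),
    "warranty_claims": (
        RiskIndicator("Warranty claims per 10,000 tires shipped",
                      "Quality director", "VP Manufacturing", high=15.0),
        [8, 9, 9, 12, 16]),
    "supplier_defects": (
        RiskIndicator("Incoming material defect rate (%)",
                      "Purchasing director", "VP Supply Chain", high=2.0),
        [1.1, 1.0, 1.2, 1.1, 1.0]),
}

def dashboard() -> Dict[str, Dict[str, object]]:
    """Assess every indicator; the VP-level reader sees only status and action."""
    return {key: assess(ind, hist) for key, (ind, hist) in INDICATORS.items()}

if __name__ == "__main__":
    for result in dashboard().values():
        print(f"{result['indicator']}: {result['status']} -> {result['action']}")
```

The pass-rate series is still inside its zone but trending out of it, so it is reported as a warning while the warranty-claim series, already past its upper boundary, escalates immediately.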

CONCLUSION

Every organization exists to achieve its goals. In many organizations, risks to the achievement of objectives are managed inconsistently or in an ad hoc fashion. As a result, many organizations experience a significant gap between their potential performance and their actual results. The aim of ORM is to manage the risks that emerge during the day-to-day activities of executing the organization’s strategy thereby capturing the full performance potential of the organization. To do this, executives and managers need to do three things:

  1. Establish clarity around objectives, roles, and responsibilities.
  2. Align resources to deliver excellent performance.
  3. Develop capabilities to handle unexpected or uncontrollable factors.

Risks (both threats and opportunities), benefits, and costs are inextricably linked. A key challenge for executives is articulating the organization’s risk tolerance and appetite in a way that strikes the appropriate balance between potential upside and downside effects.

Effective ORM involves a systematic and disciplined approach to:

  • Identifying and quantifying the risks associated with implementing a particular strategy.
  • Evaluating and optimizing the organization’s risk management effectiveness, including the selection of the appropriate mix of detection, prevention, and mitigation actions.
  • Developing an adaptive risk response capability.

ORM is more than the development of risk management policy and the application of risk analysis tools. To be successful, it needs to become part of the organization’s culture and seamlessly integrated into business practices. The culture of risk management can only be created through committed leadership on the part of the senior executive team.

The key to aligning risk management at the operational and enterprise levels is to establish accountability through a clear line of sight between the enterprise and operational levels. This line of sight is created by embedding risk management thinking into the organization’s performance management and reporting systems. Specifically, the key drivers that represent the root causes of success and failure need to be identified, monitored, and managed to ensure that:

  • Corporate and operational objectives are achieved.
  • Resources are employed effectively and efficiently.
  • The organization is ready to handle the risks that arise in the course of its day-to-day operations.
  • People are accountable for their performance.

NOTES

ABOUT THE AUTHOR

Diana Del Bel Belluz is the President of Risk Wise Inc., a management consulting firm that helps executives and management teams implement systematic and sustainable risk management practices. Since 1990, Diana has been doing leading-edge risk management work for companies in a wide range of industries and for government organizations. Examples of client organizations that she has worked with are: Bombardier, British Columbia Safety Authority, Dofasco, Health Canada, the Nuclear Waste Management Authority, and the Toronto Transit Commission. In addition to helping individual organizations to enhance their operational risk management practices, Diana has advanced the field of risk management by serving on numerous industry committees, teaching university courses and management training seminars, speaking at conferences, and authoring publications on a wide range of risk management topics. She publishes the Risk Management Made Simple E-Zine, a free online newsletter (available at www.riskwise.ca) with tips on how to implement systematic risk management. She served as a core member of the founding faculty of the Centre of Excellence for Enterprise Risk Management at the Schulich School of Business at York University. She holds Bachelor’s and Master’s degrees in Systems Design Engineering from the University of Waterloo and is a Professional Engineer.
