The Redemption of Regulatory Risk Management from Meaningless Ritual
Key Takeaways
- Regulatory Pressure’s Impact on Risk Management: Regulatory requirements, designed to improve risk management, have inadvertently led to the rise of RM1 – ritualistic, compliance-driven practices that often lack meaningful decision support.
- RM1 vs RM2: RM1 focuses on fulfilling regulatory obligations with minimal value beyond compliance, while RM2 aims to provide decision-actionable insights and improve strategic decision-making.
- Methodological Challenges: Tools like heat maps fail to provide actionable insights or meaningful comparisons at the enterprise level due to their subjective and fragmented nature.
- Improving RM1 with RM2 Approaches: By applying RM2’s decision-making models to RM1 practices, organizations can turn regulatory obligations into valuable opportunities, offering more strategic insights and improving risk governance.
- Quantitative ERM: A simplified, quantitative approach to enterprise risk management (ERM) can bridge the gap between regulatory requirements and decision support, offering clearer insights for better decision-making at the enterprise level.
Deep Dive
In today's risk landscape, regulatory-driven practices often fail to deliver meaningful value. In this article, Graeme Keith examines the challenges and opportunities presented by the dichotomy between Risk Management 1 (RM1) and Risk Management 2 (RM2). By exploring the unintended consequences of regulatory pressure on risk management systems, Keith presents a case for evolving traditional risk practices into a more strategic, decision-supportive approach.
The Reality Behind RM1 and RM2
In his blog last week, "How Risk Management Turned into a Meaningless Ritual," Alex Sidorenko describes the disintegration of risk management practice in response to regulatory pressure and its migration outside the world of finance. Alex tells a characteristically compelling story that effectively charts the rise of the dichotomy between what he has coined Risk Management 1 (RM1) and Risk Management 2 (RM2), as described in his earlier, highly influential blog "RM1 vs RM2 – Which Side Will You Choose?"
This is, I think, more the rise of ritual (RM1) than a fall in decision analytics (RM2). But Alex makes a strong point that the ritual, apart from just draining resources, also undermines efforts to evangelize decision analytics more broadly in companies. The risk management box is checked—the argument goes—time to move on.
Alex—rightly, I believe—lays the blame for this (d)evolution at least partly at the door of regulatory pressure following corporate scandals and the demand for better risk management governance from stock exchanges. This is deeply ironic. The very initiatives designed to improve risk management were a substantial cause in its inexorable decline.
The challenge for regulatory bodies, boards, and investors, though, is that the measures they must impose to ensure that everyone is doing risk management in no way guarantee that everyone is doing it well. And, as Alex again rightly points out, the regulations set a low bar on quality. Indeed, it is an unavoidable consequence of efforts to force as many people as possible to do risk management that the bar is set low enough that as many people as possible can clear it.
Alex and I agree that RM1 and RM2 have very different goals. Alex doesn't seem very willing to attribute any value at all to the goals of RM1 other than satisfying regulatory imperatives, and if we understand RM1 as ritualized regulatory risk reporting, as is so often the reality in practice, then it's hard to argue against that. Similarly, if we distinguish between RM1 and RM2 methodologically—RM1 all meaningless matrices and inscrutable registers of risk, RM2 exclusively hoarding all the rational decision apparatus to itself—then, again, RM1 comes very poorly out of the comparison.
I argue here that a more nuanced view of the dichotomy between RM1 and RM2 helps us to reconcile different risk management practices. I'm not trying to save RM1, but I will argue that a more RM2 approach to some of the aspirations of RM1 can help turn regulatory obligations into value opportunities.
RM1 vs RM2 as Governance vs Decision Support
If instead of identifying the goals of RM1 with the results of the way it is so often practiced, we look to what we must assume were the best intentions of those regulatory requirements before they were undermined by fatally inadequate methodology, then we might ascribe at least a value aspiration to RM1—even if it proves elusive to see it very often realized.
There is undoubtedly value in a periodic process that engages leaders and subject matter experts in an organization to articulate the uncertainties that beset the aspects of the business over which they preside and to distribute accountability for managing those uncertainties.
But this isn't very much value from what is inevitably a huge amount of process and workflow—building and managing reporting structures, cascading processes, rolling up reporting, and so on, ensuring the right meetings are taking place at the right time, with the right people furnished with the right data so that all these uncertainties and the interventions that circumscribe them can be surfaced, captured, assigned, and assessed.
There's not much value here because most of what we do to manage the risk, we would do anyway. Maybe someone surfaces some uncertainties that weren't thought of before, maybe someone is made aware of a responsibility to which they were hitherto oblivious. But if good governance is our goal, we need both actionable information on the current state of affairs and a reasonable basis of intervention to improve them. And if our risk program is to add any real value, the workflow needs to lead to insights that motivate decisions and interventions that improve outcomes.
RM1 vs RM2 as Heat Maps vs Modeling
This is where the methodological inadequacy of heat maps fails us utterly. Even advocates must see that a heat map can only ever tell you a risk owner's opinion of a risk on a risk-by-risk basis. That's not nothing in the context of the governance goals of risk identification and accountability, but it's not very much either, because we can do nothing meaningful with all those individual subjective assessments. It doesn't make sense to compare subjective assessments, and we can't synthesize them to give us any meaningful overview of risk at the scale of the enterprise.
Even semi-quantitative heat maps, which try to address subjectivity by aligning assessments with some measurable quantity or objective descriptive outcome, cannot be used to compare risks, even crudely, not even for triage; nor can they be used to aggregate, again even crudely.
These shortcomings fatally undermine any hope we might have of deriving meaningful, much less decision-actionable information from our enterprise risk program. All we have to show for all that work is a long, utterly inscrutable, hopelessly fragmented list of different colored risks.
Achieving RM1 Aspirations with RM2 Methods
A qualitative risk register is a sorry sight. At best, it may give a little comfort that a great many people have been sitting down thinking about their risks and controls and making lists with colors on them. Again, not nothing, but good governance requires the possibility of informed intervention, and any hope of delivering value is absolutely dependent on it.
We win substantial decision-actionable insight simply by understanding which risks contribute most, potentially, to our losses, and which controls save us, potentially, the most relative to their cost. An ability to aggregate would allow us to use the reporting structures that inform the risk management program to understand the aggregated effect of risks across the organizational structures that reflect the executive and functional authority with which enterprise decisions are executed. This can help to inform us on where we need to spend, where we can save, where we should invest, and where we should divest.
To achieve these ends, we need a model. It needs to be a very simple model, at least at the individual risk level, because we will be asking everyone who till now has been pinning a risk tail on a heat map donkey to now provide parameters that capture the individual contributions of a risk to the aggregated risk profile. Ideally, we do not wish to burden these people with additional workload; we're only looking to leverage the framework we already have in place. So, at least to start, we use the same people in the same meetings with the same data.
Luckily, it doesn't need to be a very nuanced model, because—at this scale—we are not managing individual risks; we would not be able to accommodate any serious level of granularity on the decision levers around individual risks anyway. Our goal is just to be able to defragment the multi-colored risk register landscape and clarify the enterprise picture so we can make enterprise-level decisions using enterprise-level executive structures.
The model does have to capture the right information at the individual risk level to render a faithful representation of the aggregated risk to which that individual risk contributes. But most of the detail of individual risk assessments is lost in the mechanics of convolution, and a careful choice of distributions and guiding questions can ensure that even simple, fairly crude assessments capture what matters to yield faithful representations of risk exposure in the aggregate.
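The following is an added illustration of the kind of "very simple, fully prescribed" per-risk model the paragraphs above call for; it is not Keith's model or any vendor's, and it assumes a particular form (each risk occurs in a year with some probability, and the loss given occurrence is lognormal, fitted from two guiding questions: typical loss and bad-case, 1-in-10 loss). The risk register and controls are constructed sample data. It shows the three things a heat map cannot do: rank risks by expected contribution to loss, rank controls by expected loss avoided per unit of cost, and aggregate by Monte Carlo into an enterprise loss distribution that can be rolled up along the reporting structure.

```python
"""Toy quantitative ERM: per-risk Bernoulli x lognormal model, aggregated by Monte Carlo.
Added example with constructed data; standard library only."""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal 90th percentile


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str           # organisational unit that owns the risk (for roll-up)
    p_annual: float     # "How likely is this to happen in a year?"
    median_loss: float  # "If it happens, what does it typically cost?"
    p90_loss: float     # "What would a bad, one-in-ten case cost?"


@dataclass(frozen=True)
class Control:
    name: str
    risk: str           # name of the risk the control acts on
    annual_cost: float
    p_factor: float     # multiplies likelihood (1.0 = no effect)
    loss_factor: float  # multiplies every loss quantile (1.0 = no effect)


def lognormal_sigma(median: float, p90: float) -> float:
    """Shape of a lognormal whose median and 90th percentile are given."""
    return math.log(p90 / median) / Z90


def expected_loss(r: Risk) -> float:
    """Closed-form annual expected loss: P(occurs) * E[loss | occurs]."""
    s = lognormal_sigma(r.median_loss, r.p90_loss)
    return r.p_annual * r.median_loss * math.exp(s * s / 2)


def apply_control(r: Risk, c: Control) -> Risk:
    """The risk as modified by a control (assumed to scale likelihood and losses)."""
    return Risk(r.name, r.unit, r.p_annual * c.p_factor,
                r.median_loss * c.loss_factor, r.p90_loss * c.loss_factor)


def control_benefit_ratio(r: Risk, c: Control) -> float:
    """Expected loss avoided per unit of annual control spend."""
    return (expected_loss(r) - expected_loss(apply_control(r, c))) / c.annual_cost


def rank_risks(risks):
    """Risks ordered by expected contribution to enterprise loss."""
    return sorted(risks, key=expected_loss, reverse=True)


def rollup_by_unit(risks):
    """Expected loss aggregated along the owning-unit structure."""
    out = {}
    for r in risks:
        out[r.unit] = out.get(r.unit, 0.0) + expected_loss(r)
    return out


def simulate(risks, trials=20000, seed=1):
    """Monte Carlo: sample every risk for one year and sum into an enterprise loss.
    This is the numerical 'convolution' of the individual loss distributions."""
    rng = random.Random(seed)
    sigmas = {r.name: lognormal_sigma(r.median_loss, r.p90_loss) for r in risks}
    totals = []
    for _ in range(trials):
        year = 0.0
        for r in risks:
            if rng.random() < r.p_annual:
                year += r.median_loss * math.exp(sigmas[r.name] * rng.gauss(0.0, 1.0))
        totals.append(year)
    return totals


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))]


# Constructed sample register: five risks answered with the three guiding questions.
RISKS = [
    Risk("ransomware outage", "IT", 0.10, 2_000_000, 8_000_000),
    Risk("key supplier failure", "Operations", 0.20, 500_000, 1_500_000),
    Risk("regulatory fine", "Legal", 0.05, 1_000_000, 5_000_000),
    Risk("warehouse fire", "Operations", 0.02, 3_000_000, 10_000_000),
    Risk("payment fraud", "Finance", 0.30, 100_000, 400_000),
]
CONTROLS = [
    Control("offline backups", "ransomware outage", 150_000, 1.0, 0.4),
    Control("second-source supplier", "key supplier failure", 200_000, 0.5, 1.0),
    Control("sprinkler upgrade", "warehouse fire", 50_000, 1.0, 0.5),
]

if __name__ == "__main__":
    by_name = {r.name: r for r in RISKS}
    for r in rank_risks(RISKS):
        print(f"{r.name:24s} expected loss {expected_loss(r):>12,.0f}")
    for c in CONTROLS:
        print(f"{c.name:24s} loss avoided per unit cost {control_benefit_ratio(by_name[c.risk], c):.2f}")
    totals = simulate(RISKS)
    print(f"enterprise mean {sum(totals)/len(totals):,.0f}, 1-in-100-year loss {percentile(totals, 0.99):,.0f}")
```

The closed-form expected loss is what the register needs for ranking and roll-up; the simulation is what gives the tail (for example, a one-in-a-hundred-year enterprise loss) that no sum of per-risk colours can produce. Because the lognormal is fitted from the median and the 90th percentile, a risk owner is never asked for a parameter, only for two loss figures they can reason about.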
Quantitative ERM
This is Quant ERM, ERM as typically practiced, but with heat maps replaced with a very simple, fully prescribed model, and equipped with methods for leveraging this model to provide decision-actionable information that can inform enterprise and strategic decision-making.
This is in no way a replacement for RM2; it is more an extension of RM2 that extracts value from the regulatory obligations imposed in RM1 and, I would argue, actually delivers on the intentions of those requirements.