Herbert Hoover on Engineering
Health care and cheesecake (factory)

HBR on Mitigating Strategic Risk

The June issue of Harvard Business Review had an article on "Managing Risks: A New Framework" by Robert Kaplan (of Balanced Scorecard fame) and Anette Milkes. In it, the authors argue against the belief that "risks can be managed by establishing and following rules, standards and guidelines", as they repeat in a HBR blog post they wrote after JP Morgan's losses in its Chief Investment Office in London - the losses, brought about in the famous "London whale" case, could reach $9bn. ("Not all losses are failures of risk management — unless we expect to take no risk at all... [A] large loss in itself is not evidence of a risk management failure, because a large loss can happen even if risk management is flawless".)

The authors distinguish between three types of risk: preventable risks, strategy risks and external risks. They comment that "while a compliance-based approach is effective for managing preventable risks, it is wholly inadequate for strategy risks or external risks, which require a fundamentally different approach based on open and explicit risk discussions."

The authors advocate the use of independent experts, facilitators and/or embedded experts. They also make the case for the following tools:

  • for strategy risks, interactive discussions about risks using maps of likelihood and impact of identified risks and key risk indicator scorecards, resource allocation to mitigate critical risk events,
  • for external risks, "envisioning" risks through tail-risk assessments and stress testing, scenario planning and war gaming.

They talk about probabilities here and there, but overall I found the disregard for quantitative tools a bit annoying, as if managers didn't need to put in place contingency plans to, say, satisfy customer demand, no matter where the disruption will take place. (Or as if the uncertainty underlying them didn't need to be mitigated using analytical tools.)

Instead, we're treated to color-coded risk event cards and risk report cards, which come across as trying to make uncertainty palatable to managers who aren't trained in decision-making under uncertainty. Maybe in this day and age it is time to say that everybody interested in risk management should exhibit enough familiarity with randomness that you don't have to "prettify" things by color-coding them to shove probabilities down the throat of decision-makers.

The article itself explains: "The benefits from stress-testing... depend critically on the assumptions - which may themselves be biased - about how much the variable in question will change. The tail-risk stress tests of many banks in 2007-2008, for example, assumed a worst-case scenario in which US housing prices leveled off and remained flat for several periods." This should serve as a reminder of the pressures exerted on risk management groups because their cautious, downside-focused approach will always stand in the way of the upside-focused methods favored by the rest of the company. In turn, this will always result in pressure to consider overly optimistic assumptions. This is not the fault of the quantitative models, but of the very human people who implement them (or oversee said very human people).

Indeed, the authors state: "A firm's ability to weather storms depends on how seriously executives take risk management when the sun is shining and no clouds are on the horizon." A more in-depth mention of relevant quantitative techniques and analytics would have helped, besides the mentions of scenario planning and war gaming. It's tempting to conclude from the article that the environment is so uncertain you can't really use anything quantitative, when in fact the risk report card has numerical values for assessed risks and critical risks (with color-coded arrows for the trends). The article should become a reference for managers who have developed an interest in risk management while in "qualitative-driven" careers, but might be found lacking by managers who already possess quantitative skills.

The authors are right to say, though, that the purpose of risk management is to "neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become."

Further readings:


The comments to this entry are closed.