That seems to be the assertion by my good friend, Alexei Sidorenko, in a 2017 blog post I read for the first time this last week.
“Why risk management in SME is better than in large corporations” makes a number of good points. Here are some, with my comments.
- SMEs simply can’t afford to waste time or other resources on an activity that does not generate direct value.
- Comment: neither can larger companies. The reason (IMHO) that many CROs feel starved of top management attention, let alone budget, is that top management just don’t see the value. They see it as a compliance activity that may satisfy the regulators and the board but doesn’t help them manage the company for success. It consumes management time that is needed in problem-solving and decision-making, rather than helping them make informed and intelligent decisions.
- Do modern day risk managers in non-financial companies in fact make money for their companies? Very few. Most of the modern day approaches used by the risk managers are so academic and superficial, that management has a tough job buying it.
Alex asks some penetrating questions to build on these points, including:
- do risk assessments really change the way business processes work, change the manufacturing process, change the way products are sold?
- do risk assessments change the way executives make decisions and is risk analysis available on time to support every significant decision? do they? really?
- are risk registers looked at by the CEO before making an important decision?
- do risk appetite statements in non-financial companies change the way company operates and the way decisions are made?
- SMEs don’t do risk management to mitigate risks, they do it to make better decisions
- Comment: This should be the case for every organization of any size in any sector.
- we seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It’s just another management tool to help them make better decisions and hence achieve the objectives.
- SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it’s time to do risk management, be it annually, quarterly or some other regular interval. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analysed at any moment during the day, when an important decision is being made or at every milestone within the core business processes, you are probably doing something wrong.
- If there is one thing I learned over the years, it is that no one in the company and I mean NO ONE, except the risk manager, cares about risks. Well maybe some about-to-retire audit committee member as well, but most of them wouldn’t have the courage to deal with the real risks if you showed it to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result. You can assign risk ownership to them as much as you like, no one cares. SMEs learned it the hard way: unless an activity directly contributes to achieving objectives, it’s not going to be done. Risk management is no different. I find it ridiculous when risk managers talk about high risks and the need to mitigate them. When instead they could be saying things like “the probability of meeting this objective is 10% unless we change things”, “there is an 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.
- Comment: Blunt, but there’s a great deal of truth here. It’s not about managing risk, it’s about managing the business for success with informed and intelligent decisions.
Alex styles himself as outspoken, and he certainly was in this post.
What do you think?
Do you agree with him? If so, what needs to be done? If not, why not?