Let’s Talk about Risks
Why Communication in Risk Management matters
Handout to the presentation “Let’s Talk about Risks – Why Communication in Risk Management matters”,
at the Università della Svizzera Italiana (Lugano) on 14 April 2009.
Thesis: Adequate and systematic communication in Risk Management is essential for
organizations to achieve their goals.
Definition of relevant terms
Communication (in particular: knowledge communication): (Deliberate) activity of interactively
conveying and co-constructing insights, assessments, experiences, or skills through verbal or non-
verbal means. Successful transfer of know-how, know-why, know-what and know-who through face-
to-face (co-located) or media-based (virtual) interactions.
Knowledge Communication process: Identification of experts → Briefing to experts → Analysis by
experts → Communication of results → Decision taking → Implementation.
Risk: Uncertainty that influences the achievement of goals in a
negative or positive way.
Risk Management: Structured approach of assessing,
improving, monitoring and reflecting about risks and risk
management in order to minimize the effects of risks on an
organization's goals (see Figure 1).
Risk Communication is the deliberate activity of interactively
conveying and co-constructing information, experience and
insights about single risks, risk portfolios and risk management
activities through verbal or non-verbal means.
Risk Visualization designates the systematic effort of using
(interactive) images to augment the quality of risk
communication along the entire risk management cycle.
[Figure 1: Generic risk management process]
Internal communication about risks
Internal communication about risks and risk activities is required to govern and manage an
organization successfully.
All relevant functions of an organization are involved in this communication (see Figure 2).
Furthermore, external parties like investors, regulators or rating agencies are interested in
risk information.
[Figure 2: Risk communication between internal functions. Labels in the figure: Senior Management / Executive Board; Oversight / Board of Directors; External Audit; Risk Mgt; Internal Audit; Business (Specialists); Organization; Discussions; Inquiries/Reviews]
Common enablers and tools for communication about risks:
- Formal Risk Management Committees and/or Audit & Risk Committees
- Standardized risk models and methodologies
- Regular risk and control issues reports; key risk indicator reports; ad-hoc analysis; early warnings
- Pre-defined escalation procedures for crisis situations or important information exchange
- Focused reviews about risks/issues (e.g. by Internal Audit or risk functions) resulting in recommendations
- Alignment meetings between representatives of Business and Risk Functions
- Formal and informal ad-hoc meetings, phone conferences etc. regarding specific risks or issues
© 2009 by Markus Aeschimann | markus.aeschimann@mindarea.ch | 06/04/2009
Central model and possible communication problems
To analyse potential communication problems within risk management we should focus on the various
“players” taking part and the communication relationships between them (see Figure 3). A
relationship we don’t look at here in detail is the constant exchange with the external environment
regarding risk input and best practices (outside-in perspective).
Figure 3: Central model for knowledge communication in risk management
The following is a selection of possible communication problems in risk management and some suggestions.
A. Communication between Business Specialists and Risk Management
Communication Problem | Ideas for Improvements
No common risk language. | Establish a Risk Model and use clearly defined terms consistently in all communication.
Performance vs. risk perspective, e.g. in product development, M&A, strategy development. | Implement standardized processes with “toll gates” and involve risk functions to enable holistic view (e.g. in product development).
“Information hiding” by business due to inadequate incentives and remuneration (neglecting long term effects or sustainability of business). | “Tone from the top” and positive role model by executives (leading by example) to foster open communication culture. Anchoring in MbO.
Risk Managers do not completely understand the business or – on the other hand – are not independent enough and therefore cannot challenge the business adequately to think about the risks of their business model. | Risk Managers should get insights into business processes, e.g. by being involved in internal audit assignments from time to time. Regular exchange with similar functions from peer companies.
Limits in risk documentation/communication to be considered due to possible legal or security impact (examples: product risks and liability, security services). | Focus on communication instead of documentation. If management is aware of such risks they can take appropriate measures.
No or inappropriate usage of visualizations like risk maps, driver maps etc. in the identification and assessment phase of risk management. | Learn visualization techniques and include appropriate visuals in discussions, presentations and reports.
B. Communication within Risk Management
Communication Problem | Ideas for Improvements
Risk functions (e.g. investment risk, operational risk, compliance, controlling) are organized in silos, hindering risk information flow and impeding appropriate best practice transfer. | Establish a Chief Risk Officer role as a head for all risk functions. Appoint a “Generalist” as CRO, not a “Quant”. Foster regular information exchange between risk functions.
Poor data quality and/or tools for analysis and reporting. | Perform regular internal and external best practice reviews regarding tools and quality.
Inappropriate (calculation) models for risk assessments (e.g. stress testing), unrealistic assumptions or inadequate calibrations to please business requests. | Perform regular best practice reviews by external specialists. Always ask for alternative scenarios to get a feeling for ranges between best and worst case.
C. Communication between Risk Management and Senior Management
Communication Problem | Ideas for Improvements
“Tone at the top” not fostering communication and/or risk culture; no common risk language within the organization; focusing on facts that support taken decisions. | “Tone from the top” and positive role model by executives (leading by example). Anchoring in MbO. Establish Risk Model and use clearly defined terms consistently in all communication.
Managers tend to cover their lack of understanding in front of colleagues (e.g. in a committee). | Talk to executives beforehand if important decisions have to be taken and get their commitment before the board meeting.
Inadequate setup of Risk Governance (including silos, missing or ineffective management and risk committees, fragmented approval structures), e.g. due to gaps in risk management expertise. | Initiate a best practice transfer from peers or other companies. Engage consultants to work with executives and get their commitment to change the organizational structures. Improve executives’ knowledge about risk management with adequate presentations and trainings.
Senior Management does not ask for holistic risk view but focuses on (wrong) details (big picture problem). | Show interrelations between risks and between their decisions and possible consequences.
“Departmental agenda” of Senior Managers, if also responsible for specific business areas (transparency on own risks not wished). | In a first phase – for communication purposes – disconnect departments’ risk profile from overall risk profile. Link it again in a later stage.
Inadequate risk reports due to high complexity, poor visualization or inaccurate timing. Information overload. Low information quality. | Reduce complexity dramatically. Focus on 3 to 5 top issues per report/meeting, minor topics in appendix. Use visualization techniques.
D. Communication within Senior Management
Communication Problem | Ideas for Improvements
Lack of transparency and alignment regarding risks, responsibilities and mitigation actions. | Formalized meetings with Senior Managers from business and risk functions to get a common understanding on situation.
Unclear communication of strategy within the organization; overall goals are not clear to everyone. | Increase awareness for this problem by mentioning it as a major risk.
Lack of awareness; industry-wide issues are not discussed (“problem of others – does not happen to us”). | Document external events and establish link to own company. Ask for detailed explanation why this cannot happen to your company.
Filtering of information and inappropriate aggregation method of risk information. | Use direct communication channels to the appropriate executives. But keep confidential information confidential.
E. Communication between Senior Management and Stakeholders
Communication Problem | Ideas for Improvements

Shareholders and Investors
Risk of communication itself (e.g. profit warnings); loss of trust after repeated “poor communication”. | Establish a communication policy and balance information requirements with associated risks consciously.
Investors request more information on risks and risk management approach than organizations are willing to provide. | Balance investors’ information needs with internal confidentiality considerations. Studies show that investors reward transparency.

Public
The public trusts in people (and media) instead of analyzing facts. | Top Management must act in an authentic, open and trustworthy way, communicate about facts and experiences.
Senior Management does not recognize shifts in public’s perception regarding specific risk factors (e.g. corporate social responsibility). | Establish a function for external monitoring. Implement standardized communication processes to provide management with meaningful insights and advice.

Regulators, Rating Agencies and Analysts
For banks: Problematic symbiosis between banks and regulators in general (importance of financial market and banks for Switzerland; regulator approves risk models but does limited challenging of results of these models only). | Do not focus on local regulator alone but also benchmark with best practices and regulations in other industries or jurisdictions.
Possible negative effects of full transparency (e.g. fines, special audits, withdrawal of license) may hinder organizations from communicating frankly about risks. | Sooner or later, transparency will be rewarded. E.g. rating agencies require full transparency. If companies block information, they will receive a poor rating.
Rating Agencies’ requirements framework regarding risk management not yet sophisticated enough (e.g. ERM framework S&P for Insurers). | Benchmark with best practices and other risk standards.
Form of communication with analysts not always adequate (e.g. analysts prefer analysts’ meetings or 1-to-1 sessions with Senior Management; organizations create reports and have large press conferences). | Balance the importance of this stakeholder group for your business with the additional costs for individual communication.
Summary and focus points to improve risk communication
The ultimate goals of risk communication are:
- Common Language / Framework: Improving the understanding of risks and risk management process.
- Holistic View: Ensuring that the views of all stakeholders are considered.
- Clear Responsibilities / Priorities: Ensuring that all stakeholders are aware of their roles and responsibilities within risk management.
A first step to achieve an adequate risk communication is to identify all relevant players, to make their
information and communication relationships transparent and to be aware of the various possible
communication problems.
To improve risk communication, one should focus on the following points:
- Adjust organizational/functional setup; from silos to integrated risk functions.
- Build a common risk language and risk aware culture.
- Strive for a holistic risk view instead of focusing on detail issues.
- Use visualization techniques to improve communication in risk identification, risk assessment and risk reporting.
- Improve communication channels (e.g. committees, reports, escalation procedures).
- Start to improve internal communication, and then enhance external communication.