The Nature of Risk

Nov 2, 2023

Back to the Basics:

What is risk?

Legendary football coach Vince Lombardi opened training camp for the Green Bay Packers in 1961 in historic fashion. The Packers had blown a 4th-quarter lead in the NFL Championship Game against the Eagles the previous year. The players came into camp expecting to pick up where they left off in their quest to win the championship.

Instead, Lombardi returned to the basics. He held up a football, and said: “Gentlemen, this is a football!”

Before we get to the nature of risk, let’s talk about the basics, and then look at current best practices in the evolution of Enterprise Risk Management (ERM). We’ll examine an example of how this evolution can be put into practice, and what the outcome looks like. That will lead us to an understanding of the nature of risk.

At its most fundamental level, risk is the possibility of harm or loss. In the context of ERM, risk embodies several levels:

  • Risk of non-compliance with laws and regulations,
  • Risk of critical failures in transactions and operations,
  • Risk of disruption in achieving business objectives, and
  • Risk to the organization’s strategy.

ERM Ecosystem:

As ERM has evolved, it has focused more on the strategic and less on the operational levels of risk. Rochdale has developed an ERM Ecosystem to graphically describe this continuum. (You’ll recognize the model, as it’s based on Abraham Maslow’s hierarchy of needs. The concept is similar: we must satisfy or mitigate risk at the lower, or more basic levels, before we can address risk at the higher levels of the continuum.)

Note that as we move along the continuum to higher levels – i.e., as we move from the operational to the strategic – the focus shifts from value preservation to value creation. As with Maslow’s hierarchy of needs, the aim moves from survival to relevancy. And the key constituencies migrate from SMEs and the front line to the C-suite and the board room. In the context of this discussion of the nature of risk, we’ll focus on the highest level: strategic risk.

Strategic Risk Assessment Process:

At Rochdale, when we assess a credit union’s risks as part of an ERM engagement, we break those risks down across the institution’s various business units. However, we also include a “Strategic” business unit. This business unit does not exist on the credit union’s organization chart. It captures those risks that bubble up to the executive level to be addressed; risks that cannot be addressed by operational business units, and are indeed larger, more impactful, and more “strategic”. (Note that we refer to these business units as “risk units” for the purpose of ERM risk assessments.)

The risks included in the Strategic risk unit should not be confused with risks in the Strategic risk category, although many of those risks will fall into that category. But there may be other risks in the Strategic category that are identified and assessed in other risk units.

Some credit unions might leverage a baseline set of “standard” risks for the Strategic risk unit, which could be customized in the initial (or a subsequent) risk assessment. These include risks that might be common to any credit union that would be addressed by the executive team, such as:

  • Loss of income tax exemption
  • Uncompetitive operating expenses
  • Late to market risk
  • Lack of succession planning

Obviously, these “one-size-fits-all” risks, while they may certainly be relevant in terms of being risks that all credit unions might face, do not necessarily represent the key strategic risks that an individual credit union faces at any given point in time.

As part of the evolution of ERM from the operational to the strategic, and consistent with Rochdale’s ERM Ecosystem, I worked with a number of clients throughout 2023 to replace the legacy “standard” risks in the Strategic risk unit with risks that are directly aligned with each client’s strategic plan. This results in a risk assessment that is consistent with the credit union’s strategic plan and executive performance plans, leading to more relevant and meaningful discussions about risk at the strategic level between senior management and the board of directors.

The first step in this exercise was to obtain each client’s most recent strategic plan. Each of these plans contained five to ten key themes, elements, or pillars – whatever term the credit union chose to use to describe the major strategic initiatives set forth in its strategic plan.

We then wrote risk descriptions based on these themes, aiming to identify both the risks to achieving each strategic theme and the risks of not achieving it. The key questions regarding risks to the strategic theme focused on those things that might inhibit the credit union from accomplishing whatever objective it had outlined. We also included dialogue around the risk of not achieving the particular objective.

These risk descriptions generally took the form of “Failure to [achieve the theme in question].” Some examples include “Failure to leverage digital channels,” or “Failure to add new members,” etc. We identified which of these new risks would be assessed as out-of-pocket losses, and which would be assessed as opportunity costs. Then, we made recommendations as to which of the “legacy” risks should be closed, which should be retained and moved to one of the operational risk units, and which should be retained in the Strategic risk unit. Finally, we agreed on which of the new risks would be added and assessed.

These changes resulted in roughly the same number of risks in the Strategic risk unit for each client, and no client experienced a significant change in the dollar amount of residual risk assessed. We did see some changes in the mix of opportunity cost vs. out-of-pocket loss assessed, depending on how those risks were identified and assessed, both in the “legacy” risks and the new, re-aligned risks.

The most significant result from the change, however, was that the Strategic risk unit assessment was a much more robust and thoughtful discussion than it had been in the past. Where before it largely felt like a “check the box and get this over with” discussion, the assessment of these risks, which related directly to the credit union’s strategic plan, resulted in deeply engaged conversations about what could go wrong with each of the credit union’s key strategic themes, what the cost might be if things did go wrong and the risk weren’t mitigated, and very candid assessments of just how well the risk surrounding those themes was mitigated.

In Practice:

Last weekend, I had the opportunity to participate in the presentation of this year’s ERM assessment results to a client’s board of directors at their annual board retreat. The board members applauded the change in the Strategic risks, and agreed that it would lead to more meaningful discussions about risk between senior management and the board.

I noted that, as the credit union’s strategic themes change over time, the risks assessed in the Strategic risk unit may also change, and thus the amount of residual risk associated with those risks may fluctuate. I stated that this is okay, as those risks should reflect the environment in which the credit union is operating at any given point in time. At some times, we face greater risks (or opportunities), and therefore our assessed risk is naturally going to be higher than during periods when we face relatively less risk.

One board member asked whether it would be better to hold those risks constant over time, “so that over time we’re comparing apples to apples, instead of comparing apples to oranges.”

This, finally, brings me to the point of this discussion about the nature of risk.

I replied that, while some basis of consistent comparison can be good, it isn’t inherently “better” to keep assessing the same Strategic risks over time, merely for the purpose of being able to “compare apples to apples.” Why?

Because some years are apples, and some years are oranges. Just think of what we’ve faced in the last four years: an unprecedented global pandemic that resulted in shutting down the world’s economies; the highest inflation in a generation; the most aggressively restrictive monetary policy in U.S. history resulting in the highest interest rates in nearly two decades; the tightest liquidity conditions faced by financial institutions in recent memory; and fears of a systemic banking crisis for the first time since 2009.

So yes, some years are apples, and some are oranges. When the COVID pandemic hit in 2020 – well, that was a completely different kind of fruit, sort of a big, rotten kumquat.

In Conclusion:

Which brings us to a conclusion: risk, by its very nature, is dynamic. It is ever-changing. If there is anything about risk that is constant, it should be our approach to it; how we anticipate it, how we prepare for it, how we address it, how we mitigate it.

I don’t mean to suggest that we will take the same approach to managing all risks in all situations. Our approach in an “apple” year may look quite different than in an “orange” year. And when that big, rotten kumquat came rolling our way in 2020, we had to throw everything we knew about risk out the window and figure out our approach on the fly – one analogy was that we were flying the airplane while we were building it, with no schematic, and air traffic control was changing its instructions on a daily basis.

What I mean about a constant approach is that we must have a constant discipline and framework for anticipating, preparing for, assessing, measuring, mitigating, and managing risk. We should always be forward-thinking, and we should ensure that we have a robust ERM program and system that will enable us to handle the apples, the oranges – and yes, even the kumquats.

Rochdale can provide that system and assist in developing that program. Our deep bench of experts helped guide clients through the assessment of risks associated with everything from the initial work-from-home requirements of the COVID pandemic, to return-to-work considerations as restrictions eased. We are proactive in our approach and disciplined in our methodology – but flexible enough to handle the dynamic nature of risk.

We started this discussion with a fundamental definition of risk, followed by a comprehensive list of the levels of risk incorporated into ERM. Perhaps the best definition of risk, one that captures its dynamic nature, is this:

“Risk is what’s left over when you think you’ve thought of everything.”

For more information on Rochdale’s ERM services and software, please contact us at sales@reimaginerisk.com.