There’s an unfortunate stereotype that risk management is boring. Risk managers are pessimistic clerks. Compliance officers are scaremongers. Too many managers think this way. As a result, risk management is an unloved and misunderstood discipline. Until disaster strikes, risk management is, for most, a painstaking and costly chore.
In an increasingly volatile world, however, risk management has never been so important. Nonetheless, risk managers struggle to make their voice heard in the face of more immediate and commercial pressures. This is especially true in small- and medium-sized companies — organizations with entrepreneurial cultures, fewer regulatory demands, and more resource constraints. These businesses tend to view risk management as an expensive luxury — and they may be more exposed to risks as a result.
This article presents a more enlightened approach to risk management based on two decades of applying, researching, and teaching risk management to academic and professional audiences. It will help managers — including those at SMEs — to better understand risks and apply effective, positive risk management techniques. It’s a framework that relies on three actions: designing controls proportionate to the risks at stake, analyzing the lessons from success (not only from failures), and using risk management to boost and protect business performance.
Positive risk management is proportionate
Proportionality means that small risks require small fuss; big risks demand big focus. Daily risks are acceptable, such as: forgetting an email attachment, double paying a modest invoice, missing a deadline on an internal report. Errors and slips like these simply show how busy we are. They are understandable oversights in fast-moving enterprises, especially SMEs where teams are lean and resources scarce.
Conversely, extreme risks deserve greater care: a phishing link starting a cyber-attack, the loss of key intellectual property in an innovative start-up, a bacterial infection in the water supply of a care home. Neglecting real dangers costs millions, heartaches, and lives — and that’s when we regret not being more vigilant, more careful, more boring.
Yet, organizations often miscalculate risks. Smaller incidents are the most frequent; they raise attention but do not matter. From a sample of 500,000 operational losses in banks over the years, data show that incidents from the smallest size category are the most frequent (61%) but the least damaging overall (6% of the total loss severity). The real damage comes from the largest, rarest incidents: each year, the top 0.3% of incidents cause on average 63% of the total losses. Despite this imbalance, risk managers and businesses dedicate more time and attention to the small issues, rather than preventing serious damage.
Risk management is costly when over-applied. For example, excessive cyber protections slow down computers and logins, and double checks of every single payment and transaction waste time that could be better used for creative activities. Credibility comes from restraint. Risk managers are respected when they show pragmatism in their calls for prudence. Competent risk managers prepare for severe and plausible scenarios while tolerating limited mishaps.
Proportionate risk management reduces the inefficiencies arising from either too much control or too little control. Being too cautious leads to slowness, rigidities, and opportunity costs. Carelessness causes accidents, instability, and remediation costs. Non-financial risks have a risk-return trade-off like their financial equivalents. Saving costs by lifting some operational controls to increase productivity is a reward for operational risks. Effective risk managers and astute business leaders have a clear view of how much risk they are prepared to accept, and for which benefits. The concept is widely referred to as risk appetite.
Positive risk management celebrates success
It is a good risk management practice to dissect the root causes of accidents, especially those with the largest potential damage. However, when focusing on past losses and future mistakes only, risk managers fail to recognize and reinforce the causes of success. Looking back to the causes of failures is valuable, but it can create resistance through implied criticism.
For example, a senior risk officer of a clearing house in London stormed out of a workshop when some of the causes of the loss discussed were identified as a consequence of his management style. He vetoed further exercises and was let go six months later, for other reasons. The firm in question has now closed.
Reflecting on success stories is inspiring. “Why did we win?” creates more enthusiasm for analysis than “Why did we lose?” Dissecting past achievements is encouraging and insightful. Successes are there, but often overlooked: on Monday morning, no one notices the IT migration that ran smoothly over the weekend, nor praises the absence of customer complaints, thanks to the efficient performance of staff. The negativity bias of the human brain means that negative experiences imprint on our memory more quickly and last longer than positive ones. Deliberate reflection on past victories is a welcome counterbalance to the common risk management focus on what went wrong.
There are accepted rules for effective risk management: vigilance is key, and rapid intervention reduces impact. “If you see something, say something” is the New York City Subway’s motto to prevent terrorist attacks. “See it, say it, sorted” is the equivalent for the London Underground.
For SMEs, discipline and vigilance are also essential for success. Start-ups need more than great ideas to thrive; they depend on the relentless attention of their founders, who must continually monitor performance and be alert to what could go wrong. The international expansion of a nascent brand requires rigorous planning, market knowledge, thorough due diligence, and competent managers who can fix a myriad of potential issues before they turn into disasters. As in personal life, the early detection of a theft, a fire, or an illness can make all the difference between a fright and a tragedy.
Praising good risk management practices reinforces winning behaviors and avoids undue criticism, and positive risk managers become mentors, not doomsayers. Welcome and accepted, risk management becomes an ingredient of achievement.
Positive risk management protects performance
Managing risks is inseparable from managing performance. Positive risk management aims to capture the upside of uncertainty, and to prevent the downside as much as possible.
Dream big, risk big: taking risks is necessary, even desirable. But it takes method. Stunt actors are great risk managers, otherwise they would not survive their first movie. Entrepreneurs must balance dare with caution, or they are destined to fail. Firms and governments must watch and respond to threats, or they will create havoc for themselves and others, as we have witnessed too many times. When risk management fails, organizations go down. The Great Financial Crisis, Covid-19, or the recent collapse of Silicon Valley Bank all find their source in the failure of risk management.
Risk management is a condition for ambition: the more ambitious the objective, the more important risk management is to achieve it. Hotels and resorts require flawless processes for a satisfactory customer experience; fintech banks must be first-class cybersecurity experts to operate; healthcare providers need impeccable patient safety procedures to survive.
Particularly for smaller firms, growth comes with risks, and fast-growing start-ups generate operational risks faster than revenues, as complexity increases more rapidly than size. Only those with sound risk management systems will become the Google, Amazon, Disney, or McDonald’s of tomorrow.
With the growing focus on climate change, financial regulators and investors such as BlackRock expect organizations to understand, assess and communicate their exposure to climate-related risks. However, what is now required for climate-related risks is valid for all types of business exposures: to protect their business model and performance, managers need to oversee all the relevant changes to their operating environment. For instance, blockchain innovations and cryptocurrencies are most relevant to payment platform providers, while the mining conditions of cobalt and the availability of rare earth elements are essential to monitor for lithium-ion battery producers. Generative AI scares many, but used wisely (with proper risk management), this tool can be a fantastic productivity booster to be embraced rather than fought.
SMEs do not have the same regulatory pressures that can lead larger companies to measure and mitigate their risks, but they also have fewer buffer resources to resist unexpected shocks. They are one large potential incident away from bankruptcy.
By being positive about risk management, professionals can bring an inspiring narrative to their discipline, recognizing the value of taking risks and the necessity of protecting performance. A constructive dialogue between optimists and pessimists, between those who dare and those who prefer caution, is a powerful engine for business growth without booms and busts. In the pursuit of success and happiness, we need to decide what we can gamble on, and what we cannot afford to lose.