A new framework for managing risk
By Professor Robert Kaplan
Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster, just as it did not prevent the failure of many financial institutions during the 2007-2008 credit crisis.
So which risks can be managed through a rules-based model and which require alternative approaches?
The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organisations face. According to our research, risks fall into one of three categories: preventable risks, strategy risks and external risks.
Preventable risks
Preventable risks are internal risks which are controllable and ought to be eliminated or avoided. Examples include employees’ or managers’ unauthorised, illegal, unethical, incorrect or inappropriate actions, and the risks from breakdowns in routine operational processes. While companies should have a zone of tolerance for defects or errors that would not cause severe damage and for which complete avoidance would be too costly to achieve, in general companies should seek to eliminate these risks, as they get no strategic benefit from taking them on.
This risk category is best managed through active prevention: monitoring operational processes, guiding people’s behaviours and decisions toward desired norms, clear statements of codes of conduct, internal control systems, and a strong, independent internal audit department.
Strategy risks
A company voluntarily accepts some risk in order to generate superior returns from its strategy. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains.
Strategy risks cannot be managed through a rules-based control model. Instead, a risk-management system must be designed to reduce the probability that the assumed risks actually materialise and to improve the company’s ability to manage or contain the risk events should they occur. There are three distinct approaches to managing strategy risks: independent experts, facilitators, and embedded experts.
These risk-management approaches enable companies to take on higher-risk, higher-reward ventures than their competitors with less effective risk management.
External risks
Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts.
As external risks cannot be prevented, their management must focus on identification and mitigation. There are various tools which can be used by companies to identify their external risks, including stress tests, scenario planning and war-gaming.
Stress-testing helps companies to assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable.
Scenario planning is suited for long-range analysis – typically five to ten years out. Scenario analysis is a systematic process for defining the plausible boundaries of future states of the world. Participants examine political, economic, technological, social, regulatory and environmental forces, and select a number of drivers – typically four – that would have the biggest impact on the company.
War-gaming assesses a firm’s vulnerability to disruptive technologies or changes in competitors’ strategies. In a war-game, the company assigns three or four teams the task of devising plausible near-term strategies or actions that existing or potential competitors might adopt during the next one or two years – a shorter time horizon than that of scenario analysis.
While companies have no influence over the likelihood of risk events identified through these methods, managers can take specific actions to mitigate their impact. Since moral hazard does not arise for non-preventable events, companies can use insurance or hedging to mitigate some risks, or make investments now to avoid higher costs later.
Organisational biases
Identifying and managing strategy and external risks requires an approach based on open and explicit risk discussions. That, however, is easier said than done. Extensive behavioural and organisational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it is too late.
Individually, people overestimate their ability to influence events and tend to be over-confident about the accuracy of their forecasts and risk assessments. As organisational biases also inhibit our ability to discuss risk and failure, these collective inclinations explain why so many companies overlook or misread ambiguous threats.
Risk management is non-intuitive; it runs counter to many individual and organisational biases. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralise the managerial bias of seeing the world as they would like it to be, rather than as it actually is or could possibly become.
Professor Robert Kaplan: Marvin Bower Professor of Leadership Development Emeritus at the Harvard Business School.