What really lies in the Future of Risk Management?

By Horst Simon, The Risk Culture Builder

Maybe the time has come to finally take the people side out of Risk Management—let us change the Basle definition and say Operational Risk is just systems, processes and external events; that is anyway the perception most of the world has followed. Even after the publication of the IRM’s Guidance papers on Risk Culture and the later study by the London School of Economics, the whole world is still adjusting to the people thing at a snail’s pace. Remember: those who are slow or do nothing at all will just be EXPLOITED by those who are better!

Let us see how the mathematical models will manage risk and how the systems will mitigate risk without any human intervention. People have moved from “thinking” to “doing” over a long period of time, and it will be a major effort to change these habits, so let the machines just do it!

In this new world, we do not have to worry about “Human Control Malfunction” or any other people risks, nobody really understood the reasoning behind “inherent” risk and “residual” risk anyway. How do you make anybody “imagine” a world without any controls? And then quantify the risks associated with that, just to be told the next moment to assess the “existing” controls and go through a brainwash exercise to now get to the “residual” risk—the only part we should be interested in.

Unless VAR and GRC die, we will never be able to make progress.

Who cares about the Value at Risk? It cannot prevent losses, it cannot help you to take better decisions and it cannot mitigate risk in any way. It is just a number and, given the bad quality of data out there, mostly a “wrong” number.

GRC!! Why did we ever start cooking a stew of Governance, Risk and Compliance? Governance and Compliance are good—on their own. They just “protect” what is there; they cannot add value or improve performance, so why did we have to add Risk into the pot to make them look better?

Then vendors came along with a tool to analyse the stew and claimed this to be the answer to all problems, killing the only good thing in regulatory guidance: that risk must be independent! So now the only good thing is ignored, and banks have spent millions of dollars buying the “new” answer to all their problems, a GRC system with great-looking red-amber-green dashboards of (still) historic data converted into mostly useless information. The purpose of risk reporting is to provide users with information that will allow them to make their own assessment of risk and support them in taking the right business decisions. The overall aim of any risk reporting process must focus on helping all employees to take better risk-informed decisions, as can be seen from this article: https://riskguide.wordpress.com/2021/02/07/shaping-organisational-success-ground-rules-part-1-open-letter-to-the-team/

Governance and Compliance are part of the cost of doing business; Risk is all about “doing” business, adding value and building sustainable competitive advantage.

Risk Management; wait, there is part of the problem—why did we add “management” to Risk? Now everybody thinks that whoever is the risk manager must “manage” the risk. We should never have created risk managers—all we should do is add “Risk Management” to every employee’s job description, pretty much like the “and any other duties assigned” some bright spark came up with years ago.

It is time to really practice the extremely difficult art of THINKING, thinking about the Future of Risk Management!

Risk management is not rocket science, and all organisations have been doing it in one form or another for as long as they have existed. Sadly, too many rules and regulations forced the focus of Risk Management onto centralised controls and an over-emphasis on quantification as the key to managing risk.

No information technology system, no amount of data analysis and certainly no mathematical model can mitigate risk, only people can.

We saw several problems highlighted by the economic crisis; this is by no means a complete list, and the research and debate will continue for a long time. We saw:*

There was an over-reliance on the use of financial models, with the mistaken assumption that the “risk quantifications” (used as predictions) based solely on financial modelling were both reliable and sufficient tools to justify decisions to take risk in the pursuit of profit.

There was an over-reliance on compliance and controls to protect assets, with the mistaken assumption that historic controls and monitoring a few key metrics are enough to change human behaviour.

There was a failure to properly understand, define, articulate, communicate and monitor risk tolerances, with the mistaken assumption that everyone understands how much risk the organization is willing to take.

There was a failure to embed enterprise risk management best practices from the top all the way down, with the mistaken assumption that there is only one way to view a particular risk.

(* From “The 2008 Financial Crisis: A Wake-up Call for ERM”, published by RIMS.)