By Pascal vander Straeten February 22, 2023
The profession of intelligence gathering is often compared to the art of risk management in that there are many similarities between both job assignments. For instance, both professions require the ability to carefully analyze data, identify potential threats and develop strategies to mitigate them. The motto of the U.S. Office of Naval Intelligence perfectly sums up the mission statement of a risk management department: “In God We Trust, All Others We Monitor.” As with an intelligence agency, a risk management department should collect, analyze, and exploit risk data in support of the organization’s business model and objectives.
It is crucial that risk management adds value to the business model of any organization rather than just monitoring and managing risks. Risk management should aim to gain and hold a decisive information advantage over an organization’s potential adversaries (e.g., it can rely on internal rating methods rather than external rating agencies when rating structured finance assets). By leveraging the insights it gains into potential threats and opportunities, it can create a competitive advantage while also actively managing risk in real time.
To that effect, like an intelligence agency, the risk management department within an organization should collect, analyze, and produce relevant risk intelligence and disseminate that knowledge rapidly to critical strategic, operational, and tactical stakeholders to meet the organization’s requirements. By doing so, the organization can ensure that it is able to recognize, assess, and respond to new and emerging risks and opportunities in a timely manner. This in turn can help the organization to stay ahead of the competition and maximize its opportunities for success.
The goal of risk management is to bring together all risk data, across the various types of risk, along with the interests of all stakeholders within the company. Through this integrated approach, business operations can be supported while vital information is provided to plan the company’s resilience against threats domestically and globally. By understanding all the risks that the company may face, the company can develop strategies to mitigate those risks. This integrated approach also allows the company to assess the current and future risk environment more accurately, as well as identify potential areas of vulnerability. Additionally, this approach allows the company to collaborate with all of its stakeholders more effectively in order to develop the best risk management plans possible.
Like an intelligence agency, risk management should rely on several sources of information to achieve these objectives:
- SIGINT – Data collection and analysis using algorithms, mathematical models, and predictive analytics.
- HUMINT – Information collected from people on the ground: this includes regular (weekly) meetings between account managers, front office personnel, business development personnel, and portfolio managers.
- GEOINT – Intelligence gathered from analyzing country and geopolitical risks as well as the environment in which an organization operates.
- OSINT – Information gathered from open sources, including articles in the media and industry research, meetings with peers and customers, and conferences.
- MASINT – Risk assessment (in collaboration with the Finance Department) through robust data analytics.
The risk management field has gained enormous popularity among scholars and organizations over the last several decades. Individuals and their organizations have always employed risk management functions, but it took some decades before the need for an integrated approach was finally understood and its benefits became apparent to managers and decision-makers. As such, risk management has become an essential element of a successful business strategy, allowing organizations to identify and mitigate potential risks before they cause costly problems.
Risk management is best practiced as a comprehensive approach to the discipline, commonly referred to as Enterprise Risk Management (ERM), Organizational Risk Management (ORM), or Corporate Risk Management (CRM). According to this perspective, organizations should continuously monitor the risks associated with their strategic objectives, proactively managing risk. Similarly, the latter would indicate the severity and evolution of threats within the organization to maintain a risk profile aligned with the organization’s strategic objectives. As such, companies should prioritize risk management strategies to ensure their objectives are achieved in a safe and secure environment.
Hence, risk management is integral to the organization’s processes, recognizing that there can be upsides and downsides to the organization. A holistic approach to risk management means that it is not divided into departments and functions but is instead organized in order to maximize performance while mitigating risks. Consequently, risk management would contribute to increasing the likelihood of success while reducing the likelihood of failure and the uncertainty of achieving the organization’s goals. Risk management is like a toolbox – having the right tools for the right jobs is essential to increase the chances of success while mitigating the risk of failure. Keeping all the tools organized and accessible is key to ensuring the job is done correctly and efficiently.
A comprehensive approach to risk management considers all types of risks that an organization may encounter. A proactive approach aimed at improving organizational performance is also more effective than a purely defensive one. Managing enterprise risk involves aligning strategy, processes, people, technology, and knowledge with the objective of assessing and managing threats and opportunities. An organization’s risk management function is responsible for directly managing its risk management policy from this perspective. This proactive approach also allows for greater agility when it comes to mitigating emerging risks, allowing for a more comprehensive and holistic approach to risk management.
A risk management program is implemented by coordinating with all the operational and business areas of an organization, which is ultimately responsible for the implementation of risk management and the performance of a permanent monitoring process. The risk management perspective therefore implies that risks need to be managed in a comprehensive manner, covering potential threats at all levels of the organization, whether they are part of the planning stage of a new project or during day-to-day strategic and operational management. As part of this, organizations should develop strategies and plans to address risks, as well as develop processes and tools to identify, analyze, and manage risks. In addition, organizations should create protocols for monitoring both the immediate and long-term impact of risks to ensure that they are managed in a way that meets the organization’s objectives.
Through a portfolio view of risk, a holistic view of risk attempts to capture the big picture by identifying key risks. An entity’s residual risk profile must align with its overall risk appetite when management looks at risk from an entity-wide perspective. An enterprise-level risk assessment must be conducted, from the perspective of each manager, for each business unit, function, and process. To determine whether the entity’s overall risk portfolio matches its desired risk profile, senior executives and the board examine a composite view at different levels of the organization. This allows them to assess the impact of individual risks on the entity’s risk profile and make any changes necessary to ensure that the organization is properly positioned to meet its objectives.
The core principle that should be observed when managing risks holistically is that it remains more beneficial to focus on the system’s resilience rather than attempting to predict the likelihood of an event occurring. The usefulness of quantitative methods in tail risk management wanes despite their use in risk assessment. The focus must truly be on building a resilient business model to mitigate extreme risks and preserve a firm’s survival. This is because predicting the likelihood of a tail event occurring is extremely difficult, if not impossible. As such, the focus should be on creating a system that is resilient to shocks, allowing it to weather any unexpected events. This is the most effective way to ensure that the firm is able to survive in case of a tail event, without having to rely on predictions of its likelihood.
There are a number of robust tools to help you create resilient and agile business models, including supply chain risk management, risk mapping, reverse stress testing, highly reliable organizations, and financial continuity plans. As a result of tail risks, major and well-respected financial institutions have failed in recent years, demonstrating the inadequacy of current quantitative practices to protect against them. A qualitative approach to tail risk management involves business strategy in addition to capital management. To effectively navigate the uncertain and unpredictable landscape of tail risk, it is essential to not only employ quantitative practices but also to develop the appropriate business strategy.
The final point to be made is about risk management’s added value, and what is missing currently: discerning the intentions of clients, potential clients, and competitors.
A simulation aspect can be added when, for instance, underwriting a business proposal or investment. When a company invests in a particular business, what is the severity to the firm if the business goes bankrupt suddenly? If the assets of the business were liquidated, how much could the company recover?
Regarding portfolio management, what are the intentions of the rival banks regarding, for example, Greek, Italian or Venezuelan risk exposures? We want to know if our competitors will keep the assets on their books, if they will apply a risk provision or a haircut, if they will try to sell the assets on the market, etc.
Adding value through risk management also requires that, to be effective, risk management is tightly integrated with the organizational strategy, linking strategy and critical success factors. Putting risk management in context by connecting it to the company’s strategy is a great way to make it better understood by staff. In addition to looking at downside risks, this approach also allows for examining missed opportunities.