Companies shouldn’t risk how they manage risk

To quote UCLA Coach John Wooden, “Never mistake activity for achievement.” Integrating risk management into the corporate value chain is a daunting proposition. Policy is not enough. Execution is critical. A company can get in its own way.

An ancient Indian parable tells of blind men describing an elephant. The task exceeds their capabilities. They cannot see, so they cannot form a complete picture of the immense beast. They can only describe the isolated part of the elephant they happen to get their hands on. One encounters the foot and says the elephant must be a pillar. Another grabs the tuft of the tail and concludes the elephant is like a brush. And on it goes.

Each possesses limited understanding and none can possibly comprehend the whole. Putting together their observations is not particularly helpful because an elephant is greater than the sum of its parts. The elephant’s synergy is lost, so to speak. In the end, no one really understands the elephant or each other. Instead of knowledge, their best intentions yield acrimonious confusion.

Corporations can have a similar problem when developing strategy. If they cannot describe risk, they cannot analyze it, which makes appropriate action impossible. If the understanding of risk is flawed, so is the execution of strategy. Poor execution is death to good strategy.

From any perspective, risk and strategy are large conceptual beasts. They are closely related and can be confused with each other. They can be narrowly construed, or described in terms so vague as to be holistic. Actuaries view them one way, accountants quite differently. Financial engineers have another take. Academics tend towards the theoretical. Practitioners focus on specifics. Each sees but a part; none really comprehends the whole. Confusion, itself a source of risk, ensues.

Corporate structures, hierarchies and cultures evolved for specific economic purposes, such as the maximization of operational values and benchmarks – profits, efficiency, innovation, what have you – and the minimization of legal liability. They also evolved to facilitate the creation of value. But they did not evolve specifically for the purpose of analyzing and managing risk.

The primary focus should be on successfully grafting risk management activities to the company’s value chain. This is difficult work, but it creates value. Good execution and good strategy are essential. Each company must develop its own concept appropriate to its circumstances. It is of secondary importance whether we regard the activities as Enterprise Risk Management (ERM), strategic risk management, risk management culture, or by another current conceptual tag.

The inability to execute on risk management destroys value. A Booz & Company study from 2012 found “the mismanagement of strategic risk” is “most responsible for destroying shareholder value.” The following chart illustrates the extent of the damage, up to 35 percent.

It is very important to note that a badly executed response to an external risk is purely an internal problem, a weakness in the SWOT vernacular, a factor the company controls and can change.


An important internal weakness that can dilute strategic execution is the Board’s limited ability to exercise oversight (and increasingly, management) responsibilities for risk. There is an important role for the Board to play in ERM, but there are significant practical obstacles. In terms of expertise and availability of time, boards are often poorly prepared for this role. Walter Bagehot wrote in Lombard Street in 1873, “Not only would a real supervision of a large business…require much more time than the board would consent to occupy a meeting, it would also require much more thought than the individual directors would consent to give.”

Not much has changed since, but now regulators and others demand deeper board involvement in risk management. The Office of the Comptroller of the Currency, which is responsible for US bank regulation, issued risk management guidance in October that tasks bank boards to “approve contracts… that involve critical activities.” The concern is that if contract approval, a management job, is done by the board, insurers could deny coverage when things go wrong.

So, in this case, more board involvement leads to additional risk exposure and circumstances in which existing risk mitigation (insurance coverage) might be useless in case of a claim. How’s that for execution?

A prudent board might be reluctant to increase risk exposures that way. This reluctance might lead the Board to overreact to such demands by issuing risk directives too broad to be useful or, more likely, getting deep into the weeds and issuing policies too restrictive for the corporation’s good on matters the Board has neither the time nor the inclination to master.

This may be understandable, but the unintended effect would be to compromise the effectiveness of risk directives. With one eye on legal liability, corporations would emphasize process over execution, inhibiting management’s ability to implement and execute strategy, and so diminish the value of risk management overall.

General Motors and Coach Wooden

A company can pride itself on its risk management efforts, but it will accomplish little if it cannot implement and execute strategy. “The Upside of ERM,” from the November 2013 issue of CFO, states “if any company can be said to have put the ‘enterprise’ in risk management, it’s General Motors.” But GM’s Chief Risk Officer admits the company cannot quantify ERM’s impact on costs. He adds, “The individuals who represent almost all functional and geographic areas of the company are exposed to the objectives of the ERM program. Our goal is that they take this sensitivity back to their normal day jobs.”

It may be that GM is in the early stages and cannot expect to have accomplished much. But it may also be that GM’s execution is faulty. Structuring ERM as a corporate program with the goal of exposing certain individuals to risk management ideas just might be the wrong way to go about it. It might be a while before GM can quantify its ERM program’s impact.

Many corporate risk management approaches suffer from this defect: placing emphasis more on defining the risk management process (or program) than on the actual execution of risk strategy. Is the corporate program imposed from the top down? Is there understanding of the interactions between organizational functions? Is there consideration of the value chain, the role risk management plays within it, and how risk management helps create value using the linkages between company activities? If not, the company is getting in its own way. Strategic risk management, an issue of fundamental importance, becomes confused, like the blind men with the elephant.


