Author and consultant Sim Segal published The Corporate Value of Enterprise Risk Management in 2011. It is a marvelous book – an unusual combination of technical sophistication and readability. You should read it cover to cover, but I will focus on three important lessons from Segal in this post.
1. Organizations overemphasize financial risk (and ignore others).
Segal is a vocal advocate of “enterprise risk management,” where organizations do not focus on silos of risk but instead take a more holistic approach to identifying threats and opportunities. He notes, however, that there is more basic flaw in most approaches to risk management: management overemphasizes financial risk because financial risk is perceived as more measurable.
“For financial risks, there is a large amount of objective market data to use in developing risk scenarios, which include quantitative impacts on financial results. However, for strategic and operational risks, which are heavily dependent on the specific makeup of the organization impacted, there is far less data available. In addition, popular qualification methods do not adequately support strategic and operational risks.”
Sim Segal, The Corporate Value of Enterprise Risk Management (2011), at 28. As a result, Segel notes that there is “the belief that financial risks are the most important risks — that they are the majority of the risks that most threaten the organization. This is not supported by experience, and in fact, quite the opposite is true. Research studies consistently show that strategic and operational risks represent the majority of the key risks for company and also comprise the biggest threats.” In fact, a study that Segal performed showed that only one percent of front page news of risks in the Wall Street Journal in 2006 were financial, while two thirds more strategic and approximately one third were operational. Id. at 28.
The take away? Financial risks may be important, but they should not overshadow all their threats and opportunities that deserve attention.
2. Focus on a manageable number of key risks.
Effective risk management does not require an exhaustive attention to every risk. To the contrary, the number of threats and opportunities an organization should focus upon should depend upon the organization’s capacity:
“[T]he number of key risks does not depend on the size of the organization. . . . This is because the number of key risks is merely a reasonable number of risks on which senior management can focus, at a given time, in a priority manner.”
Sim Segal, The Corporate Value of Enterprise Risk Management (2011), at 35. The lesson? Organizations hesitate to begin risk management because they believe that it is an exhausting process that would uncover every little risk and distract attention from the core mission. But risk management is incremental. Although a risk management process may begin by attempting to survey all threats and opportunities faced by an organization, effective risk management focuses in like a laser on those threats and opportunities that present the greatest return on investment.
3. Be vigilant about two risks that are hard to talk about – arrogance and concentration.
Segal notes in his book two risks that do not get a lot of attention in the literature, but are very important for growing businesses and nonprofits: arrogance and concentration risk.
“There are two particular types of risks that weren’t highlighting separately because of the special nature. These risks share three qualities. They are: politically difficult to introduce; easily identifiable; and a leading indicator of high-severity risk events. Two such risks which we will discuss are arrogance and concentration risk.”
Sim Segal, The Corporate Value of Enterprise Risk Management (2011), at 155.
a. Arrogance. Arrogance is a real threat to small, start-up businesses that want to scale. Until they hit a major bump, they believe they are invincible. They believe the “bigness” of their big, hairy, audacious goal will carry them over any hurdle. Rather than investing a small amount of money in developing core processes for customer service, talent management, and other basic business activities, they allow their perception of superiority cloud their view. Unfortunately, this can lead to disaster. “When arrogance takes root, it can sprout many different types of risk events. Arrogance is like dropping one’s guard. Once you unknowingly drop your guard, attacks can come in any form.” Sim Segal, The Corporate Value of Enterprise Risk Management (2011), at 157. The lesson? Strong, growing, resilient organizations invest in basic human infrastructure. They document processes. They install controls. They set up tools to identify threats and opportunities that may not be immediately evident to the founders team.
b. Concentration. Segal defines “concentration risk” as “an unhealthy level of internal or external concentration of power. Power can take many forms, including authority, information, access to markets, and so on. Sim Segal, The Corporate Value of Enterprise Risk Management (2011), at 158. The author notes that there are both internal and external power concentration risks. Rainmakers and masterminds may present internal concentration risks. Critical suppliers, large customers, or large distributors may pose external power concentration risks. Id. at 159.
Small organizations, whether for-profit or nonprofit, are particularly susceptible to concentration risk. A strong executive director, a charismatic hard-charging founder, core rainmaker – these are worrisome indicators of potential concentration risk. The lesson? Seek diversification. This can come by expanding one’s network of connections, finding trusted advisors, and focusing on developing a culture in which even the leadership – especially the leadership – can be questioned and can question itself. In some sense, curiosity and learned humility are the essence of effective risk management.
In short, read Segal’s book. It’s extraordinary. But follow these three lessons, and you will have already gained benefit from his work.
Do you face any of these issues? Don’t go it alone. Instead, please give us a call.
Also, please share this post if you found it useful. We are out to change how organizations think about threats, opportunities, and risk management, and we need your help.
Photo credit: Viktor Hanacek, Picjumbo