Stage 5: Evaluate performance
Risk management is but one input to policy making in an organisation. It is usually an important element, but can only be useful when put in context with other strategic requirements. In practice, risk is also a consequence of other policy decisions, and so should be seen in this context rather than in isolation.
It is reasonable to believe that an organisation has an intrinsic capacity for absorbing risk, dependent on such factors as its size, its access to capital, its economic and/or social role, the attitude of the owners and so on.
Unfortunately, it is seldom easy to put a figure on that capacity for any particular organisation, though there is often a consensus about the estimated area for the total. For example, most people would expect to see a biotechnology company accepting more risk than, say, a charity providing housing for disadvantaged people. Deciding which of two UK charities, for example, the British Heart Foundation or Macmillan Cancer Relief, has more risk capacity, however, would be a much more difficult, if not impossible, task.
In the corporate world – especially for exchange-listed companies – although determining what is the risk capacity for a business is still fraught with difficulty, the market will be very clear if it thinks a company has got it wrong. Too much risk and the share price declines or even collapses; too little (that is, excessive unused capacity) and a take-over bid may appear – nowadays, often a highly leveraged bid, using the excess risk capacity on offer.
Let us assume that the board of an organisation has, by some process – which will necessarily include evaluation of other strategic decisions already made – decided on an acceptable level of total risk. How should they go about formulating policy to allocate their risk?
It is important that risk allocation is seen as a constraint on the system, not a driver. By this we mean that it is the other inputs to strategy – corporate goals, market opportunities, core industry and so on – that should be promoting the direction of the organisation. The risk mapping and risk-capacity calculations should be used to assess that the organisation is functioning within its limits. However, the effect of different parts of a business acting like a portfolio may mean that simply adding up the risks of individual aspects of the organisation may overstate the net risk. This can be allowed for in the mapping process (with some difficulty) or it may be accommodated in a less precise way by senior management taking an optimistic view of the total risk capacity of the business – that is, an overestimate of risk capacity compensating for an overestimate of the net risk.
In practice, the information made available by the risk management process can help do more than just ensure that the business does not step over the risk cliff into the chasm of destruction. It can assist in the choice of path so that the direction taken heads most swiftly towards the organisation’s goals, without smashing on the rocks or meandering inefficiently. By clarifying what dangers the business faces, risk management better enables management to avoid them without having to leave an excessive margin for error. The likelihood of optimising the risk-to-return equation is, therefore, maximised.
With these factors in mind, it is vital that organisations regularly and systematically evaluate the overall performance of their risk management system and analyse whether it continues to best support organisational goals and is in line with the organisation’s capacity for absorbing risk. It is important to realise that both these factors will change over time.