Paul Harwood suggests management risk should be considered as a category on its own, to the benefit of business results
I may have discovered a new risk: 'management risk' - defined as 'the risk that management doesn't deliver the planned results'. This type of risk is strangely absent from much of the enterprise risk management (ERM) literature.
Isn't it just operational risk? It could be, particularly given that operational risk is a balancing category, a convenient label for a diverse set of 'no upside' risks. But I've never seen management risk as an operational risk sub-category. Plus, it has an upside.
What's the nature of management risk? Boards hire management teams to deliver a defined plan on agreed assumptions within a reasonable corridor. The great thing about a plan is that you can subject it to a whole host of tests, stresses and scenarios. You can assess how results benefit from better - or suffer from poorer - management, and whether assumptions are reasonable. This feels like productive, meaningful analysis.
Luck or judgment?
Yet business results happen by luck as well as skill. Colleagues tell me that when results are good, management takes the credit; when they are poor, it's down to bad luck. That can't be the whole truth of it, regardless of the cynics. Certainly, performance is a mixture of luck and skill. A good result might have been better with more luck, a bad result might have been worse with less management skill.
Do boards hire management teams for their luck or skill? It should be skill - assuming that luck is not a part of a team's composition. Shouldn't we be pressing to understand how much of management's performance comes from skill and how much from luck? This, I suggest, is about understanding the nature of management risk.
Ideally, remuneration and skill would be correlated. Maybe that's not consistently the case in practice. I'm not offended by that; it is the way of the world. What does concern me is a default approach to risk management that does everything but put management under the spotlight. The closest we get is to talk of culture. These discussions can be interesting, but they tend to explain, rather than help manage, problems.
We must take care in financial services. Decision-makers, often not close enough to the models, rely on the analysis and synthesis of actuaries and risk officers. Sometimes the synthesis is wanting, and voluminous analysis serves as a proxy. Management can mistake the volume of their choices and the breadth of their discussions as symptomatic of good culture and an open environment.
The reality is that risk management crystallises when decisions are made, and culture radiates most strongly from decisions made (what is rewarded, what is punished), not the tolerant, friendly, anything-can-be-raised atmosphere in the boardroom.
What better risk management strategy than to expect management to deliver what it promises? That sends a very strong anchoring message for the culture: "We mean what we say."
Assessing management risk brings executive performance management and risk management together. This can only be a good thing.
Operational risk is no longer a little-understood silo report but central to the evaluation of executive ability.
Does this introduce incentives to game the system? Yes, theoretically.
But boards already have to ensure that their management information systems needs are met and that board challenge is robust, regardless of any gaming that is going on. There is no reason why management risk can't be part of that.
A common plan
'Management' follows from the accumulated decisions of, maybe, hundreds of people. So it could be argued that focusing on management risk overly concentrates challenge on the few people around the table.
But all ERM work starts with those very same people. They need a common language, drivers and intent to support their decision-making.
The plan conveys that.
Furthermore, the overarching plan is made up of many smaller plans that should, diversification aside, add up. Management risk should be additive. Focusing on the same things throughout can't be deleterious.
In summary, management risk may be the missing link, the driver of culture, and a risk component that boards can use to manage their firms to good effect. Let's have more managers doing what they said they would, or explaining why, in the context of risks faced and skills executed. The result should be a proper appreciation of high-quality management teams that can drive and protect business results.