I chose this article to reflect upon the latest economic crisis and the opportunities which were lost
to mediate the eventual downfall of many a company. The article identifies the problem as an “urgent
need for the new kind of corporate governance. A strategy grounded in risk management.” This article
states that many businesses “Failed due to inadequate risk management expertise, lack of adequate
support, and outdated tools.” This article outlines a framework for risk thinking and development of a
risk-oriented culture. Prior to the recent failure of our economy, most companies were fortunate to
enjoy a long and continual trend of expansion. While enjoying the easy successes of a strong business
environment, attention to risks was often ignored. Companies should have been asking
themselves, “Are we putting ourselves at risk?” The failure to take appropriate actions to identify and
react to risk is a major contributor to poor corporate performance, especially during turbulent times.
These failures demonstrate a lack of focus and a failure to execute a proper risk strategy.
Due to the increasing complexity of today's business world, the board of directors can easily be
distracted from even the most basic issues. In today's economy a multitude of data is generated and
presented to the board. Due to the number of competing priorities, it is easy to lose focus on something
as important as a well-developed risk strategy. The established way of risk identification and mitigation
fails to fully address risks within functional areas. A better way of drafting plans to mediate those risks
is sorely needed. The latest crisis has made it clear that we cannot operate in a business-as-usual state
of mind.
The first question of risk strategy asks, “Do we fully understand our institution's risk exposures?”
The first step towards understanding the risk facing the organization is the identification and
quantification of the risk. Risk identification is probably most effective when developed by the
business unit where the risks can readily be identified. It is essential that the risks be
properly presented to ensure focus is spent on those issues with the most importance. Execution of a
well-defined action plan will be the result when board-level executives are able to see through the
clutter.
The second risk strategy question addresses, “Are our risk exposures appropriate relative to earnings
objectives, risk appetite, capital levels, and desire for long-term sustainability?” The interrelationships
between both risk and business opportunities must be recognized for proper mitigation strategies to be
formed. The formation of these strategies must include long-term changes in the market in which they
operate and take into account outliers such as that of a disruptive technology. The drive to increase
shareholder value must be tempered within an equivalent risk and reward portfolio. During times of
crisis, opportunities from this portfolio must be approached in an entirely different fashion. Obviously
that approach is driven by the preservation of capital and investments which correspond to reduction of
risk throughout the enterprise. Companies may well choose to invest capital into strategies that alter the
long-term structure of the company. Examples include the exiting of certain markets and the shuttering
The third risk strategy asks, “Is our organization adequately dynamic from the viewpoint of risk
management?” Tilman and Martin state that a “Lack of organizational dynamism ... was one of the main
characteristics of failed companies during the recent financial crisis.” This can be related to early
identification of risks and other changes and drafting responses to those elements identified. This
cannot just be the development of a report that goes into a filing drawer but must be continually
monitored by the board of directors. Tilman/Martin give an example of British Petroleum's lack of
organizational dynamism. I believe this demonstrates that large corporations often miss the important
issue as their attention spans over a multitude of events occurring simultaneously. BP's ability to react
to the crisis may have been better managed had there been a better system of risk reporting.
The fourth strategy question asks, “How do risk and uncertainty factor into our strategic decisions?”
Tilman/Martin give an example of Wachovia and the deeply-held belief that "growing deposits is
perhaps the most profitable thing that a retail and small business bank can do." Wachovia's strategic
opportunities were driven by this philosophy and resulted in a merger with an entity whose risk ran
deep. Wachovia's failure to fully identify risks within the merger led to their failure. As a company
identifies where to compete, they must also take into account the downside of each decision. As with
Wachovia, plans are sometimes drafted without enough diligence paid to each option. With each
opportunity the corresponding cost of risk needs to be calculated into the equation. If each business case is
developed with a quantified risk component choices may become a little clearer.
The fifth strategy asks, “Is there an integrated firm-wide risk management policy?” Tilman/Martin
outline the important questions that an organizational risk management strategy must entail:
"comprehensive risk reporting, governance policies and limits, escalation procedures, action triggers,
and dynamic and integrated firm-wide process." They go on to identify the prerequisites necessary for
the above policies to be in place: "an analytical system capable of properly: identifying, measuring and
aggregating all risk on the enterprise-wide level." A board will become easily overwhelmed without a
proper system that is capable of both the collection and dissemination of risk information throughout
the enterprise. A key here is the aggregation of this information. Although it is important for risks to be
reported from the bottom up, it is equally essential to see the overall trends emerging from each
operating unit. The board may see trends across business units and have the chance to act accordingly.
Tilman and Martin’s sixth identified question concerns empowerment: “Are all professionals at all levels
empowered to manage risk?” Tilman/Martin identify the important components necessary for the
company to instill a culture where all professionals are charged with risk management: common risk
language must be established throughout the organization - along with clearly delegated responsibilities
for managing risk at all levels; the risk management function must be genuinely empowered, with
senior risk officers gaining not only the "seat" but also a "voice" at the table where important decisions
are made; last, leadership and management structures must be correctly aligned with the firm's business
model from a risk perspective, and that the right balance must be established between competing
The last risk issue to address is whether there is an appropriate risk management culture.
Developing a common definition of risk throughout the organization facilitates the collaboration of
both risk professionals and functional management. It becomes critical at the time of aggregation of
risk data. Without common metrics it would be hard to evaluate or quantify risks throughout each
business unit and without a common reporting system risk truly becomes unmanageable. A common
risk strategy must include common operating procedures between units to ensure that the risk message
has been both received and dutifully implemented. The board must demonstrate their willingness to
listen and assimilate the issues outlined by the company's risk professionals to legitimize the
importance of the company's risk management function. Without empowering the risk professional the
risk function will not be taken seriously. Executives must continually demonstrate their 'buy in' for the
I learned the importance of a properly implemented risk culture. Tilman and Martin alluded to the
fact that risk is a system of values and behaviors that need to apply to everyone as they conduct
business. Each individual must go beyond just the understanding of risk. Each manager must
understand their company’s beliefs that police risk. The rules of risk and how they apply to everyday
operations must remain through a risk framework which clearly sets out policies and standards to
consistently follow. Employees must know where the company stands. A strong risk culture can be
I also took away the relevance of the proper communication related to the company's risk strategy. A
risk strategy will not be successful without a context in how to apply risk principles; therefore,
communication is the key to its success. The tone must be set by the company's C-level leaders and
represent the real driver of change throughout the organization. The organization will follow the actions
of their leaders so they must go beyond merely recognizing the importance and actually put the strategy
into everyday practice.
Another area where I can apply material is with the actual application of risk strategy throughout the
enterprise. There must be a consistent and repeatable approach to risk; otherwise, there will be
differences between business units. Implementing risk policy in a common fashion allows for the
upward reporting and allows for trend analysis. A proper risk environment may also need to take into
account things such as hiring practices and be a part of real performance reviews and rewards for
There are two areas where this article failed to focus: proper training of the organization in risk and
ethical considerations of risk strategy. Without proper educational opportunities employees will not
make the most use of risk strategy. Placing a priority on risk education will reinforce the importance of
the risk mitigation throughout the enterprise. It is not sufficient to demonstrate risk behavior,
disseminate the risk message and develop risks and rewards for risk behavior. Education is a very large
piece of the risk equation and in order to effectively implement the strategy there must be a
corresponding investment. Understanding risk management and learning how to apply that knowledge
is a crucial part of the corporate risk strategy. The second area I felt could have been explored was the
association of risk with ethics. A company's risk culture should clearly outline the behaviors and
practices to which employees are expected to adhere on a daily basis. A constant, clear message is
key to enforce the policies and procedures needed for compliance. There is a strong value correlation
between those companies which choose to develop a risk culture and then enforce its compliance and
those who choose to simply communicate and lead through example. There must be a personal buy-in
from employees as they will be the key to implementing the risk strategy on a daily basis.