Full Disclosure


RiskChat: Gordon Burnes, Part 2

In late March, I chatted with OpenPages’ Gordon Burnes about Toyota’s risk management issues and whether or not Kermit the Frog is a good fit for a chief risk officer position (he’s not, Burnes asserts).


This month, we picked up the chat while discussing how tone at the top should be expressed; how risk appetites are stated and communicated; and how key risk indicators can cure “alarm fatigue.”


Eric Krell: This begs the question: Who should be the risk manager then … Miss Piggy? Animal?

Certainly someone with the clout and courage (and karate chop) to surface bad news, right?


In fact, that marks a distinguishing characteristic, if earlier news reports are to be believed, between pre-crisis Goldman Sachs and pre-crisis banks that were crushed by the financial crisis. Goldman’s chief risk officer came from the trading floor and had the background, credibility and authority to raise questions. … Here, I think you are saying that tone at the top is a must, but you’re also pointing to the importance of the middle and lower levels of the organization – which is where technology can help to enforce risk-culture-building behaviors. I like the example of the organization that requires action on a risk rating of “3,” which sounds like a “yellow” issue.


Here’s my question: How do organizations avoid risk-management burnout? Or, more precisely, what are some of the ways in which you see organizations achieving a healthy balance between taking too little action in response to risks and overreacting to risks?


Gordon Burnes: Tone at the top can be expressed in explicit statements about risk appetite. Once management understands a board’s risk appetite, it can develop a risk framework to manage within the appropriate tolerances across the business. By developing and implementing a programmatic approach to reporting on risk exposure vs. tolerance, you can help to guide effective decision-making.


However, even the most effective risk management process doesn’t obviate the need for expert judgment. According to one of our customers, a head of operational risk, you have to know “where the bodies are buried.” This is a deep understanding of the informal aspects of the business, what the actors are likely to do, what their biases are, how the organization will respond. This type of skill comes with experience, and this is why, I believe, you see so many senior people in the position of CRO and other top risk management positions. They know how to implement a risk framework, but they also know how the organization actually works.


So, in the end, I think that it’s a combination of a formal risk framework and good leadership that helps a company to achieve the “healthy balance” you ask about.


Eric Krell: Ah, that’s great! I can envision a Chief Risk Officer search spec based on your head of operational risk’s crystallization of his role: “Seasoned executives only; must know where the bodies are buried.”


Yes, the balance I mentioned involves the tug between risk exposure and risk tolerance that a company – consciously or not – strikes. From my own research, I see that many executive teams do not make their risk appetites sufficiently explicit to the rest of the company. Can you give me two to three examples of explicit risk appetite statements that help to establish tone at the top and provide a foundation for risk processes and behaviors throughout the rest of the organization?


Gordon Burnes: Typically, we’ll see definitions of risk appetite coupled with risk tolerance limits, as the qualitative statement begs the question of how to manage against the goal. Risk appetite statements may include notions of what risks the company is willing to take and how much risk they’re willing to accept in order to generate a profit.


So, for instance, a risk appetite statement for the telecom industry may be, “We will grow the business through organic customer acquisition, superior customer service, and product innovation, without impairing the brand or earnings, by following the highest ethical standards and demonstrating consistent earnings growth.” The tolerances may be “98 percent of our employees will have gone through ethics training”; “we will not miss our earnings target by more than 5 percent in any one quarter”; “all new product launches will follow our stage-gate methodology with appropriate sign-offs and approvals.”


What’s interesting here is that risk appetite statements get to the core of the business: How much risk are we willing to assume to carry out our business model?


Eric Krell: Makes sense, Gordon. Two questions for you. First, how pervasively have the best practitioners applied these risk tolerances? What I’m trying to understand is the extent to which risk tolerances can be applied to all or most business processes – not just those directly related to the bottom line. For example, I like the example with ethics training you mention; as any (successful) ethics officer will tell you, one of the tricks to creating an ethical culture is making the sometimes intangible concept of ethics tangible and measurable.


Second, how do companies know when their risk tolerances are too high or too low – what are some signs of accepting too much risk or being too risk-averse?


Gordon Burnes: KRIs [key risk indicators] are one way that practitioners measure exposure vs. tolerance, and the adoption of KRIs has been slower than one would expect. That’s a function of many companies not having an information architecture in place with which to develop KRIs — many companies are still trying to get their risk data in one place.


What happens, then, is that companies institute policies that managers are expected to adhere to, and those policies would be driven by some inherent notion of risk tolerance. For instance, as a bank you may have zero tolerance for losing personally identifiable information. One policy may be that every laptop has a bright orange sticker that says, “Do not load personally identifiable information on this laptop.” The KRI would be the number of laptops per 1,000 that don’t have the sticker. But that’s not really practical, because you’re not actually going to sample those laptops. And this notion of whether the measures are fit for the purpose is really important.


The Boston Globe recently ran an article on how alarm fatigue contributed to the death of a patient. Basically, one alarm was turned off and others were ignored. The tolerances were set too low to be practical, given the staffing model and operating environment. Ironically, by setting the tolerances too low on the alarms you induce a situation where the risk is harder to manage. In the end, knowing whether you’re taking enough risk or not comes down to outcomes – in the hospital’s case, it’s about mortality rate; in the bank’s case, it’s about return on equity.
