Managing the Risk of Risk Management

Risk Management by Ed Levy, Firestorm Expert Council Member

Edward M. Levy is a senior security executive with nearly 30-years in the corporate and government sectors. Mr. Levy was the VP & Global Head of Security for Thomson Reuters. He served in other corporate security positions with Pfizer, CIT Group, and the Empire State Building. Mr. Levy is also a retired Lieutenant Colonel form the US Army and former Assistant Professor at the United States Military Academy at West Point.

When I was playing high school football, after one game I told the coach, “I almost made an interception.” He responded back, “is that like almost being pregnant”? I realized there was no almost. You either got it or you didn’t. In my view, it is the same concept with risk management – you are either applying its principles or not - there is no almost.

I have learned there are many interpretations of risk and risk management by executives, and many different ways leaders and managers view it and apply it. The results – there is risk in the manner risk is managed. Many find it is easy to self-rationalize they are doing it. Others may find it reassuring to sit through a short, semi-annual presentation on their company’s risk management program, move on to the next topic, and confidently feel their company is resilient. Quite a gamble.

A positive approach, we have seen companies assign a C-Suite executive with the responsibility for leading risk management, even to a point of titling a Chief Risk Officer (CRO). Shortfalls easily occur when the view of risk management descends into a partitioned approach, counter to a centralized or enterprise approach under a unified operating model and the focus is on select areas of risk, such as financial or market risk – important, but limited and even short-sighted.

To protect companies, boards are chartered to do a reality check on the breadth and depth of their company’s risk management program. The question should be asked if the CRO or company’s Risk Manager is truly assessing and including risk venues across the different thresholds or limiting their scope and cherry-picking areas of risk focus, while discounting, ignoring, assuming-away, or just non-perceptive of other areas of potential exposure and its reputational, fiduciary, and consequential impacts.

A sound leadership model which applies risk management across the enterprise is reflective how military generals and admirals operate. As senior and accountable executives, these leaders and their full [not partial] staffs are trained, experienced, and versed to understand the synchronization of operating systems for their organizations - imperatives towards achieving objectives and mission accomplishment.

These executives have limited opportunities, or maybe even one, to get it right. Failure to conduct a complete risk review can be considered negligent and derelict. That is why the continuous investment in complete staff planning, training, and analysis provides results to fully measure options and minimize risk to achieve superior returns, even when hit with adversity, to remain resilient, exploit the initiative, and obtain the advantage.

Critical for success is to apply risk management processes which are continuous, consistent, and all-inclusive. The application to mitigate potential consequential outcomes includes the complete staff and is not limited to a few functions. Boards should conduct a self-actualization on their expected risk management reviews and identify “the what” and” the who” as part of their reviews and ask themselves if their risk management programs are mitigating risk or adding new realms of corporate-wide risk.