Recent years have seen a growing interest in attempts to collate and categorise risks at a macro level, partly driven by the financial crisis and the whole issue of systemic risks.
The latest of these takes a slightly different approach by tackling the issue of risk governance deficits rather than looking at risks that may impact governments and organisations.
The report, ‘Risk Governance Deficits: An analysis and illustration of the most common deficits in risk governance’, is not simply an academic exercise in risk analysis, but aims to be an ‘analytical tool designed to identify weak spots in how risks are assessed, evaluated and managed,’ according to the organisation behind the report, the Geneva-based International Risk Governance Council (IRGC).
It is an interesting approach because it analyses the risk that the very systems in place to manage risk may be deficient in some way.
Indeed, the report describes risk governance deficits as either deficiencies or failures within risk governance processes or structures: ‘A risk governance deficit is a failure in the identification, framing, assessment, management and communication of a risk issue or of how it is being addressed. They may be found throughout the risk handling process, and limit its effectiveness. They are actual and potential shortcomings and can be remedied or mitigated.’
The report makes it clear that it is focused on systemic risks ‘because they provide a greater challenge for risk governance and thus greater scope for the occurrence of deficits.’
However, the IRGC stresses that the aim of the report is to help risk decision-makers in government and industry understand both the causes of deficits in risk governance processes and their capacity to aggravate the adverse impacts of a risk.
‘With this understanding, it is hoped that risk practitioners will be able to identify and take steps to remedy significant deficits in the risk governance structures and processes in which they play a part, including those that may be found within their own organisations,’ stated the report.
Marie Valentine Florin, Deputy Secretary General at the International Risk Governance Council, says that the target audience of the report is both the public and the private sector. It has therefore taken care to ensure that the deficits described are of relevance to corporate risk managers, as well as public policy makers.
“Many of the risks faced by corporate risk managers are, in fact, systemic in nature, especially in large companies, whose fortunes may be linked to the health of the local economy or society,” she explained. “Along with risks related to financial or reputational loss, inadequate risk governance on the part of companies producing food or consumer products, for example, could result in health risks for the general population. The case of melamine-tainted milk in China is one example.
“Therefore, it can be advantageous for risk managers in businesses of all sizes to be aware of the potential deficits in risk governance and their causes as they revisit the risks they must deal with, even if these risks are not necessarily systemic in nature,” added Ms. Florin.
According to Martin Weymann, a Senior Risk Manager at Swiss Re in Zurich, and one of the contributing authors to the report: “The way different stakeholders perceive risk can play a very important role in the way risks are assessed. Take genetically modified organisms (GMOs), for example. In Europe, risk perception of GMOs involves moral and democratic considerations as well as the uncertainty relating to possible adverse consequences, whereas the U.S. population seems to accept GM foods more easily.”
He explained that stakeholder perceptions can also change over time. “Chlorofluorocarbons (CFCs) came into common usage in the 1930s and, according to one scientific study written in 2002, were seen as ‘non-toxic, stable and harmless in every way’. But in the 1970s scientists found that CFCs cause the depletion of the ozone layer. The Montreal Protocol, signed in 1987, helped overcome the risk governance deficit with respect to CFCs by addressing the negative side effects of risk management decisions relating to the use of these chemicals.”
Mr. Weymann said: “Institutions are becoming increasingly challenged by governance gaps, which often relate to interconnected risks such as those associated with climate change.”
The report lists 23 deficits, each of which is illustrated by examples from the risk governance of past or current risk issues. Examples include the outbreak of BSE in the U.K., Hurricane Katrina, EMFs or genetically modified crops in Europe.
It splits the deficits into two categories:
- Those related to the assessment and understanding of risks, such as the failure to spot, ignorance or exaggeration of early signals of risk, the lack of adequate, factual knowledge about a risk, and the provision of biased, selective or incomplete information about a risk
- Those related to the management of risks, such as the failure to anticipate side effects of risk management, the failure to implement and enforce risk management decisions, and the lack of imagination and capacity to face the unexpected.
Ms. Florin says that the deficits are applicable across many different sectors and, as a result, they have to be presented in something of a generic way.
“But this wide applicability is what makes them most useful for a wide range of organisations,” she pointed out. “The deficits were identified precisely because they are common to many types of organisations and have occurred repeatedly, whether in the context of financial, environmental, health risks and the like.”
There is always, of course, the danger that corporates may ignore the possibility of risk governance deficits because they may believe they are properly assessing risks, but their processes or data or analysis are flawed in some way.
Ms. Florin believes that this danger certainly exists and points to recent examples of it, such as the collapse of financial institutions including Bear Stearns following the subprime crisis in 2008.
“Executives and traders within the company, along with many other companies at the time, almost certainly believed that they were adequately assessing risks,” she said.
“There were processes in place that involved models and rating agencies and the company was even known for the quality of its risk management. However, the flaws of these processes, such as weaknesses of models that had not been ‘tested’ by previous financial crises and reliance on ratings agencies who themselves failed to adequately account for all the risks involved with, for example, collateralised debt obligations, were not recognised in time,” she continued.
Ms. Florin said that one of the main purposes of the report was to raise awareness among risk practitioners that they must question and review the risk governance processes that they currently rely upon and not simply assume that they are adequate.
“Without an understanding of what the most common deficits are and what causes them, it is not necessarily evident that a risk governance process is lacking until it is too late,” she said.
The full report can be found at http://www.irgc.org/IMG/pdf/IRGC_rgd_web_final.pdf