
Scalable risk management: Small is beautiful
Small to mid-size firms are not always clear on how to adjust the rules and regulations of risk
management to their size and business model. In this paper we argue that, in matters of risk
management, small is beautiful: smaller firms enjoy larger benefits from risk monitoring and
mitigation, not least due to their lower coordination costs, easier internal communication and
facilitated access to the C-suite. In smaller firms, there is no need to spend days searching
for the risk expert with the right information or coordinating agendas for larger meetings
postponed to weeks ahead, and there aren’t, or shouldn’t be, disparate pieces of risk management
tools and reports that exist only because they were developed by separate parts of the business.
When it comes to size and risk management, the benefits of being small outweigh those of being
large.
Figure 1. Simple Operational Risk Management Process
You already have more than you think
Every business, every household, manages its risk. Not all of us may call it risk management,
but we all act to protect our children from accidents, we all look after our belongings, we all
save or plan for the future. Risk management is an integral part of what we do and
businesses are no exception. There is a natural level of risk management in every business
activity, more or less developed depending on the risk aversion or risk appetite of the firm,
more or less apparent or documented, depending on the history and style of doing business.
Making a business realize how much it already does for risk management, maybe without
calling it that, is the first added value of a risk manager. Highlighting good practice and
presenting risk assessment and mitigation in a structured way do wonders to gain acceptance
and to save time and effort. The CEO of a mid-size UK branch of a larger group told me one
day: “we’re good already”. Exactly right. In Six steps for preventive KRIs, the third step is
“recycle”. The same holds for all risk management actions. To a large extent, operational risk
management is another name for performance management.
A top-down approach, guided by the CRO function, taking advantage of the accessibility of
the C-suite, is the best way to deploy quickly and effectively a risk management framework
in the firm, without heavy artillery of operational risk management tools. A year ago, the group
operational risk director of a worldwide bank told me: “we are too large to be top-down”. It
puzzled me at the time, but I now understand what it meant: gigantic firms can’t really channel
messages and practices from the top all the way down to every operational activity. Smaller
firms can do it much more easily and should take advantage of it, in particular to deploy
consistent risk views and practices.
A top-down process
Bearing in mind that much exists already, a top-down process as described in Figure
1 is an advisable way to go. As a senior risk officer with 27 years of Royal Air Force
experience puts it: “risk does not exist in a vacuum”. Risk is a relative concept, dependent on
the business objectives. A general definition of risk is any adverse event that could occur and
jeopardize the realization of objectives. Therefore the first step in a risk management process
is to clarify the business objectives, both strategic and operational.
Table 1. Small is Beautiful: Advantages of small size in risk management
Small is Beautiful: Advantages of small size for risk management
Reduced coordination costs
Improved communication
Facilitated top-down approach
Increased Senior Management involvement
More consistent framework
Time saving
Holistic view of risks
The risk identification exercise derives from the objectives. “What could go wrong?” and
“How bad could it be?” are some of the jargon-free questions that are often more productive
than “What are your key risks?”, which is more likely to produce the general laundry list of
cyber, regulation, reputation. Be creative, tell your own story. Discussions around key risks will, or
should, naturally lead to the description of scenarios, which are not much more than the
pessimistic realization of some of the key risks envisaged. Reflecting on the business’s
exposures (key clients, main systems, key vendors, etc.) and vulnerabilities is another way
of applying risk management without necessarily mentioning “risk”, and using only a business
perspective. Good risk management is good management.
Scalable risk management doesn’t mean skipping some risk management steps; it means
doing everything in a lighter and more direct way, in a simplified form, adjusted to the size
and complexity of your business. Fewer people, fewer meetings, more communication. The
value is in the conversation: most value arises from exchanges and debates between
managers and the risk team during this exercise. It enhances awareness, fosters reflection
and is ideal preparation for regulatory visits, as genuine risk management is what regulators
expect.
Risk appetite is a topic that puzzles most organizations, large and small alike. Yet it does
not need to be complicated or require an excessive amount of time. In a small firm, I have
drafted all risk appetite and tolerance statements, in collaboration with the risk officer, with
just 3 iterative short meetings with the C-suite. To kick-start the conversation, questions like
“What’s absolutely unacceptable?” versus “What’s tolerable?” set the ranges of severities of
potential incidents. These questions are directed at the executive board. Once the limits are
set, it is the role of the risk function to translate these tolerances and intolerances into the
corresponding exposure limits and control requirements, then into relevant monitoring
metrics – the famous KPIs and KRIs – to produce a consistent framework. In small firms, the
exercise is just as important as in large ones, but it is much easier and quicker to achieve.
Holistic view
Finally, smaller size and greater involvement of senior management facilitate the breaking
down of silos for a vision across risks, rather than isolated views of credit, market and
operational risks. Many small firms have one CRO office that handles every risk type. While
this decreases specialization, it also allows a holistic approach to risk management, highlighting
the connections between risk types. Such a holistic vision of how risks interconnect can
significantly improve prevention.
In conclusion, we encourage small firms not to shy away from operational risk management
but rather to embrace it, taking advantage of their moderate size. They can fully exploit the
benefits of involving senior management in the very first stages of the process, to give
impetus and direction to a fully integrated risk awareness and vision for appropriate and
proportionate responses.
Gail Danvers
Head of PSD Banking and Financial Services
Dr. Ariane Chapelle
Founder and Director, Chapelle Consulting Ltd