I
D
E
N
T
F
I
I
C
A
T
I
O
N
O
C
N
T
R
O
L
T
T
S
E
Building a Culture
of Risk Management
RISK MANAGEMENT IS RAPIDLY BECOMING A MUST-HAVE SKILL FOR TODAY’S BUSINESS LEADERS. BUT
FOCUSING ON MANAGING RISK INSIDE ONE’S COMFORT ZONE IS AN INVITATION FOR DISASTER BECAUSE
THE MOST DESTRUCTIVE RISKS LIVE BEYOND THE EDGES AND BETWEEN SILOS—WELL BEYOND THE
COMFORT ZONES OF MOST EXECUTIVES AND MANAGERS. BY JEFFREY BRUCKNER
To find and manage the most destructive business risks,
leaders must build a culture of risk management that is
vigilant in its pursuit, innovative and agile in its control
response, and disciplined in its execution. Today’s businesses are learning hard lessons about risk: BP Deepwater
Horizon, naked credit default swaps, and more than
$63 billion in failed U.S. technology projects, to name a few
high-profile cases.
Each of these disasters caused billions of dollars in
value destruction, yet each of them happened on the watch
of competent risk managers who did their jobs properly.
Each had compliance systems, regulators and oversight
mechanisms expressly designed to mitigate risk. So what
went wrong?
In a word: systemic. Systemic risk originates in the complex interactions among the components that constitute a
system. Either individual components can function flawlessly
while the overall system experiences a massive failure, or
the system functions as an impact multiplier, magnifying the
impact of a single component failure.
Managing systemic risk requires a culture of risk man-
agement that extends beyond the individual components
to the edges, seams and overall system behavior. Mature
risk cultures are characterized by a set of essential man-
agement practices that ensure that the risk framework of
the enterprise functions at a consistently high level. These
include the following:
requires the collaboration of diverse minds and different
perspectives that represent all constituencies.
CONTROL
Risk control is an analytical process that devises a control
system to mitigate each identified risk. Control systems
range widely. They can be designed to respond to a risk
event, re-engineer the process to eliminate or transfer
the risk, or detect the risk early, before it can cause significant damage.
TEST
Control systems require compliance to be effective, and
testing simulates risk events and the control-system
response. Test results are fed back into improved and
more-effective control systems; they also serve to identify
new sources of risk, each of which requires a corresponding
control system.
ILLUSTRATION BY MICHAEL WIRTZ
As our knowledge economy expands and global interconnections increase, complexity grows exponentially.
Business leaders and risk managers must proactively manage complexity by constructing control systems that not
only function in complex environments, but also adapt and
evolve along with them. Our risk systems and culture must
evolve as fast as the changes we see around us. 3
IDENTIFICATION
Risk identification is the process of identifying sources of
risk from all directions, internal and external. Risk identification is an inherently creative process, and as such, it
Jeffrey Bruckner is the chief knowledge officer of BTM Corporation.
BTM innovates new business models and enhances financial performance by converging business and technology with its products and
intellectual property.
© 2010 BTM Corporation | info@btmcorporation.com
BASELINE JULY/AUGUST 2010
