Risk Management is an awkward and hard-to-grasp discipline. Not only in boardrooms, but also in the practice of our professional risk management discipline.
Once you think you've captured risk management, it captures you... again and again...
By definition risk management is a paradox.
Once you fully 'control' and 'manage' a certain risk, it's no longer really a 'risk' in the sense that it can surprise you.
However..., did you check and do you manage the following risks?
Meta Risk Management Risks
- Risk Framework Risk
All (regulatory) rules and principles you apply in risk management are filters that cause new risks. Therefore every kind of risk management framework is also a source of risk and should be part of your risk management framework.
Have you identified weak spots in your risk management framework?
- Risk Measures Risk
Every risk measure taken causes a new risk.
Have you identified what the risks of risk management measures are?
- Model Risk
All models you use in risk management are dangerous and risky approximations.
Therefore, always use at least a second 'Challenger Model' to fully understand, check, calibrate and control your risks and risk measures.
Do you have at least one challenger risk model in place?
- Unknown Risk Preparedness
At the heart of the matter, 'managing risk' is not primarily 'risk management'. Preparing for unknown risks is what risk management is really about.
Do you have a procedure in place for managing unknown risk events?
Congratulations if you have successfully passed the above Meta Risk Management Test.
Yet, there's still one risk management ground rule you could have violated.... Denying this ground rule is the same as the ground rule itself!
Never classify any event or reported risk as not relevant
A. Example Challenger
One of the most classic examples of violating this ground rule is the disaster of the Space Shuttle Challenger back in 1986. Engineers' reports about the two failing rubber O-rings that caused the accident were denied by management.
More recently, we can observe another possible violation of this ground rule.
B. Stress Test
On 11 May 2015 the supervisory authority EIOPA launched its first 'stress test' for European pension funds (IORPs; Institutions for Occupational Retirement Provision).
Now take a look at the initial response of a spokesman of the Dutch pension fund association (Source: IPE; translated):
- Not happy
The Dutch pension sector is not happy with a stress test for pension funds, as issued by the European regulator EIOPA.
According to the Pension Federation the test is 'not necessary' for Dutch pension funds and the test could lead to 'unnecessary European rules'. The test is just a burden for the funds. A waste of their time. Besides, the Pension Federation fears that the results lead to all kinds of EU rules which are not required in the Netherlands. We must be careful that the wrong conclusions are not drawn.
- Dutch Pension Funds Cannot Topple
From a Dutch perspective, the test is unnecessary, because Dutch funds cannot topple due to what is regulated here in the Netherlands.
It's clear that this kind of reaction is counterproductive and violates the ground rule of risk management.
To put it in a different way: Perhaps Dutch pension funds cannot topple, but they sure can collapse!
As experts in risk management we're all confident that we can identify, understand and manage risks. Unfortunately, nothing could be further from the truth...
We all have our blank space.......