Lessons Learned: Developing Top Risks Lists and Reporting to Senior Management
There is a tendency to underestimate risks. If you go back and look at the problems we ran into over the last four to five years, everybody knew there was a housing bubble there. Everybody knew the banks and others were stretched out. But rather than face up to the fact that you had this huge risk and understand what the consequences were of the risk materializing, it was relatively easy to say, "Well, it is a low-probability risk, so let's go on – things look good." It may be a low-probability event, but those low-probability events have a way of materializing, and therefore we need to better understand what happens.
– Mustafa Mohatarem, Chief Economist, General Motors, October 2012
While we understand the value of assessing probability and impact for risks, we have made additional improvements to our process for ranking and prioritizing risks. In the past, we facilitated meetings at which our risk officers were asked to score proposed risks individually along defined impact and probability scales. The output of the session was a typical "heat map" with risks that were ranked or plotted based on probability and impact scores.
However, we quickly learned that not only was this a very tedious process, but it injected a great deal of subjectivity since many of the participants did not really have specific knowledge of these parts of the business. We have also learned from various world events, such as the Fukushima disaster in Japan, that there may be a tendency to dismiss risks with the potential for very high impact because they have a very low probability of occurring. These low-probability events are often risks that companies cannot afford to miss. As we looked back on what has worked well or needed improvement, we thought there was a better way to provide our board and other stakeholders with more meaningful and actionable information. This prompted us to make a number of changes to improve the program.
First, we gave the responsibility for assessing the probability and impact ratings related to risk to the senior executives who were assigned the primary responsibility for overseeing the risks, since they were uniquely positioned to provide the most accurate assessment. We stopped the practice of asking risk officers to vote on impact and likelihood levels. Instead, when developing (or refreshing) the top risks list, we employed a real-time, web-based pairwise comparison tool to assist in prioritizing the risks in relation to each other. When developing our top risks, we briefed participants (risk officers) with precise risk descriptions to help enable their decisions when voting on each risk pair. Once we completed the various pairing sequences, the tool generated our preliminary risks list. This preliminary list was then subjected to various sense checks prior to delivering a proposed top risks list to our senior management or board.
Second, we moved away from using a ranked top risks list altogether. Too much time was being spent on whether a risk should be number 3 or number 5, for example, when the choice did not at all affect how the ERM team or management would address the risk. We moved instead to a three-tiered approach (Exhibit 34.2), which more broadly separated risks by their relative importance. We did not limit ourselves to any predefined number of risks in any given tier; we looked for natural breaks in terms of concurrence on what is a top risk (often looking at the pairwise scoring) versus what is more of an emerging risk.
Third, we focused on using three measures – the levels of inherent, current, and residual risk – as indicators of where the organization currently viewed the effect of its mitigation activity and where the level of risk was expected to be upon completion of the mitigation plans. We created a five-point scale with definitions surrounding the ratings for inherent and residual risks (see Exhibit 34.3), and asked the respective risk officers to provide these assessments in consultation with their Executive Committee members (GM senior leaders reporting directly to the CEO) using the ERM risk template. While just a minor modification to the previous ERM risk template, this assessment of current and expected future risk levels quickly became a focal point for senior management and the board committees when presented. With current and future risk levels now documented, we were able to provide the board with better insight into the status and projected movement of our
Exhibit 34.2 Three-Tiered Approach
top risks (see Exhibit 34.4). We continued to provide the standard heat map of risks, but the new chart provided the type of forward-looking insight and status that heat maps do not provide. The new chart has been very well received and we continue to utilize it.