Paradise by the Risk Dashboard Light
While it’s important and compelling to discuss macro risks in broad strokes, implementing risk reduction is the job of individual companies, agencies, and humans. Even when we need to act in concert, we’re not the Borg: a unified response is just an aggregation of many individual responses. And in large organizations, risk dashboards can be key risk management and communication tools.
A risk dashboard is a visual, high-level overview of an organization’s key risks and current mitigation status. The International Risk Management Institute defines it as: “the graphical presentation of the organization’s key risk measures (often against their respective tolerance levels); typically used in reports to senior management.” An executive should be able to glance at the dashboard and home in on areas that exceed the firm’s risk tolerance and therefore need focused action.
Sounds great. But risk dashboards are sometimes not great for various reasons:
Some may be too granular (too many components).
Others aren’t well-aligned with the business’ goals or risk appetite and tolerances (they highlight risks tangential to business success or failure).
Still others are insufficiently differentiated (everything looks the same, so it’s hard to prioritize).
Some may be corrupted by incentives (they set parameters and thresholds to present the picture risk managers think executives want to see).
Here are some ways to make risk dashboards more useful and actionable.
The problem of incentives
Many dashboards use a red-amber-green scale to help readers visualize risks, where red typically means “Needs Improvement” and green means “Attention Not Required”. From an organizational behavior perspective, incentives lean toward presenting a dashboard with just enough—but not too much—red and yellow.
Why? Well, a verdant green self-assessment with only a couple of red splashes may prompt (valid) criticism from senior-level risk committees that it might not be fully objective or useful. As John Sterman writes in Business Dynamics (he’s talking about modeling, but the message resonates for risk measurement, too): “… because many organizations punish those who make mistakes, mistakes are often hidden, denying the organization the opportunity to learn from experience.”1 Risk almost always exists, and if looking at your company’s risk dashboard feels like attending a yoga retreat, you’re not seeing or surfacing that risk, and it’s not getting actioned. It’s still lying in wait, though. And when internal or external conditions deteriorate, it will still be there, and you will see it, but not in your dashboard: in your business results.
In a well-functioning organization, therefore, risk managers are unlikely to be rewarded for perfect green lawns. Too much green is poison green.
On the other hand, a bleeding red self-assessment could lead to lost bonuses, demotions, or firings in the risk department if corporate culture isn’t structured to reward mistakes or incentivize honesty. Lost bonuses and demotions are a massive disincentive to report a sea of red.
So, it’s easy to end up somewhere in the middle. Incentives can corrupt almost any endeavor, including risk assessments.
Also, if everything’s red, prioritization is impossible.
Yes, one of the goals of a risk dashboard is to identify the most important and urgent risks. But stratification should be objective, not manufactured or artificially influenced.
If an honest assessment would produce a sea of red, that should be accepted, as long as the identified risks are appropriately managed and mitigated and the most important risks are otherwise emphasized. Too much red then becomes a starting point for good risk management. After all, before you can manage risk, you must identify where the organization has exceeded its risk tolerance.
And that’s the only thing too much red objectively means: the organization has exceeded its risk tolerance. It doesn’t mean risk managers are necessarily bad. Instead, it might mean risk managers have finally identified risks that previously lurked unseen or unreported, but which are now surfaced for mitigation.
Overly red dashboards become a problem only if they don’t improve. That’s bad risk management. A pattern of recurring hemorrhage across quarters and years indicates deeper problems that likely require personnel changes, management changes, and/or corporate culture changes.
One caveat: if a new, different risk is identified and that causes more red, that’s also good and shouldn’t be confused with sliding backward. It’s continued progress as long as different risks are driving the resurgences of red.
Tackling intangible incentives
What’s the remedy for risk dashboards that suffer from over-fitting or pressure to show constant improvement at the expense of objectivity?
The difficult, long-term answer is cultural shift. Some organizations punish mistakes, while others reward them as long as they’re disclosed. An organization that punishes mistakes breeds distrust and secrecy (because every human makes mistakes). An organization that rewards disclosure of mistakes and doesn’t let them derail career paths encourages further disclosure and an honest, risk-focused (instead of sheer performance-focused) culture.
In the short term, one way to highlight risk in a performance-focused way is to include near-misses in risk reporting. In a 2020 article in the Journal of Operational Risk, Andrea Giacchero and Jacopo Moretti define a near miss as “a negative and anomalous event that causes an accident without damage to people, corporates or environmental assets due to fortunate and/or random circumstances.”
Stakeholders may be more willing to talk about near-misses because it gives them a chance to showcase how something went right—perhaps how detective or preventive or corrective controls stopped a much larger risk from manifesting. Also, it truly is preventive risk management if action flows from that disclosure: a win-win for the business and for risk managers.
How about tangible incentives?
Yep. Ideally, risk managers need to be not just celebrated, but also tangibly rewarded for highlighting problems, even if that means the risk dashboard starts to look gnarly. Organizations should consider meaningful bonuses for second-line personnel who recognize risks and spearhead action to reduce their potential impact.
Of course, P&L (profit and loss) is easier to gauge in the first line, so it’s easier to calculate incentives. But arguing that the second line’s contribution can’t be quantified is a cop-out. It’s feasible to calculate estimated ROI (return on investment) of mitigating risks based on a combination of likelihood and severity. If companies aren’t rewarding their risk management personnel, they aren’t valuing risk management highly enough.
Even worse than not getting rewarded is when the messenger gets figuratively shot, as mentioned earlier. Because if an organization’s culture endangers the messenger, the messenger knows this (unless it is her first week, in which case she will soon realize) and learns to calibrate the message. Adjustment of parameters becomes normalized, and risk dashboards tend to be green and yellow with a smattering of red, so it appears risk is being addressed. Emphasis on appears. This is bad for business and leads to buried risk, hidden until the moment it erupts like Mt. Vesuvius.
In contrast, true risk management occasionally leads to fluctuation on dashboards, with noticeable inflows of red metrics and then slow returns to normal.
KPIs vs KRIs
Now we get to another question: what types of metrics should be on risk dashboards? In a company with a performance-based culture, the natural inclination may be to use key performance indicators (KPIs), in other words, “How well are we doing versus our goals?”
But a better orientation is to focus executives on, “Where are we going wrong?” An uncomfortable question, but it leads to the heart of risk management: identifying and mitigating risks by addressing their root causes. Key risk indicators (KRIs) are better than KPIs for focusing attention in this way.
Here’s an example of a KPI: percentage of packages delivered on time. Here’s an example of a KRI: percentage of packages delivered late or lost or, likely even better, percentage of customers with a late or lost package.2 The KRI tends to focus the audience on the problem: “What happened here?” That question naturally leads toward a discussion of possible root causes. On the other hand, the KPI may be more likely to prompt the thought, “We need to return to green status ASAP”. It’s a subtle difference but an important one.
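To make the KPI/KRI distinction (and the customer-versus-package point in footnote 2) concrete, here is an added example that is not part of the original article: it computes all three measures from constructed delivery records and colours each KRI against hypothetical tolerance thresholds. Customer ids, package ids, and the 10%/25% thresholds are assumptions.

```python
PROBLEM = {"late", "lost"}  # statuses that count as a failed delivery

def kpi_on_time_pct(records):
    """KPI framing: share of packages delivered on time."""
    return 100.0 * sum(1 for _, _, s in records if s == "on_time") / len(records)

def kri_package_pct(records):
    """KRI framing: share of packages that were late or lost."""
    return 100.0 * sum(1 for _, _, s in records if s in PROBLEM) / len(records)

def kri_customer_pct(records):
    """KRI framing: share of customers with at least one late or lost package."""
    customers = {c for c, _, _ in records}
    affected = {c for c, _, s in records if s in PROBLEM}
    return 100.0 * len(affected) / len(customers)

def rag_status(value, amber, red):
    """Colour a KRI against its tolerance thresholds (value >= red is red)."""
    if value >= red:
        return "red"
    if value >= amber:
        return "amber"
    return "green"

def dashboard_row(records, amber=10.0, red=25.0):
    """One dashboard row: KPI plus both KRIs with their red/amber/green status."""
    pkg = kri_package_pct(records)
    cust = kri_customer_pct(records)
    return {
        "kpi_on_time_pct": kpi_on_time_pct(records),
        "kri_package_pct": pkg, "kri_package_rag": rag_status(pkg, amber, red),
        "kri_customer_pct": cust, "kri_customer_rag": rag_status(cust, amber, red),
    }

def scenario(problem_packages):
    """Constructed data: 10 packages for 5 customers (2 each); problem_packages maps id -> status."""
    recs = []
    for c in range(1, 6):
        for k in (1, 2):
            pid = f"p{2 * (c - 1) + k}"
            recs.append((f"c{c}", pid, problem_packages.get(pid, "on_time")))
    return recs

# Same KPI (80% on time) and same package KRI (20%) in both scenarios, but the
# customer KRI doubles when the two failures hit two different customers.
ONE_CUSTOMER_TWICE = scenario({"p1": "late", "p2": "lost"})   # both failures hit c1
TWO_CUSTOMERS_ONCE = scenario({"p1": "late", "p3": "late"})   # c1 and c2 each hit once

if __name__ == "__main__":
    for name, recs in (("one customer twice", ONE_CUSTOMER_TWICE), ("two customers once", TWO_CUSTOMERS_ONCE)):
        print(name, dashboard_row(recs))
```

With the assumed thresholds the package KRI shows amber in both scenarios, while the customer KRI turns red only when two customers are affected, which is exactly the prioritization signal the package-level number hides.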
Aligning with top risks
It’s wonderful when risk dashboards surface potentially significant risks that executives might not have considered before, but dashboards also should address the risks that the board and senior management have stated are important. Those risks tend to appear in surprisingly public places like 10-Qs and 10-Ks because public companies are required to identify significant risks in those reports.
Weaving those executive-identified risks into risk dashboards alongside other emergent risks that need attention would go a long way toward ensuring adequate risk coverage that’s also well-received by executives who have limited time and other priorities.
The dark matter of risk dashboards
Another way to improve risk self-assessments is to always ask, “What am I not seeing on this dashboard that I do see changing in actual business activity?” By necessity, risk self-assessments measure the same metrics over time to provide a consistent view of how risk is changing at a firm. But risk doesn’t change only in pre-defined buckets.
New risks arise all the time, typically in the wake of new or changed business activity. Having a section of the dashboard devoted to highlighting new risks—and a threshold for when to begin measuring a new metric over time—will go a long way toward making risk self-assessments a dynamic, useful tool for business leaders instead of a compliance exercise.
Identify the downstream users
Lastly, even if a risk dashboard is designed to provide important information in digestible format, it doesn’t do much good if that information doesn’t prompt action. Presenting a report to the board and senior management is good for raising attention and sparking discussion, but what then? Ideally, a risk dashboard’s output flows into downstream systems used by the business. So, ask yourself: Who are the downstream consumers of this information, and how are they going to use it?
As (half of an) old adage says, “Information wants to be free.” A better adage for risk dashboards is, “Information wants to flow.” Information that doesn’t flow isn’t useful: it’s lost knowledge collecting dust on a shelf or computer. It’s worth the time and investment to create a dashboard that adds enough value to become part of the business information flow and leads to action.
1. Sterman, John. Business Dynamics: Systems Thinking and Modeling for a Complex World, The McGraw-Hill Companies, 2000, p. 462.
2. Each customer not served ratchets up reputational risk. If two customers each receive one late package, two customers may be angry, whereas if one customer receives two late packages, only one customer may be angry. Of course, the importance of the customer to the business matters too. It’s not purely about the straight monetary loss from extra service time and expense per package.