Effective risk management must include a strategic element as well as an operational element. The strategic element includes, among other things, effective governance based on a comprehensive risk policy that provides specific guidance about the organization's risk appetite and risk tolerance. An enterprise risk management plan (ERMP) that directly aligns with the organizational risk policy is the foundation for the operational risk management element.
A recent report by the Organisation for Economic Co-operation and Development (OECD) on risk management and corporate governance indicates that risk historically has not been managed on an enterprise-wide basis and has not been aligned with corporate strategy. The report goes on to state that risk managers were often kept separate from management and not regarded as an essential part of implementing the company's strategy (OECD, 2014). Disconnecting the strategic risk management element from the operational element sets the stage for catastrophic failure. The Deepwater Horizon disaster in 2010 clearly demonstrates what can happen when the operational and strategic elements of risk management are disconnected.
The rig workers on the Deepwater Horizon drilling platform were well trained and followed documented procedures, including a detailed safety manual. Unfortunately, the safety manual was based on a dramatic understatement of risk. British Petroleum's (BP) Oil Spill Response Plan presented worst-case spill scenarios ranging from 28,033 to 250,000 barrels (Davis, 2012). Between 1937 and 2010, there were at least 59 oil spills ranging from 29,000 barrels to 6 million barrels, which means BP understated spill risk by more than 2,400%. Nearly all elements of strategic risk management failed here.
- The risk was dramatically understated.
- There was insufficient monitoring and oversight to support BP's stated risk appetite.
- The degree of variance between the stated worst-case scenarios and actual historical oil spills was astronomical, indicating an unreasonable risk tolerance.
An organizational risk policy that clearly defines the organization's appetite for risk and its associated tolerance is a critical success factor. Aligning the operational elements of risk management (e.g. the risk management plan (RMP), the risk review board (RRB), etc.) with the organizational risk policy will yield effective organizational risk management.