
MANAGING RISK IS NOT DIFFERENT TO, BUT A FUNDAMENTAL PART OF, MANAGING STRATEGY


Academic year: 2021


MANAGING RISK IS NOT DIFFERENT TO, BUT A FUNDAMENTAL PART OF, MANAGING STRATEGY

An exploratory context with twenty-three highly knowledgeable risk managers

by

DAVE ROELOFS

University of Groningen

Faculty of Economics and Business

Master of Business Administration

Specialization Organizational & Management Control

June 23rd 2014

Ernst Casimirlaan 54a 9717 AX Groningen

(06) 51437280 d.a.j.roelofs@student.rug.nl


PREFACE

This thesis is written as a final assignment for obtaining the Master of Science degree for the specialization in Organizational and Management Control of the master Business Administration at the University of Groningen. I decided, after a detailed discussion with my supervisor, to investigate the development of risk management in organizations. This research creates insights for dealing with risk management in general and the integration of the risk appetite with the strategy specifically.

Finishing this thesis and hence the master makes me very proud. This thesis is a completion of two very instructive, interesting and valuable years in Groningen. Writing this thesis about risk management was a great challenge which fits perfectly into my interests. I can look back with satisfaction and great pleasure over the research I have done in the past period.

I would first like to thank my supervisor prof. dr. D.M. Swagerman for his great support in writing this thesis. I had the freedom to set up this research and received valuable guidance when needed, which was very helpful for me. Further, I would like to thank my group members Stefan ter Bekke, Herman Heule and Kevin van Schagen for the cooperation in collecting the data and sharing thoughts about the subjects. Moreover, I want to thank the interviewees for their interest and the time they took for providing us with rich data. A final thank-you goes out to my family and friends who always supported me.

Hopefully you will enjoy reading this thesis.

Yours sincerely,


ABSTRACT

This exploratory study investigates the integration of the risk appetite with the organizational strategy and, in addition, the factors that make this integration problematic. A sample of 22 interviews and 23 persons with major experience in risk management provides the empirical setting of this research. The study reveals that the characteristics reactive, subjective and dynamic are decisive for integrating the risk appetite with the strategy. The way these characteristics influence risk management depends heavily on the environment of the organization. The implicit character makes it complicated to manage risk in a structured way, which introduces and in this way emphasizes a qualitative approach. It becomes problematic when organizations do not have the internal drive to work with risk management, and therefore risk management should be integrated in the planning and control cycle. That shift from an operational focus towards a strategic focus is still in progress.

Key words: risk appetite, enterprise risk management, strategy, long-term goals, strategic risk management, communication, implicit, reactive, subjective, dynamic

First supervisor: prof. dr. D.M. Swagerman


TABLE OF CONTENTS

INTRODUCTION

1 LITERATURE REVIEW

1.1 The essence of risk

1.2 Enterprise Risk Management

1.3 Risk appetite

1.4 Strategic and long-term orientation

1.5 Integration of risk appetite and strategy

1.6 Strategic risk management

1.7 Communication and organizational culture

2 RESEARCH DESIGN

2.1 Reliability

2.1.1 Researcher

2.1.2 Instruments

2.1.3 Respondents

2.1.4 Circumstances

2.2 Validity

2.3 Data analysis

3 RESULTS

3.1 General impression

3.1.1 Reactive behavior

3.1.2 Quantitative and qualitative approach

3.1.3 Risk normalization

3.2 Risk appetite

3.2.1 Implicit character

3.2.2 Irrationality

3.2.3 Comply or explain policy

3.3 Strategy

3.3.1 Influence of risk

3.3.2 Determining long-term goals and strategy

3.3.3 Focus on top risks and objectives

3.3.5 Consciously taking risk

3.4 Communication for creating risk awareness

3.5 Organizational culture

3.5.1 Relation with strategy

3.5.2 Transparent and blame free culture

3.5.3 The right people at the right spot

4 DISCUSSION

4.1 Integration of the risk appetite with the strategy

4.1.1 Risk appetite

4.1.2 Strategy

4.1.3 Integration

4.2 Characteristics of risk management

4.2.1 Reactive

4.2.2 Subjective

4.2.3 Dynamic

4.3 Communication and organizational culture

5 CONCLUSION

5.1 Theoretical implications

5.2 Managerial implications

6 LIMITATIONS AND SUGGESTIONS FOR FURTHER RESEARCH

REFERENCES


INTRODUCTION

Risks are necessary for all organizations to take in order to be innovative and to survive; moreover, all firms face risks due to unexpected changes and uncertainties in their business environment (Hain, 2011). In recent years, risk and the way it is managed has become an increasingly interesting discussion topic for organizations. Corporate governance scandals of the earlier crisis (e.g. Enron and WorldCom) prompted a rapid legislative response in the US. This legislative change resulted in the Sarbanes-Oxley Act of 2002 (SOX), which tried to recover market confidence and prevent future corporate governance failures by setting new standards for financial reporting (Silva et al., 2013; Smart and Creelman, 2013; 71). However, these new standards created by SOX did not really address risk management. A more notable and recent world event like the global financial crisis in 2008 has intensified the interest in risk. Many organizations affected by the crisis failed because of their excessive exposure to risk. Therefore, the International Organization for Standardization (ISO) developed “ISO 31000”, which is an international standard for risk management. Despite the fact that organizations are often talking about the long-term vision of their organization, there are still remarkable cases of fraud (e.g. KPMG) and industrial disasters (e.g. Gulf of Mexico) which have intensified the interest in managing risk.

What caused excessive exposure to risk to lead to corporate failures? One particular factor that contributed to these failures is the organizational failure to explicitly account for risk when formulating their strategies (Kaplan, 2009). The financial crisis made abundantly clear that separate strategy and risk management is, in these continuous turbulent times, unsustainable (Smart and Creelman, 2013; 53). Also the failure of organizations to integrate the risks within their business activities and the excessive short-termism of remuneration structures of banks, which neither supports prudent risk management nor works in organizations' long-term interests, were described as major root causes. In addition, there was a systematic failure by boards to provide strategic oversight and direction (ACCA, 2008; Lawrence, 2011). Lord Turner (FSA Chairman in the UK) emphasizes this in a report from BCI (2009) with the following statement: “The failure to properly evaluate and challenge risk of overall business strategies was probably the biggest intellectual failure of boards, regulators and shareholders”. Due to the growing societal influences, organizations became


big issue for implementation (Atkinson, 2013). Evidence suggests that investors demand more disclosure of risk information such as the risk appetite due to these earlier mentioned prominent corporate failures (Solomon et al., 2000; Cabedo and Tirado, 2004). As has been seen since the financial crisis in 2008, a disconnection between the organization's risk appetite and organizational strategy was not uncommon in practice (Rao and Marie, 2007; Shang and Cheng, 2012). Van der Stede (2009) stated that organizations often still treat performance and risk management separately, and in addition a few organizations are doing it effectively in practice (CGMA, 2012; EIU, 2010). Even more problematic, besides the risk appetite not being linked with the corporate strategy, the risk appetite is still unclear in a lot of organizations (NBA, 2013; KPMG, 2010). This can have an adverse effect on the management and control of the organization, and experience has shown that the integration of risk management into the setting of strategy is key to long-term success (Palermo, 2011). Although the link between strategy and risk is now a top concern for organizations, it is unclear how well defined this process is in reality (KPMG, 2010).

In the existing academic literature a lot is written about risk management in relation to performance management (Arena and Arnaboldi, 2014; Cokins, 2010; van der Stede, 2009). While performance management focuses on shorter-term issues, an organization-wide approach to risk management should especially draw attention to strategic longer-term risks (Palermo, 2011). This means that in academic literature little scientific proof is related to the alignment between an organization's strategy and risk appetite. Despite the calls to fully integrate risk appetite and strategy, it is unclear why there are problems related to this integration in practice. This gap in the literature is surprising, because short-termism was one of the root causes of corporate failures in recent years. Therefore this research will focus on the strategy, which will give new insights into the practical problems that organizations face towards achieving the long-term objectives. Due to these problems in practice and the gap in academic literature, the following research question will be investigated:

Besides the theoretical relevance, this research is also relevant for practice and society because it contributes to the development of risk management and improves the understanding of the relationship between the risk appetite and the long-term strategy. This is partly interesting due to an increasing demand from stakeholders for transparency of risk management and risk appetite. In this manner, most organizations have to report about the risks they face associated with the strategy and their daily operations and have to indicate whether those risks are controlled or mitigated. Because society expects that organizations respond accurately and in a timely manner to societal developments and in addition mitigate and control those emerging risks, it is important that these two components are fully integrated (EY, 2013; NIVRA, 2009).

The remainder of this paper is structured as follows. In the next section the literature review will give an overview of what previous researchers have discovered regarding the subject. After that, the research design is discussed. The remaining sections contain the results of this research, which will finally result in a discussion, conclusion and limitations with suggestions for further research.

1 LITERATURE REVIEW

In this part of the research the state-of-the-art of science about risk management is indicated. As stated in the introduction, there are some contradictions in the comparison between literature and practice. These contradictions indicate the direction for this research. Besides these contradictions, there could be irregularities or deviations in the literature that have not been resolved yet. The purpose of this literature review is to indicate whether this is the case by analyzing the academic literature. In this section the main components for risk management in general and for answering the research question specifically are described by using the academic literature, namely: the essence of risk, enterprise risk management, risk appetite, strategic and long-term orientation, integration of risk appetite and strategy, strategic risk management and finally communication and organizational culture.

1.1 The essence of risk

Risk is defined as the effect of uncertainty on objectives (ISO, 2009). It is all about uncertainty, where this uncertainty presents both the possibility to diminish or enhance value (COSO, 2004). This means that events can have a negative impact and a positive impact on the organizational objectives. Although uncertainty is a main component in defining risk, Chenhall (2003) stated that it is important to distinguish uncertainty from risk. Where risk is determined by the combination of probabilities and the extent of consequences, uncertainty can be distinguished from risk because these probabilities cannot be attached to particular events in situations of uncertainty. This is because environmental elements can be


their predictability, controllability, management and the magnitude of their consequences to the organization. Using this categorization, Kaplan (2009) distinguished three levels of risk.

• Level 3: Routine, Operational and Compliance Risks. These risks are known and avoidable and arise from errors in routine, standardized and predictable processes.

• Level 2: Strategy Risks. For selecting a strategy whereby organizations hope they will create and sustain competitive advantage that leads to superior performance, organizations have to accept risks. These risks are called the “known unknowns”. Organizations should identify the major plausible risks inherent in their strategy.

• Level 1: Global Enterprise Risks. The most threatening risks are the “unknown unknowns” or “black swans”, which are the unpredictable occurrences that create existential risk for organizations and could lead to their demise. These are highly unlikely events but have the highest consequences.

1.2 Enterprise Risk Management

Based on the definition of risk, enterprise risk management (ERM) should be about the management of uncertainty that organizations face regarding the organizational objectives. It is all focused on controlling or mitigating risks through the whole enterprise. The Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004, p. 2) defines ERM as: “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. This definition indicates that risk management is all about achieving organizational long-term objectives and gives risk management a strategic purpose, which suggests that risk has to be managed and not eliminated. Clearly, strategy and ERM need to be connected and aligned. In recent years ERM emerged as a process for transforming risk management from a technical instrument of minor relevance into an organization-wide integrated process (Arena and Arnaboldi, 2014). According to COSO (2004), ERM encompasses:

• Aligning risk appetite and strategy

• Enhancing risk response decisions

• Reducing operational surprises and losses

• Identifying and managing multiple and cross-enterprise risks

• Seizing opportunities


In this way ERM encompasses the whole organization. The component “aligning risk appetite and strategy” is emphasized in the remainder of this research. As the definition suggests, ERM is used by organizations as a method to manage risk and involves the consideration of an organization's risk appetite for evaluating strategic alternatives and business goals. It ensures that the objectives support the organization's mission and are consistent with its risk appetite (Storero, 2009). ERM encompasses the whole enterprise and should therefore be firmly integrated in an understanding of the business, its stakeholders, and strategy. This makes it possible for organizations to identify and manage all significant risks in an integrated way (Paladino et al., 2009). In this way, the purpose of ERM is to increase the probability that an organization will achieve its objectives by managing risks to be within the stakeholders’ appetite for risk, and to reduce the probability of negative risks by managing risks across the organization (Pagach and Warr, 2010). If organizations organize ERM correctly in strategic planning it should not ultimately only protect but also seek to maximize value by finding an optimal balance between strategic objectives with related risks. It helps an organization attain its goals and execute strategies successfully (Gates et al., 2012; Rao and Marie, 2007).

Therefore the risk appetite and the strategy should be inseparable. A survey, conducted by Gates et al. (2012), suggests that the use of ERM leads to “increased management consensus, better-informed decisions, enhanced communication of risk taking, and greater management accountability”. ERM encompasses the whole enterprise, where the person closest to the risk is in the best position to evaluate and manage those risks. In this way all employees can be called a risk manager when they manage risk within their responsibilities (Colletts, 2014). This indicates that risk management should be firmly integrated in the organizational culture.

1.3 Risk appetite

As mentioned in the previous section and according to Nocco and Stulz (2006), it has been well recognized that defining the explicit risk appetite of an organization is decisive for the success of the implementation of ERM. One of the risk management failures during the financial crisis was poorly implemented risk appetite frameworks, indicating that the importance of the risk appetite was not recognized or that there are problems with defining or implementing risk appetite. As a result, organizations exposed themselves, whether


Risk appetite can be defined as “the total exposed amount of risk that an organization wishes to undertake or is able to assume in its exposure and business activities for one or more desired and expected outcomes” (Fox, 2012; Lentino, 2012). When this statement is made clear it should be obvious for employees what is and what is not acceptable when making business decisions. Smart and Creelman (2013) distinguish seven steps for creating a risk appetite statement:

1. Identify the key business drivers of your business

2. Define risk levels based on key business drivers

3. Define a set of strategic objectives

4. Define and assess a set of key risks

5. Align strategy and risk

6. Define the risk appetite statement

7. Monitor the alignment of risk-taking to appetite

This indicates that the key business drivers related to risks have to be developed and integrated with the strategy, which will result in a risk appetite statement that can then be monitored. In this way, risk management should start at a higher strategic level in the organization. This theory contributes to other literature by focusing on key drivers for achieving the success of the organization. By using key drivers for defining risk levels with multiple risk appetite levels (e.g. low, moderate, high and extreme), the shared understanding of risk taking will increase and this will lead to a common language for expressing risk appetite. With a robust set of qualitative statements and quantitative measures, the risk appetite statement should summarize the firm's strategic ambition and acceptable risk profile (Lentino, 2012; Smart and Creelman, 2013). According to Riley and Willson (2011) it is a challenge for organizations to clearly articulate and define the risk appetite because of the intangible nature of risk. Besides that, it is a well-known problem in practice that most organizations cannot quantify their risk exposure and have no common basis to evaluate their risk appetite relative to their risk exposure. The objective of organizations should be to match the risk exposure to the risk appetite (Cokins, 2010; Smart and Creelman, 2013; 38).

However, observed practice shows that the explicit definition of risk appetite remains a fairly rare practice despite that risk management procedures are in place in all organizations


the communication about the way the risk appetite is embedded with the mission, vision and strategy be clear and transparent through the organization (EY, 2013). The communication of the risk appetite is further discussed in section 1.7.

1.4 Strategic and long-term orientation

When an organization has defined its mission or vision, management has to establish strategic objectives, select a strategy, and align the objectives through the whole enterprise. As mentioned, ERM has the focus to realize those objectives and therefore effective risk management starts at the top of the organization with clarity around risk strategy and governance (COSO, 2004; EY, 2013). An organization's strategy is about moving the company forward towards achieving performance. To achieve this, goals should both excite and motivate the organization so that all employees are moving towards the strategic direction of the organization and understand the strategic path that will be undertaken to realize their goals (Smart and Creelman, 2013). According to Kaplan (2009), risk management is, in contrast to strategy, about “identifying, avoiding, and overcoming the hurdles that the strategy may encounter along the way”. In this way management needs to estimate the likelihood of


important contribution to the strategy process (CGMA, 2012). Besides the time horizon (short-term vs. long-term), the risk appetite is also important. Barton and Wiseman (2014) emphasize this in the following sentence: “short-term under performance should be tolerated - indeed, it is expected - if it helps achieve greater long-term value creation”. Therefore it is important to identify the risk appetite, because with it you can identify whether such underperformance is tolerated within an established risk appetite (Barton and Wiseman, 2014). Reflecting on the remuneration policy of the banking sector in particular, whereby in some cases (individual) short-term successes were pursued instead of the overall organizational long-term objectives, it is now obvious that major mistakes were made. This emphasizes the importance of a long-term orientation which creates value for the whole organization.

1.5 Integration of risk appetite and strategy

As mentioned in section 1.2, ERM encompasses several capabilities. But one capability, aligning the risk appetite (section 1.3) and strategy (section 1.4), specifically emphasizes the importance of a strategic orientation. This alignment is described by COSO (2004) as: “management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks”. This indicates that the risk appetite statement sets the boundaries for making business decisions and setting objectives. The alignment of risk appetite and strategy is important because, as emphasized, risk can no longer be separated from strategy due to the great competition and the continuously unstable markets for organizations. These rapid changes increase an organization's risk exposure, which makes a comprehensive use of ERM necessary (Killackey, 2009). Because achievement of strategic objectives is subject to external events that are not always within the organization's control, ERM can provide a reasonable degree of certainty and make the management and board aware of the extent to which the organization is moving towards achievement of its objectives (COSO, 2004). Therefore this alignment between risk appetite and strategy can help protect and create shareholder value when it becomes an integral part of an organization's strategy setting process (Beasley and Frigo, 2007). When this is not done correctly and risks are ignored in the organization's strategy, risk opportunities can be overlooked (Paladino et al., 2009). No matter how well thought a


statements are meaningless if they are not translated and communicated into daily management decisions. This means that in its ideal form, risk appetite should create linkages across the functions of strategy, risk management and business activities. When these linkages are created correctly, it ensures the full embedding of risk appetite into the hearts and minds of the business team and the culture of the organization. In addition, it ensures that an organization's movement is in line with strategic and risk priorities (Lentino, 2012). When organizations are dealing with changes (e.g. change in the strategy of the organization, market situation or financial conditions), its risk appetite must be reconsidered to confirm that it will support the achievement of its objectives, which also emphasizes the link between risk appetite and strategy (KPMG, 2008; Shang and Chen, 2012).

According to NBA (2009) the direct link of the risk appetite and the strategy can be divided into an early phase, growing phase and a sustainable phase. The early phase indicates that the importance of risk management is recognized but the risks are not formally defined in relation to the strategy. The growing phase shows that there is a structured approach and that the risks are defined based on selected business objectives. The sustainable phase means that risk management is part of the daily business operations as an integrated whole. In this way the risk appetite and strategy are seen as two sides of the same coin. These different phases indicate that organizations are still working to integrate the risk appetite with the strategy.

1.6 Strategic risk management

It is now obvious that risk should be managed in the strategy and risk management and strategy need to be fully integrated. In this way, the success of the risk appetite can be measured by the degree to which an organization can demonstrate how strategy and risk management are integrated (Lentino, 2012). This introduces a new phenomenon namely, strategic risk management (SRM). According to Frigo and Anderson (2011) SRM can be defined as: “a process for identifying, assessing, and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder and stakeholder value”. This definition of SRM is different to ERM


opportunities and the positive side of risk. In this manner SRM enables organizations to realize opportunities they otherwise might have missed (Zolkos, 2012). According to Frigo and Anderson (2009) the Strategic Risk Assessment process consists of seven steps, illustrated in figure 1. This process is used to assess the possible risks that most threaten the enterprise.

FIGURE 1: Strategic risk assessment process (Frigo and Anderson, 2009)

As can be seen in figure 1, strategy and risk should be inseparable, which in practice is not always the case. Smart and Creelman (2013) describe a comparable process in their Risk Based Performance Management framework. In this process the strategy should first of all be formulated, which subsequently influences performance management and risk management. By integrating those in what Smart and Creelman (2013) call ‘risk-taking to strategy’, a certain governance and communication is created which sets the culture in the organization. In this way, the culture is appointed as a specific subject. The influence of the business drivers is large in this entire process, which indicates that Smart and Creelman (2013) put more emphasis on the business drivers and the managing of performance, where Frigo and


SRM has gained the attention of organizations, but widespread usage by organizations is not visible and should be improved. Therefore, SRM remains an immature activity and problems lie with the alignment between the risk appetite and the corporate strategy in practice. That is why it was not surprising that a disconnection was common in practice (Rao and Marie, 2007; Frigo and Anderson, 2011; Shang and Cheng, 2012; Zolkos, 2012; NBA, 2013).

1.7 Communication and organizational culture

One subject that is underexposed in this research is the communication and organizational culture. According to Smart and Creelman (2012) one of the purposes of the risk appetite statement is: “to provide effective communication throughout the organization in order to drive the implementation of enterprise risk management”. This definition indicates that once the risk appetite statement has been developed it has yet to be communicated to the employees. The risk appetite can be communicated at various levels of accuracy and detail and there are more and more organizations that are cascading their risk appetite statement to lower levels of the organization. This makes sense when the business units are influenced by different business drivers, and it would therefore be logical to split up the corporate statement into individual statements for the business units. When the risk appetite is communicated specifically enough, organizations can monitor whether risks are being managed within that risk appetite (COSO, 2012; Smart and Creelman, 2013). This also means that it is crucial that the risk appetite is embedded in the organizational culture. For getting the culture adequate, communication is an important aspect. When the communication is effective, the risk appetite can be incorporated into the organizational culture. And when the culture is adequate, risks are more likely to be managed and objectives are more likely to be achieved (Smart and Creelman, 2013). This indicates that the organizational culture is a prerequisite of a successful strategy. According to COSO (2012) there are three main approaches for communicating the risk appetite:

• Expressing overall risk appetite using broad statements

• Expressing risk appetite for each major class of organizational objectives

• Expressing risk appetite for different categories of risk


is the risk appetite for each major class of organizational objectives, which is often communicated in the form of a statement. The advantage of such an approach is that it does not treat different risks in the same way. The third approach is the most detailed and is about the communication of the risk appetite for different categories of risk. In this way there is greater judgment about the unique recitals of each category of risks (COSO, 2012).

2 RESEARCH DESIGN

As described in the literature review, this research focuses on one key aspect of risk management, namely the relation between the risk appetite and the organizational long-term goals or strategy. This relation means that the risk appetite should be integrated with the strategy to set the right objectives. With the use of existing theory a research question is developed deductively, which led to an explorative study that discussed the outlines of the field. This research investigates and delves deeper into the thoughts and experiences of persons who are confronted with risk management in practice and seeks new insights (Saunders et al., 2009). It is an interpretative approach towards the understanding of the meanings people attach within their social worlds to the relation between risk appetite and strategy and is about “people’s view(s) of reality” (Snape and Spencer, 2003; Gephart, 2004; Golafshani, 2003). Therefore the emphasis of this research will be on the understanding of specific situations and perceptions of people in relation to the subject.

2.1 Reliability

To establish reliability, it is important to show that the same results would be obtained if this research were repeated in the same way and under the same circumstances. Therefore the process for carrying out this research is described in detail in this section (Shenton, 2004). According to van Aken et al. (2012) the reliability can be divided into: the researcher, the instruments, the respondents and the circumstances.

2.1.1 Researcher

This research is part of a larger investigation into risk management, in which a team of four people each focused on a specific subject. The interviews were conducted by a two-person team and covered four different topics about risk management. Because on three occasions we did not have permission to record the interview, the possibility of doing two person


interviewee the other person observed, made detailed notes during the interview and filled gaps in the questioning. In this way this research is independent of the researcher. In addition, reliability is increased by using a semi-structured way of interviewing with an explorative character, in which interviewees explain or build on their responses (Saunders et al., 2009). By following a more fixed procedure in conducting the interviews, the influence of the personal characteristics of the researcher is reduced (van Aken et al., 2012). A pre-established interview protocol was used for bringing different topics into the conversation. Using this protocol, open-ended questions were asked about the subject, and we tried to use a more nondirective approach. This approach was used because it was not clear what kind of information was available and because there was uncertainty about what the reactions of the interviewees would be. In the interviews we entered into conversation with the interviewee and tried to gather information about interpretations and considerations. The interviews were therefore focused not only on gathering factual information but more on the underlying thoughts. The topics raised during the interviews, which covered the subjects of the four researchers, were the risk appetite, the relation of the risk appetite with the strategy, organizational culture and reputation risk. The following questions are formulated for this specific research:

1. In what way does risk management contribute to achieving long-term goals?

2. To what extent does the risk appetite affect the strategy of the organization? And vice versa?

3. What considerations are made for defining the appropriate risk exposure when the long-term goals are kept in mind?

4. To what extent is the risk appetite discussed and communicated across the organization?

Our concern was to leave the interviewees some freedom of speech and to encourage them to discuss problems or irregularities which they perceive while working with risk management. Interviewees could therefore bring their own view on the subject without being limited to the pre-established questions.

2.1.2 Instruments


questions that require explanation or understanding of social phenomena within different contexts. Moreover, Saunders et al. (2009) stated that: “managers are more likely to agree to be interviewed, rather than complete a questionnaire”. For analyzing documents of the organizations, annual reports were collected and Internet sites were used. This took away some methodological uncertainty, because conclusions based only on interviews are quite subjective. Due to this double triangulation of sources and methods the reliability of these findings can be better confirmed, which strengthens the construct validity (Golafshani, 2003; Yin, 2014). In addition, these multiple methods provide better opportunities for answering the research question. In some cases use was also made of internal documents (e.g. risk management frameworks), which were provided by the interviewee.

2.1.3 Respondents

In order to increase the reliability the results should be independent of the respondents (van Aken et al., 2012). According to Maxwell (2005), the typical way of selecting respondents is purposeful selection: “selecting those times, settings, and individuals that can provide you with the information that you need in order to answer your research questions”. With an exploratory phase of 22 interviews (23 persons), knowledge about the research object has been built. These interviews were conducted with highly knowledgeable persons with extensive experience in risk management. The interviews were conducted in different industries to shed some light on the link between risk appetite and the long-term strategy of an organization. In selecting organizations, a key criterion was that the particular organization was of sufficient scale to be sure that risk management should be a major topic. Access to the organizations was acquired through the use of personal contacts or by directly contacting the organizations or persons. Following this logic, we studied organizations from different industries, as can be seen in appendix 1. Whenever interviews revealed features similar to interviews we had conducted earlier, we stopped our data collection. This means that when we heard the same information again and again we had reached “theoretical saturation” (Glaser and Strauss, 1967). By keeping this in mind, each additional interview added new information.

2.1.4 Circumstances


2.2 Validity

The validity of a research is high when its results are really about what they appear to be about (Saunders et al., 2009). According to van Aken et al. (2012) there are three major criteria for evaluating the results of the research: construct validity, internal validity and external validity. To increase the construct validity, an expert in research about risk management was asked to evaluate the measuring instruments before generating the interviews. In this way it was investigated whether the questions of the interviews measure what they are intended to measure. After this conversation, the questions were tightened and adjusted. Based on new insights obtained while conducting the interviews, the interview protocol was adjusted once with a modification of a question, which also improves the construct validity (van Aken et al., 2012; Yin, 2014). Because the results of this research rely mainly on interviews there is some bias. Because of this subjectivity it is impossible to find the absolute truth. It is not the intention of this research to search for differences and similarities between industries; it is particularly focused on interpretations, considerations and underlying thoughts, and on viewing the focal phenomenon from diverse perspectives (Eisenhardt and Graebner, 2007). Therefore, all interviews were conducted with risk managers in the Netherlands or with persons who are in another way involved or confronted with risk management. A diversified range of functions from different layers was interviewed; these functions ranged from a corporate treasurer, head of compliance, risk manager, advisor, concern controller and executive vice president to a writer/teacher. In this manner it is unlikely that these interviewees will have a one-sided view on the subjects, which increases the internal validity of the results and limits biases (Eisenhardt and Graebner, 2007; van Aken et al., 2012).
Because this research is part of a larger investigation, it was possible to acquire more data by generating interview questions for the other researchers, which adds to the richness of the data and increases the external validity (Eisenhardt, 1989; Yin, 2014). The interviews were conducted in March, April and May, over a period of sixty-six days in total. They took place in the Netherlands at different locations, namely in Amstelveen, Amsterdam, Apeldoorn, Assen, Den Haag, Enschede, Gouda, Groningen, Leeuwarden, Utrecht, Wageningen and Zwolle. The longest took 150 minutes and the shortest 35 minutes. If we had permission to record the interview, the interview was recorded. Permission was granted to record 19


literally quoted by name. That request was complied with, which means that the quotes in the analysis are anonymous. To give some supplemental supporting data, the function of the interviewee and the corresponding industry of the organization are shown in appendix 1. According to Shenton (2004) this additional information increases the external validity and transferability of this research. A final point is that the credibility of this research is increased by supplying the themes of the interview to the interviewee before the event. This gave the participants the opportunity to gather some relevant organizational information, which promotes the validity and the reliability of this research (Saunders et al., 2009).

2.3 Data analysis

The purpose of this research is the search for promising insights, patterns or concepts that could be further developed (Yin, 2014). In analyzing the interviews, any in-depth analysis of the data was avoided until all interviews were completed, which avoids imposing meaning from one interviewee on the next one (Seidman, 2006). Because most of the interviews were tape recorded, the quality of the data analysis is improved and reliability is guaranteed. The researcher became familiar with the various key points made by the interviewees by listening to the tape recordings of the interviews one after another. This approach leads to the understanding of various perspectives and is followed by a search for connecting threads and patterns (Rowley, 2012; Seidman, 2006). An attempt was made to find out the experiences of the interviewees and to make connections among the experiences of the interviewees that share the same thoughts (Seidman, 2006). For making connections the data is categorized, where the categories are derived from the data and based on the actual terms used by the interviewees (Saunders et al., 2009). According to Saunders et al. (2009) it is likely that the literature is used for analyzing the data. In this manner remarkable similarities and differences were listed and compared with the existing literature to sharpen insights regarding risk management. As Eisenhardt and Graebner (2007) emphasize in their article, qualitative data should be presented “by simply presenting a relatively complete rendering of the story within text”. Therefore the results from this research are interspersed and supported with quotes from interviewees. In the results section the case evidence is presented in the form of “construct tables”, which is emphasized in the article of Eisenhardt and Graebner (2007). These tables summarize the evidence from the interviews and


3 RESULTS

As discussed earlier, the link between risk appetite and the organizational strategy and long-term goals is in theory not a straightforward issue. This section presents the results of the interviews, which shed some light on problems with the integration of this link. In addition, notable features of risk management in general are discussed. The findings of the interviews are, following Rowley (2012), presented under headings that reflect the main themes of the analysis. All these themes are part of the analysis for answering the research question and each interview is analyzed on these different themes. Quotes from individual interviewees are used to illustrate their meanings and underlying thoughts in the form of construct tables. The function of the person quoted and the industry of his/her organization can be found in appendix 1. By interviewing 23 highly knowledgeable persons with extensive experience in risk management, a broad view of risk management and the integration of risk appetite and strategy has been obtained.

3.1 General impression

Besides the main subject of this paper (the relation of the risk appetite and the strategy), the underlying motives for performing risk management are also analyzed. This section provides an overview of the most discussed and prominent topics.

3.1.1 Reactive behavior

Organizations have recently been required to manage risks to a certain degree. It became evident from the interviews that some organizations have been engaged in risk management for only a few years. For these organizations it seems that managing risk is more an obligation than something that is really internally driven and done out of free will. This is remarkable, because the added value of risk management is generally known. On the other hand, some organizations have to; otherwise they will be punished by the regulator. What became clear from the interviews is that this is particularly true for financial institutions and governmental agencies. The following quotes describe these findings.

Person Quote

E “The risk manager is there for the fixation of the risks, and actually just for the accountability. Because we do not really manage it. The other way around as the method describes, but more effective. First the risk identification, then actions and after that we write down what we did.”

F “Because of new requirements, there is no other option for banks. A colleague tries to make it explicit, because of the requirements of the DNB.”

E


P “The specific arrangement of the risk and compliance management was there already for a part but especially after the SOX was arranged in the US. (…) We have had quite some fines in recent years, and therefore there is a lot more attention for managing risk. The costs are not in proportion to the revenues we may have.”

C “Financial institutes are mainly engaged in risk management because they are imposed by the law and regulations (rules-based). Production and construction companies base their risk management and risk appetite more on strategy and vision instead of rules (principle-based). A balance between rules and principle-based must be found.”

R “Now is risk management often about accountability: what are the reasons that we have abnormalities? Weren’t we able to avoid that? So we have to balance to what extent it does make sense to spend a lot of time in looking forward. Maybe we should just accept it.”

J “We have already the risk appetite, but mainly used for the accountability (a model).”

E “(…) But how does the outside world know that people are risk aware? Therefore you need the lists again to show that. It is a kind of trade-off between creating risk awareness and accountability to the outside world.”

Q “It is often pure the financial calculation. That is because risk management is in municipalities often part of finance department and not a stand-alone department. In this way they give the signal that they actually just do it for the financial reporting. (…) They find it less important.”

Another impression that emerged from many interviews was that risk management is often incident driven. This implies that something first has to go wrong before a certain risk will be managed. It makes the organizations and also the employees aware of the risks they are confronted with, but this is actually too late. This is especially the case for risks that are not necessarily about safety. Incidents related to human safety are different risks from the risks that banks and financial institutions have. In the engineering, oil and gas or technical services industry the focus is often on mitigating those risks related to human safety, because people can lose their lives if there is any deviation from a certain process or protocol. But other industries, with a more office atmosphere, are not confronted directly with those risks. When something goes wrong the consequences are often financial, which is in people’s perception very different. Some annual reports illustrate that irregularities made clear that governance and business controls were not sufficiently effective. This often means that when there are setbacks, management will react more sharply and become more critical. This is also illustrated in the following quotes from the interviews.

Person Quote

C “Due to corporate (accounting) scandals, the rules have become even stricter in recent years. This shows that the law and regulations are overtaken by events. This happens in fact within companies too: risk management become better addressed after the incident have taken place.”

D “We can make a step regarding the current approach on risk management, but that takes also some costs. So there would be something to occur or likely to occur from which we say, actually we are insufficiently informed.”

H “Incidents provide, through training or information, focus. (…) Often when an incident has


E “To be honest, we are not a company like Shell. (…) When employees risking personal injury you have to be risk aware. That is not the case in our organization. In our organization it is just work, and when something goes wrong, we have more work to do.”

C “Scandals are good for the risk appetite; this makes the people in the organization more aware of the risks.”

F “Other companies also run forward with risk management, mainly because they have gone through all kinds of trouble.”

Q “It varies by municipality whether there is a risk identification for each project. It seems that it depends on whether they have recently had a major setback. Then the board requires it.”

M “It is all incident driven and not structured. Maybe it is fine that people come up with something and act accordingly, instead of frameworks which are often obstructive.”

The quotes above show that regulation is needed in order to get some organizations to work with risk management. But the incident-driven behavior means that new regulations are often a result of incidents. Because of this ever-increasing regulation, it is all becoming too complex. This is shown in the following quotes.

Person Quote

J “I think that a wrong move is that rules are created on the basis of excesses. The complexity will only increase. You have to go back to simplicity.”

K “There is a tsunami of regulation. For a small bank, it is quite complex to understand all that rules. (…) The time and effort it takes to make all those reports, terrible.”

Some organizations believe that the costs outweigh the benefits and suggest that organizations should always be reactive. This should especially be the case for organizations with a lot of stakeholders. These findings are illustrated in the following quotes.

Person Quote

O “You will always keep a certain reactive behavior, because you cannot assess any risk in advance, so when it then occurs you have to react.”

L “In general, things were going well. And as long as things go well, you do not have a good idea about what can go wrong.”

K “Some things you cannot understand and preclude. The trick is that you learn that if it is wrong, you act.”

S “I think any organization where stakeholders are responding to incidents require that the board should take action.”

3.1.2 Quantitative and qualitative approach


Person Quote

A “Our risk assessment model, I’m really enthusiastic about it, it is very simple (…) We indicate what concerns we have and where we can plot this on the basis of history. That is the only drawback. With a new issue is this model very difficult to apply, because it is all uncharted territory. In some cases we can only look back one or two years, in this manner this method does not work. (…) In that case, we try to do it with different scenarios. (…) But then you notice quickly that it becomes quite artificial. Then you have a category: heard of in the industry? No, never heard of. So everything ends up actually low in the model. Actually, we do not have a good instrument for that.”

As discussed before, risk management has a reactive character. Because the regulator mainly monitors the quantitative models, organizations have to do this appropriately, according to the directive. This indicates that there are two ways of approaching risk management:

1. Managing risk for better management and governance

2. Managing risk just for the outside world

The following citations indicate the emphasis on the quantitative approach, which is not always suitable.

Person Quote

K “The regulator is currently putting pressure on mainly the quantitative criteria. We cannot avoid that, so we are changing our model a little bit.”

Q “Only quantitative calculations that seems a lot but says nothing.”

M “We have difficulties to write down risks that are messy, vaguer and difficult to quantify (e.g. risks about organizations, relations, information flows), because we just cannot handle that, we do not understand it.”

E “Risk management depends on the person. You can set up great lists with processes and actions which you update every month, but then does it not live in the organization yet. You want that the employees wake up every morning with the three biggest risks in their head; those people do not need lists anymore. (…) If you configure it procedurally the actions are more or less done, but it still does not work. (…) You can show with methods, instruments and processes that the organization is working on it, but what good it is?”

J “Someone of the DNB asked me, how long it should take to implement risk management. I answered: two or three years. Why so long? I can do it in one month, but then it looks amazing from the outside, but does not work from the inside.”

The above citations indicate that a quantitative approach in itself is not desirable. A qualitative approach towards managing risk can give more value to such a risk assessment model. This can give value for the organization itself, as opposed to the quantitative approach, which for some organizations is mainly done to show the outside world that they are working on it. But some organizations are struggling with this subjective approach. It is important to give the right person the right responsibility. Those aspects are very important to give it the right value. This is shown in the following quotes.

Person Quote

J “Risk management is very subjective. It is all about knowledge and experience. That is what


T “I think we need to keep an eye on the balance between quantification and experience, intuition and human contribution. You should also consider the emotions, which means that a decision should also be subjective.”

U “You can quantify everything, but that is not what I do. Because that means that all techies are more concerned with quantifying instead of solving disruptions.”

Many interviewees mentioned gut feeling as an important component for managing risk. This is mainly because it is difficult to relate risks to concrete things. Gut feeling reflects the highly subjective nature of risk management, which is discussed above, and should be based on the person’s knowledge and experience. The following quotes underpin these notions.

Person Quote

D “For large tenders a risk analysis will be made. It is a pretty rude overall risk analyses, guesswork.”

G “To make decisions with social issues is very difficult and quite subjective.”

E “Many risks, notably at a higher level, are elusive and hard to quantify. How to weigh the risk then? Is like trying to know the unknown, impracticable. (…) Quantitative weighing of risk on certain level is almost impossible, and based on gut feeling.”

M “In practice is the risk appetite framework not applied, maybe unconscious. Per project it is primarily based on gut feeling which depends on the organizations position in the market. (…) There is nothing wrong to follow your feelings. As an entrepreneur you should just do it.”

Q “Sometimes it is about the little things, which can be very painful. For example, sending a letter to a deceased person, everyone absolutely tries to avoid that. On the other hand, people decide without too much debate about a project with hundred millions of risks.”

R “I just say to the risk analysts, that they simply must determine what is acceptable on the basis of their professional knowledge.”

3.1.3 Risk normalization

Another phenomenon that came forward during the interviews is risk normalization. Risk management is difficult when some risks are perceived as normal, because paying attention to those risks is often perceived as unnecessary. Employees are familiar with them, which makes it almost impossible for management to actually include those risks in the risk management processes. This is shown in the following quotes.

Person Quote

A “Most troublesome of risk management is risk normalization. You get used to risks in routine activities. (…) It is not easy to get them on the agenda. We have a lot of incidents where people just have not been paying enough attention. One of the challenges is to get the risk awareness when people are doing their routine work.”

D “I can imagine, when foreigners think about the Netherlands and say: you live below sea level, that is dangerous. But for us is this risk very acceptable.”

D


3.2 Risk appetite

Why the risk appetite is often not explicitly defined, and what the main problems are, is not clear in the existing literature. This section describes the general impressions and main problems in defining the risk appetite. As discussed in the previous section, it appears from the interviews that risk management is reactive in character. In addition, it appears from the interviews that the determination of the risk appetite is in some cases still done for accountability to outsiders. This means that for some organizations it is not internally driven and out of free will, or that it does not work in the quantitative way that the regulator sometimes demands. In this section the researcher takes a closer look at the implicit character of the risk appetite, the irrationality related to the risk appetite and the “comply or explain policy”.

3.2.1 Implicit character

It became clear from the interviews that the risk appetite remains a difficult subject. As discussed, the qualitative aspects of risk management are very important in relation to the quantitative aspects. This indicates that risk management, as well as the risk appetite, is partly implicitly adjusted. It became apparent from many interviews that the risk appetite is not always explicitly defined. In other cases it is still under construction or, perhaps even more extreme, the term is not used at all and there is no guideline for taking risk. This is shown in the following citations.

Person Quote

M “And the risk appetite, we are not so good to determine this. Actually we do not have one, and there is also not really the need for. (…) We have been busy preparing such a session, but we have this not done yet.”

L “(…) In this manner we do not even use the term ‘risk appetite’, it is not a thing we use or is formulated in one sentence.”

S “Actually we do not define the risk appetite explicitly. I guess that we are generally very risk averse. But it is a good point, because when we really want to do something, you might have to take more risk.”

R “It is not really called the risk appetite. If we communicate it throughout the organization, it is more about the core commitments and statements about how we treat each other.”

H “There is not a guideline for the risk appetite, because what is risk? (…) There are a lot of risks wherefore it is impossible to cover it in a general statement. It is not a universal standard happening. It is simply the point that decisions should be made responsible and thoughtful, not blindly.”

F “(…) if you ask what is explicitly agreed on risk management, hmm yes… in general we have made agreements about it, but if I ask what these agreements are? It is usually not written down. (…) The definition of the risk appetite, what is important before you enter a risk assessment, is often missing.”

R “When you look at rules of thumb, which indicate the risk appetite, then there is a lot implicit.”

J “My role is to create awareness on decision making. (…) For us it is pretty amazing that it is


Besides the fact that an explicit statement about the risk appetite is often missing, in some cases an attempt is made to capture it in a quantitative model. But the underlying motives are not exactly substantiated, because the model is based on people’s experience. Interviews gave the impression that it sometimes was not carefully determined and, as discussed, in some cases just done for accountability. How this is done is shown in the next two quotations.

Person Quote

L “Earlier we used five risk levels for assessing risks, now only three because it was unnecessarily complicated and time consuming. (…) The threshold is not really reasoned or calculated, just an amount pricked that should be interesting and mainly based on our experience.”

E “Determining the line of the risk appetite is quite simple, I just put it in. I let someone else take a look and ask him what he thinks. There is yet no one who understands the effect and meaning. At the time you are going to work with it, then it turns out whether it is right or not.”

In many interviews a risk appetite framework or heat map was discussed. This is not an explicit statement, but a set of categories divided by certain consequences and probabilities. From the impression given during the interviews it became clear that this does not work appropriately, because it remains doubtful. In some cases you have to react quickly, so an explicit statement or process is in that case not desirable. This is shown in the citations below.

Person Quote

G “This risk appetite framework will be further improved. Why? Because you can have a discussion about each cell in the heat map. (…) Difficult about this is that, although we are not even a complicated company, this varies by activity. We aim to decorate each business individually. But then you have the discussion about how far you will go into detail.”

H “(…) With that cumbersome process that we have, it is also likely that we lose a project because it is too bureaucratic which makes it unable to react quickly.”

A problem in determining an explicit risk appetite statement is that the risk appetite is in some cases dynamic. It depends on people’s perception, knowledge and experience but also on the type of project or situation. According to some interviewees, the risk appetite is not a general statement that can be used in every situation. Therefore the risk appetite is seen more as a kind of culture that makes people aware of what is acceptable. This has the effect that it cannot always be defined in one sentence. The following quotes reflect this.

Person Quote

D “The risk appetite is not something that is very concrete and everybody knows. It is more a kind of culture, and that is very dynamic. It depends heavily on the people and their skills, knowledge and experiences.”

M “I really think that the risk appetite depends heavily on people and their feelings and experiences.”

C “For some innovative projects, the risk appetite can be higher than actually the general risk


R “When you have accepted the project, it is the project leader who determines how much risk is taken. (…) The risk appetite is definitely not every project, situation or environment the same. We have very simple projects but also extremely complex projects with a very high risk profile.”

L “In certain areas is determined what is acceptable and absolutely not acceptable. But we have no prior judgment about some type of projects. The decision is made when it is proposed, but actually then it becomes an operational decision again.”

Another difficulty is stating the risk appetite where social and political considerations are involved. It is about people’s perception, and when someone can lose his life it does not matter what the financial risks are when it comes to avoiding those safety risks. This indicates that it is impossible to create a risk appetite statement when it is about people’s perception or has to do with social issues. This is shown in the following quote.

Person Quote

Q “The risk appetite is not really determined for local governments, and is actually not pronounced. Financially it sometimes happens implicitly, and financially it is possible. (…) But when is something good enough (which is the inverse of risk appetite)? Socially that is very difficult, and as an organization you do not know what you should aim for. On the social side it is impossible to determine that. (…) Risks are in people’s perception very large when it is about human lives. (…) Every time it is a political consideration, which means that the risk appetite differs every time.”

3.2.2 Irrationality

The interviews showed that some elements of decision making are not always rational. Examples are political elements and the decision whether a certain project should proceed or not. Often different stakeholders have great interests in doing it in a certain way, which can have an impact on the risk appetite. This means that every time it is a battle between the rational weighing of risks and the political drive to realize something. Besides the political interests that play a role in decision making for municipalities, this can also play a role in businesses, for example with prestige projects. This means that in businesses, too, decision making is not always rational. These findings are shown in the following quotes.

Person Quote

S “It is not the case that the low risk appetite means that we never do risky projects. If there is a large collective desire of the board to realize a certain project, risks are accepted. This is the political element, and therefore it is not always rational. Despite a risk analysis, the political elements and ambitions are actually decisive. It is controversial and a paradox for municipalities: we are in general very risk averse because we spend public money, but at the same time we realized certain projects with significant risks. (…) So our attitude is hybrid, at the same time we want to achieve certain things, but there will always be a movement to belittle the risks.”

T “The rational approach is often different than the emotional approach. (…) You should also

Q “In business, you see that at least as much is politically driven as in an average municipality. (…) I always thought that within companies reasonably rational considerations were made, so you can incorporate the risks, but that is not the case generally.”

Q “There are three explanatory factors: we cannot estimate, we are naturally optimistic and political misrepresentation (I would simply call it lying). That happens with prestige projects. They then emphasize a lot of positive effects, where it is a serious question whether this is realistic. You should not expect that the project leader stops with ‘his’ project. So I have my doubts whether he is honest about the risks.”

D “The estimation is often wrong. You have to deal with sales people, and they are often optimistic. There are a lot of factors that lead to projects with an unrealistic contract price.”

3.2.3 Comply or explain policy

Something that came up in some interviews was the “comply or explain policy”. In contrast to the risk appetite, this policy is more manageable; the idea behind it is that risks should be managed qualitatively. A lot is possible as long as you have a good story or explanation for making a certain decision. This is illustrated in the following quotations.

Person Quote

L “For a complex and diverse organization it is not possible to determine the risk appetite. On corporate level it is only possible to formulate outlines. There we have a “comply or explain policy”, with deliberately too strict rules. One can act beyond those rules only if they have a good story or explanation.”

K “We have a collective board of four people where we make decisions about for example, which sectors we want to run in our business. We have just made a strategic move, and acquired a foreign company, because we want to grow in that country for specific reasons. In that collective board we talk about the risks of that acquisition. Not to say no, but to say an informed yes. Because it is a waste when people talk six months about a move they want to make, and after that I decide to say no. (…) You need to manage risks, not only avoid them.”

A “Sometimes we get involved in activities which we rated as high risk. In that case we want the board of directors also to have had the opportunity to assess the mitigation plans. So that they can say: ‘we do not do it’ or ‘we do it as long as…’.”

D “You must have a story; you cannot just take any risks with the money from someone else.”

R “When you want to enroll a project with a loss, you have to come with a damn good story towards the board and explain why you want to do that project.”

3.3 Strategy
