Bryan Whitefield

Bryan Whitefield focuses on building risk leaders in organisations and on demystifying enterprise risk management, risk financing and business continuity planning for non-risk professionals.

Posted in Risk Management

Risk Leadership: 3LoD

 

I saw this abbreviation, 3LoD, in a presentation the other day and it took me a few seconds before I worked out it refers to the Institute of Internal Auditors' whitepaper entitled The Three Lines of Defence. There are some very good aspects to the paper and a few I am not so keen on.

3LoD has a good summary of the different roles and responsibilities of management, risk and compliance teams and internal audit:

  • Managers manage their risks by putting into place processes and systems to guide staff and minimize the potential for unwanted outcomes.
  • Risk and compliance teams are internal consultants acting as facilitators or enablers for management. They provide guidance on how best to understand and manage the uncertainty.
  • Internal audit provides assurance that what the governing bodies are told is the situation, is the situation.

There are a couple of less than perfect aspects of the risk and compliance professions that the title of this paper highlights. The first is a focus on the negative aspects. The use of the word defence suggests we need to use risk and compliance to protect ourselves from bad management whereas the main aim of risk and compliance is to focus on achieving success through the management of uncertainty.

The paper also highlights the lack of independence of auditors in all kinds and sizes of firms. So often the same person heads up the second and third lines of defence despite the IIA saying it should only happen in exceptional circumstances. It should never happen!


Auditors should audit and provide assurance. Any other manager can acquire the skills and resources to fulfill the risk and compliance function. It is a cop-out to suggest that sometimes the head of audit needs to head up risk and compliance. By all means have an audit professional in the role but do not have them report to the head of audit.

For more information on the value of independence that the separation of the risk/compliance and audit roles creates, see the December 2012 issue of Risk e-Views.

Posted in Risk Management

One of the great advantages of family holidays is the opportunity to learn from the younger generation. So often there is no end of surprises and you are walking away with your tail between your legs or nodding approvingly.


Why should we look for risk leadership from the uninitiated or those younger than us?


"Devil may care" Their carefree attitude can remind us of why we are doing all this in the first place and help shift our risk appetite to a more appropriate level.

"Ignorance is Bliss" Their ignorance will often lead to solutions. They may be ignorant of the risk, however, more importantly they will be less willing to give up and are more likely to fight for a solution.

"Technology Savvy" We know they are technology savvy so why not ask them about the technology. Don't fall for the vendor's sales pitch.

"Social Re-norming" We know there are social norms, however, the younger generations are "social re-norming" our society. If you don't allow them to lead some of the way, you will fall further behind than you already are.

I know they say youth is wasted on the young but so too is experience wasted on the experienced. We forget too much of what we have learned, we forget how great it can be to take some risks because we have seen too many bad outcomes. We forget what we thought of the experienced when we were the inexperienced.


Don't waste your experience, tap into the younger and uninitiated and help drive change in attitudes to risk taking - remind people of what helped them get to where they are today - youthful exuberance balanced with risk-based decision making. It's not what you called it, but it was what it was!

Posted in Risk Management

I recently read an interesting article in my son's school's newsletter. It was written by a teacher of 28 years' experience who, for the first time in his career, had another teacher sit in on a lesson for the purpose of self-improvement via a collaborative approach. In his words:

"So, after 28 years in the wilderness, I took the plunge this week and welcomed a colleague into the protected walls of my classroom. My colleague, many years younger, technologically savvy, and very cool, quietly sat in the back corner and wrote copious notes on his observations. At first, I was conscious of his presence, but quickly got into the swing of the lesson. By its conclusion, my Year 12 students had understood the concepts, or so I thought, and the lesson went to plan. The observation was followed up with a meeting and my colleague arrived with four pages of typed notes! After reminding him where he got his meal ticket from, our discussion commenced. What transpired was one of the most valuable professional development experiences in which I have participated during my teaching career. My colleague sensitively raised issues, made suggestions, provided praise and left me with some strategies to work on before our next encounter in the second term. The entire experience proved very enriching and will certainly, in the long run, improve the educational outcomes for the boys in my classroom."

It reminded me that every risk professional could benefit from similar support. When we are facilitating or taking on a tough meeting, influencing senior executives on risk, how often do we have a peer sitting in the wings to provide us with feedback? My tip is to seek out a peer to provide that feedback from time to time so you can continually improve.

Posted in Risk Management

Recently I read a comment in a LinkedIn Group that stated Chief Risk Officers should be given more authority in order to enforce sound risk management practices. This made me raise my pen.

The notion of authority for a CRO worries me a bit, for the same reasons that the risk management function and internal audit should be separated. I am more of the school that CROs sell benefits, facilitate better practices and influence good decision-making as broadly as they are able, while the assurance function (e.g. Internal Audit) attests to the success or otherwise of the CRO's efforts (see also my blog on whether Boards should have a separate Risk Committee). Yes, sometimes the CRO's job will be near on impossible and you would need the charisma of Richard Branson; however, being seen as a "Trusted Advisor" rather than an authoritative figure will in the end assist management to make better decisions.

As many of the subsequent posts to the comment stated, you need to earn respect. In my words, “Trusted Advisor” status must be earned. You can have notional authority without influence.

Lastly, I was involved in the establishment of a Masters in Risk Management at Monash University, Australia, about 12 years ago, and during a workshop on what might be a CRO's ultimate skill set we concluded that someone with the core technical RM skills and an MBA was getting towards the mark. Since then I have often commented that a CRO needs to be an MBA on steroids. A CRO needs to understand strategy, finance, safety, project and change management and organisational behaviour, and have a great understanding of the business. On top of that, a CRO needs to show strong leadership across all of these areas.

Posted in Risk Management

Risk Leadership: The Need to Listen

A great TED video, this one by Ernesto Sirolli, who tried a different approach (listening) to aid small rural and third-world communities, inspired this month's musings.

The first half is entertaining storytelling leading up to some interesting points about the need to listen if you wish to solve problems. I am sure you have experienced many of these scenarios in your risk advising career, however, we can all do with a reminder from time to time.

Why didn't they tell us? Because we didn't ask. Risk Managers can fall into the same trap as Ernesto did with his aid work in Africa. We sometimes assume too much or get too absorbed with other issues to ask the right questions.

They really don't get it, do they? Sometimes as risk professionals we are flummoxed as to why "they don't get it". Some of the most common reasons include:

  • They really don't want to know about what you have to offer because you have not created any sense of need - whether carrot or stick.

  • The environment you are in when you are engaging them.  A cafe/mess hall/restaurant (neutral ground) is better than your office.

  • You picked the wrong target - you needed to choose those with the need, help them shine and then move on to the harder targets.

Why didn't anyone speak up? A quote from Ernesto: "Entrepreneurs don't come to public meetings". Put another way, if you want to get an honest opinion on your risk framework or your risk training or other aspects of your endeavours, the most insightful comments won't necessarily come from a group forum.

The last inspiration from Ernesto was "two heads are better than one". Yes we have all heard it, however, his story about Richard Branson's autobiography was a terrific reinforcement of the main selling point about the role of risk professionals: to provide the second head. In an exercise Ernesto asks his students to count how many times Branson refers to "I" vs "we" in the first few pages of his autobiography. The answer is 32 times for "we" and not once for "I".

Posted in Risk Management

Treasury's consultation paper on governance standards for charities, due to come into effect on 1 July 2013 under the new Australian Charities and Not-for-profits Commission (ACNC), has the right approach and should provide all of us with increased confidence that our donations and tax dollars are in good hands.

The paper draws on existing legislative principles for corporations to strengthen the accountability of the management of charities and not-for-profits and puts them in line with other business sectors.

Here is a very quick overview of the six governance standards, however, you can download the entire document here or you can visit the ACNC website where there is additional guidance material.

  • Purpose: This standard is set out simply and clearly. As a charity you are required to have a stated charitable purpose, and you need to be able to communicate it to stakeholders and demonstrate that your activities are in keeping with the purpose.
  • Accountability to members: This one is even more simply put. If the charity has a membership then those managing the charity should be accountable to them. There must be modes for members to query or raise concerns about the governance of the charity.
  • Compliance with Australian laws: You might think this one is a "no brainer", however, there is a little more to it. The ACNC wants to maintain some flexibility here to be able to take regulatory action against illegal activities without necessarily causing the charity to lose its charitable status. That is, if the situation can be corrected and the charitable purpose resumed, the ACNC wants the leeway to help make this happen.
  • Responsible management of financial affairs: Like the first two, this is cut and dried: be fiscally responsible.
  • Suitability of responsible entities (an individual, corporation or trustee): This standard draws on the approach of other regulators such as ASIC and APRA and holds the charity accountable for ensuring potentially unsuitable people are not in positions of authority. For example, it draws on disqualification under the Corporations Act as an example of an improper person.
  • Register of disqualified responsible entities: Again the ACNC is seeking additional scope. The ACNC will have the ability to disqualify an entity and maintain a published register of all those it disqualifies. This will allow it to take action where the Corporations Law and other laws do not come into effect. Assuming it applies its powers appropriately, the register will be an additional protection for stakeholders of charities.

IN ESSENCE - The standards are not onerous and generally bring charities in line with other organisations we do business with. To meet the standards' objectives, charities will need to do enough to demonstrate compliance without creating a bureaucratic nightmare that significantly increases the ratio of administration costs to the funds directly employed for the charitable purpose.

Posted in Risk Management

I just read an article in a newsletter published by the Macquarie University natural hazard research group, Risk Frontiers, discussing the case of the six Italian scientists and a government official who were found guilty of manslaughter for "failing to adequately communicate the level of risk" regarding an earthquake swarm. Their conclusion - "A need for separation between the roles of scientists and that of authorities responsible for civil protection is strikingly clear. Scientists need to be independent and provide scientifically-grounded risk assessments not biased to the needs of an administrator".


This was on the back of a colleague in the risk profession asking me about the separation of the roles of risk and audit because he was feeling increasingly conflicted while performing both roles. The message is clear: A lack of independence creates temptations of many kinds to twist the truth.

Below is a value model for independence that extends well beyond the avoidance of jail terms. It explores some of the drivers of temptation and shows the benefit of remaining independent. How do you overcome some of these temptations and remain independent and objective when giving your advice? Here are some tips for a range of professional situations:

Audit Professionals: Stick to auditing. If you set up the risk process and you help populate the risk profiles you are conflicted when it comes to providing assurance to management and the Board. By all means consult on risk for another client, but don't carry out both roles for one client.
 

Insurance Brokers: Whenever possible earn a fee for service and don't take brokerage or other fees from insurers. If that is not practical (and you may surprise yourself if you give it a go while explaining the reasons to your clients), then create a value statement for your company concerning independent, objective advice and preach this consistently to your staff. Above all, act always in fulfilment of your value statement as staff will act as you act.

Risk Advisers in Organisations: Don't get too close to the managers who actually manage the risk. They often can't see the forest for the trees and that is not their fault. Above all, stick to your principles and be prepared to resign. To be as comfortable in this position as possible, ensure you maintain a healthy professional network to support you, address any hearsay and to get you to your next role where your rewards will be greater still.

Everyone: It's all about managing reputation risk. You are only as good as your last piece of advice.

Posted in Risk Management

Risk Leadership - What is GRC?

I just returned from GRC 2012, the inaugural industry conference bringing together the Australian Compliance Institute and the Risk Management Institution of Australasia. If you are wondering what GRC stands for, why the associations combined their conferences and what GRC really means, here are my views.

What does GRC stand for? GRC is an acronym for Governance, Risk and Compliance. It has its origins in the US, particularly post the large corporate collapses of a decade ago, where there was a mountain of compliance requirements loaded onto organisations and the software industry responded with solutions. Some offered risk only or compliance only solutions, however, before long the industry was offering solutions for both, plus various elements of governance processes. Whether it was a software vendor or someone else who first coined the phrase is irrelevant, the software industry has been pushing their wares under this banner and it has become a huge industry globally.    

Why the combined conference? Because in many people's eyes, mine included, the risk and compliance professions are converging. Among my clients there is a plethora of job titles with mentions of either risk, compliance or both, along with a good proportion having governance in their title.

What does GRC Really Mean? There was a lot of discussion on this at the conference. Indeed there was often complete disdain for the term. In general people could see that risk and compliance activities are part of good governance and that good governance is a good risk and a good compliance strategy and hence they are closely linked. If you were to ask me to summarise what GRC means I would say that GRC is all about ensuring the organisation has "NO REGRETS". That although we might not have been as successful as we wanted to be, we were true to ourselves.

What is a GRC Professional? In short you are a performance coach. Athletes are coached to do their best and, other than those at the pinnacle of their sport, they fail many, many times. Perhaps you should have the title "Chief Performance Officer" or "Chief Performance Advisor"!

Posted in Risk Management

I have had some very interesting conversations lately with Boards, Senior Managers and Risk Managers about risk appetite. Here are some insights:

Describing what we mean by risk appetite: Risk appetite is risk speak, however, it can be easily explained. With private sector firms I tend to describe it using dollars as the example - "How much capital are you willing to risk to try and make your forecast profit?" For not-for-profits I tend to bring it back to values - "What are you willing to do to achieve your mission? What would you not do?" And for the public sector I tend to use their number one objective in their corporate plan - "What are you willing to do to achieve your number one objective? Would a few minor adverse audit findings be OK? Would you be prepared to weather the storm if the media ran with a story about your methods?"

Why risk appetite is important in risk management: I find putting risk appetite in context with how it is used when assessing risk is quite important. I use the example of crossing the road. The objective is always the same, however, the reason varies (running late for a meeting, running late for a hot date, to save your 4-year-old child from being abducted by a stranger). Your willingness to get to the other side, based on your assessment of how difficult it is to cross the road, is an expression of your risk appetite.

 Risk Appetite Statements: While risk criteria in the form of likelihood and consequence tables and a risk matrix are valuable expressions of risk appetite, staff who were not involved in the discussions that formulated them are not aware of all of the thinking behind them. Providing additional commentary on each category of risk and on the core corporate objectives will communicate a much clearer message to staff as to what constitutes acceptable behaviour.

Posted in Risk Management

Here are a few tips about risk statements and a link to one of my presentations where I outline how to complete a risk statement.

First and foremost, a risk statement is a conversation between the risk owner and any stakeholders that have or should have an interest in the risk. It is also a record of your analysis, a baseline for initial and ongoing risk reporting and a to-do list for the risk owner to monitor.

If your risk statement fulfils its role as a conversation between the risk owner and stakeholders, each stakeholder should have a clear appreciation of your position regarding the risk. That does not mean they have to agree with it, however, they will have enough information to engage with you and decide for themselves if they agree with the analysis or if they recommend changes.

In my view the articulation of the risk should be with regard to a specific objective and be made up of a range of sources of risk taken to one and no more than two levels below the objective (see the Sources column in the example). If in fact the achievement of the higher level objective is at high risk, then it may be warranted to continue well below the second level to get a clearer picture of what is driving the high risk level.

In my world of risk it therefore follows that you can capture a strategic risk profile for an organisation in 5 to 9 risk statements (risks) because most organisations have around 4 to 6 objectives. Then you may need to add some specific “risk” objectives such as one for safety if the organisation does not have a separate objective for safety or it is not sufficiently captured in a broader people objective.

 

Posted in Risk Management

This little blog stems from a question I read in a LinkedIn Group. The question was “Should risks be always stated in a negative manner?”

My view is that it doesn’t really matter as long as everyone involved accepts that risk is not only about the downside. As most modern definitions of risk refer either specifically (ISO 31000) or by inference to risk being about managing the uncertainty around our objectives, it follows that risk management is about achieving and hopefully exceeding our objectives – upside risk in some people’s terminology.

If any of your risk owners are unconvinced then try a slight change to the wording of the risk eg:

Risk V1: Failure to achieve a shareholder return of $XXX EBIT

Risk V2: Failure to achieve or exceed a shareholder return of $XXX EBIT

Tagged in: Risk Management

Posted in Risk Management

Risk Leadership - Should Boards have Risk Committees?

In November 2009 I contemplated "Should Board Audit and Risk Committees be Separate?" and today I question "Should a Board have a risk committee at all?"

In 2009 I concluded:

  • Management's responsibility is to identify, manage and report on risk against a predefined risk appetite which has been established in consultation with the oversight body, most commonly a Board of Directors or an Advisory Board.
  • The Board has an "assurer role" to provide stakeholders with assurance that management has done their job on risk.
  • The Board has a "mentoring role" to provide oversight of the risk management process.
  • Therefore there should be separate Audit and Risk committees fulfilling different roles, in particular for larger organisations with much larger amounts of information to process.

Since 2009 a few things have caught my attention that have caused me to consider whether the Board should have a risk committee at all. An example is APRA's requirement for Boards "... to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks."

Although APRA's requirement only applies to organisations they regulate, I believe it is applicable to all boards.  How then can a Board delegate risk to a sub-committee of the Board? Surely it is necessary for each and every director to understand the risk profile of the organisation.

 My advice to Boards is:

  • Have a Board Assurance Committee which, through audits and other means, is responsible for ensuring the risk management framework put in place by management is appropriate and working, just as it does with all the other key processes of the business.
  • The Board collectively should be in discussion with management to ensure the Board and Management understand the implications of strategic, business unit and major project risk profiles presented to the Board and whether or not risk levels are within the risk appetite set by the Board and Management.

Posted in Risk Management

As a risk workshop facilitator I get to assist many organisations to assess risk to their key organisational objectives. Interestingly, the outcomes are not always about risk treatments; often they are about reviewing risk appetite.

Situation One:

The results of the risk workshop show that three of five key strategic objectives have Extreme risk ratings.  This may be due to one of two scenarios:  Either you are an organisation that is on the edge of the cliff OR your risk criteria are simply wrong.  If the latter, you haven’t expressed your risk appetite clearly.  In this case, developing a risk appetite statement to augment risk criteria would help you to set the risk rating criteria more appropriately before the workshop.

Situation Two:

The risk workshop results in Low risk ratings for all your key strategic objectives.  Again this may be due to one of two scenarios:  Either your risk criteria are simply wrong where again development of a risk appetite statement to augment risk criteria will help OR you are “at risk” of being too conservative.  You may need to raise the bar higher.  On the other hand, you may be very content in your apparently low risk world.

The key point is that a clearly articulated risk appetite will drive people’s behaviour so you need to set it right to drive the behaviour you want to see.

Tagged in: Risk Appetite

Posted in Risk Management

Christchurch City Council has just released a blueprint for the future of the city's CBD, entitled the Christchurch Central Recovery Plan. It is bold and imaginative and makes this statement: "we are here and we will be back better than ever before".

Posted in Risk Management

Douglas Hubbard, in his book "The Failure of Risk Management", claims that risk management failed us in the lead-up to the GFC because of flawed risk models, the use of qualitative risk assessment through the use of risk matrices, or both. He contends that anything can be measured and that we should be measuring.

Tagged in: Risk Management

Comments:
  • Bryan Whitefield: Such an honour. The author himself! And of course you can post to your blog. I feel you may have misinterpreted my blog. I stat
  • Douglas W. Hubbard: Thanks for mentioning my work. In response to your two points against measurement, bear in mind that I specifically promote econom

Posted in Risk Management

The cloud is worth the risk if the annual benefit minus the expected cost of risk is greater than the cost to run in-house. A simple statement, however, on closer inspection the complexity of the decision becomes apparent and the engineer in me rises to the surface. Below is the cloud outsourcing decision expressed in mathematical terms. If you follow it through your cloud outsourcing decision should become clearer, even if it is difficult to assign numbers to give you an accurate answer.
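As an added worked example, not from the post (whose own mathematical formulation sits behind the read-more link), here is the decision rule stated above written out in Python. Two things in it are my assumptions rather than the post's: the expected cost of risk is decomposed into a sum over loss scenarios of annual probability times loss (the annualised loss expectancy of quantitative risk analysis), and every figure is a constructed sample number. It goes one step beyond the text with a break-even calculation: the annual probability of a single scenario at which the decision flips, which is usually what is actually argued over when numbers are hard to assign.

```python
"""Worked form of the post's cloud-outsourcing decision rule.

The post's rule: the cloud is worth it if
    annual_benefit - expected_cost_of_risk > cost_to_run_in_house

Assumption (mine, not stated on the page): expected_cost_of_risk is the
sum over loss scenarios of (annual probability x loss), i.e. the
annualised loss expectancy used in quantitative risk analysis.
All figures below are constructed sample values, not real data.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Scenario:
    """One thing that can go wrong with the cloud option."""
    name: str
    annual_probability: float  # chance it happens in a given year, 0..1
    loss: float                # cost if it happens, same currency as the benefit


def expected_cost_of_risk(scenarios: Sequence[Scenario]) -> float:
    """Annualised loss expectancy: sum of probability * loss per scenario."""
    total = 0.0
    for s in scenarios:
        if not 0.0 <= s.annual_probability <= 1.0:
            raise ValueError(f"{s.name}: probability must be in [0, 1]")
        if s.loss < 0:
            raise ValueError(f"{s.name}: loss must be non-negative")
        total += s.annual_probability * s.loss
    return total


def cloud_is_worth_it(annual_benefit: float, inhouse_cost: float,
                      scenarios: Sequence[Scenario]) -> Tuple[bool, float]:
    """Apply the post's rule. Returns (decision, margin): a positive margin
    is how much the cloud option beats in-house per year after risk."""
    margin = annual_benefit - expected_cost_of_risk(scenarios) - inhouse_cost
    return margin > 0, margin


def break_even_probability(annual_benefit: float, inhouse_cost: float,
                           scenarios: Sequence[Scenario],
                           name: str) -> Optional[float]:
    """Annual probability of the named scenario at which the decision flips,
    holding every other scenario fixed. Returns None if that scenario's loss
    is zero (its probability then cannot change the answer). A result above
    1 means the cloud wins even if the scenario is certain; below 0 means it
    loses even if the scenario is impossible."""
    matches = [s for s in scenarios if s.name == name]
    if not matches:
        raise ValueError(f"no scenario named {name!r}")
    target = matches[0]
    if target.loss == 0:
        return None
    others = [s for s in scenarios if s.name != name]
    # margin(p) = benefit - inhouse - ALE(others) - p * loss; zero at:
    headroom = annual_benefit - inhouse_cost - expected_cost_of_risk(others)
    return headroom / target.loss


# Constructed sample input (assumed annual figures, one currency).
SAMPLE_BENEFIT = 400_000.0   # savings and other benefit of moving to the cloud
SAMPLE_INHOUSE = 250_000.0   # cost to keep running the service in-house
SAMPLE_SCENARIOS = (
    Scenario("provider outage", 0.20, 150_000.0),
    Scenario("data breach at provider", 0.02, 2_000_000.0),
    Scenario("forced migration off provider", 0.05, 300_000.0),
)

if __name__ == "__main__":
    ale = expected_cost_of_risk(SAMPLE_SCENARIOS)
    go, margin = cloud_is_worth_it(SAMPLE_BENEFIT, SAMPLE_INHOUSE, SAMPLE_SCENARIOS)
    p_star = break_even_probability(SAMPLE_BENEFIT, SAMPLE_INHOUSE,
                                    SAMPLE_SCENARIOS, "data breach at provider")
    print(f"expected cost of risk: {ale:,.0f}")
    print(f"cloud worth it: {go} (margin {margin:,.0f} per year)")
    print(f"breach probability at which the decision flips: {p_star:.4f}")
```

The break-even figure is the practical output. Rather than defending a point estimate of, say, breach likelihood, you only have to decide whether the true annual probability sits above or below it, which is a much easier conversation to have with a board.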

Tagged in: Risk Management

Posted in Risk Management

Risk Leadership? Think Rescorla, Boisjoly & LeMessurier

These names may not be familiar to you, however, they all have a prominent position in James Chiles' book "Inviting Disaster".

 


Rescorla was the head of security at Morgan Stanley in the South Tower of the World Trade Center at the time of the 9/11 terrorist attack. After the bombing of the underground car park of the World Trade Center in 1993, he warned the firm of a possible terrorist attack from the air and that the firm should consider moving to another building. Because the lease was not up until 2006, no action had been taken by 2001. When the first plane hit the North Tower he acted on his earlier concerns and immediately started evacuating his staff in the South Tower while other firms delayed. Only 7 staff were lost, including Rescorla, who was personally checking floor by floor that staff had been evacuated when the tower collapsed.


Boisjoly was an engineer at Morton Thiokol, the firm responsible for the design of the space shuttle rocket booster that sent the shuttle into orbit. Their design included the "O-ring" that failed on the Challenger shuttle in 1986. In a telecon with NASA the evening before the launch he had convinced his manager to refuse to sign off on the launch approval due to problems associated with inflexibility of the "O-ring" under cold temperatures. After much harassment from NASA, due to pressures of public image after several delayed launches, objections were withdrawn and sign off on the launch was given at a higher level. Boisjoly watched the launch the next morning at the behest of his manager only to be shattered by the resultant mid-air explosion. "Boisjoly spent the rest of the day in his office, not even able to speak when people stopped by to ask how he was doing."


LeMessurier was a structural engineer who designed the Citicorp tower erected in Manhattan in 1978. After the building was occupied he became aware of a number of construction issues, and after investigation he discovered there was a 50/50 chance of the building collapsing under wind stress of a kind experienced in Manhattan roughly every 15 years. He could have kept quiet, as his firm was partially to blame; however, he spoke out. The building was retrofitted and made safe. His admission led to praise, not ridicule.


These Risk Leaders, although not one was fully successful in their original quest, show what is required of a strong Risk Leader:

  • Commitment to their firm and staff
  • A mind attuned to identifying and analysing risk
  • A willingness to take the difficult course of action

There are many more Risk Leaders who have not been written about in a book - because their message was heard. When you know something is wrong in your organisation, how far are you willing to push the issue? Do you have the knowledge, understanding and skill to deliver the message? Are you heard?

Tagged in: Risk Leadership

Posted in Risk Management

Stakeholder relationships can be complex and full of surprises and hence a perfect space for risk to simmer and sometimes erupt. Perhaps the single most important aspect of stakeholder relationships that sets them apart from other challenges you face is the extremely far reaching effect a poorly managed relationship can have. One minute you can be the flavour of the month and the next there can be a domino effect where first one customer finds you to be off-colour and the word gets out and next thing you know you have a crisis on your hands. It is no different for government agencies or the not-for-profit sector, people's perceptions of you can change very quickly.

Posted in Risk Management

"Who is to blame?" How often do we read that line in a newsletter or magazine article about a legal dispute when it all went wrong? Too often, we ignore those little clauses in contracts called indemnities. A slight change in wording in an indemnity can vastly change the circumstances of who pays how much if it does all go horribly wrong. Sometimes the contract gets signed without proper legal review and when we do have legal review, we often suffer from either the Optimism Effect or the Pessimism Effect.