Risk Management Blog
Bryan Whitefield focuses on building risk leaders in organisations and on demystifying enterprise risk management, risk financing and business continuity planning for non-risk professionals.
Last month I mentioned a recent webinar I ran on Risk Appetite in which I pointed out that an articulated risk appetite statement is only the beginning. You need managers to operationalise it so that staff can live it.
One part of operationalising risk appetite is through communication to staff. Another part is through implementing a regime of risk tolerance monitoring. In plain language that means: monitoring processes and systems to see if they are operating as they were designed to.
There are several challenges when it comes to establishing a monitoring regime:
1. You measure way too many things.
2. You look at something and suggest it is simply not measurable.
3. You don’t see the value in measuring so you don’t even start.
A. You should only be measuring what matters.
B. Everything is measurable, it is a case of making sure we know which measures matter and then devising a means to economically measure them.
C. The value comes from understanding what the data is telling you and being able to communicate that to the business.
All of these answers lie within the data, data you have access to right now; however, you don’t even realise it.
What is required is the development of the skills or the acquisition of resources that can help you find the answers from within the data and to create the narrative around it so you can communicate it to the business.
Please don’t throw your hands up and say it is too hard. Take on the challenge. Boards and Executive teams are demanding earlier and earlier indicators of risk, not more excuses as to why we did not see it coming.
In my Trusted Advisor program I discuss the concept of wisdom with participants. We draw out what it means and what it looks like. I always ensure that simplicity gets onto the whiteboard. At the end of the day, we all know that when we hear about something new that is very, very simple we are singularly impressed.
For many of us we have created complexity in what we do or deliver for seemingly many good reasons. Take aircraft for example. Around a century ago we went from a base structure with cockpit, landing wheels and wings to build aircraft with cabins, seats and TVs with an ability to cater for just about every need. Some of the really successful airlines of today have pared back that complexity and become budget airlines (not unsafe airlines). They don’t fly cargo, they won’t carry your cat or dog and it is BYO entertainment.
So my food for thought for this month is to ask yourself how you can pare back complexity in what you are doing. Look to identify the underlying cause of the effects you or your product or service are having on stakeholders and eliminate the bad or unneeded and work harder on the good or needed.
To clarify, the question I am asking is twofold. One relates to the perceptions created for the end client, management and the Board. The second relates to governance.
Taking the second question first, does having risk and audit report through to one person mean that that person has a conflict of interest? When might this be the case? Under what circumstances? Does it depend on the specific arrangements for risk and audit or is it simply better practice to not have them linked? Are they linked simply for the organisation to save money or for good reason? My premise for considering this a potential dilemma is that risk management is a support function and audit is an assurance function and audit should be assuring management and the Board from time to time that risk management is doing a great job of supporting the business.
Second, does linking risk and audit serve to confuse the business? Does it create or reinforce existing perceptions that risk is a compliance function?
I have plenty of reasons to argue that risk and audit should not report to one person, however, let me give you some perspectives from speakers at the RMIA Conference in Brisbane last week.
Collaboration of Risk and Audit:
Several speakers discussed how as Group Manager for Risk and Assurance or with similar titles they had seen great benefits from the collaboration of risk and audit. This I can see, there is no doubt that risk should know what audit is thinking so they can help support the business while audit should know the results of risk profiling and the controls the organisation is relying on for the management of risk.
My problem is when the risk team and the audit team report to the same person. I made a comment and asked a question at the conference that went like this:
“I am not entirely convinced of the merits of risk and audit coming together under one person. I quite regularly have phone calls from professionals asking me for information to support their view to management that their dual role should be split. The main reason, because they feel conflicted. I asked ‘Is this because of the personality or skill set of the person, because of the business model they are operating under or simply because it is true?’
Cannot two different teams reporting to two different managers ensure collaboration between the two teams while remaining independent and free of conflict?
Perceptions of Risk and Audit:
My view of the risk function is that risk should be striving to become a trusted advisor to the business and leave assurance that risk is being managed well to the auditors. The main reason is that to be a trusted advisor your (internal) client should not look at you as an internal cop.
There were two very important statements by Chief Risk Officers at the RMIA Conference that reinforced my view on this:
Peter Dean, Bank of Queensland. Peter said that his role as a member of the executive team is as a strategic advisor. Personally I believe any amount of the “compliance brush” being painted on that role will diminish its effectiveness. Managers will tend to “game” anyone that is checking up on them.
The second was Mark Hamill from Fortescue Metals. Now I only came in on his presentation just as he was saying this, so this is not a direct quote. He said words to the effect that one of the managers he was working with was saying that he was happy to help him with the risk profile rather than Mark help the manager! This is classic management perception that risk is a compliance function and not a critical success factor for the business.
What a long post! My apologies, however, I am really keen to hear your views and wanted to give some good background to my thinking.
I thought this article by the UNSW Business School put forward a well-balanced argument for and against the Australian Institute of Company Directors’ push for changes to corporations law to afford directors broader protection (see AICD article here).
In essence the argument goes that if directors feel too much at risk of personal liability they either won’t act as a director or they will be risk averse in their decision making. Being too risk averse is bad for the economy and bad for shareholders. Providing too much protection for directors may lead to poor risk taking and may harm stakeholders.
I am not a legal expert so I cannot provide any clarity on the likely realities of the current protection vs the AICD proposed protection. What I can offer, however, is some practical advice to directors on risk taking.
Without doubt there is good and there is bad risk taking. Think Apple and the iPhone 6. All those people who lined up to buy an iPhone 6 as soon as the store opened would have been hoping that the new version had some really cool new features. This does not come without risk taking. Of course if Apple took too much risk and the phone was a disaster, customers would be most dissatisfied. And so on and so on when you look at other key stakeholders of a business.
The tip for directors is that having management articulate the organisation’s appetite for risk allows for a much needed discussion to occur to ensure directors and executives are on the same page when it comes to risk taking. Don’t forget, depending on the remuneration structures you have in place, executives may be much more highly incentivised to take risk when compared to a director.
In a recent webinar I ran on Risk Appetite, I also pointed out that an articulated risk appetite statement is only the beginning. You need managers to operationalise it so that staff can live it.
As a Trusted Advisor in Risk do you focus on all the decisions the business is making or do you focus on the big issues?
I bet you thought to yourself, of course I focus on the big issues, they are the ones that count.
Now, what if I asked you, “as a Trusted Advisor in Risk, do you VALUE all of the decisions the business is making or do you only focus on the big issues?” Now you are saying to yourself, “of course I value all of the decisions and I value the bigger ones more than the smaller ones.”
Now let’s think about the decision to expand capacity of a current manufacturing process. Let’s assume to do this will cost of the order of $100M and will take 12 to 15 months from decision to move ahead until the first product from the expanded facility is being shipped to market.
The first decision, to expand the plant or not is obviously the biggest one. However, once the decision is made, there will be many thousands of decisions being made by staff, contractors and suppliers before the plant is in full production. There will be decisions about technology and about which supplier to use. There will be decisions about timing of purchases and modes of transport. There will be decisions about hiring additional plant operators and how best to train them.
Are you getting the same feeling that I am getting? The size and the importance of decisions is reducing over time, however, their numbers are increasing. I have portrayed this as a Decision Value Curve (see diagram). My point is, that the 1,000 decisions at the end of a project can approach the value of the big decisions at the start of a project.
What does this mean for you? Yes it means you had better get the big decisions as right as possible. However, it also means you had better have all your people making good decisions given the sheer volume of them being made. One poor choice can set a project back a month or render a desired functional outcome as no longer possible. Therefore you want good risk-based decision making by all your staff throughout the organisation.
As a Trusted Advisor you and your team of advisors or Risk Champions should be helping to ensure you have staff across the organisation highly capable at decision-making under uncertainty – yes, that’s Risk Management!
Please write your thoughts in my Blog, here.
I was reading a recent article from Knowledge@Wharton called “It’s Worth What!? Pressure-testing Companies with Sky-high Valuations” based on a book by Derek Lidow about Startups and what leadership style is needed at which point. So if you are a stock market punter it is worth a full read.
I was attracted to the article because I remember oh so well the dot.com to dot.bomb era at the turn of the century (doesn’t that sound like a long time ago?) and I have been fascinated with valuations of companies like Facebook and Uber. I understand that the market is backing the intellectual capital within the heads of the founders and their employees, however, this article clarified for me some of the decisions they need to make so they “make it” in business.
One key decision is to create and to hone at the same time. The article refers to Google as having “…shown itself skilful at creating new products while simultaneously honing existing ones”.
The process of creating and honing is not just for Startups. It has a place in most product and service development. Everyone in business should be looking for add-ons to your offering, however, add-ons bring complexity and so you also need to know when to pare back complexity and hone-in on what you do best.
The way to pare back complexity is to reveal cause and effect. That is, which of our product or service offering add-ons are causing customer satisfaction, which have become neutral and which are now causing dissatisfaction. Just because you added it on for good reason a year ago, doesn’t mean it should stay today.
If you have attended a workshop or speech of mine in the last 10 years you may well have been exposed to my version of the risk management journey for organisations from Vulnerable to Resilient. I portray the journey using an S-Curve, as shown here:
The nature of an S-Curve is that it is relatively easy to run up the middle of the curve, however, it is difficult to move up the last 20% or so. So it is for organisations in their risk management journey and so it is for Risk Advisors in organisations.
My observation is that there are four phases along the S-Curve for a corporate risk advisor. They are:
• Framework Designer
• Perception Modifier
• Behaviour Change, and
• Trusted Advisor
If you focus too much on framework design you are likely to make it too complex. Once you move on to modifying staff’s perceptions you begin to make substantial change in your world; that is, people seem to be listening. The real test is if you have moved on to become a Behaviour Changer. Are staff behaving the way you hope they will, are they making better decisions by taking more account of the uncertainty around those decisions? And then the ultimate goal is to become the Trusted Advisor. Are you getting invited to the table where the big decisions are being made?
Where are you on your personal S-Curve?
The MIT Sloan Management Review and Deloitte University Press have collaborated to produce an excellent paper on the value of social media. It is titled Moving Beyond Marketing and it can be found here.
The article made me realise that if all an organisation is doing is using social media for communicating messages and monitoring the response, they are missing out on great opportunities. The paper is based on research into social media use by business and derives its key learnings from businesses they describe as at the mature end of the sector, the ones:
- Using social media to make a broad range of decisions
- That have their leadership focused on a vision of social media creating massive positive change, and
- That have a vision that includes social media being used for much, much more than marketing
Here are some thoughts from my read of the paper:
- Integrate social media into operations such as to drive product development or help facilitate after sales service. How often do you search for a solution to a problem with a product on the internet only to find the company only provides a manual that doesn’t really help? The next search result is for a forum where some other poor sod with the same problem, who solved it, has had the good sense to let other people know about it. More advanced companies have their own forums, monitor other forums and respond through those same channels.
- Monitoring social media is an obvious must, however, there also should be a periodic high level review of the data. Trends, repetition, absence of reference are all items that may tell a story that needs to be acted on.
- Senior management must get involved. It can’t just be outsourced to those in the organisation who use and like social media. It requires leadership to ensure the best results. That doesn’t mean you have to be on Twitter like Rupert Murdoch.
- Facilitate how social media drives talent development. Use social media to allow staff to express themselves, share knowledge and cultivate a strong, close-knit community.
There are lots of great examples in this paper of how companies have utilised social media to drive change. I encourage you not to sit back and watch, get in and be part of it as the way we work continues to evolve.
I have said more than once that the IT industry has much to be blamed for in terms of poor project delivery. I wrote a discussion paper on Project Risk Management where I led off with “Why could we land a man on the moon in 1969 yet in 2013 we struggle to get a moderate sized IT project delivered successfully? – An acceptance of mediocrity?”
I recently read “Agile for Dummies” published by IBM and authored by Scott W. Ambler and Matthew Holitza, which is about mastering Agile, a project management methodology for IT projects (by the way, it’s free). It reminded me of a conversation I had with a mate about project management that made me realise we really do not learn enough from other industries. My mate was a very experienced project manager in the major construction industry. Later in his career he found himself managing a large non-construction project for an organisation and he told me that they thought he was an absolute genius because he introduced two week project planning within the longer-term 12 month project plan. Of course, this is how he had learnt the trade of project management, he never knew any other way.
The truth is that the Agile IT project management technique, whether by accident or because they went looking, is based on short, such as two week, development windows. Where it differs from a construction project is their focus on delivering working software every two weeks whereas that focus can’t apply to building a 30-storey building!
Now all the Agile community needs to get right is some good risk assessment methodologies and the IT industry really will have learnt to do things well. They may exist, however, I have not found an IT team that was doing risk assessment well before I arrived (sorry clients!), and IBM’s paper did not fill me full of confidence. It does recognise “project risk” throughout and they do provide tips on how to reduce it. In fact, they mention risk management as one of the “things” to be focussed on at the right time, but include nothing about how to do it.
Risk taking is not just essential, it is unavoidable. The other evening I was waiting at a busy intersection with complicated turning options for vehicles. I saw a green light, took two steps, realised something was wrong and hightailed it back to the curb. Yes, it was the green light for the cars and my pre-programmed and distracted brain misinterpreted it as a signal for me to commence my crossing.
How could this “incident” be avoided? Automatic barriers preventing me from crossing that are linked to the lights? The same system at every busy intersection? That infrastructure would cost millions – could this money be better spent on health or education?
My point is, society has by default chosen a background level of risk to life and limb that is at least approaching tolerable although we continue to try and improve safety as our knowledge, technology and wealth increase.
Has anyone written down our society’s appetite for risk? Should we? Would we?
This is a truly vexing question and in an organisational context, managers often either choose not to document their implied risk appetite or write down what they believe is palatable rather than the truth. Does this impede risk-based decision-making in the organisation or do staff inherently know the accepted level?
In my experience the larger the organisation, the less likely staff have adopted the same risk appetite that senior management have for risk. Documenting and communicating risk appetite both ensures all senior managers are on the same page and definitely drives decision-making further down the organisation.
If you don’t have one, have a look at this sample Risk Appetite Statement and let me know if you would like some help.
Last month I provided some tips regarding improving engagement with your risk program through developing your personal skills and building a team of Risk Champions to support you. This month I want to dig a little deeper to expose a key driver to great engagement and that is experiential learning.
Because of many people’s poor perception of risk, their willingness to engage is very low. The perception of risk as only compliance, as a handbrake on business, is a barrier to learning. Consequently you need strong learning techniques to break down the barrier.
- Describe the barrier – unveil it if you wish
- Paint a different picture of risk – paint a picture of success
- Take them through the process – show them it works
For the last tip, showing them it works, I highly recommend you follow these 5 experiential learning steps:
- Break your participants into groups
- Use live examples such as a current project
- Ask them to apply the risk tools and templates you have provided them
- Guide them through the process with your expert facilitation
- Help them to implement their learnings back in the workplace
Food for Thought: Is it Luck or Good Management?
They have a saying in the insurance industry: “A lucky underwriter beats a good underwriter any day of the week”. Well, we have it confirmed once again that Australia is the Lucky Country. This time the evidence is provided by APRA in their submission to the Financial System Enquiry on 31 March 2014.
In the Executive Summary on Page 6 it states:
“APRA eschewed light touch supervision in the wake of the collapse of HIH Insurance in 2001, and it has significantly strengthened its supervisory approaches and practices since then. In APRA’s view, its most enduring contribution to the resilience of institutions in the crisis came from its ‘close touch’ efforts to promote their financial health prior to the crisis, and to deal conclusively with struggling institutions.”
So the truth of the matter is that following the massive impact of the collapse of HIH, APRA changed and changed more than significantly. It grew very large teeth and it has not been afraid to use them. By 2007/2008 as the financial crisis unfolded the heavy hand of APRA had been felt by Australia’s financial institutions and their management had not played the same games as their counterparts around the world. Australia survived relatively intact. Now APRA, quite rightly, is seen as a guiding light for other regulators globally.
Still, there is a bigger question. Why can’t we learn from the past and not take our eye off the ball when things are going well again? Perhaps it is simply the optimistic nature of humankind.
If things are going pretty well for your organisation now, please investigate your corporate memory bank and have a look for where history may be repeating itself.
Food for Thought – Policy Administration
Last November in my Risk e-Views newsletter I wrote about a book entitled Administrative Behaviour by Herbert A. Simon. In a nutshell, Simon describes the basis of an organisation as:
• A well-defined purpose communicated to staff and other stakeholders.
• A series of decisions that affect actions.
• Policies, processes and systems to influence the decisions.
So, I recognise policies are inherently important for guiding the decision-making within your organisation, however, policies and their abundance have always been a vexed issue for me. In an ideal world all of your people know everything you could possibly write in a policy through osmosis. The reality is, there is a never-ending challenge to get the balance right between a policy void (low control) and policy mania (high control).
I found this paper entitled The Definitive Guide to Policy Management from Navex Global to be thought provoking and comprehensive. Remember when reading it, however, it is a US based company with the US its biggest market which means that with the level of laws, regulation and litigation in the US, large organisations in that market have a different level of challenge to most Australian companies.
I am not a policy administration specialist, I do however know about decision-making. So if decision-making in your organisation is in need of a cultural shift, please book a timeslot for a 15 or 30-minute one-on-one teleshare (a telecon with screen sharing) so we can explore your options. Book here or give me a call on (02) 9400 9702 to arrange a time.
Food for Thought: Performance & Health - A New Management Lexicon?
I have long agreed with those in the investment community that argue analysts drive short-term thinking by managers of many publicly listed companies, which in the end destroys value. While reading this article by McKinsey entitled “Building the healthy corporation” I realised that many organisations are now fighting back. McKinsey report that a number of firms have brought “Performance and health” into the corporate lexicon. They explain further with:
“Just as people may seem reasonably well today but may not have the physical condition for the rigors of a long and active life, so too companies that are profitable in the short term may not have what it takes to perform well year after year.”
A good point they make is that most investors do highly value health as well as performance and that it appears the noisy few investment analysts are the ones that are often heard and reacted to.
The McKinsey list for a healthy corporate body:
While you can argue a list like this until you are blue in the face, it is a sound list. In my experience, the one management has pushed the least in the modern organisation is “Metrics”. So many facets of an organisation are challenging to measure, however, if something is important it should be measured otherwise your subjective assessment of your performance will more likely be a long way off the mark.
Metrics using hard data and proxies for hard data can and should be developed. In my experience, once you get going with metrics, you will find the process somewhat intriguing and highly rewarding.
Call me on (02) 9400 9702 or email if you’d like to discuss methods for measuring the health of your organisation.
Food for Thought: The Challenge of Digital Transformation – We are ignoring the root cause!
An MIT Sloan Management & Capgemini research study prompted this edition of Food for Thought. The key theme – business leaders are lacking urgency when it comes to pursuing opportunities being afforded by technology. This quote from the article sums it up best:
“There are two wrong ways to approach (digital transformation),” MIT’s George Westerman told us. “One is to say, ‘just go off and do something. And we don’t need to worry about coordination.’ Another is to hire a bunch of people and say ‘make this happen. I don’t need to be involved.’”
Now cast your minds back to the 1990s. “Whoa, here comes a thing called the internet with this crazy email functionality!” “What a cool name, placing an “e” in front!”. What we have seen since are stories of boom and bust.
I found the article excellent in articulating the current problem and it provides many sound ways of addressing it; however, the article does not address the question of “why” the problem is there in the first place. I can give you one very good reason: most senior management do not have sufficient understanding of technology – full stop.
Now here is the clincher for me. Last week I had the pleasure of offering some mentoring advice to some undergraduate business students, the future accountants, bankers, marketers and yes, CEOs. I asked them if their degree included a course on technology. The answer: “No”!
I ask you why, if technology has had the impact it has had in the past twenty years and the likes of MIT Sloan Management Review are able to so clearly depict the opportunities of the future, why are we not teaching our youngest and brightest about managing technology? Yes they may be excellent users of technology (so was I twenty years ago), however, being an advanced user of Twitter or Google has nothing to do with the core skills required to lead organisations through the next twenty years of technological change. Skills that from my perspective are still sadly lacking across Australian business.
If you agree or disagree I would love to read your comments on my blog. If you want to hear more from me on the topic, email me with your question and I will do my best to answer it within a few days – firstname.lastname@example.org.
Food for Thought: Bridging Silos
Silos allow management and teams to focus, however, they also create barriers to collaboration and the flow of much needed information. In this interview by McKinsey with Paolo Cederle, CEO of Milan-based UniCredit Business Integrated Solutions, Paolo outlines the business model UniCredit designed to move away from siloed thinking and provides some key insights into how they overcame many of the challenges the new organisational structure presented. Some of those insights included:
1. Matrix organisation guided via a governance layer. The organisational structure is now defined by a matrix of business lines and banking and infrastructure service lines referred to as the “factory layer”. Overlaying the matrix is a governance layer aimed at driving the integration of silos.
2. Disruptive cultural change. They recognised the culture change required was particularly disruptive as the new organisation required business and support people to work much more closely. People with often very different skill sets and ways of doing things needed to meet and find a new common ground.
3. Communication through technology. As with any change, communication is key. UniCredit used the latest in technology to drive the cultural shift. This included manager blogs, webinars, PC-enabled video conferencing and the use of narrowcast videos.
4. Management support. They did not sit back and find out which managers rose to the top, they designed the governance layer to specifically support them to both understand their new role and to assist them to drive the transformation.
While I have long upheld that a good risk management framework breaks down silos, I fully recognise that breaking down these ingrained structures is a complex task and this interview highlights some key steps to take to manage the transition.
Food for Thought: How technology slows the pace of change
I was listening to the radio just recently. A caller was asked about something he had done that was a bit unusual and his answer was “Run a 14km fun run in a Gorilla suit with my best mate”. Asked how wearing gorilla suits impacted their race time, his answer caught me and the radio host a bit by surprise. They had been running in the gorilla suits every year for over ten years and their race time had become not just slower, it had become exponentially slower as each year had gone by. The reason – technology!
What had technology done? It had put a camera in the pockets of the masses. Just about every runner in the race was carrying a smartphone with an A-Grade camera and they were snap-happy. Being the polite gentlemen that they are, they could not refuse a request for a photo.
This got me thinking about how else technology slows us down. Here is my hit list:
We wait for it patiently. We wait for the next best thing and miss out on the short-term benefits from the “now” best thing.
We wait for it impatiently. We fail to implement technology well and we wait until we get it right and way too often we wait and wait and wait.
We don’t wait for it, we grab it and we play with it. This is the typical techo. They can’t help themselves. The technology is soooo cool, it has to be played with.
We don’t wait for it, we grab it, we play with it and we discard it way too soon. This is the typical non-techo. We grab the technology all starry-eyed with grand visions and we are soon disappointed because we didn’t meld the technology into our environment. We just shoved it in.
For me this reinforces just how hard it is for designers to communicate to us about their technology and for us to assess it. Irrespective, can you all please keep designing and assessing, as without doubt, technology makes the world an incredibly interesting place!
- Risk Management Partners
- +61 2 9400 9702
- © Copyright RMP 2010