The authors of “Managing Risk and Performance: A Guide for Government Decision Makers” were kind enough to send me a copy for my review and comment here. (The above link is to the Kindle edition, but it is also available in hardcover).
Intended for those charged with oversight or performance of the risk management function in government, Stanton and Webster have provided us with a great deal of material to ponder. In addition to their own work, the book has chapters from a number of others – including my good friend, John Fraser.
I confess to being let down by the book. I don’t think it spends enough time talking about the need for decision-makers at all levels to consider the potential effects of uncertainty (both upside and downside), or the need for risk-adjusted performance management. It focuses almost exclusively on the narrow definition of risk as being something bad, rather than including opportunities for success.
But it does have some good information, including how enterprise risk management was implemented in one government agency, and always useful information about Hydro One’s program.
If you are in government and charged with either oversight or execution of the risk management program, this book has value that justifies buying it. Just be aware that there is more to mature risk management than is covered in these 284 pages.
The latest edition of McKinsey Quarterly is on the topic of “Building a forward-looking board”.
I like the general theme, that “directors should spend a greater share of their time shaping an agenda for the future”. This is consistent with board surveys that indicate board members would prefer to spend more time on strategy and less on routine compliance and other matters.
The author, a director emeritus of the Zurich office and member of several European company boards, makes a number of good points but leaves me less than completely satisfied.
The good quotes first:
Governance arguably suffers most, though, when boards spend too much time looking in the rear-view mirror and not enough scanning the road ahead.
Today’s board agendas, indeed, are surprisingly similar to those of a century ago, when the second Industrial Revolution was at its peak. Directors still spend the bulk of their time on quarterly reports, audit reviews, budgets, and compliance—70 percent is not atypical—instead of on matters crucial to the future prosperity and direction of the business.
“Boards need to look further out than anyone else in the company,” commented the chairman of a leading energy company. “There are times when CEOs are the last ones to see changes coming.”
Many rational management groups will be tempted to adopt a short-term view; in a lot of cases, only the board can consistently take the longer-term perspective.
Distracted by the details of compliance and new regulations, however, many directors we meet simply don’t know enough about the fundamentals and long-term strategies of their companies to add value and avoid trouble.
Rather than seeing the job as supporting the CEO at all times, the directors of these companies [with prudent, farsighted, and independent-minded boards] engage in strategic discussions, form independent opinions, and work closely with the executive team to make sure long-term goals are well formulated and subsequently met.
Boards seeking to play a constructive, forward-looking role must have real knowledge of their companies’ operations, markets, and competitors.
The best boards act as effective coaches and sparring partners for the top team.
The central role of the board is to cocreate and ultimately agree on the company’s strategy. In many corporations, however, CEOs present their strategic vision once a year, the directors discuss and tweak it at a single meeting, and the plan is then adopted. The board’s input is minimal, and there’s not enough time for debate or enough in-depth information to underpin proper consideration of the alternatives.
While I agree with the forward-looking theme and some of the ideas around such issues as getting the most from the talent within the organization, I am troubled in a few areas:
- The detailed discussion on strategy still has a shorter horizon, one year, than I believe optimal. While it is difficult if not impossible to plan further ahead, the organization should have a shared understanding between the board and top executives about how it will create value for its stakeholders over the longer period. There should be more discussions around strategic and other developments (risks and opportunities) that should shape not only long-term but short-term actions.
- There is insufficient discussion of the fact that you cannot have a fruitful discussion about strategy without understanding the risks (adverse and potentially positive) in the business environment. What are they today and how will they change tomorrow? How able (agile) is the organization, not only to withstand potentially negative effects (the focus of McKinsey in this piece) but to take advantage of market opportunities? Is it now, and will it in the future be, able to change or adapt strategies established in different conditions?
- Many companies are less than agile because they have stuck-in-the-mud executives, unable to pull themselves out due to a lack of vision, legacy systems, and poor information. The boards need to understand this and question management on how they plan to address it – with urgency!
- Finally, while the piece discusses the need for effective board and director evaluations, surveys show that it is hard to fire under-performing directors. How can a board succeed in that environment? I think this needs to be on the board agenda if it is to remain forward-looking.
Do you agree? I welcome your comments.
If your audit firm is asking you to complete a COSO checklist with the 17 Principles, please let me know a.s.a.p. I am talking to a regulator who would like to know.
The topic of risk culture has been receiving a lot of attention ever since it was identified as a cause of many of the problems that led to major issues at financial services organizations a few years ago.
Risk culture drives behavior when it comes to taking the desired risks and levels of risk. As I say in my KEY POINTS section at the end of this post, traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact (of taking the risk) and after damage may have been done!
One learned paper (I was a minor contributor) was published by the excellent Institute of Risk Management. I wrote about the topic in a 2011 blog post, with reference to a couple of excellent articles, and included these quotes:
“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.
Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non‐executives and regulators and organisational cultures which inhibited effective challenge to risk taking.
Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).”
“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.
While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”
I like the definition above, that “Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.”
In other words, risk culture is what drives human behavior. That behavior can be, and hopefully is, to take the risks that the organization wants taken. But too often, people react to a situation by taking the ‘wrong’ risk (including taking either too much or too little risk).
Now a new paper has been published. By three respected professors, Risk Culture in Financial Organisations tackles the topic in great depth. It doesn’t include a clear (at least to me) definition of risk culture, but I believe if they did it would be consistent with my discussion, above. They certainly talk about the trade-offs and identify many of the same factors that contribute to an organization’s risk culture.
I suspect that readers of the research paper will appreciate the discussions of such matters as whether the risk function should try to be an independent monitor or a partner to the business; whether the risk function is focused on enabling effective decisions to advance the organization, or on compliance; whether organizations know where behaviors and their drivers need to change; and the questions it suggests organizations ask to probe the issues.
I particularly enjoyed some of the quotes the authors included, such as:
“…the leaders of industry must collectively procure a visible and substantive change in the culture of our institutions, so as fundamentally to convince the world once again that they are businesses which can be relied on.”
“…development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”
“The institutional cleverness, taken with its edginess and a strong desire to win, made Barclays a difficult organisation for stakeholders to engage with. Barclays was sometimes perceived as being within the letter of the law but not within its spirit. There was an over-emphasis on short-term financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients. There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”
“The strategy set by the Board from the creation of the new Group sowed the seeds of its destruction. HBOS set a strategy for aggressive, asset-led growth across divisions over a sustained period. This involved accepting more risk across all divisions of the Group. Although many of the strengths of the two brands within HBOS largely persisted at branch level, the strategy created a new culture in the higher echelons of the bank. This culture was brash, underpinned by a belief that the growing market share was due to a special set of skills which HBOS possessed and which its competitors lacked.”
“In contrast to JPMorgan Chase’s reputation for best-in-class risk management, the whale trades exposed a bank culture in which risk limit breaches were routinely disregarded, risk metrics were frequently criticised or downplayed, and risk evaluation models were targeted by bank personnel seeking to produce artificially lower capital requirements.”
“Culture has played a significant part in the development of the problems to be seen in this Trust. This culture is characterised by introspection, lack of insight or sufficient self-criticism, rejection of external criticism, reliance on external praise and, above all, fear….from top to bottom of this organisation. Such a culture does not develop overnight but is a symptom of a long-standing lack of positive and effective direction at all levels. This is not something that it is possible to change overnight either, but will require determined and inspirational leadership over a sustained period of time from within the Trust.”
“Absent major crises, and given the remarkable financial returns available from deepwater reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency… There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”
Simons’ Risk Exposure Calculator (1999) is composed of 12 keys that reflect different sources of pressure for a company. Managers should score each key from 1 (low) to 5 (high). ‘Alarm bells’ should be ringing if the total score is higher than thirty-five. The keys are: pressures for performance, rate of expansion, staff inexperience, rewards for entrepreneurial risk-taking, executive resistance to bad news, level of internal competition, transaction complexity and velocity, gaps in diagnostic performance measures, degree of decentralised decision-making.
“You go to a management meeting and you talk about management issues and then you go to a risk committee and you talk about risk issues. And sometimes you talk about the same issues in both but people get very confused and I don’t know … I don’t know how right it is but I really think you should be talking about risk when you talk about your management issues because it kind of feels to me again culturally that’s where we are.”
“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite […] Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”
This is clearly the work of academics, and practitioners may find it hard to digest the long piece. However, the authors have tried to be practical, and if you focus on the questions at the end of each section there is some good material.
In particular, focus on the underlying message. In my reading, it is essential that management and boards of organizations, including but not limited to the risk office, understand how behavior is being driven when it comes to taking desired risks – and levels of risk.
- Are the positive influencers, like policies and related training, effective?
- Are the potentially negative influencers, such as short-term financial incentives, understood and mitigated?
This understanding should then be used to assess whether actions need to be taken to improve the likelihood that desired risks will be taken.
Whether you call this risk culture or not, I believe it is very important. Traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact and after damage may have been done!
By the way, the Bibliography is excellent and the publication is worth downloading just to get it!
I welcome your views and comments.
The Audit Committee of the Board (or equivalent) is responsible for oversight of the external auditors’ work. This should include taking reasonable measures to ensure a quality audit on which the board and stakeholders can place reliance. As a second priority, it should also include ensuring that the audit work is efficient and does not result in unnecessary disruption or cost to the business.
Audit Committees around the world should be concerned by the findings of the regulators who audit the firms in the US (the Public Company Accounting Oversight Board, or PCAOB). They examine a sample of the audits by the firms of public companies’ financial statements and system of internal control over financial reporting. A report is published for each firm and an overall report is also published every few years.
In their October 24, 2013 Staff Alert, the PCAOB highlighted “deficiencies [they] observed in audits of internal control over financial reporting”. They reported that “firms failed to obtain sufficient audit evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies”. In addition, in a large majority of the audits where there were such deficiencies, “the firm also failed to obtain sufficient appropriate evidence to support its opinion on the financial statements”.
While the Staff Alert is intended to help the firms understand and correct deficiencies, it also calls for action by the Audit Committee of each registrant:
“Audit committees of public companies for which audits of internal control are conducted may want to take note of this alert. Audit committees may want to discuss with their auditor the level of auditing deficiencies in this area identified in their auditor’s internal inspections and PCAOB inspections, request information from their auditor about potential root causes, and inquire how their auditor is responding to these matters.”
In a related matter, COSO released an update last year to its venerable Internal Control – Integrated Framework. It includes a discussion of 17 Principles and related Points of Focus. Reportedly, the audit firms and consultants are developing checklists that require management to demonstrate, with suitable evidence, that all the Principles (and in some cases the Points of Focus) are present and functioning. This ignores the fact that COSO has publicly stated that their framework remains risk-based and they never intended nor desired that anybody make a checklist out of the Principles.
Of note is the fact that the PCAOB and SEC have not changed their auditing standards and guidance. They continue, as emphasized in the PCAOB Staff Alert, to require a risk-based and top-down approach to the assessment of internal control over financial reporting.
However, the checklist approach does not consider whether a failure to have any of these Principles or Points of Focus present and functioning represents a risk to the financial statements that would be material.
In other words, blind completion of the checklist is contrary to PCAOB and SEC guidance that the assessment be risk-based and top-down.
With that in mind, I suggest the members of the Audit Committee consider asking their lead audit partner these seven questions at their next meeting. An early discussion is essential if a quality audit is to be performed without unnecessary work and expense to the company.
1. Was your audit of our company’s financial statements and system of internal control reviewed by the PCAOB? If so:
- For which year was it reviewed?
- Did the Examiners report anything they considered a deficiency?
- How significant did they believe it was?
- Do you agree with their assessment? If not, why not?
- What actions have been taken to correct that deficiency?
- What actions will you take to ensure it or similar deficiencies do not recur, including additional training of the staff?
- Has any disciplinary action been considered?
- If you did not promptly report this to us, why not?
2. Were any of the partners and managers part of the audit team on a client where the PCAOB Examiners reviewed and had issues with the quality of the audit? If so:
- What was the nature of any deficiency?
- How significant did the Examiners consider it to be?
- What actions have you taken and will continue to take to ensure it and similar deficiencies do not occur on our audit, including additional staff training?
3. Are there any members of your audit team who have been counseled formally or otherwise relating to quality issues identified either by the PCAOB or other quality assurance processes? What assurance can you provide us that you will perform a quality audit without additional cost to us for enhanced supervision and quality control?
4. With respect to the audit of internal control over financial reporting, have you coordinated with management to ensure optimal efficiency, including:
- A shared assessment of the financial reporting risks, significant accounts and locations, etc., to include in the scope of work for the SOX assessment? In other words, have you ensured you have identified the same financial reporting risks as management?
- The opportunity to place reliance on management testing? Have you discussed and explained why if you are placing less than maximum reliance on management testing in low or medium risk areas?
- The processes for sharing the results of testing, changes in the system of internal control, and other information important to both your and management’s assessment?
5. Are you taking a top-down and risk-based approach to the assessment of internal control over financial reporting?
6. Does the top-down and risk-based approach include your processes for assessing whether the COSO Principles are present and functioning? Do your processes ensure that neither your own work nor your requirements of management address areas relating to the Principles and their Points of Focus where a failure would present less than a reasonable possibility of a material misstatement of the financial statements filed with the SEC? Have you limited your own audit work to areas where a failure would represent at least a reasonable possibility of a material error – directly or through its effect on other controls relied upon to either prevent or detect such errors? Or have you developed and are you using a checklist contrary to the requirements of Auditing Standard No. 5, instead of taking a risk-based approach?
7. How do you ensure continuous improvement in the quality and efficiency of your audit work?
I welcome your comments.
Whether you are a fan of the COSO ERM and Internal Control frameworks or not, a paper just released by COSO is worth reading and thinking about.
The intent of the two authors (my good friend Jim DeLoach of Protiviti and Jeff Thomson of the Institute of Management Accountants) is to explain how the COSO frameworks fit within and enhance the operation’s processes for directing and managing the organization. In their words:
“Our purpose in writing this paper is to relate the COSO frameworks to an overall business model and describe how the key elements of each framework contribute to an organization’s long-term success.”
My intent in this post is not to quibble with some of the concepts and language with which I disagree (such as their portrayal of risk appetite), but to highlight some of the sections I really like (with occasional comments) and encourage you to read the entire paper.
For those of you who prefer the ISO 31000:2009 global risk management standard (and I am among their number), the paper is worth reading because it stimulates thinking about the role of risk management in setting strategy and thereafter optimizing performance. It has some useful language and insight that can help people understand risk management, whatever standard you adopt. That language can be used by ISO advocates, for example when explaining risk management to executives and the board.
In addition, even if you like the ISO risk management standard, it does not provide the insight into internal control provided by the COSO framework. It is perfectly acceptable, in my opinion, to adopt ISO for risk management and COSO for internal control.
I have one quibble that I think is worth mentioning: the authors at one point say that internal control “deals primarily with risk reduction”. I disagree. It should serve to provide assurance that the right level of risk is taken. On occasion, that may mean taking more risk. For example, one objective that is too often overlooked is to be efficient. More risk in reviewing expense reports might be appropriate when the cost of intense reviews exceeds the potential for expense-related fraud or error. Another example is when a decision has to be made on the quantity of key raw materials to re-order as quantities on hand fall. Current practice may be to place an order that will bring inventory to 20% more than is expected to be consumed in the next period, as a precaution in case of quality issues or should incoming orders exceed the anticipated level. But, having excess materials can result in a different risk. Risk management thinking can help us decide how much risk to take when it comes to running out of raw materials compared to how much risk to take that the materials may degrade due to extended time sitting on the shelf.
But back to talking about the “good bits”, with the first from the Executive Summary:
“Within the context of its mission, an organization is designed to accomplish objectives. It is presumed that the organization’s leaders can articulate its objectives, develop strategies to achieve those objectives, identify the risks to achieving those objectives and then mitigate those risks in delivering the strategy. The ERM framework is based on objective setting and the identification and mitigation or acceptance of risks to the achievement of objectives. The internal control framework is designed to control risks to the achievement of objectives by reducing them to acceptable levels. Thus, each of the frameworks is inextricably tied into the operation of a business through the achievement of objectives. ERM is applied in the strategy-setting process while internal control is applied to address many of the risks identified in strategy setting.”
Comment: While the COSO Internal Control Framework assumes (or presumes) that the appropriate objectives are set, as we all know, controls within the objective-setting process are essential to address such matters as engaging the right people in the decisions and providing them with reliable information.
“The ERM framework asserts that well-designed and effectively operating enterprise risk management can provide reasonable assurance to management and the board of directors regarding achievement of an entity’s objectives. Likewise, the internal control framework asserts that internal control provides reasonable assurance to entities that they can achieve important objectives and sustain and improve performance. The “reasonable assurance” concept embodied in both frameworks reflects two notions. First, uncertainty and risk relate to the future, which cannot be precisely predicted. Second, risks to the achievement of objectives have been reduced to an acceptable level.”
“In general, ERM involves those elements of the governance and management process that enable management to make informed risk-based decisions. Informed risk responses, including the internal controls that accompany them, are designed to reduce the risk associated with achieving organizational objectives to be within the organization’s risk appetite. Therefore, ERM/internal control and the objective of achieving the organization’s strategic goals are mutually dependent.”
“Robust enough to be applied independently on their own, the two COSO frameworks have a common purpose — to help the enterprise achieve its objectives and to optimize the inevitable tension between the enterprise’s value creation and value protection activities. Therefore, both facilitate and support the governance process when implemented effectively.”
“ERM instills within the organization a discipline around managing risk in the context of managing the business such that discussions of opportunities and risks and how they are managed are virtually inseparable from each other. An organization’s strategic direction and its ability to execute on that direction are both fundamental to the risks it undertakes. Risks are implicit in any organization’s strategy. Accordingly, risk assessment should be an integral part of the strategy-setting process. Strategic and other risks should be supported or rationalized by management’s determination that the upside potential from assuming those risks is sufficient and/or the organization can manage the risks effectively.”
“The risk assessment process considers inherent and residual risk and applies such factors as likelihood of occurrence, severity of impact, velocity of impact, persistence of impact and response readiness to analyze and prioritize risks. Risk assessment techniques include contrarian analysis, value chain analysis, scenario analysis, at-risk frameworks (e.g., value, earnings, cash flow or capital) and other quantitative and qualitative approaches to evaluating risk. Furthermore, risk assessment considers relationships between seemingly unrelated events to develop thematic insights on potential long-term trends, strategic possibilities and operational exposures.”
Comment: Although many leading experts have moved away from the concepts of inherent and residual risk, I still like them. What I like most in this paragraph is the discussion of other important attributes of risk. Impact and likelihood are not the only factors to consider when assessing whether the level of risk is acceptable.
“…organizations must “plan” for disruption and build and refine their radar systems to measure and be on the alert for changes in key risk indicators (leading indicators) versus rely solely on key performance indicators (which are often lagging and retrospective in nature). Looking forward will enable an organization’s culture to support an experimental and adaptable mindset. Adapting is all about positioning companies to quickly recognize a unique opportunity or risk and use that knowledge to evaluate their options and seize the initiative either before anyone else or along with other organizations that likewise recognize the significance of what’s developing in the marketplace. Early movers have the advantage of time, with more decision-making options before market shifts invalidate critical assumptions underlying the strategy. Failing to adapt can be fatal in today’s complex and dynamic business environment.”
“Organizational resiliency is the ability and discipline to act decisively on revisions to strategic and business plans in response to changing market realities. This capability begins to emerge as organizations integrate strategic plans, risk management and performance management and create improved transparency into the enterprise’s operations to measure current performance and anticipate future trends.”
I welcome your comments on this paper and my analysis.
It can be hard for internal auditors to tell their stakeholders, whether at board level or in top management, what is putting the organization at greatest risk.
It can be hard to say that the root cause for control failures is that there aren’t enough people, or that the company does not pay enough to attract the best people.
It can be hard to tell the CEO or the audit committee that the executive team does not share information, its members compete with each other for the CEO’s attention, and as a group it fails to meet any person’s definition of a team.
It can be hard to say that the CFO or General Counsel is not considered effective by the rest of management, who tend to ignore and exclude them.
It can be hard to say that the organization’s structure, process, people, and methods are insufficiently agile to succeed in today’s dynamic world.
But these are all truths that need to be told.
If the emperor is not told he has no clothes, he will carry on without them.
Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out:
- They may believe, with justification, that their job is at risk
- They may believe, with justification, that their compensation will be directly affected if they alienate top management
- They may believe that their career within the organization will go no further without the support of top management, even if they receive the support of the board
- The level of resources provided to internal audit will probably be limited, even cut
- The CEO and other top executives have personal power that is hard to oppose
- They are focused on “adding value” and do not want to be seen as obstacles
- They fear they will never get anything done, will not be able to influence change, and will be shut out of meetings and denied essential information if they are seen as the enemy
Yet, if internal auditors are to be effective, they need to be able to speak out – even at great personal risk.
It would be great if internal auditors were protected from the inevitable backlash. I know of at least one CAE who has a contract that provides a measure of protection, but most are only protected by their personal ethics and moral values.
It would be great if the audit committee of the board ensured that the CAE is enabled to be brave. But few will oppose an angry CEO or CFO.
We need to be brave, but not reckless. There are ways to tell the emperor about his attire without losing your neck. They include talking and listening to allies and others who can help you. They include talking to the executives in one-on-one meetings where they are not threatened by the presence of others. Above all, it is about not surprising the emperor when he is surrounded by the rest of the imperial court.
It is about treating the communication of bad news as a journey, planning each step carefully and preparing the ground for every discussion.
It is also about being prepared to listen and, if you are truly wrong, being prepared to modify the message.
But, the internal auditor must be determined to tell the truth and do so in a way that clearly explains the facts and what needs to be done.
You can be amazing
You can turn a phrase into a weapon or a drug
You can be the outcast
Or be the backlash of somebody’s lack of love
Or you can start speaking up
Everybody’s been there,
Everybody’s been stared down by the enemy
Fallen for the fear
And done some disappearing,
Bow down to the mighty
Don’t run, just stop holding your tongue
And since your history of silence
Won’t do you any good,
Did you think it would?
Let your words be anything but empty
Why don’t you tell them the truth?
Say what you wanna say
And let the words fall out
Honestly I wanna see you be brave
With what you want to say
And let the words fall out
Honestly I wanna see you be brave