The topic of risk culture has been receiving a lot of attention ever since it was identified as a cause of many of the problems that led to major issues at financial services organizations a few years ago.
Risk culture drives behavior when it comes to taking the desired risks and levels of risk. As I say in my KEY POINTS section at the end of this post, traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact (of taking the risk) and after damage may have been done!
One learned paper (I was a minor contributor) was published by the excellent Institute of Risk Management. I wrote about the topic in a 2011 blog post, with reference to a couple of excellent articles, and included these quotes:
“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.
Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non-executives and regulators and organisational cultures which inhibited effective challenge to risk taking.
Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).”
“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.
While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”
I like the definition above, that “Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.”
In other words, risk culture is what drives human behavior. That behavior can be, and hopefully is, to take the risks that the organization wants taken. But too often, people react to a situation by taking the ‘wrong’ risk (including taking either too much or too little risk).
Now a new paper has been published. Written by three respected professors, Risk Culture in Financial Organisations tackles the topic in great depth. It doesn’t include a clear (at least to me) definition of risk culture, but I believe that if it had, the definition would be consistent with my discussion above. The authors certainly talk about the trade-offs and identify many of the same factors that contribute to an organization’s risk culture.
I suspect that readers of the research paper will appreciate the discussions of such matters as whether the risk function should try to be an independent monitor or a partner to the business; whether the risk function is focused on enabling effective decisions to advance the organization, or on compliance; whether organizations know where behaviors and their drivers need to change; and the questions it suggests organizations ask to probe the issues.
I particularly enjoyed some of the quotes the authors included, such as:
“…the leaders of industry must collectively procure a visible and substantive change in the culture of our institutions, so as fundamentally to convince the world once again that they are businesses which can be relied on.”
“…development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”
“The institutional cleverness, taken with its edginess and a strong desire to win, made Barclays a difficult organisation for stakeholders to engage with. Barclays was sometimes perceived as being within the letter of the law but not within its spirit. There was an over-emphasis on short-term financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients. There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”
“The strategy set by the Board from the creation of the new Group sowed the seeds of its destruction. HBOS set a strategy for aggressive, asset-led growth across divisions over a sustained period. This involved accepting more risk across all divisions of the Group. Although many of the strengths of the two brands within HBOS largely persisted at branch level, the strategy created a new culture in the higher echelons of the bank. This culture was brash, underpinned by a belief that the growing market share was due to a special set of skills which HBOS possessed and which its competitors lacked.”
“In contrast to JPMorgan Chase’s reputation for best-in-class risk management, the whale trades exposed a bank culture in which risk limit breaches were routinely disregarded, risk metrics were frequently criticised or downplayed, and risk evaluation models were targeted by bank personnel seeking to produce artificially lower capital requirements.”
“Culture has played a significant part in the development of the problems to be seen in this Trust. This culture is characterised by introspection, lack of insight or sufficient self-criticism, rejection of external criticism, reliance on external praise and, above all, fear….from top to bottom of this organisation. Such a culture does not develop overnight but is a symptom of a long-standing lack of positive and effective direction at all levels. This is not something that it is possible to change overnight either, but will require determined and inspirational leadership over a sustained period of time from within the Trust.”
“Absent major crises, and given the remarkable financial returns available from deepwater reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency… There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”
Simons’ Risk Exposure Calculator (1999) is composed of nine keys that reflect different sources of pressure on a company. Managers should score each key from 1 (low) to 5 (high), giving a total between 9 and 45. ‘Alarm bells’ should be ringing if the total score is higher than thirty-five. The keys are: pressures for performance, rate of expansion, staff inexperience, rewards for entrepreneurial risk-taking, executive resistance to bad news, level of internal competition, transaction complexity and velocity, gaps in diagnostic performance measures, and degree of decentralised decision-making.
“You go to a management meeting and you talk about management issues and then you go to a risk committee and you talk about risk issues. And sometimes you talk about the same issues in both but people get very confused and I don’t know … I don’t know how right it is but I really think you should be talking about risk when you talk about your management issues because it kind of feels to me again culturally that’s where we are.”
“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite […] Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”
This is clearly the work of academics, and practitioners may find the long piece hard to digest. However, the authors have tried to be practical, and if you focus on the questions at the end of each section there is some good material.
In particular, focus on the underlying message. In my reading, it is essential that management and boards of organizations, including but not limited to the risk office, understand how behavior is being driven when it comes to taking desired risks – and levels of risk.
- Are the positive influencers, like policies and related training, effective?
- Are the potentially negative influencers, such as short-term financial incentives, understood and mitigated?
This understanding should then be used to assess whether actions need to be taken to improve the likelihood that desired risks will be taken.
Whether you call this risk culture or not, I believe it is very important. Traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact and after damage may have been done!
By the way, the Bibliography is excellent and the publication is worth downloading just to get it!
I welcome your views and comments.
The Audit Committee of the Board (or equivalent) is responsible for oversight of the external auditors’ work. This should include taking reasonable measures to ensure a quality audit on which the board and stakeholders can place reliance. As a second priority, it should also include ensuring that the audit work is efficient and does not result in unnecessary disruption or cost to the business.
Audit Committees around the world should be concerned by the findings of the regulator that inspects audit firms in the US, the Public Company Accounting Oversight Board (PCAOB). It examines a sample of the audits the firms perform of public companies’ financial statements and systems of internal control over financial reporting. A report is published for each firm, and an overall report is also published every few years.
In their October 24, 2013 Staff Alert, the PCAOB highlighted “deficiencies [they] observed in audits of internal control over financial reporting”. They reported that “firms failed to obtain sufficient audit evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies”. In addition, in a large majority of the audits where there were such deficiencies, “the firm also failed to obtain sufficient appropriate evidence to support its opinion on the financial statements”.
While the Staff Alert is intended to help the firms understand and correct deficiencies, it also calls for action by the Audit Committee of each registrant:
“Audit committees of public companies for which audits of internal control are conducted may want to take note of this alert. Audit committees may want to discuss with their auditor the level of auditing deficiencies in this area identified in their auditor’s internal inspections and PCAOB inspections, request information from their auditor about potential root causes, and inquire how their auditor is responding to these matters.”
In a related matter, COSO released an update last year to its venerable Internal Control – Integrated Framework. It includes a discussion of 17 Principles and related Points of Focus. Reportedly, the audit firms and consultants are developing checklists that require management to demonstrate, with suitable evidence, that all the Principles (and in some cases the Points of Focus) are present and functioning. This ignores the fact that COSO has publicly stated that its framework remains risk-based and that it never intended nor desired that anybody make a checklist out of the Principles.
Of note is the fact that the PCAOB and SEC have not changed their auditing standards and guidance. They continue, as emphasized in the PCAOB Staff Alert, to require a risk-based and top-down approach to the assessment of internal control over financial reporting.
However, the checklist approach does not consider whether a failure to have any of these Principles or Points of Focus present and functioning represents a risk to the financial statements that would be material.
In other words, blind completion of the checklist is contrary to PCAOB and SEC guidance that the assessment be risk-based and top-down.
With that in mind, I suggest the members of the Audit Committee consider asking their lead audit partner these seven questions at their next meeting. An early discussion is essential if a quality audit is to be performed without unnecessary work and expense to the company.
1. Was your audit of our company’s financial statements and system of internal control reviewed by the PCAOB? If so:
- For which year was it reviewed?
- Did the Examiners report anything they considered a deficiency?
- How significant did they believe it was?
- Do you agree with their assessment? If not, why not?
- What actions have been taken to correct that deficiency?
- What actions will you take to ensure it or similar deficiencies do not recur, including additional training of the staff?
- Has any disciplinary action been considered?
- If you did not promptly report this to us, why not?
2. Were any of the partners and managers part of the audit team on a client where the PCAOB Examiners reviewed and had issues with the quality of the audit? If so:
- What was the nature of any deficiency?
- How significant did the Examiners consider it to be?
- What actions have you taken and will continue to take to ensure it and similar deficiencies do not occur on our audit, including additional staff training?
3. Are there any members of your audit team who have been counseled formally or otherwise relating to quality issues identified either by the PCAOB or other quality assurance processes? What assurance can you provide us that you will perform a quality audit without additional cost to us for enhanced supervision and quality control?
4. With respect to the audit of internal control over financial reporting, have you coordinated with management to ensure optimal efficiency, including:
- A shared assessment of the financial reporting risks, significant accounts and locations, etc., to include in the scope of work for the SOX assessment? In other words, have you ensured you have identified the same financial reporting risks as management?
- The opportunity to place reliance on management testing? If you are placing less than maximum reliance on management testing in low- or medium-risk areas, have you discussed and explained why?
- The processes for sharing the results of testing, changes in the system of internal control, and other information important to both your and management’s assessment?
5. Are you taking a top-down and risk-based approach to the assessment of internal control over financial reporting?
6. Does the top-down and risk-based approach include your processes for assessing whether the COSO Principles are present and functioning? Do your processes ensure that neither your own work nor your requirements of management address areas relating to the Principles and their Points of Focus where a failure would present less than a reasonable possibility of a material misstatement of the financial statements filed with the SEC? Have you limited your own audit work to areas where there is at least a reasonable possibility that a failure would result in a material error, directly or through its effect on other controls relied upon to either prevent or detect such errors? Or have you developed, and are you using, a checklist contrary to the requirements of Auditing Standard No. 5, instead of taking a risk-based approach?
7. How do you ensure continuous improvement in the quality and efficiency of your audit work?
I welcome your comments.
It can be hard for internal auditors to tell their stakeholders, whether at board level or in top management, what is putting the organization at greatest risk.
It can be hard to say that the root cause for control failures is that there aren’t enough people, or that the company does not pay enough to attract the best people.
It can be hard to tell the CEO or the audit committee that the executive team does not share information, its members compete with each other for the CEO’s attention, and as a group it fails to meet any person’s definition of a team.
It can be hard to say that the CFO or General Counsel is not considered effective by the rest of management, who tend to ignore and exclude them.
It can be hard to say that the organization’s structure, process, people, and methods are insufficiently agile to succeed in today’s dynamic world.
But these are all truths that need to be told.
If the emperor is not told he has no clothes, he will carry on without them.
Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out:
- They may believe, with justification, that their job is at risk
- They may believe, with justification, that their compensation will be directly affected if they alienate top management
- They may believe that their career within the organization will go no further without the support of top management, even if they receive the support of the board
- The level of resources provided to internal audit will probably be limited, even cut
- The CEO and other top executives have personal power that is hard to oppose
- They are focused on “adding value” and do not want to be seen as obstacles
- They fear they will never get anything done, will not be able to influence change, and will be shut out of meetings and denied essential information if they are seen as the enemy
Yet, if internal auditors are to be effective, they need to be able to speak out – even at great personal risk.
It would be great if internal auditors were protected from the inevitable backlash. I know of at least one CAE who has a contract that provides a measure of protection, but most are protected only by their personal ethics and moral values.
It would be great if the audit committee of the board ensured that the CAE is enabled to be brave. But few will oppose an angry CEO or CFO.
We need to be brave, but not reckless. There are ways to tell the emperor about his attire without losing your neck. They include talking and listening to allies and others who can help you. They include talking to the executives in one-on-one meetings where they are not threatened by the presence of others. Above all, it is about not surprising the emperor when he is surrounded by the rest of the imperial court.
It is about treating the communication of bad news as a journey, planning each step carefully and preparing the ground for every discussion.
It is also about being prepared to listen and if you are truly wrong being prepared to modify the message.
But, the internal auditor must be determined to tell the truth and do so in a way that clearly explains the facts and what needs to be done.
You can be amazing
You can turn a phrase into a weapon or a drug
You can be the outcast
Or be the backlash of somebody’s lack of love
Or you can start speaking up
Everybody’s been there,
Everybody’s been stared down by the enemy
Fallen for the fear
And done some disappearing,
Bow down to the mighty
Don’t run, just stop holding your tongue
And since your history of silence
Won’t do you any good,
Did you think it would?
Let your words be anything but empty
Why don’t you tell them the truth?
Say what you wanna say
And let the words fall out
Honestly I wanna see you be brave
With what you want to say
And let the words fall out
Honestly I wanna see you be brave
Michele Hooper is a highly-respected (including by me) member and chair of audit committees. She has been a passionate advocate for internal audit and its profession for many years and an advisor to the Institute of Internal Auditors (IIA). In addition, she has been very active with the Center for Audit Quality (CAQ), which is where I met her (she was chair of a CAQ meeting in San Francisco to discuss fraud and I was present as a representative of the IIA).
In December, Michele was interviewed for an article in Internal Auditor (Ia), What Audit Committees Want.
The article brings out some important points. I agree with some and disagree with others (in part because they are left unsaid).
The very first sentence is telling:
“I rely on CAEs to be my eyes and ears in the organization, reporting back on culture, tone, and potential issues that may be emerging within the business”.
The expression ‘eyes and ears’ is an old and perhaps tired phrase. On one hand, it implies that internal audit is spying on management and then running, like a child, to tell on it. On the other, it describes the important role of internal audit as a source of critical information to the board on what is happening within the organization, which may be different from what they are hearing from management.
I can accept that, but what I especially like and appreciate are the next words: “culture, tone, and potential issues that may be emerging within the business”.
Michele is not talking about controls. She is not even talking directly about the management of risk. She is talking first about the culture and tone of the organization, and then about emerging business risks and related issues.
Does your internal audit function provide the board and its audit committee with a sense of the culture and tone within the organization – at the top, in the middle, and in the trenches? If not, why not?
Does your internal audit function ensure that the board is aware of new and emerging business risks and related issues? If not, why not?
Then Michele goes astray:
“An important responsibility critical to audit committee and board discussions is the CAE’s ownership and prioritization of the process management framework for risk identification.”
The CAE should not own the process for identifying and prioritizing risks. The IIA has made that clear in its famous Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management. It says: “Management is responsible for establishing and operating the risk management framework on behalf of the board….. Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management”.
When Michele is asked about the risks she and the audit committee will worry about in 2014, she comments on:
- Internal control
- Compliance, especially regulatory compliance
- Cyber vulnerabilities
- Financial reporting
- Reputation risk, and
- Oversight of the external auditor
What she does not mention are:
- The effectiveness of the organization’s ability to manage risks to the achievement of objectives
- The effectiveness of governance processes
- The need for the audit committee to work collaboratively with other board committees, such as the risk and governance committees, to ensure risks are managed at acceptable levels
I wish she had. I especially wish she had mentioned the magic word:
Let’s return to basics, but with a new twist: a new explanation of the primary purpose and value of internal auditing.
Internal audit provides objective assurance to the board and top management of the effectiveness of the entity’s organization, people, processes, and systems in managing risks to the achievement of the entity’s objectives at acceptable levels.
Does your internal audit department provide that assurance, formally, to the board and top management?
It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.
I want to turn this on its head.
If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:
Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?
If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?
Now let’s ask another question.
Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?
If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?
If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?
I welcome your views and commentary.
I thoroughly enjoyed listening to an MIT Sloan video, “What Digital Transformation Means for Business”. It features executives from Intel, Avis (the president of Zipcar), a researcher into the topic from MIT, and a Capgemini consultant.
It’s about 45 minutes long, so allow yourself some quiet time and have a pad and pencil (or tablet) handy so you can take notes.
I found it inspiring to hear these influential leaders talk about the need for organizations to embrace disruptive technology (they mentioned cloud computing, ultramobile, advanced big data analytics, and social media).
They also emphasized that the risk of NOT embracing the technology of tomorrow, even when they are in the process of implementing the technology of today, is too great. It is critical to continue to watch and consider how the technology that appears on the horizon may affect the ability of the organization to excel.
I loved the story told by the Intel CIO of how she assigns her staff to work within the business to learn it, and then takes them back into IT so they can work on enhancing that business.
You should also listen to how Intel uses gamification to have a better handle on earnings forecasts. It was a great example of how gamification can be used as a technique for understanding and assessing risk. I have written separately about how an organization assessed risks to the success of a major software implementation by creating a stock market game around it. Individuals on the project team from IT and user departments, the consultants they engaged, and others with a stake in its success bought and sold fictional stock in the project. The stock price varied based on demand: when there was optimism, people bought stock and the price rose; when there was pessimism, people sold and the price dropped. The risk assessment considered the stock price and tried to understand why it moved.
Intel and Avis, together with Capgemini, talked about how much time executives were spending on digital transformation. Clearly, these companies (and I join them) expect leaders from the CEO on down to be spending a good amount of time looking at and considering the technology of today and tomorrow and how it can transform their business.
What do you think?
You might also consider this discussion on the battle between IT and the business for control over technology resources.
I close with my greetings to all for a healthy, prosperous, and joyous holiday season and new year.
The Aon report is based on a maturity model (see table below) that I think is interesting. It differs a little from the one I developed. It includes these key requirements for the top level: “process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions”. I prefer the language of the top level requirements in my model: “Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management to risks above established thresholds”.
Aon assesses maturity based on ten characteristics, broken down into 40 specific components. I think it would be useful for any organization to participate in the Aon study and assess where its risk management stands, especially compared to where it wants it to be.
This is useful information for risk officers, senior executives, and the board. I think using a maturity model to assess and report on risk management is an excellent approach for internal auditors. It provides useful information without punishing risk officers who are still working to implement and upgrade the maturity of their program.
| Level | Description |
|---|---|
| 1 (Initial/Lacking) | Component and associated activities are very limited in scope and may be implemented on an ad-hoc basis to address specific risks |
| 2 | Limited capabilities to identify, assess, manage and monitor risks |
| 3 (Defined) | Sufficient capabilities to identify, measure, manage, report and monitor major risks; policies and techniques are defined and utilized (perhaps inconsistently) across the organization |
| 4 | Consistent ability to identify, measure, manage, report and monitor risks; consistent application of policies and techniques across the organization |
| 5 (Advanced) | Well-developed ability to identify, measure, manage and monitor risks across the organization; process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions |
In their study of 361 publicly traded companies, Aon found that 3.3% were in Initial/Lacking, just 0.7% were in Advanced, and the majority (56%) were at or around Defined. 30.6% were above Defined and 50.6% were below.
Aon found a correlation between the maturity of risk management and the performance of their stock, based on an analysis of market data between March 2012 and March 2013. Comparing organizations with the highest (Advanced) maturity rating to those with the lowest (Initial/Lacking):
- Share price grew 18% vs. a drop of 10%
- Share price volatility was 38% lower
- Return on equity was 37% compared to negative 11%
They also reported that “Our initial findings indicate a direct relationship between higher levels of Risk Maturity and the relative resilience of an organization’s stock price in response to significant risk events to the financial markets.”
This, I suggest, is useful information to share with executives and the board on the value of mature risk management.
You might reference an older report by Ernst & Young that had similar results, Managing Risk for Better Performance.
The Accenture report was based on a survey of 450 individuals, described in one place as “global risk professionals,” and in another as “C-level executives involved in risk management decisions.” The breakdown shows that 25% are CROs, 20% CEOs, 25% CFOs, and 22% are Chief Compliance Officers.
Here are some excerpts:
“The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was “Action is not optional”. That is seen as true both for the broader organization and for the risk management function.”
“At one time, risk management in many organizations could be described by some as “the department that says no”. Today we would characterize risk management more as “the department that enables execution”.”
“The proportion of surveyed organizations having a CRO, either with or without the formal title, has risen from 78% in 2011 to a near-universal 96% in 2013.”
“We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization—particularly in budgeting, investment/disinvestment, and strategy.”
“Survey respondents see risk management as enabling growth and innovation. In order to survive—and certainly to grow—every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce – both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”
However, Accenture warns that risk management in practice is still falling short:
“There appear to be large gaps between expectations of the risk management function’s role in meeting broader goals and its perceived performance—for every organizational goal we surveyed.”
The authors include four recommendations and a detailed analysis to support their findings.
One interesting section is where they describe “Risk Masters” (they have a “Risk Mastery” capability scale, like a maturity model) and what sets them apart.
“Risk Masters include risk considerations in the decision-making process across strategy, capital planning, and performance management. Masters also better integrate their risk organization into operations, establishing risk policies based on their organization’s appetite for risk. And they delineate processes for managing risks that are communicated across the enterprise. These activities are supported by robust analytic capabilities that reinforce efficient compliance processes and provide strategic insight.”
I encourage the reading and consideration of both reports, together with a discussion of where your risk management program falls.
Are you at the maturity level you want to be? Are you taking the steps to become more mature?
Can you achieve the benefits these studies report?
I welcome your views.
The firm of Arthur J. Gallagher & Co. has published an interesting and challenging paper, Collaborative Risk Management: “Risk Management” vs. “Managing Risk”. While it is targeted at organizations in higher education, its message is relevant for all.
The firm is an insurance broker that provides consulting services related to risk management. One of their principals, Dorothy Gjerdrum, was one of the individuals involved in the paper. She is their Executive Director for the Public Entity & Scholastic Division; the leader of the committee (the Technical Advisory Group of which I am a member) that represents the US standards agency (ANSI) in risk management related standards (especially the global risk management standard, ISO 31000:2004); and a friend.
I am putting that friendship and my respect for her as a risk management practitioner aside to review this paper.
Let’s get the main criticism out of the way: this whole idea of Collaborative Risk Management (CRM) is a repackaging of proven and long-established principles. The authors say that they are writing the paper because too many organizations are treating risk management as a project instead of a continuing management process. However, I don’t think they need to provide a new name for established best practices.
Yet, I agree with many of the statements in the paper and we should focus on those instead of the name the authors put to risk management. Here are some excerpts with my comments:
“There can be a tremendous difference between institutions that have risk managers and institutions that manage risks. One end of the spectrum is represented by the often-overworked individual with an overstuffed portfolio. At the other end…will be found… multiple integrative teams and a culture that rewards risk ownership and builds risk assessment into every initiative. These teams take into account an appropriate stratification of risk, assuring that board-level, administration-level, and operational-level risks all have proper owners and teams working on them. Support and a structure are established whether or not, and long before, exhaustive “risk registers” are created. Rather than slogging through a cumbersome catalog of many and unequal risks, a strategic, carefully selected few have coalesced and become the main focus. “Risk” has become a category incorporated in the planning process, like staffing and budget, for every enterprise of the institution—woven into the culture not by the efforts of one employee, but by many teams.”
The paper restates the argument more simply: “the key is an understanding of the difference between ‘risk management’—perhaps assigned to one harried Director of Risk Management (or Chief Risk Officer, or Audit, Compliance, Legal, or Finance)—and ‘managing risk,’ which top-flight institutions realize is a collaborative, distributed, networked assignment for everyone.”
Comment: It is indeed time to move to the management of risk, where the risk manager neither owns the fish nor gives them to executives and the board. Instead the CRO teaches the organization how to fish and assesses his own performance by the number who can fish without help. The CRO counts the fish harvested by others and provides the board with consolidated reporting.
The paper continues: “Much positive collaboration can take place when teams are utilized, and the team leader sees the job of the team as ‘managing risk’ for the institution as a whole. On such teams, the risk manager may be a frequent participant but may be the leader on only a select few, if any.”
I don’t know why, but the refrain I have been using the past few years seems to be becoming popular. I use it for both risk management and internal audit, saying that they “have to stop being the department of ‘no’, and become the department of ‘how’.” Gallagher says it well:
“Operational risk managers have long bemoaned the fact that, like a James Bond villain, we are occasionally nicknamed “Dr. ‘No!’” Internal clients sometimes feel they have exciting ideas for programs and opportunities with great institutional benefits, but when they run those ideas past risk management, all they hear is “No!” because operational risk management focuses on the negatives. Admittedly, part of this is defensive: someone needs to point out the risks and possible downfalls of ideas for which the proponents only see the positive. But this role may cast operational risk managers in an unpleasant light. No one wants to talk with risk management if it only means their ideas will be shot down.
The new landscape of risk management is bringing a simple, one-word change: risk management is now the process of trying to help others get to “Yes!”
The paper tackles the need to remember that risk management is not only about navigating the possible adverse effects of uncertainty; it is also about seizing opportunities:
“[Effective] risk management specifically aims to incorporate positive risks. That is, [it] means to consider opportunities and the cost of not being able to leap at them—such as letting other schools gain a competitive advantage, or missing out on a clear demographic shift. While operational risk management has historically weighed the cost of a course of action, [effective risk management] also considers the potential costs of not acting—the “carpe diem!” failures… ERM is about… achieving success as much as avoiding failure.”
The authors have suggestions for bringing the disciplines of risk management to the decisions and actions of the board and top executives:
“One significant challenge with integrating risk management throughout the institution is determining whose job it should be. Strategy is traditionally the province of the Board. A healthy Board asks strategic questions: “Where should the institution go next? What major initiatives should we undertake? What societal and demographic forces may threaten our success, or propel us to further greatness?” Few operational risk managers are asked to consider these high-level issues, or to report on them to the Board, much less to manage them. Since ERM incorporates consideration of strategic issues (along with any issues that keep the institution from reaching its objectives), there is a common disconnect between it and what institutional risk managers have traditionally done each day.”
They continue: “Certain types of risk should be managed directly by the Board, through the use of Board committees. On the other hand, the Board does not run many aspects of the ERM process—the Board is not in a position to drive ERM initiatives through the institution on a daily basis. The way forward is to delineate carefully the respective roles of the Board, senior administrators, and operational risk managers. Stratification is key—some risks, such as strategic questions, major initiatives, and general societal and demographic shifts, are the role of the Board. We might call this true “strategic risk.” Senior administrators, by contrast, are responsible for implementing the decisions of the Board as operations of the institution, and minding specific risks facing the institution as a whole (“institutional risk”). Likewise, operational risk management will likely be aware of, and in a position to address, risks that may be below the sight lines of the Board or senior administrators, but nevertheless might affect the eventual success of the institution in achieving its objectives (“unit risk”). These different risk types should be handled by different groups across the institution. Successful [risk management] must incorporate the perspectives of all of these participants, in their proper strata. Thus risks, besides having aspects such as frequency and severity, have an altitude, a level at which they are best managed. A Board thus manages risk via linkage between various levels of stratification: committees report up to certain senior-level administrators, who may report to Board committees and thus to the full Board.”
Comment: this idea of altitude is intriguing. It may work for some and not for others. The key is to understand who owns and is responsible for managing risk (typically the individuals who own and manage performance and achievement of the related objectives). This requires that top-level objectives and risks are cascaded down across the enterprise and that people take ownership of that slice of the objective and risk that is in their area of responsibility.
The authors spend a lot of time reviewing what causes risk management initiatives and programs to fail. I will let you read through these, just excerpting one point. This talks to a feature of many risk management programs where management (and the CRO) may feel, in error, that they have effective risk management.
“The biggest problem… was that once a board committee or senior administrator indicated an ERM program was wanted, the institution often plunged at once into a process of risk identification. Long lists of risks—risk registers—were created, some with hundreds of entries. Risk managers, and ERM teams, are getting stuck at this risk register phase and are having difficulty moving on to actual management of the risks. There seems to be an 80/20 problem: 80% of scarce ERM time is spent on identification and assessment (frequency, severity, velocity and the like), and only 20% is applied to strategic thinking.”
Comment: I frequently lament (such a good word) two things: 1. There is too much emphasis on identifying the risk and not enough on taking action to optimize outcomes, and 2. People are managing a relatively static list of risks instead of implementing a risk management program that is “dynamic, iterative, and responsive to change” and embedded into organizational processes (ISO and COSO both say this). As I said earlier, the CRO must teach managers and executives to fish.
The document also provides advice for getting risk management right. Again, I won’t go into detail: it repeats many of the suggestions others have made about support from the top, ensuring the right risk culture, selecting appropriate guidance (they prefer the ISO 31000:2009 risk management standard), and more.
There is one important point that they imply but don’t state directly.
Risk managers have used workshops as an effective technique for identifying, assessing, and treating risk. But we should ask whether it makes sense to have a team (for that is what this is) that is only responsible for the risk aspect of the decision-making process. There are probably teams (if not in name) that come together to address the performance side of the decision-making process, and it would be better to have them include the risk side rather than set up and run a separate risk workshop.
I welcome your thoughts on this and the other aspects of this interesting paper. It is worth downloading and reading.
Deloitte has given us food for thought in an article “The Four Faces of the CIO”.
Fortunately, they are not talking about a devious executive. Instead, they are talking about four different key roles that every CIO has to play.
The roles are:
- Catalyst: As a catalyst, the CIO acts as a credible, enterprisewide change agent, instigating innovations that lead to new products or services; delivering IT capabilities in radically new ways; or significantly improving operations in IT and beyond. Catalysts have significant political capital and are able to enlist and align executive stakeholders. Their relentless focus on disruptive innovation and cross-functional teaming allows them to lead transformational change in IT and the business at large.
- Strategist: “The CIO’s primary objective as strategist is to maximize the value delivered across all IT investments. The strategist has deep business knowledge and can engage as a credible partner, advising the business on how technology can enhance existing business capabilities or provide new ones. The strategist also keeps the business apprised [sic] of distinctive IT capabilities that can drive revenue, create new opportunities, or mitigate and navigate risks and adverse events.”
- Technologist: “As a technologist, the CIO is responsible for providing a technical architecture that increases business agility by managing complexity, supports highly efficient operations (to keep costs low), and is flexible and extendable enough to meet future business needs. Technologists also continually scan the horizon for new technologies, rigorously analyze and test those with promise, and then select the ones most apt to achieve enterprise architecture objectives (efficiency, agility, simplification, and innovation).”
- Operator: “As an operator, the CIO oversees the reliable day-to-day delivery of IT services, applications, and data. Operators manage the department, and hire, develop, and lead IT staff. They institute service level agreements with IT customers and ensure performance targets for IT services are achieved. They maintain transparent IT cost models and charge the business appropriately for IT services. Operators also source technology, services, and staff, and govern those third-party relationships. Among the biggest challenges for operators are protecting the organization against cyber attacks and ensuring regulatory compliance.”
In this world of dynamic and business model-shattering technological change, it is essential that the CIO take her rightful place as a business leader. The Strategist and Catalyst roles are of massive importance if an organization is to succeed.
This is recognized in a survey by Deloitte of where CIOs actually spend their time vs. where they want to spend their time:
- 36% as an operator, compared to a desired level of 14%
- 43% as either strategist or catalyst, compared to a desired level of 71%
I believe that boards should be asking the CIO, and whoever she reports to, where she spends her time. If the dominant portion is not as Strategist and Catalyst, they should ask why not.
Risk officers should consider whether there is a risk to the business if the CIO is predominantly a passive Operator, and the CAE should consider how the situation can be improved.
I welcome your views.
If I were asked to join a board and serve as the chair of the audit committee (which I am qualified to do), I would apply the lessons from what seems like a lifetime of working with audit committees. In most cases, the chair was excellent and I would hope to be as effective as they were.
After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:
- Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?
- Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?
- How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?
- Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?
- What are the primary financial reporting risks and how well are they addressed? What areas merit, if any, special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?
- What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for assurance they are being managed satisfactorily?
- How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?
- How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?
- Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?
- Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?
- How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?
- How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?
- What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?
I have probably missed a few items. What would you add?
Please share your comments and views.
While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.
This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.
Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.
In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.
So let’s turn to the more common usage of GRC – governance, risk management, and compliance.
Earlier this year, in April, I wrote companion pieces on GRC:
Seven months on, I am starting to think that the term is becoming even more meaningless in practice.
Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.
The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).
But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:
“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”
I love and agree with this sentiment.
To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:
“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”
We could leave it there, in a confused and confusing world.
But enough is not enough.
Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site, now refers to (and sometimes gives awards for):
- Identity and Access GRC
- Legal GRC
- 3rd Party GRC
- Enterprise GRC
- GRC gamification
Now, I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from processes for setting strategy and monitoring performance, through risk management, to legal case management, internal audit management, information security, data governance, and more. So he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.
Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?
I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:
“The reliable achievement of objectives while addressing uncertainty and acting with integrity”
Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).
What do you think?
Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?
I welcome your views.
How many organizations, small or large, expect to succeed if they have a large number of “average” people – and by that I mean truly average, neither poor nor exceptional?
None. Yet, do we always do everything we can and should to hire, retain, reward, and develop exceptional people?
Does our human resources function help us find and hire exceptional people, or does it limit us to people who are paid average or, if we are lucky, just above average salary, benefits, and other compensation?
Do you really expect to hire exceptional people with just-above-average compensation?
Are we encouraged to recognize our people – all our people – as exceptional, or are we required to grade their performance on a curve?
At one of the companies where I was head of internal audit (CAE), I inherited an existing team. I would rate only two of the staff (one in US and one in Singapore) as stars; a few had the potential of being very good; a couple were struggling; and the rest were “average”. They were competent, but had little potential for growth and were tolerated rather than welcomed by our customers.
I demanded more, in part because I was changing the style of the audit department so that instead of working in large teams, people were working in pairs or individually. This required more initiative, leadership, and exercise of common sense and business judgment.
The couple who were struggling recognized they were not going to be able to meet the new standard and left of their own volition. A few others saw the opportunity to grow and seized it. But the rest of the “average” performers remained average.
I was able, over time, to find positions for a couple of these people but the rest seemed to have glue on their feet. They enjoyed the new work and challenges, but were setting nobody on fire.
Our human resources function (HR) was no help. Since their work performance was “adequate”, I had no ethical way to move their sticky feet.
I wished I could have rolled back the clock and persuaded my predecessor to hire better people, people with greater intellect, curiosity, and imagination.
I have made a habit, now, of fighting hard to create an environment that lets me hire exceptional people. For that I need pay ranges agreed with HR that let me pay attractive salaries and offer excellent benefits, bonuses, etc. I need job titles that give the people pride in their position and responsibilities. Finally, I need the ability to rate all my people where they truly deserve to be rated – as exceptional performers.
Does your HR function let you hire the best possible person – and that is not the best you can find at the permitted rate, but the best you can find for the job you need done? Or are they a drag on performance?
How many of your sales team are “average”?
How many of your engineers are “average”?
What are you doing about it?
I welcome your comments and stories.
The other day, I was on a call with other members of an oversight committee. We were talking about the high level project plan for our new products and I asked to see a version that showed key deliverable dates. The chair of our small committee agreed, suggesting that the project manager add a diamond to the dates or otherwise indicate when the various deliverables would be completed.
But the project manager replied that the deliverable dates were in the detail of each “sprint” (the project was being managed using agile management techniques). We were looking at a higher level and he would be happy to show us the plans for each individual sprint.
I told him that I understood that the deliverables were in the sprint-level detail, but I needed to see the deliverable dates on the higher-level project plan. Without that, I would not be able to see whether the plan was acceptable and the products would hit the market at the right time. For example, I could not see whether it made sense to work on deliverables serially or in parallel, or when oversight activities needed to occur.
His response was that he couldn’t run the project using two different project management techniques. Implying that my requirement was old-fashioned (I admit here that I have been managing or overseeing major projects since he was in grade school), he reiterated that he was using agile project management.
I tried to tell him that agile is how you run the project day-to-day, but for oversight purposes I needed to see the big picture – especially when the deliverables were to be completed.
Noting my rising tone, the chairman intervened and suggested that the project manager take the chart he was showing us and simply overlay the deliverable dates. He needed them as well.
The lesson here is that I, as an oversight and big picture person (at least in this role on this project), was talking a different language than the project manager.
I respect the project manager for his expertise and experience in running projects to successful completion. But, he was unable to put himself in my shoes, understand my needs, and then express himself in a way that communicated what I needed to know.
The same issue applies when technical experts, whether in finance, information security, risk management, internal audit, or another area, need to communicate with people in a more senior management or board position. They tend to think and talk in technical detail, while senior management and board members think and talk in terms of the bigger picture. My advice to the practitioner is:
- Understand the questions that senior management and the board need answers to.
- Answer those questions directly.
- Only provide additional detail when necessary to answer the questions – to their satisfaction, not yours – or when asked for more detail.
- Get to the point quickly.
For example, when a risk, security, or audit practitioner is talking to an executive officer, recognize that they want to know (a) is there anything I need to worry about, (b) is there anything I need to do, and (c) is there a need for me to continue to monitor the situation. They don’t need to know details when there is nothing for them to spend time on.
I welcome your views. If you can share experiences and stories, that would be appreciated.
Hopefully, you are familiar with the global risk management standard, ISO 31000:2009.
ISO has now developed and just published ISO 31004. This is a “Technical Report” titled “Risk management – guidance for the implementation of ISO 31000”.
Because it is a global document, you can download it from your national standards board’s site. In the US, you can find it on the ANSI site as well as on the ISO Swiss site. It is not free, but it is not expensive either.
The Technical Report “provides: a structured approach for organizations to transition their risk management arrangements in order to be consistent with ISO 31000, in a manner tailored to the characteristics of the organization; an explanation of the underlying concepts of ISO 31000; [and,] guidance on aspects of the principles and risk management framework that are described in ISO 31000”.
In addition to advice on upgrading risk management using ISO 31000, the Technical Report has useful appendices including a discussion of underlying concepts and principles. This latter starts by explaining that “Organizations of all kinds face internal and external factors and influences that make it uncertain whether, when and the extent to which, they will achieve or exceed their objectives. The effect that this uncertainty has on the organization’s objectives is risk”.
Another useful section says “Controls are measures implemented by organizations to modify risk that enable the achievement of objectives. Controls can modify risk by changing any source of uncertainty (e.g. by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.”
It concludes this appendix with “Risk management is an integral component of management, as it involves coordinated activities concerned with the effect of uncertainty on those objectives. That is why, in order to be effective, it is important that risk management is fully integrated into the organization’s management system and processes.”
Perhaps of most use is the discussion and explanation of risk management principles. I am not going to list or discuss them here, as you should really read and consider them for yourself.
I recommend purchase of ISO 31000:2009 (if you don’t already own it) and the new 31004:2013.
I welcome your comments.
The effect that a CEO can have on corporate culture is, in my experience, not as great as CEOs like to think. However, when their actions stand out and startle, as they do in the two stories I am going to share, they can have a significant impact and shape how employees feel about their leaders and company.
Both companies in these stories failed a few years later, for very different reasons. One failed because of inept management (my opinion); the other in spite of good management, because the company had failed five or ten years earlier to address structural problems leading to high cost and slowing innovation.
In 2003, I was working for a large global company that was experiencing significant pressure from customers to cut costs. As revenue dropped, profits slipped to losses and the company’s position in the market started its slip from #1 to #4.
The new CEO decided that across-the-board cuts in headcount were needed and perhaps a thousand people lost their jobs. At the same time, he was rebuilding his executive team. He wanted them to be compensated for the turnaround he believed he was going to deliver, so he gave each of them hundreds of thousands of options to purchase shares in the company (then trading around $12) at one tenth of a penny per share. But this was not the action that startled.
At the same time that the company was letting many people go, he invested a million dollars to rebuild the executive floor. Each top executive got a fancy new office, replacing the cubicles previously mandated for every employee, and a new coffee lounge was added. I mention the coffee lounge because the newly hired COO insisted that if he was going to join the company he needed a high-priced espresso machine. The lounge, with its precious coffee maker, was off limits to all but the executive suite and their assistants.
I heard talk about the “princes” of the company, the “CEO and his cronies”, and other unflattering references. Any pride that employees might have had in their leadership dissipated, and management at all levels reflected the apparent executive focus on personal reward.
It is perhaps not surprising that my audit team found a lot of financial statement fraud during this period, as managers tampered with results to make their performance look better.
I left the company. In 2005, my new company also started losing revenue and market share. The board recognized that they faced two problems: (a) the pace of innovation was slowing, due at least in part to (in their opinion) poor leadership by the head of engineering; and (b) the cost of a key component was higher than the cost experienced by competitors. While our main competitors had invested years earlier in plants to manufacture close to 100% of their needs for this component, my company had built a small facility – in a high cost area – that could only supply 35% or so of their needs. This component was at the heart of the company’s products and one of the most expensive components.
As a result, existing products carried a higher cost to manufacture than our competitors’ products. We either had to sell them for little profit, or sell very few; we did a bit of both. In addition, our engineering team was unable to design new products that would be cost-effective – a result of a combination of the slowing innovation and the high component cost.
The board acted. They directed the CEO to fire the head of engineering. When the CEO refused, they fired him as well, and the chairman of the board (an experienced CEO in this industry) took over.
The new CEO made a number of excellent decisions, including hiring a first-class head of engineering and best-in-class CFO.
However, the problems were too great to prevent the company’s revenue and profit slide.
The CEO reluctantly decided that the company had to cut cost, and a few hundred people were laid off.
That was not startling.
What did startle was that the CEO held a global all-employee meeting, where he and his executive team did a number of things. First, the CEO apologized to the employees for the company’s prior failures that had led to the need to cut headcount. He explained with honesty and humility the unfortunate need to let valued employees go. Then, he said that he and his #2 were both going to cut their salaries by (if I recall correctly) 15% for at least the next two years, and would forego any bonuses or stock awards.
While the CEO of the first company gave the impression that his priority was his and his team’s personal rewards, the CEO of the second gave the strong impression that his priority was the company and its employees.
People of all generations, creeds, and nationalities respond when others show they matter, when they are listened to, and when they are given respect. They respond with loyalty, dedication, and performance.
When they experience the opposite, that their leaders are only interested in ‘feathering their own nests’, employee loyalty, dedication, and performance are blown away like feathers in the wind.
I welcome your views and comments.
Deloitte continues to provide interesting information on risk management, the latest being Exploring Strategic Risk (the link is to a summary, which in turn includes links to an infographic with key results and the full report).
Before exploring their report, I find it interesting that people focus on so-called strategic risk – defined by Deloitte as “those that either affect or are created by business strategy decisions”. Both COSO and ISO refer to risk as the potential effect of uncertainty on objectives, so all risk – if it matters – is strategic!
My conclusion is that (a) people are not going through the necessary exercise of taking each of their strategies and objectives and identifying all risks that might affect their achievement, and (b) they are focusing instead on what might go wrong in their operations (including IT), or might create a loss in their financial portfolio.
This is supported by the principal Deloitte finding: “[only] 81% of surveyed companies now explicitly managing strategic risk – rather than limiting their focus to traditional risk areas such as operational, financial and compliance risk”.
I added “only” because, while some may see it as encouraging that 81% have upped their game, a large number, 19%, have not.
Another important finding is that only 67% say that “the CEO, board or board risk committee has oversight when it comes to managing strategic risk”. Either they are blind to risk that might derail the organization or have delegated it to somebody (such as a CRO) at a subordinate level.
This is a recipe for failure.
The third key finding is that only 13% believe their risk management processes support, at a high level, the ability to develop and execute business strategies. Another 48% believe their processes are adequate.
If this was my company, I would be very concerned!
I am encouraged that 43% are improving their ability to continuously monitor risks. I will close with this excerpt:
“It used to be that if certain risks were to happen, a company could have up to a news cycle to respond,” says Phil Maxwell, Director Enterprise Risk Management, The Coca-Cola Company. “The speed of risks is so much greater now, and as a result you have to be more prepared – faster to respond than you were in the past. That’s one of the biggest differences today versus even three or four years ago.”
I welcome your views and comments.
If you are, I am worried that you might be relying on so-called research by the analyst firm, Gartner. Each year, they publish a Magic Quadrant (MQ) that is presented as addressing organizations’ needs for GRC software. Their 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’ (EGRC) is available from Gartner or one of the included software vendors. (I haven’t seen the 2013 MQ).
The purpose of the MQ is to present their “assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives”.
It is good to see my former employer, SAP, in the top quadrant. This means that Gartner considers them visionaries with a high ability to execute.
Also included are players with whose products I have some familiarity: Archer, BWise, IBM, Thomson Reuters, MetricStream, and Oracle.
But does this mean anything? Does it actually have value and relevance for organizations seeking to improve their governance, risk management, and compliance programs?
I have so many criticisms, it is difficult to know where to start:
- Gartner assesses software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same as your prioritized needs and requirements! While they talk most prominently about risk management and compliance programs, and these are typically the areas with the greatest need and potential ROI, they include requirements for internal audit, policy management, and more. How many companies would give significant weight, when considering solutions for risk management, to the needs of the (typically small) internal audit function? At the same time, they exclude critical functionality (in my opinion) around the capabilities to link strategy and risk, perform risk monitoring, and support risk workshops. How can you run an effective risk management program without the ability to continuously monitor risks in this turbulent business environment? When you are assessing the effect of uncertainty on objectives (i.e., risk), how do you do that when you have no way to identify the risks to each objective?
- They talk about governance, but their assessment includes next to nothing that supports governance. Even their definition of governance is limited and, in my opinion, wrong. It doesn’t include board communications, for example.
- Gartner assumes that you need a single platform for risk management and compliance. I believe that compliance-related risks should be included in the risk management program, and that a risk-based approach to compliance is generally wise. However, I find it difficult to believe that all the requirements for a compliance program (e.g., ethics certification and training, investigation case management, legal case management, whistleblower services, anti-money laundering and FCPA compliance, and more) can be found in a single solution – let alone one that supports risk management as well.
- Gartner assumes value in the integration of these various functionalities. However, that integration has much less value in practice than they consider. I would prefer to see integration between strategy and risk management than risk management and internal audit!
- They don’t consider the need to integrate risk and performance (and strategy) reporting. If we are to integrate risk management into the fabric of the organization, you need combined reporting on both performance and risk indicators.
- Few organizations have a ‘GRC’ organization, one that combines (as Gartner sees it) risk management, compliance management, policy management, internal audit, and some limited aspects of governance. So why should we think about a GRC solution?
I will stop there, noting that looking for a ‘GRC solution’ is (IMHO) short-sighted and likely to lead to selecting the wrong software for your organization.
I might use the MQ to make sure I am considering all the vendors that might have solutions to meet your needs.
But, I would define my requirements based on my needs, my requirements, my potential ROI, and not the needs of the fictional organization considered by Gartner.
I would also be concerned if a vendor presented their solution as addressing the requirements of an EGRC platform, as they may be designing a solution to get better grades from Gartner instead of satisfying their real customers.
What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.
If you need to address needs in multiple areas, where is the value from integration? Is it better to get separate solutions that are optimal for each area than one that perhaps is good in one or two but less so in others?
As I look back at my former companies where I was chief risk officer, ethics and compliance officer, and led internal audit, I would not have acquired one of these EGRC solutions. I would have acquired separate solutions for risk management, legal case management, SOX compliance, ethics management, and so on. The integration I would have prioritized would have been between risk management and strategy/performance management, and I would also have given significant weight to risk monitoring (using the sophisticated analytics tools now available from SAP, IBM, and Oracle).
I welcome your views.
The regulators and others around the world are asking organizations, especially those in financial services, to establish a risk appetite. This is typically in the form of a risk appetite statement or framework.
Let’s look at a couple of definitions of risk appetite.
“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value” (Understanding and Communicating Risk Appetite)
“To fully embed ERM in an organization, decision makers must know how much risk is acceptable as they consider ways of accomplishing objectives, both for their organization and for their individual operations (division, department, etc.)”
[You may have seen my review of the COSO publication, which includes links to other thoughts on risk appetite.]
A similar view is expressed by a global financial services authority:
“Risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives” - Institute of International Finance (http://www.iif.com/regulatory/article+968.php)
But, there are a number of people who believe that risk appetite is a flawed concept. I recommend a read of a paper by Grant Purdy, Demystifying Risk Appetite. When risk practitioners from around the world convened to develop a global risk management standard, ISO 31000:2009, they preferred to discuss risk criteria – a preference I share.
Is risk appetite a useful concept?
Let’s approach this by asking, as individuals, “What is your risk appetite?”
Perhaps you are saying that you are not a business, agency, or enterprise. But you still have objectives you want to achieve and you are more likely to succeed in achieving or surpassing them if you understand and treat/manage/address the risks and opportunities in your path towards those objectives.
Your personal objectives may include long-term ones like saving sufficient money to retire at a certain age, maintaining a certain level of health, or getting to vice president before you turn 35; short-term objectives might include being able to get to work on time today, or finishing a certain number of tasks at work so you can both make your manager happy and have dinner with a happy spouse at 7pm.
You will take risks in accomplishing these objectives. There is no “may” about it; you will take risks. With respect to your drive to work, your arrival time might be affected by weather (both good and bad), the volume of traffic (less traffic meaning you will surpass your objective), dangerous drivers, the possibility that you will fail to see another car when you change lanes, a request from your spouse to take the kids to school on your way, and so on. As you decide to leave, these are all uncertain events or situations that might or might not happen.
What is your risk appetite when you are deciding whether to change lanes because the traffic in front of you is too slow?
What is your risk appetite when you are deciding whether to agree to take the kids to school or ask your spouse to do it?
You have to decide whether to take these risks. You will certainly have a number of criteria that will help you decide, such as the potential for reward (arriving earlier or avoiding a delay in arrival) and the potential for loss (an angry spouse or manager, or physical injury if a car hits you). You will consider the magnitude of the potential loss or reward, the likelihood of each happening, and your ability or capacity to sustain any loss.
Can you put a number, a monetary value, on it? Is it a percentage of your net wealth?
When you decide whether to take a risk, you will be influenced by the likelihood and size of reward against the likelihood and size of loss. Will you decide to change lanes when there is an 80% chance of arriving on time if you do vs. 15 minutes late if you don’t, when you assess the risk of a car hitting you at less than 1%? How about if the chances of a crash are 5%, because there’s a lot of traffic, or 15% because visibility is low?
You will try to make an informed management decision. You will use your judgment, and you will not even think about anything like risk appetite. “Criteria” is a concept that makes sense, but not “appetite”.
Isn’t running a business similar to driving a car, in that you want to make informed management decisions using your best judgment?
Will you decide whether to expand operations into a new country using your judgment about the likelihood of success (at various levels) and the likelihood of failure (also at various levels)? Failure could mean loss of funds as you abandon new offices, lay off newly-hired staff, and write off assets; it could also mean loss of customer confidence, reputation damage, and even loss of life (depending on where you expand).
Can you put a risk appetite value on this and say, as COSO says “how much risk is acceptable”?
I can understand that it may be important to know that management is not putting the survival of the company at risk, or that the company has not put on the casino table of business more than it can afford to lose.
But is that how you make decisions? Is that how you decide whether or not to take a risk?
What is most important is that:
- Managers and executives recognize that when they make decisions they have to consider what might happen, and the effect of that is what we call risk
- If a manager is to be successful, he has to recognize risk, assess it (upside and downside), and if it is at an unacceptable level act to modify it – because that increases his chances of being successful and the level of success he will achieve
- Decision-makers should use their best and informed judgment to take risks. When the potential effect is outside their authority level, they should escalate the decision to more senior management – in the same way they make purchasing decisions
- The consideration of risk is an integral and essential element of decision-making and management in general. It is not a separate discipline
What is your appetite for risk appetite? Should we limit the concept to situations where it makes sense, like how much money to put at risk in the financial market? Mind you, we used to call those trading or position limits rather than risk appetite.
I welcome your comments.
An article by a former CEO and board veteran (William George), published in McKinsey Quarterly earlier this year, makes interesting reading.
I agree with the author’s perspective that improvements in organizational governance should focus on the performance of the board rather than “ministerial details”. In other words, make sure the board’s discussions are informed, timely, constructive, and fruitful.
One of the first points that George makes is an obvious one: that members of the board have less insight and experience with the business and its environment, and less time to spend considering it, than the executive leadership. He calls this “information asymmetry”. The lack of timely information is a frequent complaint and I wish the author had included suggestions for how it could be improved. My view is that the board should recognize this as a problem and set expectations with management on what they will receive, when it will be provided, and the level of detail that will be included. Management should be held to that expectation. In addition, board members should meet at different business locations and receive regular educational updates from leaders of the various business areas.
The author makes an interesting point, without calling it out as such: independent board members who are not afraid of “information asymmetry” have an ability to challenge established thinking and the views held by those with far more experience in the business. Fresh perspectives can bring fresh thinking and the breaking down of long-held bias. However, this means that the know-it-all executive has to change and be prepared to at least listen to new ideas.
I am encouraged by George’s observation that board performance has improved, “with a new generation of CEOs sharing with boards more openly, listening to them more closely, and working to achieve a healthier balance of power with independent directors”.
The article mentions the need for “good chemistry”, but doesn’t call an acid an acid (or a spade a spade). George recalls how an independent director challenged the CEO in the board meeting while the other directors sat silent. But when they moved to executive session, they suddenly were able to speak and voice their agreement. This is poor performance, whatever your views are on chemistry. A board member who is silent in front of the CEO and only able to speak when he is not present is a poor performer. It is essential that every director be prepared and willing to speak out, even when alone in his views. Directors who don’t are only qualified to carry the CEO’s rubber stamp.
The author does call a spade a spade when he talks about the need for real succession planning. The board simply cannot afford to defer to a CEO that does not support or even obstructs such a process. I suspect that when a CEO is unwilling to consider succession planning he is probably a poor developer of executive talent; I would worry about what would happen if he were to leave.
George shares his views on whether combining the role of CEO and board chair is a good or a bad thing. He seems to come down on the side of combining and I will let you decide whether he is convincing.
In his concluding Reflections section, George makes some useful suggestions. I like this, from the middle of the second bullet.
[Everybody that works with or on the board should demonstrate] “high-level listening skills, the ability to see situations from the other person’s perspective, and the wisdom to understand the basis for the different points of view”.
I welcome your views and perspectives.