By Horst Simon, The Risk Culture Builder, taken from the IRM Energy publication
Regulations, Cyber attacks, Security situations and Global Climate Change—paranoia in a world that is still just a spinning ball with an increasing population; a place where businesses seem to boom today and are gone or “acquired” by tomorrow evening. This is the world of disruption in which risk managers must advise and support business managers to survive and build competitive advantage over peers and over future competitors that do not even exist in the marketplace today.
To top all of this, we have seen the toxic culture of corporate greed and deceit spread from banking into auto-making and lately to pharmaceuticals. Rigging is no longer a term associated with physical hard work, and scheming (an adjective that describes someone who is always doing sneaky things to make things happen) is now evident in corporate boardrooms. It is almost a world in which bribery and corruption are perceived not to be criminal activities, though gladly that is still a perception that changes very quickly when you are caught. “White collar crime” is too often resolved by the payment of large fines without admission or denial of any wrongdoing.
Chief Risk Officers and Risk Managers are often wrongly seen as super humans who can single-handedly identify, own and be responsible for the identification, reporting and mitigation of all risks inside and outside the business. How did we get all of this so wrong and how will we fix it?
“Risk Culture is the balance of people, controls & chaos at the edge of business performance” was a quote from the weekly Risk Culture Builder quotes, and reaction to this went as far as a comment saying: “Risk is not part of culture”. With all the perceptions and opinions out there, let us look at getting some clarity from this chaos.
Clarity from Chaos
Change starts at the top. Executives live in a space of information overload and risk reporting sadly fell into the same trap. Board Risk reports in many organisations produce more information than can be digested and certainly much more than is needed to make better decisions. The first step is to filter this to what is really required and useful. So many risk reports are just presentations of historic “data” that is not converted into “information” and thus not of much use to those to whom it is presented. The risk visualisation example found on the Risk Guide website is one way to move away from this information overload.
Filtering brings us to three key elements to watch: Money, Risk and Change.
Money is why we take risk, as the essence of any business is to take risk for reward, so we have to watch the money. Bad cash flow kills companies and, as we see more and more now, so does greed. Find that balance between risk and reward and always remember that you can only take more risk as you get better at risk management; thus more money is a result of better risk management, nothing else. Those who still see risk management as preventing things from going wrong will differ with me here; those who understand that risk management is about management of risk and opportunity will understand and agree.
Secondly, you must watch the Risk: both the levels of risk internally and externally, as well as emerging risks, including those that do not presently exist. There are two big pitfalls here: trying to identify all the risks, and focusing more effort on the internal ones rather than what is outside of the business. You can never identify all the risks you are exposed to, so the ability to assess risk and take the best decision in response to that situation of risk is more important than risk identification. The basic risk management process should start with managing the ones you know about and consider to be above the current acceptable levels within your risk appetite. So many executive teams struggle through pages and pages of risk reporting on what is internal to the business and focus all the risk management efforts on controlling everything internal to the business. This is similar to building a bomb shelter but not putting sandbags on the outside, a pretty useless exercise. Generally, what is inside is well known and, if you are still in business, reasonably well managed; the ones from outside are the ones that are most likely to put you out of business. Too often, I hear and see executive teams trying to drive the profits up and the risk profile down. Getting all the risks “green” will never bring sustainable growth and certainly not bigger profits.
The third key element after filtering the information overload is Change. The world is changing at an unprecedented pace; the levels of change are much bigger than before and change is happening much faster than before. During any phase of change the level of risk increases and new risks are introduced during the process, or sometimes because of the process. No business can exist without human intervention and there is a limit to the level of change and the pace at which any human can accept such disruption. So often, we see examples from the oil industry where they launch a multitude of new projects, restructure, enter new markets, change operating systems or involve themselves in mergers and acquisitions, all at the same time.
The foundation for success must be built at the top and from that level down the strategy must be clear on the goals for Money, Risk and Change, in a balanced way.
How much do we need to make? How much risk will we take to do that and what if things go better or worse? How much change can we afford and cope with? “Make as much as we can” is not a goal, it is a recipe for disaster.
Once the foundation is laid, we can move on to the future of risk management. The most difficult change is to move on from risk management being seen as an obstruction to business that is only relevant in industries where there are regulatory requirements to be complied with, to the understanding that it is essential to drive value and sustainability. Risk management operations in any business must deliver a positive return on investment; risk management is not part of the cost of doing business, it is the driver for business success.
However, there is always the risk of employees seeking to maximise their bonuses who may take excessive risks, particularly if their bonuses or other incentives are based on immediate results and ignore long-term profitability and prudent risk management. In the oil industry there are numerous examples of major accidents occurring due to cutting corners in order to meet schedules, or risk management being silenced in order to hide true completion dates in order to achieve quarterly bonuses.
The second challenge is changing risk reporting from this rear-view mirror picture, based on historic, often inaccurate, data, to something that is forward-looking and can support better decision-making in the business. Even with more than 16 years of experience in Operational Risk, I still cannot understand the importance and focus placed on historic risk reporting and often ask the question: “Do you care about how much fuel was in your car last week?”