Building an award-winning global community of risk champions – with Alexander Larsen, Peter Smith and Vladislav Kulakovsky

This article follows on from another Risk Champions article – Building an Effective Risk Champions Network

As published by Risk Leadership Network – Publication date: Thursday, 13 May 2021 – with Alexander Larsen, Peter Smith and Vladislav Kulakovsky

Creating a consistent framework for risk management across a diverse, multi-national organisation can be difficult, but a network of like-minded people can spread the culture needed for its success.

Performing cohesive risk management across different sites is never an easy task, but when the operations of those sites include a multitude of different specialists and technicians, this amplifies problems.

The risk managers interviewed here, along with colleagues, came up with a simple yet effective idea that took risk management outside the traditional risk function to interested individuals so that risk became a part of everyday life.

They then created a centralised tool so this community could share best practice and improve knowledge and understanding globally. The result was an award for best risk communication initiative at the MEA Risk and Insurance Excellence Awards 2016.

Exec summary

• At its heart, risk management relies on having the right people in the right place to gather and analyse the information needed to make better business decisions
• Alexander Larsen and Peter Smith, who were interviewed for this case study, along with colleagues including Vladislav Kulakovsky, created a network of risk champions to help them improve risk management across a multi-national oil company
• Not only did they bring people outside of risk management into the risk function and improve understanding and day-to-day practices and procedures, but they also created a global community underpinned by a culture of sharing to distil best practice across their company globally

Context

The company had a lot of international assets (oil fields) across the world and the company was keen to manage its overseas operations out of one single office in Dubai, which is where Vladislav, who kickstarted risk management within the project, and we, were based. Although based in Dubai, Alexander eventually moved to Iraq for a few years to work on the Iraqi asset that was being managed from Dubai.

We decided early on that the Iraqi asset, a megaproject, would be a good starting point for an initiative that looked to improve risk management on the ground in Iraq, both during the project and when it was handed over to operations for ongoing management of the facility.

The oil field in Iraq was the largest undeveloped asset in the world at the time, and the company was investing billions of pounds into its development over several years, so it was a really mammoth undertaking, with several megaprojects running simultaneously, often inter- linked.

Having appropriate and effective risk management controls would be a big factor in its success both in terms of meeting project timelines and budget, but also for its successful operation once the facility was complete.

We, and indeed the rest of the risk management team, were neither drilling experts nor geologists so we decided to set up a risk champion structure using staff from the various technical departments on the ground in Iraq to help feed into the risk management process. This would be critical to the success of not only risk management or this project, but of other projects too.

Although it took time to gain traction and there were numerous challenges (language, culture, risk understanding and differing project or departmental objectives, to name a few), once it was implemented successfully, the risk team realised the opportunity for sharing the lessons learned.

Taking the successful risk champion structure and then distributing it to assets across different continents would allow other facilities to learn from their successes and develop their own risk champion structure (or improve already established ones). It would also allow sharing of ideas and knowledge that may even bring benefits to the Iraqi asset, where it originated.

Over time, the network expanded further, inviting non-risk staff to join, and providing access to a knowledge database of tools, procedures and best practice.

Before the network was in place, there was a lot of communication with, and travel to, overseas suppliers and contractors. So, we thought that by having individuals in each of these different areas of the business, we would reduce the amount of time spent on collecting the information, while also increasing the quality of the information. Then, we could focus on running quantitative risk analysis, reporting across the project and supporting decision- making within the projects – which, after all, was the main part of our job.

Key Steps

Sourcing network champions

The way we decided to approach expanding and improving the risk management programme and bring in expertise from various areas of our business was to set up a network of risk champions.

These were people who had the right roles in the right departments and who could provide us with the right level of information on their aspect of the project. They also had a certain level of technical expertise combined with an ability to learn and communicate ideas.

It started out as an informal process; we needed help speaking to various experts in the business and understanding the technical information being fed to us by people like geologists or engineers.

In order to find the right individuals, we would look for people across the business who were showing an interest in, and enthusiasm for, risk and developing their understanding of risk management.

Getting champions on board

Once we’d determined who was keen to get involved, we would speak to their manager, explain what we were trying to achieve, and get their permission to start involving that worker in the risk management processes.

Sometimes there was some pushback from managers on this, so we would need to involve influential people who were onboard with our project to try and convince any dubious manager of the benefits of letting their employee get involved.

Conversing with champions

We would meet at least once a month, both in formal and informal sessions, to share information around what risks we were facing and how the controls were working. This would be in offices on site in Iraq, but could include more relaxed meetings like going for a walk around the site in the evening, for example.

It was important to build a relationship of trust and friendship with them while also making the risk management discussions more relaxed and fun.

All the information and risks we gathered, as well as the analysis results, we then fed to the Dubai office, where Peter and Vlad would bring all this together into a central source for the Iraq asset that detailed all of our policies, procedures and risk analysis work.

Outputs

Creating consistent reporting

One of the first tangible outputs to come out of the risk champion network project – and the Iraq project more widely – was a set of more complete and more effective dashboard reports that gave an overview of all the different operations in Iraq so they could be reported on in one overarching report.

When this reached the corporate team operating in the Head Offices, they too wanted to expand the value beyond the international business. It also paved the way for these reports and the practices we had put in place to be rolled out across the company.

We were able to take these reports to our partners in joint venture projects, as well as our suppliers, so they could see how we did risk management, but also so that we could incorporate our risk management processes into their operations to better manage the risks we faced from the work they were doing either with us or on behalf of us.

Building a global community

At this point, the overseas office in Dubai was really starting to see and understand the value of what we were doing in Iraq and wanted to roll it out across all of the company’s other assets around the world.

Up until then, these different sites had, of course, been practicing some form of risk management, but there was no overarching structure to it, and the levels of risk management being undertaken at each site varied greatly.

To bring some level of harmony to all these different sites, we decided to establish what we called a community of practice. Peter set it up initially, using the information, policies, procedures and risk champions structure that Alexander and Vlad had developed on the ground in Iraq and in the Dubai office. We then added to what we had in order to provide a more overarching approach that might be suitable for all assets.

The community of practice was a virtual group for everyone within the company who had a responsibility of risk, regardless of which site they were working on or in which region they were based. We then shared best practice solutions and success stories from our experience in Iraq so that they could be incorporated into all the different risk management practices across the company as a whole. Over time other assets shared their success stories and challenges too.

Building a central repository

Once we had firmly established ourselves in Iraq and been given the go-ahead from the overseas office to push these ideas out to the other international operations across the world, we knew that alongside having the community of risk champions, we would also need a

central hub for sharing all the different documents, reports and pieces of information that these individuals were creating.

And that central repository of information we created eventually became one of the successes underpinning the community of practice that had been rolled out across the company.

The repository was initially based on the information we had collected as part of the Iraq project, but we later expanded this to include a database of resources and a chat function so people across the various different sites could comment on the resources, asking each other questions or providing feedback.

The different sites were able to download the various resources in the hub and then tweak and tailor them to the specific needs of their part of the organisation.

This really helped to create a unified approach to risk management across the company, while still allowing processes and procedures to be flexible enough to meet the specific requirements of each region and site.

Expanding the community of practice

As part of this roll-out to the wider company, we knew we also wanted to expand and formalise the community of practice so that other individuals outside of the risk function could be brought in to help the different sites, just as we had done in Iraq. We started working on improving the community of practice along with input from Vlad and other risk managers in the business to build something formalised and engaging.

To do this, we created a training programme that was delivered across the different assets, and at the end of each training session there was a sort of advert for the network, encouraging people who were interested in finding out more to get in touch.

In addition to this, we formalised an agenda that ensured each asset shared their own best practices and training presentations. Each asset was also given the opportunity to share their own documents and reports to the central repository.

While working on improving the community of practice we also revised our original risk champions network in Iraq to improve it further. For those that ultimately got involved as a risk champion, we began incorporating risk management objectives into their performance review. This really helped to give a formal structure to the network, as well as helping to build a culture that was putting risk management at the heart of everything we do.

These objectives would then get progressively more demanding and complex as people improved their understanding of risk management, until they became a fundamental part of the risk management process, and quite a few of those early champions are now carrying out roles that are solely focused on risk within the organisation and also in other organisations.

One last initiative we decided to launch was to open up parts of the central repository to contractors and partners in order to encourage knowledge-sharing among them and improve performance on our own projects. This also involved inviting contractors and certain partners to attend our meetings.

Results

One of the most successful projects we were able to use the risk champion network for was the building of a quantitative risk model based on several scenarios that included oil price, credit worthiness of partners and investors, production output, reservoir pressure and other factors.

Due to the information we had gathered and analysed with the help of all the risk champions, we could run in-depth analysis quickly and effectively. In a number of weeks we were able to build and run over 60 scenarios, something that would have been impossible without the risk champions. A couple of scenarios would have been challenging enough!

With these scenarios, we were able to demonstrate to the overseas office, as well as the HQ, the power of risk analysis. The fact that they were already used to seeing the dashboards we had created for the ongoing risk management reports meant that they were already familiar with how we operated, they trusted our data and our reports, and it was therefore much easier for us to secure their support for taking a more risk-focused approach to decision-making. This was a fantastic way to demonstrate the value of what we were doing with the risk champions network and this different approach to risk management in Iraq.

Meanwhile, the success of the community of practice was demonstrated by the fact that all the assets were providing better and more consistent risk management analysis and data despite different cultures, projects and contractors. We won a risk communications award for the work we did on the wider risk champion and community of practice project, and we even took our internal risk management training to a conference where they asked us to run a one- day masterclass in which we, along with Vlad, led various mini exercises and presentations.

The award was a great opportunity for us, and it also demonstrated once again to head office the value of what we had created, as well as representing the business in a good light in front of our peers at a big industry event.

Lessons Learned

• Understanding people and their personal and business objectives lets a risk manager understand who will be a blocker and who will be an enabler to a project. This allowed us to quickly navigate through the teams to ensure we targeted those who would engage with the process, drive adoption from within their own team and get results
• People want to share knowledge. Simply creating the platform allowed a passionate group of risk managers, risk enthusiasts and interested parties to share, communicate and learn, and that central repository of information created a hive of activity and discussion that only served to benefit the business
• Finally, the knowledge and experience sharing within the community of practice was so effective in strengthening risk management immensely across all assets globally

Bitcoin Matters

As a wide range of digital assets become mainstream, organisations need to carefully assess the opportunities and risks of adoption

By Dylan Campbell, SIRM & Alexander Larsen, CFIRM

Originally published as a shorter version in the IRM’s Winter 2022 Edition magazine “Enterprise Risk”

The last few years have seen a lot of hype around the converging technologies of web3, blockchain, cryptocurrencies, NFT’s and the Metaverse. In a previous article we laid out how the Metaverse is shaping up and whilst we concluded that the Metaverse will take a while to become a reality, blockchain technology, in which much of web3 is built upon, has now risen to prominence, gaining wide spread adoption.

According to Blockdata research, 81 of the top 100 companies use blockchain technology. It was found that the technology is being used in areas such as payments, traditional finance, banking, supply chain and logistics. This is no longer a technology of the future that may or may not be useful, but a technology that is established and being developed. For more information on the Blockchain refer to a previous article here

The tumultuous rise and fall in the wider cryptocurrency market, led by Bitcoin, over the last two years has no doubt triggered renewed concerns regarding legitimacy of the asset class, with many pointing this out as proof that this is just a passing fad being fuelled by speculators.  Whilst on the surface it may look this way, there are many indicators that suggest that it is actually here to stay. We will therefore take a closer look at the opportunities and risks of Bitcoin corporate adoption and review the possibilities that may exist in Web3, where cryptocurrencies, NFTs, the Metaverse, decentralised finance (Defi), community tokens and decentralised autonomous organisations (DAO’s) all converge. 

What are Bitcoin and Cryptocurrencies?

Reflecting on the events of the past two years, you may be forgiven if you missed hearing about how Bitcoin has won over some of worlds best known billionaires.  From technology entrepreneurs such as Jack Dorsey, Peter Thiel and Elon Musk to Wall Street legends such as Stanley Druckenmiller and Paul Tudor Jones. All have embraced Bitcoin, but why?  What qualities does this relatively new, highly volatile and digitally intangible asset have that would garner such interest?  To attempt to answer that question, one must first understand what Bitcoin is and what it does.

Bitcoin is a new digital form of money that is censorship resistant, seizure resistant, borderless, permissionless, pseudonymous, programmable and fully peer-to-peer.  It is therefore available to everyone around the world and all that is required to interact with the network is a mobile phone and an internet connection.  With Bitcoin, transactions are not managed by banks or financial intermediaries, but instead value travels directly from one person to another.  Payment processing is not done by a regulated company like Visa or PayPal, but instead it is all facilitated by a decentralized global software network, with custodianship not handled by a bank but the users of the network. 

Other cryptocurrencies aim to emulate these attributes.

While the wider cryptocurrency market is awash with different digital assets and tokens (over nineteen thousand of them), Bitcoin has, since inception, remained the largest cryptocurrency by market capitalization.  To many investors, it’s Bitcoin’s longevity and simplicity that sets it apart from the rest of the digital asset market.

Bitcoin’s Mainstream Acceptance

A telling metric that reflects Bitcoin’s mainstream acceptance, is the increasing trend of corporate adoption.  One of the most prominent examples of this was NASDAQ listed MicroStrategy Incorporated’s announcement in December 2020 that it had made more than $1B in total Bitcoin purchases in 2020, claiming that would “provide the opportunity for better returns and preserve the value of our capital over time compared to holding cash.”  Following this other companies, such as Tesla, followed suit.

There may be several reasons why a company may wish to add Bitcoin to its balance sheet.  This may be to leverage a potential opportunity for asymmetric risk returns observed over previous years (given its early stage of global adoption) or as a hedge against currency devaluation brought about by unprecedented state intervention in the money supply.  It could be part of a corporate strategy to embrace modern, open-source technologies or to support an operational strategy that includes accepting Bitcoin as payments. 

A major developing area of Bitcoin is that of energy optimisation and reduction of carbon emissions. Despite the commonly held view that Bitcoin is bad for the environment, there are a number of initiatives that are focused on using Bitcoin mining to both reduce carbon emissions and increase the use of and viability of, renewable energy. As an example, Bitcoin Mining is integrated with wind and solar farms to help balance grid loads and optimise energy generation. The weakness of solar and wind is that they are intermittent and there may be periods where supply exceeds demand, thus leading to waste. By signing agreements with Bitcoin mining companies who get exclusive rights for times of low demand and to turndown mining in periods of high demand, energy companies are able to more efficiently run their operations. The measures implemented by the Electric Reliability Council of Texas (ERCOT) is a great example of this. By augmenting power generation with Bitcoin mining energy companies’ are able to raise capital to build more infrastructure which will help speed up renewable adoption and support making grids more resilient. Some hydroelectric dams in North America are already seeing the advantage of Bitcoin mining with an increase of revenue allowing them to make repairs and upgrades and keeping them in operation. 

Oil and gas companies such as Exxon, ConocoPhillips and Equinor are also exploring Bitcoin mining as part of their operations. Instead of letting excess gas be vented or flared which releases Methane (a more harmful greenhouse gas than CO2), they are looking to mine bitcoin with the excess gas which reduces emissions by up to 63% (according to Crusoe, a company dealing with Digital Flare Mitigation) whilst increases revenues (Bitcoin) allowing them to potentially invest in green initiatives or to make their operations more efficient.

Evolving landscape:  From Cryptocurrencies to Web3

The past two years have been transformative when looking at the wider altcoin landscape.  In the early days of Bitcoin, altcoins were largely cryptocurrencies that sought to challenge bitcoin.  This is no longer the case.  The concept of Web3 has risen to prominence where it’s staunchest supporters claim that we will have an “internet owned by the builders and users, orchestrated with tokens.”  If Web1 was the Read internet and Web2 is the Read-Write internet, then Web3 will be the Read-Write-Own internet.  In the following sections we will touch on various aspects of Web3 to understand whether this goal is being realised and what risks and opportunities may be presented.

Risks of investing in Bitcoin

Whatever the reason, holding a new asset such as Bitcoin on a balance sheet, most certainly exposes an organization to risk. 

As this is a digital financial investment, it is essential that the CEO, Chief Financial Officer, Chief Risk Officer, Chief Technology Officer, Board of Directors all have a clear assessment the asset’s risk profile and where this aligns and diverges from the company’s tolerance for risk.  As such risk managers are key to helping make their organizations aware of these risks so that appropriate mitigating strategies can be developed and implemented to help ensure success in this venture.   Key areas of risk to consider are as follows:

  *   Regulatory Compliance Risk:  Arguably the most important risk to consider given the relative immaturity of the asset class and the lack of firm regulatory treatment of Bitcoin and other digital assets across different jurisdictions.   Not only is it important to consider the company’s regulatory obligations, but also those of it’s counter parties (e.g. exchanges or custodians).   Items to consider would be KYC/AML rules, accounting rules, tax rules, commodity laws and securities laws.  These should tie in with existing company Code of Conduct rules.

  *   Liquidity Risk: This risk seeks characterize the company’s ability to meet its day-to-day working capital requirements through deployment of cash reserves.  A working capital threshold should typically be established with only cash in excess of this to be made available for digital asset investment. 

  *   Technology Risk:  While Bitcoin has a provable decades long track record of performance, it is vital that the technology be understood and monitored as it evolves.  Material changes affecting the validity of the protocol are deemed to be highly unlikely (not necessarily the case with other blockchains).  Nonetheless, the protocol continues to evolve, albeit at a measured pace.  Incorporation of bitcoin improvement proposals (BIPs) typically take years to agree before being incorporated into the protocol.  Adoption of the proposals does come with new features that allow for more functionality (e.g. BIP9, which facilitated deployment of the Lightning Network, a layer 2 solution that scales Bitcoin’s transaction throughput).  These could be leveraged by the company, but may also introduce unforeseen risks.

  *   Custody and Information Security Risk:  Thorough appreciation of the various risks associated with custody of bitcoin needs to be undertaken.  This is particularly important in the face of historical high-profile hacks.  There are different strategies a company may decide to follow with respect to custody of its bitcoin.  Self-custody, fully outsourced custody to a trusted third party, or using some combination of the two via multi-signatory custody may be considered.  Self-custody is considered harder to do securely for most organizations, but outsourced and multi-signatory custody are not without risk either. Should the latter two options be explored, secure private key storage, assurance of account statement accuracy, custodial service liquidation risk management, market volatility management (especially if the bitcoin is being rehypothecated) and information security protocols all need to be thoroughly understood and vetted.

  *   Transaction Control and Authorization Risk: Executing inbound and outbound transactions and cross account transfers will create several risks. Transaction workflows need to be fully understood with key controls put in place.  These include documented segregation of duties outlining who has access to the accounts and clear levels of authority detailing what type and threshold of transaction each person can or cannot undertake.

*   Stakeholder Risk: Bitcoin’s energy consumption has been a major point of concern raised by environmental groups and competing less energy intensive blockchains in mainstream media.  While recent studies have largely refuted these claims and indeed Bitcoin has even been demonstrated to promote responsible and efficient use of energy (e.g. the one USA’s oldest running renewable energy plants was kept afloat as result of mining bitcoin during off peak demand periods, promoting grid resilience).  Nonetheless, understanding and addressing stakeholder concerns with respect to adopting Bitcoin must be an imperative.  This will require well thought out proactive stakeholder engagement planning.

Decentralised Finance

To understand Decentralised Finance, one must first appreciate the challenges associated the traditional (centralised) finance system.  Most people can relate to the friction, inaccessibility and regulatory burden associated with interacting the current banking system. In recent years, these challenges only seem to be worsening and a trip the dentist seems preferable to a trip to the bank.  In many parts of the developing world even having a bank account is a privilege.  

Decentralized Finance or DeFi attempts address these challenges by allowing users to utilize financial services such as borrowing, lending, and trading without the need for a bank or financial institution. These services are provided via Decentralized Applications (Dapps), which are deployed on smart contract blockchain platforms such Ethereum, Solana or Cardano. Many have benefited from the boom in Defi. It has also however had its fair share of controversy. This ranges from abuse of smart contract bugs, Miner Extracted Value front-running, flash loan manipulation, and rug pulling.  Any venture into Decentralised Finance should only be undertaken with a full understanding of all the risk categories mentioned above.

Decentralised Autonomous Organisations (DAOs)

As with Defi, let’s start with a definition.  A DAO is a digitally native community that centres around a shared mission and whose assets are managed by the community’s contributors. A DAO is code committed to a public ledger and the blockchain guarantees user accessibility, transparency and rights. The DAO’s token determines its voting power, allocation of funds to achieve the groups goals, incentivizes participation, and punishes anti-social behaviour.  

DAOs can be set up for a variety of purposes where groups of individual need to raise funds to achieve a goal.  Some examples of this include Uniswap, a decentralized cryptocurrency exchange built on the Ethereum blockchain worth $ billions; and UkraineDAO, a fundraising DAO set up to collect and distribute donations to assist those affected by the war in Ukraine.

A significant advantage of DAOs over traditional organisations is the lack of trust needed between two parties with no leader or board making decisions. DAOs are however not without risk. The now famous Ethereum DAO hack highlighted the importance of ensuring Technology risk is properly managed.  A bug in the DAO’s code led to the theft of $60 million worth of Ethereum tokens. Regulatory Compliance risk would be another area that will require detailed understanding as regulators seek to define how these entities should be treated. 

The Metaverse, Cryptocurrencies, NFTs and Community Tokens

In a previous article we already highlighted all the opportunities and risks of the Metaverse and its important to highlight that if the Metaverse becomes a reality and widespread, the use of cryptocurrencies and NFT’s will boom. Cryptocurrencies is the main way in which people will conduct financial transactions in the metaverse whilst NFTs will be the items you buy. 

Whilst the Metaverse will ensure widespread adoption, NFTs don’t require the metaverse to have a use case. They can be, and are being adopted right now for university degrees, house ownership, artwork purchases and any other real-world item that is unique and requires ownership proof that can be stored and found securely on the blockchain. 

Some organisations are developing their own Cryptocurrencies or NFTs in order to reward customers or staff and tie them into their own ecosystem. JPMorgan developed one to make global transfers cheaper and faster whilst Amazon have developed one to work as a store card. Binance, a cryptocurrency exchange that allows users to trade various tokens, have their own cryptocurrency to reward users for using their services and helps provide a competitive advantage against the competition. Football clubs have developed NFTs for fans, allowing them access to players and allowing them to vote on things such as what song to be played when a player scores a goal and this could be extended to much more serious votes in the future. Expect the emergence of cryptocurrencies and NFTs being created by companies to increase further with Google and Facebook expected to launch too in the near future.

What about Central Banking Digital Currency (CBDC)?

Central banks have been providing money to the citizens of the respective countries for centuries. To keep pace with a rapidly changing world and pursue their digital public policy objectives, some central banks are actively investigating offering their own digital currencies to the public

CBDC’s are being considered as a future for the national currency by some central banks. Where previously we had paper money and money sitting in our bank accounts, some central banks are now looking at creating CBDC’s which are essentially centralised cryptocurrencies. They claim it has a number of benefits from reducing tax evasion to understanding population spending habits and reducing fraud and the funding of illicit activities. The potential risks it poses however include the ability of a government to fully monitor the population and restrict access to their funds or what they can spend their money on. Currently countries like the UK and USA are already reviewing the concept and have plans to implement them whilst the e-Krona in Sweden is already under testing and countries like the Bahamas have already adopted it.  Whether benefits outweigh the risks remain to be seen and it is likely that CBDC’s will live alongside their decentralized counterparts such as Bitcoin.

Conclusion

Despite the concerns and scepticism associated with of Bitcoin, NFTs and altcoins, it is clear that adoption is happening, and it is likely only going to become more wide-spread. The question is what involvement should an organisation looking to get involved have? From investment to developing their own cryptocurrency or investing in the ecosystem, there is plenty to explore, and as with all initiatives that have high rewards, they come with plenty of risk. 

Alignment with the organisations vision, mission and values would be the starting point, followed by development of a digital asset strategy.  Once this is in place a thorough assessment of the opportunities and risks needs to be undertaken with particular emphasis on where these converge and diverge with the company’s risk tolerance.

Written By

Alexander Larsen, CFIRM – Founder of Risk Guide & Chair of the IRM Energy & Renewables SIG

Dylan Campbell, SIRM – Secretary IRM Energy & Renewables SIG

The demise of Risk Management and the light at the end of the tunnel

By Horst Simon, The Risk Culture Builder

Bank regulators have been on a “capital charge”-path for a very long time. No capital charge can be a buffer for bad management of risk. History showed us that sometimes ALL the capital is not enough to save the bank from a risk event gone wrong

Then they created a thing they call conduct risk and went on a “break the bonus mission” thinking that money and incentives can reduce the risk posed by humans in a business environment of greed and profits. Conduct is the outcome of good or bad people risk management and can only be mitigated by addressing people risk.

Risk equals Reward, the problem is not with the risk, the problem is that organisations try to take more risk for more reward WITHOUT getting better at the management of risk. You can only live on the edge if you are good at managing risk.

All this time, and still; there are hundreds of people running around with standards, frameworks and guidance papers converted into PowerPoint presentations; selling it off as a couple of days training to obtain some obscure “internationally recognised” certification in Risk Management. No wonder we have so many “experts” in Risk management! A couple of days, a multiple-choice exam after a couple of thousand dollars can even get you a “certified diploma” in Risk management.

Finally, some are now realising that the answer to all the losses, scandals and fines is to build an effective Risk Culture. You can have the greatest looking set of values on the wall, the most optimised capital charge, the best-looking dashboards and best policies, systems and processes; if the humans behind it act up; it is all worth nothing.

Risk Culture Building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimise risk to the advantage of the organisation. It is not about using concepts and buying systems created outside your business by people who might not even understand your business; it is about training every employee risk management skills and sending the information down the line for them to take risk-informed decisions. It is about what the entire workforce does daily, not about how well the selected “army” defend.

We have known for a long time that no two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by many factors, the main ones are:

• Nationality & culture
• Childhood experiences (and formative environment)
• Work ethics, trust & honesty
• Education (and the way it was obtained)
• Work experience
• Religion and other spiritual thinking
• Attitude towards life (and death)

Risk practitioners generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Risk Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response lack.

Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something daily to mitigate, control and optimize risk.

At the end, it all goes into the “Human Control Malfunction” – box and it is important to realise that your key human controls are often those who are paid the least.

The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

Finally, stop trying to do everything and chase all so-called best practices, it is impossible to do. The challenge to build an effective Risk Culture in your organisation requires passion and dedication and has no end-date. Risk Culture Building is an agile process that needs to change and adapt as the internal and external risk profiles change, a process that can only be stopped by the organisation failing and going out-of-business. Successful Risk Culture Building is never reaching that point.

Top-down Drowning

By Horst Simon, The Risk Culture Builder

I know some of you are already thinking about Bottom-up drowning. Not really an issue, when the bottoms are up, drowning is complete. A better thought is likely to be: “How decisions at the top can kill those at the bottom”

We learned from the Titanic that an “unsinkable” ship can very quickly become a sinking ship because of greed and wrong decisions at the command centre. Today’s command & control companies are thus high-risk places. Over a period, we have centralized more-and-more into these corporate status towers and in the process, those living in them became removed from reality; they know less-and-less about what is really happening out there. In most command centres, we only know what the “committee” tells us and we all know that most (risk-and other) reports go through a process of “sanctification”—they get better the higher they go!

Communication and reporting is often so bad that the command centre does not even know that people are in the water and busy drowning; let alone that there are way too few lifeboats and losses are unavoidable. But we challenge reporting in our Board Meetings! Great, challenge is good, but the internal business battles between the subcultures distort reporting and these wars can destroy the corporation. These are not the office punks, rockers and skaters who recently joined the workforce; these are the HR-people, the Finance-people, The IT-people, and the Auditors and so on… The subculture with the most flamboyant leader generally gets the most airtime and the biggest slice of the cake as they are perceived to be carrying the whole cake.

Some greedy, bad captains cling to power until they go down with the ship; or get kicked-off (sometimes this happens way too late); whereas others jump ship first, survive and move on to another ship as a hero. When all is submerged and casualties are floating around, the vultures and treasure hunters come.

Finally, back to bottom-up drowning: Yes, that is possible, but normally only in cases of civil unrest; lately these are multiplied in size and speed by social media. So, if you are not the “commander” of a country, do not worry about this one, worry about the top down one only.

Never forget that part of commanding is also how you lead & treat those whom you command!

Bon Voyage!

Now is the time for Insurance to prove it’s worth

By Ben Norris for Commercial Risk

A Ukrainian risk manager told Commercial Risk’s latest event that now is the moment for insurance to prove its worth and help his country in its hour of need.

Speaking at our Global Programmes Conference 2022, Mykhailo Rushkovskyi, risk manager at DTEK and founder of RUNDERC, also believes business needs to urgently review its approach to risk and insurance management following his country’s invasion by Russia, in order to deal with future systemic shocks.

He urged insurers to step up and help insureds in the Ukraine, as well as others around world affected by the war, to bounce back from the ongoing crisis.

“Now we are in the moment where insurance must show its value and its support for business and the recovery. This is the challenge not only for Ukraine but also the global market because we have a lot of joint projects, infrastructure and logistics, and it is all interrelated. We are all linked to each other,” said Rushkovskyi.

He likened insurance to a parachute that can seem unnecessary when on the ground but is clearly needed once you jump out of the plane. Ukrainian companies are now at that point when they need the parachute to open.

Rushkovskyi said the big lesson from the war in Ukraine is that the world of risk management and insurance cannot carry on doing things as it did before the crisis.

“My crystal risk management ball says this is not the last systemic shock we will face. For example, we haven’t yet had the big cyber crisis, we haven’t had the big logistic crisis… so we urgently need to review our risk management systems and upgrade them,” he said.

Rushkovskyi added that insurance will need play an important role in building this stronger resilience and buyers need more bespoke solutions.

“We can’t use one-size-fits-all solutions. This will not work,” he said, before urging all parties in the risk transfer chain to come around the table and develop better cover.

“We need to talk,” said Rushkovskyi. “This should involve all parties, the risk managers, the insurers and brokers. We should all sit together and find solutions for specific risks, not one size fits all,” he added.

As well as pushing insurers to deliver on their promises and develop better risk transfer solutions, Rushkovskyi urged them think about the costs and value of the product they sell to corporates.

Expecting inflation to drive market hardening again in Europe this year, he suggested companies may become less inclined to buy increasingly expensive cover that, in some cases, has yet to prove its worth.

“Risk managers are coming to the board and saying ‘ok we have this insurance that may or may not work, and today it costs twice as much as it used to’. Put yourself in the shoes of the top management. Are they willing buy that insurance? Do they have trust in the insurance coverage? This is an open question to think about,” said the Ukrainian insurance buyer.

He went on to warn that the war in Ukraine could impact risks on other countries. For example, he said some countries are heavily dependent on agricultural exports from Ukraine that may struggle to deliver.

“There is a huge amount exported in the third quarter of this year. It is usually exported through the largest sea ports of Ukraine in the south but now we have only two ports for these operations. And we have Russian military ships in the Black Sea. So, this is the challenge to deliver these goods to other countries,” he said.

“So there could be social unrest in these countries… that could trigger another political crisis in different regions around the world. The ripple effect is really, really significant,” he added.

What makes a great Risk Manager?

Views from Risk Professionals across the world

During the recording of “Risk Managers Getting Coffee” which can be found on YouTube HERE as well as on our website here, a few discussions came up with a recurring theme. One was the question of what makes a great risk manager. Risk Guide has created a short clip of all the answers from the season in for this and other questions that were raised. The video is available at the bottom of this article

Quantitative skills, Theoretical understanding, Soft skills or other?

This is a question often asked and discussed. Some believe that Quantitative Analysis skills are critical or technical knoledge/theory are vital, whilst others focus on soft skills such as presentation and networking as well as being able to lean on charisma.

Obviously the answer always depends on what the organisation specifically needs and who is already in place and any team should be seeking to find a balance. If there is just one role available however then the only answer should be someone who is well rounded, has an abundance of soft skills, is likeable and can solve problems. They will need to bring people onboard within the organisation and build a positive risk culture. The only way to do this is through good networking, building relationships, understanding what drives people and being able to tell a risk story.

A technical practitioner or someone with an abundance of theoretical knowledge will never be able to translate this into something interesting or something of value for the business. Often times Risk Frameworks become overly burdened with heavy processes that fail early on. There will often be a tendency to want to reach the highest levels of maturity without bringing people on board.

A Quantitative practitioner on the other hand will bring some great data points to the table for decision making but may fail to build the right networks and relationships to get reliable data in the first place. And do they understand how to present this data in the right way to the right people?

Again, it is important to stress that both these types of people are vital to have in your business if you have reached the right maturity levels. If there is buy in from the top, buy in from the business, if people are getting risk management concepts and are interested in contributing. They will also form part of a very effective team, but in isolation they will most likely struggle to perform.

Are there examples?

In one NGO the Risk Leader, who was highly thought of and also charismatic, traveled for a full year to visit every field office in the world along with the regional offices. His main aim was to bring the Risk Management vision to them. It took time but people got on board. In a similar organisation, the risk team of 3 people started working on governance, policies and procedures, control frameworks, assurance processes and risk surveys without spending time meeting with people, understanding their expectations and needs and building those relationships. The program was unable to achieve in 2 years (with 3 people) what this one leader achieved in just one year.

These views seem to be backed up by risk practitioners globally too. From the Risk Managers Getting Coffee Series, there were similar views held from all participants of the series. (See the video below)

What do Risk Practitioners around the world from different industries think?

Peter Smith, who has worked in the rail, oil and gas and aviation sectors, and who is a graduate of the Glasgow Caledonian Risk Management Honours Degree, with experience in Project Risk and Enterprise Risk professional, is a big believer in quantitative risk analysis. However he believes that a risk manager needs to have an understanding of the impact of the wider business whilst leaning on the subject matter experts within the organisation, whether its engineering or otherwise. In order to do this of course you need to be able to communicate and have the soft skills to encourage risks to be shared but also for them to understand what risk actually means. He also suggests that an important part of the role is to have passion. Passion on the outcome.

This is echoed by Aarn Wennekers who suggests that there needs to be a good grounding in the business. It helps to know the industry but the business itself is a critical aspect. This doesn’t necessarily mean that the risk manager needs to understand geology or drilling deeply. However an understanding of the structures and culture of the organisation along with who has influence and who reports to who. This allows the risk manager to navigate the politics, gain allies, build relationships and roll out risk management effectively. Aarn has experience from government sectors as well as the oil and gas sector.

Dr Maria Papadaki and Horst Simon, who come from education and banking, are the most vocal about the fact that soft skills are critical. Being charismatic and inspiring plays a huge role in risk management. This is not only the case for training and running workshops but even being able to share ideas and concepts with colleagues on a one to one basis in order to capture their imagination and help them think a little bit more outside the box. On the question of Quantitative Risk skills, Dr Maria believes that this is a skill you can learn but more important is being able to translate that to various levels of the organisation.

This is not dissimilar to Gregory Irgin’s view who also believes the soft skills are key. He believes soft skills along with a breadth of knowledge, again, similar to Peter’s view in which you need experts to draw on. Gregory’s views of Quants also follows the thinking of Dr Maria Papadaki whereby you can only take Quants so far and without having the right soft skills (to translate and make the data interesting), along with being able to gain an understanding of the business, or an understanding of the people you are reporting to (what’s in it for them?), then you are unlikely to gain much value from it. Gregory has worked across the Middle East and Africa in a number of industries and has always been exposed to geopolitical risk and varying cultures and is in a perfect position to observe how risk management needs a more personal and human touch.

Watch the video below for more!

The Case for a Government Chief Risk Officer (From the Extreme Risk Podcast)

Risk Guide is delighted to bring a very special short episode from the very first series of our Extreme Risk Podcast in collaboration with Runderc.

In this special episode, Alexander Larsen speaks to Mykhailo Rushkovskyi about the need for more Risk Governance at a governmental level in the form of for example a Government Chief Risk Officer which will bring accountability and visibility to how societal and country risk is managed and how risks are considered in decision making. 

The need for resilient countries is becoming more evident by the year and ensuring transition initiatives consider risk is critical to remaining resilient. Over-reliance by the EU on gas from Russia for example has proved a disaster for many countries in the EU. Re-opening of coal mines (despite ESG and environmental targets) indicates how poorly the green transition was thought out in terms of risks and resilience.

And what influence does Leadership play? Alexander highlights an excellent example from Pakistan of strong and positive leadership that can only improve risk culture.

For further information about Mykhailo and his career, you can find the Risk Managers Getting Coffee series on: https://youtube.com/riskguide

You may also find the Extreme Risk Podcast on the most popular platforms:
   ⚪️ Apple podcast
   🟢 Spotify
   🟡 Amazon

Episode Content:

1.00 – Risk Management at Government Level
3.00 – Resilience & Risk-Based Transition Plans
4.20 – The Gold Standard – Pakistan Case Study – Risk Leadership & Culture
7.00 – What is the Role of Risk Management at Government Level
10.00 – Where is Resilience? (Banking, Natural Disasters, Government Budgets)
11.26 – Risk-Based Strategy & Resilience – Norway Case Study – The Norwegian Oil Fund

About the Podcast

The Extreme Risk Podcast is a new podcast that focuses on Crisis and people working under extreme circumstances. The podcast seeks to learn from the few Risk Masters who have experienced extreme events and share it with as many people as possible.

The first series of the podcast are focused on risk management during the largest military conflict in Europe since World War II – the Russia-Ukraine war. Together with Mykhailo, we speak extensively about the lead up to the war, the invasion as well as the months that followed. Undertaking a war risk assessment, preparation for potential scenarios, monitoring, how people reacted and how businesses responded. We also discuss the potential wider ripple effects of the war on the world economy 🌍

For further information about Mykhailo and his career, you can find the Risk Managers Getting Coffee series on: https://youtube.com/c/riskguide and https://riskguide.wordpress.com/2022/02/03/risk-managers-getting-coffee-episode-4-part-1-geopolitics-turmoil-and-a-journey-from-italy-to-ukraine/

All episodes will be released every few weeks here on the Risk Guide website and via our LinkedIn (https://www.linkedin.com/company/risk-guide) and Podcast pages https://extremerisk.buzzsprout.com/ as well as on RUNDERC – https://runderc.com/podcast

Episodes will be released every few weeks here on the Risk Guide website and via our LinkedIn (https://www.linkedin.com/company/risk-guide) and Podcast pages https://extremerisk.buzzsprout.com/

You may also find the Extreme Risk Podcast on the most popular platforms:
   ⚪️ Apple podcast
   🟢 Spotify
   🟡 Amazon

The Russia-Ukraine War series – Episode 4 – The Ripple Effect

The Extreme Risk Podcast – How the Russia-Ukraine war could cause a global ripple effect on countries, societies, individuals and organisations.

Risk Guide is delighted to continue the very first series of our Extreme Risk Podcast in collaboration with Runderc.

In this episode, Alexander Larsen speaks to Mykhailo Rushkovskyi about the potential ripple effects of the war. Looking at what industries are being impacted and what regions could face major risks (from Europe’s energy crisis to an expanding war, through to the Middle East struggling with increased grain and wheat production and potentially facing social unrest). There is an additional focus on resilience with mention to a children’s book focused on resilience called Mr Goose (this can be found at www.mrgooseonline.com

For further information about Mykhailo and his career, you can find the Risk Managers Getting Coffee series on: https://youtube.com/riskguide

You may also find the Extreme Risk Podcast on the most popular platforms:
   ⚪️ Apple podcast
   🟢 Spotify
   🟡 Amazon

Episode Content:

01:00 – What is the Ripple Effect?
02:56 – What scenarios are you considering from a Ukrainian perspective?
05:45 – Reviewing our strategic plans during times of potential uncertainty
07:00 – The various timescales for the end of the war
10:30 – Regions of the world and how they might be impacted by the war
19:20 – The Insurance Role
26:00 – The Risk Appetite
27.45 – Industries Risk and Opportunities from the war
33.20 – Global Economic impact of the war
35:25 – The impact on Society
38:55 – The Individual Responsibility and learning resilience at School
43.00 – Season Wrap Up
44.00 – Long Term Transition and Resilience – The Norwegian Case – Electric Vehicles

About the Podcast

The Extreme Risk Podcast is a new podcast that focuses on Crisis and people working under extreme circumstances. The podcast seeks to learn from the few Risk Masters who have experienced extreme events and share it with as many people as possible.

The first series of the podcast are focused on risk management during the largest military conflict in Europe since World War II – the Russia-Ukraine war. Together with Mykhailo, we speak extensively about the lead up to the war, the invasion as well as the months that followed. Undertaking a war risk assessment, preparation for potential scenarios, monitoring, how people reacted and how businesses responded. We also discuss the potential wider ripple effects of the war on the world economy 🌍

For further information about Mykhailo and his career, you can find the Risk Managers Getting Coffee series on: https://youtube.com/c/riskguide and https://riskguide.wordpress.com/2022/02/03/risk-managers-getting-coffee-episode-4-part-1-geopolitics-turmoil-and-a-journey-from-italy-to-ukraine/

All episodes will be released every few weeks here on the Risk Guide website and via our LinkedIn (https://www.linkedin.com/company/risk-guide) and Podcast pages https://extremerisk.buzzsprout.com/ as well as on RUNDERC – https://runderc.com/podcast

Episodes will be released every few weeks here on the Risk Guide website and via our LinkedIn (https://www.linkedin.com/company/risk-guide) and Podcast pages https://extremerisk.buzzsprout.com/

You may also find the Extreme Risk Podcast on the most popular platforms:
   ⚪️ Apple podcast
   🟢 Spotify
   🟡 Amazon

Shaping organisational success – Part 6 – Ground Rules : Leadership

By Horst Simon, The Risk Culture Builder

LEADERSHIP

Let us practice Transformational Leadership. Let us motivate others to do more than they originally intended to do and this will evolve so they often will do more than they thought was possible.

The challenge of leadership today is a challenge of opportunity, not crisis. New leaders can prepare themselves for the challenges facing them by adopting the seven lessons of leadership (Tom Brown, Leader Lines)

1. Leadership starts from within: A leader must have a deep well of integrity “Character is destiny”
2. A central compelling purpose: A leader must have a clear purpose and make sure that purpose is rooted in the core values of the organisation.
3. A capacity to persuade: A leader must be able to effectively use every medium to argue for the purpose and direction that is right.
4. An ability to work within the system: A leader must harmonise all the partnerships in his network to optimum performance.
5. A sure, quick start: Leaders must “hit the ground running”, set a progressive pace and keep to it.
6. Strong, prudent advisors: The best leaders are the ones that surround themselves with the best advisors. A leader need quality people close at hand who can both support his thinking—or challenge it.
7. Inspiring others to carry on with the mission: The leaders, who will set forth a clear, steady path into the future…. Will also be the next to have a living legacy.

Servant Leadership

In the East, a philosopher named Chanakya wrote in his 4th century book Arthashastra:

“The King shall consider as good, not what pleases himself but what pleases his subjects.”

In the West, the concept goes back to Jesus:

“Those that are rulers are taught to lord it over others. Not so with you. If you want to be great, you must be a servant, and slave to all. Even the son of man did not come to be served, but to serve”.

(Mark 10:42-45)

• The servant leader knows that his/her own growth is facilitated by the growth of others.
• Servant leadership is a reaction: the most important job being to find out what the needs of the community are and fulfilling them.
• Servant leadership overcomes opposites, and works towards reconciliation. Opposites exist to be combined, and seen as not what separates people, but what brings them together.
• Servant leadership does not see cultural differences as a problem. It is seen as opportunities to create something together that is stronger than two parts.
• Servant leadership focuses on what you share and ways that resemble each other leads to a sense of connection, humanity, and compassion.

There is nothing new or even sophisticated about my points above. Your job is to take the initiative to ensure all members of staff understand these points. It is essential to agree on how we want to manage our business. Agreement will make your jobs, and mine, a lot easier, our company a better, more stable place to work, our shareholders more supportive and our families and communities more secure.

Siphumelele—“We ARE Successful!”

Uncertainty causing big problems for Businesses in Ukraine

By Liz Booth for Commercial Risk

A leading Ukrainian risk manager has told Commercial Risk Europe about some of the biggest challenges facing his profession as the Russian invasion continues. He said the banking system remains intact and insurance is helping to keep the country going but the uncertainty brought about by war is a major problem for business.

Mykhailo Rushkovskyi, who headed the risk functions in Ukraine at Naftogaz, the largest state-owned oil and gas group, worked for DTEK Group and is the founder of RUNDERC.com, said: “The key risk for us is uncertainty around the war and its timeframes. We do not know what will happen next.”

Rushkovskyi, who is based in Kyiv, said GDP is expected to drop by 35% in Ukraine this year and risk managers fear a big a recession.

“We worry about oil products and gas supplies. For the renewable companies there should be an opportunity, but most of the wind turbines are in the south of the country. That area is now partly occupied by the Russians and the turbines are controlled by third parties. We don’t know what state they are in. The situation is still unfolding,” said Rushkovskyi.

The better news is that the Ukrainian banking system is largely uninterrupted and allowing the country’s businesses to continue operating, he explained.

“IT businesses are also continuing. Because of Covid-19 we had become more flexible, so we have people working for Ukrainian businesses but living in another European country. They are still paying Ukrainian tax, so government still has an income, which in turn means it can pay its employees,” he added.

Rushkovskyi said insurance is also playing a critical role in keeping the country going. “At DTEK we had bought war cover for the turbines, for example, aiming to have comprehensive cover for the plant,” he said.

He likens this to the Wimbledon tennis tournament buying pandemic cover for years before Covid-19 hit. “They bought pandemic cover for years before it was needed but all those premium payments were well worth it as soon as the pandemic hit. We feel the same. We had been buying cover for all eventualities and it is now paying off,” said the risk manager.

“The government is also asking us to document all buildings and plant damaged by the Russians, so that we will be able to make a claim against Russia for the cost of rebuilding the country,” he explained.

Rushkovskyi is a huge advocate of the power of insurance, not just in enabling businesses to function but also to force change.

“As part of the sixth package of sanctions, EU officials are considering a ban on insurance for ships carrying Russian crude oil. Thus, an embargo on Russian crude oil would cut Russia off from the EU market and a ban on insurance would make it very difficult to export crude oil to Asia and other countries,” he said.

Adding: “This insurance approach was already used effectively ten years ago to restrict Iranian crude oil exports as part of the conflict over Iran’s nuclear programme. In this way, insurance can become one of the effective tools of the EU sanctions on Russia to reduce financial flows for the continuation of the war.”

But Rushkovskyi believes both risk management and the insurance market need to evolve. “We need risk management 2.0 and insurance 2.0 in the future. We cannot do things in the same way if we are to manage our way through systemic shocks, such as climate change and through cyberattacks,” he said.

• To hear more from Mykhailo Rushkovskyi, register for Commercial Risk’s Global Programmes conference on 15-16 June, when he will be taking part in a Q&A. Click here to register https://www.commercialriskonline.com/events/global-programmes-2022