Tag Archives: hazard

How to Understand Your Risk Landscape

This is part two of a series of five on the topic of risk appetite and its associated FAQs.

The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.

The Risk Landscape

Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.

First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives?  Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?

To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.

It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated.

Crucially, risk is now defined as “the effect of uncertainty on objectives.”

It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.

Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:

1.  Risk appetite: While we now have a globally accepted risk management standard[3] and a sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor an internationally accepted guidance, as to the attributes of an effective risk appetite framework.

2.  Risk reporting: In relation to risk reporting, two significant matters arise:

Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric[4] approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.

Note: RMI supports the adoption of a board-driven, objectives-centric approach[5] to reporting and monitoring risks to operations, the business model and reputation.

Risk registers and other reporting tools detail known risks and what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such, they tend to be of limited value in terms of reporting or monitoring either unknown known[6] or unknown unknown[7] risks. This is a matter that should give boards cause for concern given the pace of change, hyper-connectivity and the disruptive nature of new technologies.

3.  Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.

The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on the use of disparate Excel spreadsheets, Word documents and PowerPoints with weak controls over the efficacy of copying and pasting of data from one level of report to another.

Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.

For example:

a.    Comprehensive training for business line managers and supervisors on:

  •  (Risk) Management Processes,
  •  (Risk) Vocabulary,
  •  (Risk) Reporting,
  •  Board (Risk) Assurance Requirements

b.    Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,  

c.    System[8] put to process through the use of database/workflow solutions, providing an evidence basis of assurance that:

  • The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
  • Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change,
  • Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
  • Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of information.

4.  Lack of understanding of the nature of the risks that need to be mastered in the boardroom:

Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health and safety, etc. — and there are multiple categories of risk. But what is uncertainty?

Uncertainty[9] is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.

There are essentially two kinds of uncertainty:

1.   Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.

Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.

Measurable uncertainties are funded out of operating profits.

2.   Unmeasurable uncertainties: These are inherently uninsurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc., they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.

Unmeasurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks[10] that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.

Unmeasurable uncertainties are funded out of the balance sheet.

The hyper-connected and multispeed world in which we live today has driven the effect of unmeasurable uncertainties on company objectives to unprecedented heights, and so amplified the risk potential enormously.

5.  Urgent need to recognize the mission-critical importance of building  and preparing management to always be prepared to offer credible solutions in the face of unexpected shocks and surprises.

Figure 1 below describes the evolution of risk management as depicted within the red dotted line[11] and the next stage of the evolution (resilience) as envisioned by RMI.

Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk  

Resilience was the theme that ran through the World Economic Forum: Global Risks 2013, Eighth Edition Report. Resilience was described as the capability to

  1. Adapt to changing contexts,
  2. Withstand sudden shocks, and
  3. Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.

The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).

The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes[12]) recently published a concise and practical taxonomy that may also be used to consider global risks[13].

The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.

When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.

Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.

It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:

  • Lloyds: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
  • PWC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today,
  • S&P: Risks that do not currently exist.

The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:

  1. Financial volatility (24% of respondents)
  2. Cyber security/interconnectedness of infrastructure (14%)
  3. Liability regimes/regulatory framework (10%)
  4. Blowup in asset prices (8%)
  5. Chinese economic hard landing (6%)

Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction[15].

References:

[1] Influenced by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management (ERM): Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens.

[2] Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

[3] The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.

[4] Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman.

[5] The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech.

[6] An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels).

[7] An unknown unknown risk is a so-called black swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb).

[8] Specified to the ISO 31000 series.

[9] Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

[10] More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman.

[11] Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management: Frameworks, Elements and Integration.

[12] Managing Risks: A New Framework.

[13] Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).

[14] Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK.

[15] The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term.

Breaking Through The Barrier Of Hardnosed Workers, Part 4

Winning Them Over
In Part 3 of this series, safety officer Ken Malcolm talked about the importance of building trust between hardnosers and those who try to change them. To this, Malcolm adds respect.

“Give them [hardnosers] respect,” he says, “and problems go away. They might not like you, but when you handle people accordingly, someone is always watching, and that tough but fair method gets you respect.”

Trust and respect form the pivot point that directs difficult employees away from dysfunction, toward responsibility. Hardnosed workers will never trust or respect you more than when you demonstrate to them that you have their best interest at heart.

You do this when you create intentionally interpersonal safety training to meet the intensely interpersonal weaknesses of workers.

Intentionally Interpersonal Safety Training
Not all worker resistance is of the severe magnitude experienced by the desperate general manager described in Part 1. But to any manager who suddenly realizes that “good employees” in his organization are on the verge of spinning into the Cycle of Rejection (see Part 2), the situation can seem as serious.

Such was the panicky attitude of a global manufacturing company's operations excellence director when he realized that his plants' safety representatives were, for no apparent reason, beginning to resist his carefully crafted 5-year safety excellence plan. Midway through the plan, he found that the ability of his safety representatives to engage employees — younger employees in particular — was less than he initially believed.

The harder he pushed them to engage employees, the more they resisted. Sound familiar? The interpersonal skills of his representatives required improving in a manner that did not risk further alienating them, so he called the author for help.

Since hazard recognition was the next focus of the 5-year plan, it was decided to integrate relational skill development into the safety representative's hazard recognition training program. An emphasis on reaching younger workers was included. One of the company's values, integrity, served as the drumbeat.

The human development goal was to help the representatives understand the difference between the preferred behavioral tendencies of older workers, such as themselves, and the preference of the plants' predominately younger workers. An easy four-part behavior profile was incorporated to help the participants understand the difference. From earlier articles in this series, you may recognize this goal as helping the hardnoser understand why people do what they do.

The safety management goal was to teach the representatives a simple 1-2-3 hazard recognition process that could be persuasively communicated to employees.

The resulting outline for the 8-hour training course delivered by this author is as follows.

Course: Achieving Safety Integrity through Hazard Recognition
Length: 8 hours
Format: Live presentation; interactive workshop

Section 1: Hazard Recognition: A Matter Of Integrity
Participants are asked to think of hazard recognition as a matter of integrity, as a way of “doing the right thing.”

Section 2: Clearing the Value Path to Hazard Recognition
Participants learn about a “perfect storm” of negative social influences that hinder employee “buy-in” to hazard recognition. How to turn these negatives into positives is taught.

Section 3: Capitalizing On Communication Desires to Jump-Start Haz Rec
Participants learn a behavioral approach to hazard communication — capitalizing on the communication craving of Generations X and Y — in order to achieve employee engagement in hazard recognition.

Section 4: Making Haz Rec Work Simply
Participants learn a simple 3-step process for Haz Rec — observe, interpret, apply — that engages everyone in the routine practice of hazard recognition. A 3-question mechanism for gaining accountability is taught.

Section 5: Using Behavior Recognition Skills to Build Haz Rec Effectiveness
Participants learn the strengths and weaknesses of each behavior type so that they may better recognize how employees allow hazards development and loss to occur. Correcting unacceptable behaviors before an incident happens is taught.

Learning Objectives

  1. A review of the company value of integrity in relation to hazard recognition
  2. A simple effective 3-step method of hazard recognition
  3. A knowledge of the participant's own core behavior tendencies
  4. A method to accurately recognize (read) the behavior tendencies of others
  5. An understanding of how to 'sell' hazard recognition to others via persuasive communication skills targeted to the behavior tendencies of others
  6. A strategy for maximizing hazard recognition through the networking behavior of Gen X and Y

The effectiveness of the intentionally interpersonal approach to safety training was immediately evident in the participants' feedback. Hardnosed safety representatives are not easily fooled. Most have seen a dozen lackluster varieties of the “safety flavor” of the month.

“He left no stone unturned,” said one. Grasping the dual nature of the training, another said, “Not only did I learn about safety recognition but I also learned more about my own personality and the personality of coworkers.” [The course emphasized behavior, but the common use of “personality” is close enough.]

Still another of the 75 participants said, “It wasn't what I expected.” No, it isn't, which is the point. It met felt needs, unlike other safety training. Added the participant, “I liked the straight talk.”

Most telling is the participant who stated that she will “use these ideas at work and at home.” It is a reminder that the greatest needs are life skills. Another participant said that he would use the course material to “make personal changes.”

Intentional Results
Success is never guaranteed. But the intentionally interpersonal safety training advocated in this article has proved successful in every work environment from which the T-JTA data that defines a hardnosed worker was extracted.

In addition to improving the measures of traditional safety management — recordables, lost times, observations — several measures of human resource management effectiveness were improved, including personnel turnover rate, workers' compensation claim rate and various measures of employee engagement or attachment.

One large maritime company saved over $20 million during a 2-year period as the author and his colleagues worked with them to conduct a company-wide interpersonal safety training program.

An organization committed to breaking down the barrier presented by hardnosers may reap the unimaginable “better results” spoken about by John Bennett in Part 3. But to do so requires a shift in management perspective — from a reactive posture in which the hardnoser is viewed as an object to be conquered to a proactive policy of ministering to the hardnoser's needs.

Below is the story of one company that made this commitment. It's the company whose desperate general manager initially called the author in Part 1. Remember him? He is the one who thought that his supervisors were acting like troubled kids. And he was right. So was his inclination to react in the right way.

Enabling A Safe And Profitable Transition
One beneficiary of the blended safety training approach was Chotin Carriers, Inc., now a part of the Kirby Corporation. Kirby's impending buy-out of Chotin, a small company of 120 employees, only added to the human resource and safety management challenges faced by Chotin's general operations manager, Arnie Rothstein.

Chotin's overall personnel turnover rates for the years previous to the buy-out were respectively 47%, 40%, 44%, 35% and 41%. Rothstein conservatively estimated that each employee turnover cost Chotin a minimum of $4,300, or an average annual turnover cost of $349,760.

Starting in Chotin's buy-out year, the author administered a series of training programs that addressed both the safety need of Chotin and its human resource development challenges. The result was that Chotin's turnover rates dropped to 20.3% and 2% respectively over a two-year period, saving Chotin thousands of dollars in personnel turnover costs.

During the same period of time, Chotin's safety performance was also improved. The company's total injury index rate (per 200,000 man-hours) dropped from 8.0 to 4.32, a 46% reduction. With an estimated cost of over $30,000 per lost time back injury, special emphasis was placed on reducing lost time injuries. The result was a 64% reduction in Chotin's lost time injury frequency rate.

Better than these results to Rothstein was the sweet aroma of employee cooperation, evidenced by one of the company's reformed hardnosers, who said, “I've learned more from this training than I've learned in all the other training put together.”

Why Bother?
It is convenient to be like the skeptical Cleveland-area businessman in Part 3 who views everything in this presentation as silly “social work.” But the evidence presented here suggests that you cannot pretend that a sub-culture of hardnosed workers does not exist.

Take it from an expert in destructive behaviors. If there is one thing that delights a hardnoser — that encourages his resistance — it is knowing that management will ignore him, allowing him to run amok. Such tolerance provides him with a complete sense of control. It justifies his retreat into emotional isolationism, disengagement, and dysfunction.

Ignorance by management is not bliss. There is a price to pay for such folly.

Massive amounts of money are spent on strategies that, at best, merely limit the ongoing damage done by change-resistant employees.

No amount of pre-employment screening can solve the problem. No human resource policy, employee management strategy, or performance evaluation criteria can deter it.

Nothing short of a purposeful, committed effort to provide hardnosers a path to healthy personal development will decrease their resistant nature. Safety is the open door to that end.

Bibliography

“Focus On Teamwork, Attitude Improves Quality And Safety.” The Waterways Journal. April 25, 1994: 41-44.

Newton, Ron. No Jerks On The Job. Irving, TX. PenlandScott Publishers, 2010.

Riddle, Glenden P. An Evaluation Of The Effectiveness Of Stress Camping Through The Use Of The Taylor-Johnson Temperament Analysis Exam. Research Project. Dallas Theological Seminary, December 1978.

Taylor, Robert. Taylor-Johnson Temperament Analysis Manual. Thousand Oaks: Psychological Publications, Inc., 1992.