Tag Archives: marks

New Guidance on Operational Risk

The Risk Management Association has published Key Principles of Operational Risk Management. Designed by practitioners at financial services organizations, the document makes a number of good points. But let me start with what is missing: guidance on when to take risks.

When an organization is focused on avoiding failure, it is very hard to be successful.

Operational risk is basically about the things that can go wrong in day-to-day processes that can trip you up. It is impossible to eliminate such risk. The best you can hope for is to take a level of risk that is appropriate given the business and what it takes to be successful.

The issue is not even about “balancing” risk and reward. The potential for reward should always be higher than the potential for loss – but the key is to use the same assessment methods to understand the potential range of positive effects or outcomes as is used to assess the potential harms.

See also: A Revolution in Risk Management  

Recognize that it’s not either/or, reward or loss. It is highly likely that both will occur!

Anyway, the guidance makes some good points:

  • Risk management is an integral part of business management and should be incorporated into overall business and financial planning.
  • Business culture within institutions must embrace the value of risk escalation and welcome independent challenge of risk decisions. Soliciting multiple points of view and engaging in debate result in better, more informed decisions.
  • Senior management should provide direct oversight of current and emerging exposures. Meanwhile, risk management should be part of the normal management process and governance, not be made a separate, adjunct function.
  • Risk teams should be established with qualified, high-performing professionals who are closely integrated with business operations and the decision-making processes.
  • Effective risk management is a basic responsibility of business leaders and managers.
  • Risk management activities dictated solely by remote oversight functions lacking detailed execution experience are highly prone to error and inefficiency.

But I have a problem with the traditional perspective in this section:

As part of sound business and strategic decision-making, operational risk implications must be assessed and considered to determine whether to

  • Manage the risk.
  • Tolerate the risk.
  • Transfer the risk (for example, by insuring against the risk).
  • Decline the risk.

To be successful, sometimes you need to take the risk, even to embrace the risk because of the potential for reward.

See also: Risk Management, in Plain English

The attitude of tolerating or even accepting the risk is simply wrong. Take it happily!

If financial services organizations fail to take the right level of the right risks, they will fail and fade away.

I welcome your comments.

A Revolution in Risk Management

The management of risk, whether you call it enterprise risk management, strategic risk management or something else, is about helping an organization achieve its objectives. All the standards, frameworks and guidelines talk about risk in terms of its ability to affect the achievement of the organization’s objectives.

Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful. This allows the consideration of risks but not really how they might affect the achievement of objectives and which objectives might be “at risk.”

See also: How to ‘Gamify’ Risk Management  

Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives. For each initiative, what is the likelihood of success?

Then we can answer these questions.

  • Considering all the things that we have identified that might happen, how confident are we that we will meet the objective (within an acceptable level of variation)?
  • What is the possibility that we can exceed it?
  • What is the possibility that we will fall short?

The assessment will not only provide valuable insight but will enable decisions to be made that will increase the likelihood and extent of success.

The report might look something like this.

Screen Shot 2016-11-11 at 11.56.30 AM

What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)

Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?

Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?

A report like this moves the conversation from focusing on failure to focusing on success.

See also: Can Risk Management Even Be Effective?  

Such a report changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.

This is a revolution in a couple of ways:

  • It turns the discussion of risk to objectives around 180 degrees to focus on objectives, and
  • It demonstrates how the management of risk is of huge value to the organization.

I welcome your comments.

Is this an approach that COSO and ISO should adopt as they upgrade their guidance?

How to Respond to Wells Fargo Fraud

I hope the Wells Fargo scam is causing boards, executives and practitioners everywhere to pause and reflect: Could something like this happen to us?

If it can happen at a great institution like Wells Fargo, it can probably happen anywhere.

In a couple of posts, I have shared questions that should have been asked and that should drive similar questions at other companies. For instance, why did management set incentive goals that didn’t appear to be aligned with driving revenue or earnings? What led to the failure of the controls that were designed to ensure that customers approved the opening of accounts in their name? Why didn’t customer complaints lead to identification of the problem? Why was the problem allowed to continue for at least five years? Did management have any idea that the culture of the organization would permit such a pervasive scheme? What was the role of internal audit, of the compliance officer, of whistleblower provisions and of risk management?

In a podcast with MIS Training Institute (which I recommend), I made another point. I think this is critical for everybody to understand.

I said that when people feel they are able to get away with a minor fraud, they will do something else. The level of fraud may start small, but it almost always increases.

I asked what else has been happening at Wells Fargo.


The public reaction by the Wells Fargo CEO, John Stumpf, included an observation that the scam only involved at any time about 1,000 people of the 100,000 in the branch network.

Let’s set aside the fact that 5,300 people were fired over a period of five years and that this number does not count anybody who was less severely disciplined or not caught.

Let’s set aside the fact that 1,000 people fired in each of the last five years reflects a continuing failure and, to me, indicates a breakdown rather than a one-time failure in controls.

The point is that he seems to believe that this is a small level of incidence, almost (in my words) an acceptable level of risk.

See also: Bridezilla and Workers’ Comp Fraud  

I am drawn to agree that this is a low level of failure. I’m not sure it is so low that it would be acceptable.

Let’s talk reality.

While it looks and sounds good to say that an organization has zero tolerance for fraud, corruption and a failure to comply with laws and regulations, that zero level is just about impossible to achieve.

You would need somebody looking over everybody’s shoulder all the time to ensure that no inappropriate activity was happening, and somebody looking over that person’s shoulder to make sure they were watching properly.

All you can do is have what a prudent person would believe is a reasonable level of control, given the risk of fraud.

According to studies by the Association of Certified Fraud Examiners, the typical company loses about 6% of its annual revenue to fraud. That number includes theft of time, personal use of the company’s laptop and so on.

Is that an acceptable level? Maybe it is; maybe it isn’t. You decide for your company — and consider the cost of reducing the fraud risk. Is the cost greater than any reduction in fraud risk?

The same goes for compliance issues or the activity reported at Wells Fargo. Was a reasonable level of control in place? Could controls have been improved to reduce the risk without incurring substantial cost? I suspect the answer is yes, but we don’t know enough of the facts yet.


Let’s also consider other forms of fraud, abuse and corruption.

Are these acceptable practices, or are they another form of fraud?

  • The CEO of a multibillion-dollar company approves the funding of a charity of which his wife is the chair. There is no clear benefit to the company, no link to its operations.
  • In response to falling revenue and profits, the CEO of another company lays off about 10% of the workforce. The board awards him a $1 million bonus for completing the reduction in force. At the same time, the CEO spends $1 million to renovate the executive suite of offices.
  • A senior manager in IT refuses to provide support for the implementation of a disaster recovery plan because it is not included in his personal objectives.
  • The vice president of procurement for Malaysia refuses to follow instructions from the executive vice president (EVP) of procurement (to whom she does not report) and adhere to global contracts with major vendors negotiated by that EVP. Instead, she negotiates successfully with the local subsidiaries of those vendors. While she obtains better prices for Malaysia (for which she and her boss, the president of that region, are rewarded) she puts the corporate contract in serious jeopardy.
  • A senior executive decides to hire a friend.
  • The chairman puts pressure on the company to select as a director an individual whom he knows will vote his way rather than searching for a director who will add critical expertise.

All of these are situations where, in my view, individuals put their personal interests ahead of those of the enterprise as a whole.

They act in a way that brings them rewards but that hurts the company as a whole.

See also: How Bad Is Insurance Fraud Really?

While technically they have not stolen and have not broken any laws, they have acted inappropriately. I will let you decide what to call their behavior.

But let’s be honest: Self-dealing is ripe around the world. Very few are selfless, putting the interests of others ahead of their own.


So what does this all mean? Where am I going?

  1. What we have seen at Wells Fargo (based on the few facts we know) is, in some ways, normal human behavior. When people believe that the behavior is encouraged or at least not discouraged and that they will not be caught, they will “game” the system.
  2. While we focus on fraud, we might be better off focusing on behavior and actions. There are many forms of behavior that will harm the organization.
  3. We cannot prevent or even detect all actions that result in a loss to the organization. We need to understand all of its forms, the impact and likelihood of each, and ensure that we have the controls in place that provide a reasonable level of assurance that risk is at acceptable levels.
  4. Management must take ownership of the design and operation of those controls.
  5. Internal audit should provide assurance on the management of the more significant risks.
  6. When the level of risk that the controls are failing rises, the root causes must be investigated.
  7. A low level of fraud, if left alone, will normally grow until it is unacceptable.

I welcome your views.

Risk Management, in Plain English

For a while, I have been saying that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.

Leaders of the organization speak in plain English about the achievement of corporate objectives such as earnings, profits and projects.

Leaders of the risk management function talk about risks, impact or consequences and sometimes talk in technobabble about terms that only risk practitioners and statisticians understand, such as “risk capacity,” “alpha” and “residual risk.”

See also: How to Remove Fear in Risk Management

The traditional way of explaining the risk management process is (per ISO 31000):

  • Establish the context
  • Identify risks
  • Analyze risks
  • Evaluate risks
  • Treat risks
  • Communicate and consult (throughout the above)
  • Monitor and review (continuously)

Can this be translated into plain English?

How about this:

  • Anticipate what might happen
  • Analyze the possibilities
  • Ask: Is there a problem? Can we do better?
  • What are the options? Can we improve them?
  • Which is best?
  • Decide
  • Act
  • Review/monitor/learn

I especially like the work anticipate. It’s better than talking about “uncertainty,” another word that risk practitioners understand (I hope) but that executives find difficult.

See also: How Risk Management Drives Up Profits

Isn’t risk management all about anticipating what might happen between where we are and where we want to be?

I welcome your thoughts.

Can we practice risk management in plain English and help leaders make intelligent and informed decisions without even knowing that this is “risk management”?

Key Misunderstanding on Risk Management

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now senior fellow and Marvin Bower professor of leadership development, emeritus at the Harvard Business School. (I have never had the privilege of meeting him.)

His colleague, Anette Mikes, was with him at Harvard, and she is now professor of accounting and control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes her. (I have heard her speak but have never met her one-on-one.) She has made important contributions to the academic study of risk management that includes a case study of John Fraser’s Hydro One and a similar case study on Lego.

I have shared my thoughts with her on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School working paper, “Risk Management – the Revealing Hand.”

While there is some value in the paper — such as its insistence that risk management must be continuous as well as its discussion of overreliance on models — it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organizations to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in its 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believe risk management supports their ability to develop and execute on business strategy very well.

See also: How to Remove Fear in Risk Management

How can risk management practitioners demonstrate value and significantly contribute to the success of an organization when they:

  • Focus on a list of potential harms;
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics; and
  • Talk in technobabble instead of the language of the business?

I see risk management as about the following:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization toward its objectives.
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives and what (if anything) we need to do about it.
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo.
  • Knowing how to evaluate the potential for any event or situation to have good, bad or a combination of good and bad effects — and providing a structured process for making decisions about the path forward.
  • Promoting intelligent and effective management that enables the organization to succeed.

Kaplan and Mikes say there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note: EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)

Is the conclusion by Kaplan and MIkes because they don’t understand what risk management should be, that it is not about managing a list of potential harms (what Jim DeLoach calls “enterprise list management”)? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out, or, would you dismiss the pessimist with disdain?

Here are just a few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go.” – COSO (the acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which published “Internal Control—Integrated Framework” in 1992).
  • “[Risk management enables] a greater likelihood of achieving business objectives [and] more informed risk-taking and decision-making.” – COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in [and affects] everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
  • “You need [risk management] to become part of the rhythm of the business — meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
  • “The job of risk (management) is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved.” – Deloitte

I can tell you that the risk management programs at Hydro One and Lego do not limit their work to potential harms. They consider the potential for reward as well as harm and work to help management succeed.

See also: Moving to Real-Time Risk Management

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it is because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks (enterprise list management).

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the chief risk officer (CRO) gives him is a list of what could go wrong? The CEO needs help to see what might happen, both good and bad, and what to do about it. In other words, the CEO needs to see risk management as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we convince both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.

This article was originally posted here.