Key Misunderstanding on Risk Management

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now senior fellow and Marvin Bower professor of leadership development, emeritus at the Harvard Business School. (I have never had the privilege of meeting him.)

His colleague, Anette Mikes, was with him at Harvard, and she is now professor of accounting and control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes her. (I have heard her speak but have never met her one-on-one.) She has made important contributions to the academic study of risk management that includes a case study of John Fraser’s Hydro One and a similar case study on Lego.

I have shared my thoughts with her on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School working paper, “Risk Management – the Revealing Hand.”

While there is some value in the paper — such as its insistence that risk management must be continuous as well as its discussion of overreliance on models — it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organizations to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in its 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believe risk management supports their ability to develop and execute on business strategy very well.

See also: How to Remove Fear in Risk Management

How can risk management practitioners demonstrate value and significantly contribute to the success of an organization when they:

  • Focus on a list of potential harms;
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics; and
  • Talk in technobabble instead of the language of the business?

I see risk management as about the following:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization toward its objectives.
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives and what (if anything) we need to do about it.
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo.
  • Knowing how to evaluate the potential for any event or situation to have good, bad or a combination of good and bad effects — and providing a structured process for making decisions about the path forward.
  • Promoting intelligent and effective management that enables the organization to succeed.

Kaplan and Mikes say there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note: EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)

Is the conclusion by Kaplan and Mikes because they don’t understand what risk management should be, that it is not about managing a list of potential harms (what Jim DeLoach calls “enterprise list management”)? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out, or would you dismiss the pessimist with disdain?

Here are just a few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go.” – COSO (the acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which published “Internal Control—Integrated Framework” in 1992).
  • “[Risk management enables] a greater likelihood of achieving business objectives [and] more informed risk-taking and decision-making.” – COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in [and affects] everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
  • “You need [risk management] to become part of the rhythm of the business — meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
  • “The job of risk (management) is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved.” – Deloitte

I can tell you that the risk management programs at Hydro One and Lego do not limit their work to potential harms. They consider the potential for reward as well as harm and work to help management succeed.

See also: Moving to Real-Time Risk Management

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it is because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks (enterprise list management).

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the chief risk officer (CRO) gives him is a list of what could go wrong? The CEO needs help to see what might happen, both good and bad, and what to do about it. In other words, the CEO needs to see risk management as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we convince both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.

This article was originally posted here.

Should We Take This Risk?

  • Who takes risk?
  • Who decides whether the risk should be taken?
  • How do they know what the desired level of risk is?
  • How do senior management and the board obtain assurance that the right risks, at the right level, will be taken?

These are important questions, and every risk (and audit) practitioner should understand the answers.

Richard Anderson and I will be taking these on in April and May, and you are invited to join us. Details are at riskreimagined.com.

Taking the first one first: Who takes risk? The correct answer is “everybody”: everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.

In general, the organization’s structure and delegation of authorities dictates who should be making which decision, who should review and approve that decision and what limitations are put on the “value” or magnitude of that decision.

In other words, the normal approval hierarchy established in any organization typically determines who makes which decision – and therefore who takes which risk.

Some people consider risk as static, the possibility of an event or situation that could affect an objective or two. But our world is anything but static; the environment in which we operate changes all the time, as regulators, markets, customers, vendors and other factors change. Our own organization also changes, as employees leave or join, get promoted, change their minds or intentions, feel differently about their or the company’s prospects, develop new products, retire old products, change pricing and so on.

So, risks are being taken all the time in an environment that is changing all the time.

The normal approval structure will also dictate who decides whether the risk should be taken. The decision maker is the person charged with making that decision, subject to review and approval.

The decision maker will normally weigh all the options, given the information available to her, and try to make an informed, intelligent decision. If there are risk-reward trade-offs, they will be considered in the decision-making process.

But how does the decision-maker know how much risk he should be taking? How does he know whether the risk level for the organization as a whole will now exceed the levels approved by more senior management and the board?

In fact, how do people know how their decisions will affect others, which objectives at the enterprise level might be affected and what the desired levels of risk to those objectives are?

For example, if you consider a recruiter in the HR department who is vetting candidates, prior to their being considered by the hiring manager, does he really know how his decisions on which to take forward will affect the organization?

Does he realize how much value and impact an individual with additional experience will bring to the sales operation, or how a lack of familiarity with ethical practices could increase compliance risk?

Does he understand that a major IT initiative might suffer if he delays a decision on which IT specialist candidates to consider? The risk may be to objectives in IT and in the objectives of the IT function’s customer – the one affected by the delay in completion of the project, or even the possibility of a failure of the project.

There are ways to address these issues that center on communication and collaboration. In the recruiting example, it is incumbent on both IT and HR to ensure the hiring urgency is understood and the value of different levels of experience and technical talent is appreciated and informs the recruiter’s decisions. Similarly, it is up to the IT customer to convey to the IT team the value of the IT project and the various risks (i.e., the effect on their and others’ objectives) should the project fail or be delayed.

Setting acceptable levels at board or top management is not the answer; it may be part of the answer, maybe even a significant part of the answer, but every decision maker needs to know what is desired at her level, and it is impractical to believe that the enterprise risk appetite statement can be translated and cascaded down in a useful and actionable way to every individual actually taking the risks.

In addition, in a dynamic world, desired levels of risk are (or at least should be) changing dynamically.

In some cases, more granular risk criteria can be defined – but, again, not for every single decision.

No, risk is taken and must be taken by individuals at all levels across the entire enterprise. If you want them to take the right risk at the right level, they must be informed and trained in the consideration of risk – and not just the risk to their personal or team objectives, but the effect on others and, eventually, how that can affect enterprise objectives.

Senior management should help by ensuring the people on their team get that decision-making training, with the help as needed of the risk officers.

How, then, do the board and senior management know that the right risks at the right levels are and will be taken? It’s not possible to be certain that they will be taken. Perfect assurance is not possible, as decision makers are human, and they will make mistakes even when all the information is available and they have taken all the required training.

Only reasonable assurance can be obtained.

A few things contribute to obtaining that reasonable assurance:

  • Care and attention to the decision-making process, ensuring that decision makers consider what might happen as an integral element in that process: what needs to go right as well as what could go wrong.
  • Care and attention to the “risk management process/framework/whatever-you-want-to-call-it,” thinking through how desired levels of risk are defined and communicated, the appropriate review and approval process, how people are provided the information they need to make risk-informed decisions and so on.
  • The objective assessment by management (and the chief risk officer) of that risk management process – an honest assessment of whether it provides the necessary assurance and whether it is delivering the value to the organization it should by improving the quality of decisions. I think this assessment should be shared formally with the board.
  • Careful monitoring, after the fact, of actual risk levels and determining what failed when risks exceed desired levels.
  • An independent and objective assessment of the enterprise’s management of risk by the internal audit function.

This is a quick essay on the topic, which is complex and tough to achieve in practice. I welcome your thoughts and hope to discuss it further with you in April or May.

Why Do Some Take Risks, Others Not?

Every time you breathe, you take a risk. But, usually, the potential for harm is greater if you don’t breathe. (There are exceptions, such as when your head is under water without a breathing mask.) Every time you make a decision, you take a risk; we take risk all the time, in pretty much every facet of our personal and professional lives.

But, when faced with the same situation, people will act differently from one another. A person may assess the risk differently from someone else. He may make a different decision regarding whether the risk is acceptable and which fork in the road he should take to address it.

In risk management, it’s fine to have defined risk criteria or appetite statements, but these rarely cover every decision a manager has to make. So, the manager has to make a decision based on what she thinks is best.

A number of experts will point to risk culture as the answer to this variance in decision-making. The experts seem to believe that some organizations are more risk-averse than others. But organizations are composed of people—different people in leadership roles with different backgrounds, experiences and biases. Organizations are not homogeneous. In fact, sections of an organization are not staffed with people who are identical in their attitude toward risk.

For example, on whether to select vendor A, B, C or a combination of the three, different people are likely to make different decisions. Manager X may have had a bad experience at another company with vendor A, while Manager Y used to work for that vendor. Manager Z may have lived through a disastrous experience where a sole-source vendor failed, so she will opt for a combination of two or more vendors. Manager Y may have just suffered a loss on the stock market that affects his desire to take risk, while Manager X has just heard he is a grandparent again. Even something such as a state of mind can influence a risk decision.

It’s not only that different people make different decisions in the same situation but that each person may make different decisions at different times. This is important because, as risk professionals, we want decision-makers to only take the level of risk that top management and the board desires.

To have consistent decisions on risk, we need to know the temperature and overall health of the organization and its decision-makers. We need to answer these questions:

  • Who are we relying on to take the risks that matter most to the organization’s success?
  • How can we obtain assurance that they understand the desired level of risk?
  • How can we obtain assurance that they will act as we desire?
  • How will we know when their risk attitude changes?

A survey will, perhaps, give you a moment-in-time view. However, people change. Managers and executives leave, new ones join and people’s perspective and desire to take risk changes, especially if they see their compensation or termination is likely to be affected by their decision.

This is a complex issue that risk professionals need to understand and assess within, and across, their organization.

Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com.

In the meantime, how do you address this variability? How do you know that your decision-makers will take the desired level of risk?

Integrating Strategy, Risk and Performance

While many (including me) talk about the need for integrating the setting and execution of strategy, the management of risk, decision-making and performance monitoring, reporting and management, there isn’t a great deal of useful guidance on how to do it well.

A recent article in CGMA Magazine, 8 Best Practices for Aligning Strategy, Planning and Risk, describes a methodology used by Mass Mutual that it calls the “Pinwheel.”

There are a number of points in the article that I like:

  • “Success in business is influenced by many factors: effective strategy and execution; deep understanding of the business environment, including its risks; the ability to innovate and adapt; and the ability to align strategy throughout the organization.”
  • “The CEO gathers senior corporate and business unit leaders off-site three times a year. As well as fostering transparency, teamwork and alignment, this ensures that the resulting information reaches the board of directors in time for its meetings…. The result: The leadership team is more engaged in what the company’s businesses are doing, not just divisional priorities. This makes them more collaborative and informed leaders. This helps foster a more unified brand and culture across the organization.”
  • “A sound understanding of global business conditions and trends is fundamental to effective governance and planning.”
    Comment: Understanding the external context is critical if optimal objectives and strategies are to be set, with an adequate understanding of the risks inherent in each strategy and the relative merits of every option.
  • “Strategy and planning is a dynamic process, and disruptive innovation is essential for cultural change and strategic agility. Management and the board must continually consider new initiatives that may contribute to achieving the organization’s long-term vision and aspirations.”
  • Key risk indicators are established for strategies, plans, projects and so on.
  • “Evaluation and monitoring to manage risks and the overall impact on the organization is an ongoing process…. Monitoring is a continuous, multi-layered process. In addition to quarterly monitoring of progress against the three-year operating plan and one-year budget, the company has initiated bottom-up ‘huddle boards’ that provide critical information across all levels of the organization.”
  • “Effective governance requires a tailored information strategy for the executive leadership team and the board of directors…. This should include: essential information needed to monitor and evaluate strategic execution of the organization; risks to the achievement of long-term objectives; and risks related to conforming to compliance and reporting requirements.”
  • “Integrating the ERM, FP&A and budget functions can help to manage risks effectively and to allocate limited capital more quickly and efficiently.”

I am not familiar with the company and its methodology, but based on the limited information in the article I think there are some areas for improvement:

1. Rather than selecting strategies and objectives and only then considering risk, the consideration of risk should be a critical element in the strategy-selection process.

2. The article talks about providing performance and risk information separately to the corporate development and risk functions. Surely, this should be integrated and used primarily by operating management to adjust course as needed.

3. I am always nervous when the CFO and his team set the budget and there is no mention of how operating management participates in the process. However, it is interesting that the risk function at Mass Mutual is involved.

What do you think? I welcome your comments.

How to Evaluate the External Auditors

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them — especially chief audit executives (CAEs), CFOs and general counsel.

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each) and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of audit firms to detect serious issues (fortunately few, but still too many – the latest being the FIFA scandal) and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I said there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the corporate controller and the entire financial reporting team. I said that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the treasurer and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this situation. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO, whose policy it had been not to hire CPAs) to have the issue addressed promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why; whether he agreed with my assessment of the issue; why the firm had not identified this as a material weakness or significant deficiency in prior years; or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

  • Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
  • Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
  • Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.