CHAPTER 1
From Stagnant Tokenism to Effective Capitalism
Counting Tokens
Most executive managers would admit openly that they see the consumption of resources by risk management in their organisation as a necessary defensive measure for a 21st-century enterprise. But few would see it as a primary vehicle for delivering a substantially enhanced shareholder return, and even fewer would be delivering on that vision. Yet, in a small number of organisations, risk management does deliver substantially enhanced shareholder returns on a continuous basis. In order to realise this state, however, risk management needs to be taken out of the hands of the defensive minded and handed over to those who don't need a prescribed pathway to work out what delivers most for their organisation. In other words, there is a need to let go of the follow-the-pack philosophy and think freely. Let's see if we can persuade you to do so.
First — a question for readers. How do you react when the shopping precinct and traffic-light predators (aka charity collectors) step into your eye line and shame you into a donation? Perhaps, like us, you get a little peeved because no matter how many donations we make, badges we buy, third world children we support, or raffles we enter, they always want more. It's not even a serious drain on our income, but it keeps us in a kind of Groundhog Day where each morning on the way to work, or as we walk to lunch, somebody approaches us for a contribution to something they believe makes a difference ... and quite frankly, we're not at all sure that it does.
If we thought raffles and badges were a real game changer, we'd all jump in the deep end. Half our income so that Africa has no more hungry children? What a bargain — where do we sign? But we don't believe it's the case, so we mumble some apple pie and motherhood encouragement to the collector and keep putting the tokens in the collection box. We're buying off the annoying collector and diluting our guilt a little, but it's a long way short of achieving genuine peace of mind.
This is also what has happened to risk management in most organisations. Executive management donated generously to the cause for a long time and had hopes of a no-more-surprises world. After a while, they saw little real change in their business, but it's now neither politically correct nor in some cases legally possible to say, 'Enough! Let's use these resources to better effect'. Like the targets of street collectors, executive management keeps the tokens flowing long after belief in the cause has faded.
Consumed by Process
From 1990 to 2002 the world saw increasing focus on corporate risk management acts, guidance notes and standards. You may recognise some of the titles that became folklore, including Sarbanes-Oxley, COSO, Cadbury and Turnbull, and AS 4360 and its offspring ISO 31000 (more on all this in Chapter 2). The corporate world was too sluggish to make risk management its own initiative; it became a matter of compliance instead, and corporations through the decades have argued that compliance is a poor route to excellence.
Even the smartest people are prone to stop thinking when the early promise isn't delivered and compliance-capture offers an easy way out. Our risk management champions may never have been the smartest people in the room, but the zombie-like lovers of process — people who want to check what they do against a piece of paper and not real outcomes — have taken firm control. As a result, the risk world is teeming with conveyor-belt facilitators following the simplest possible interpretation of risk standards, and auditors aplenty doing what they do best — checking that we do what we say we do, whether it makes an iota of difference or not.
Compliance isn't the only road to tokenism. An unfounded but passionate belief that your organisation manages its risk brilliantly because it is inherently good at what it does will take you there too. In the early days of the risk management surge (circa 1992), a risk consultancy was engaged by one of Australia's largest companies to undertake a major risk review. The results were to be presented to a regulator to obtain permission to undertake a major development. The chief operating officer was a hard, confident character who laid down the following parameters for the report to the consultant:
'It will cost no more than $80,000, will be two inches thick, and it will promise nothing other than this company will always hire the very best people.'
It never occurred to this extremely talented man that any process he hadn't already adopted could possibly add benefit to his massive project. The regulator accurately described the resultant report as 'both confused and confusing' and approval was withheld. By the time the second version was completed by the same consultant, but with no parameters other than to get approval on reasonable grounds, the individual had sanctioned several fundamental changes to the project that had been uncovered by a genuine attempt to undertake a thorough risk review. In fairness to that manager, he went on to make the risk process mandatory on all of the company's developments around the world, including locations where no such process was stipulated by law.
The point here is that this larger-than-life character was not afraid to show his confidence (arrogance?), and it was therefore possible to account for it and go on to reach a good outcome. In fact, there is little doubt that the regulator and the consultant were in some degree of conspiracy to bring this outcome about. The problem today is that arrogance and complacency are not outwardly displayed when it involves widely endorsed risk processes or values that find themselves deep in the political correctness zone. It's a motherhood, apple pie and risk management world in the 21st century.
Recognising you have a sickness is the first step to curing it, so let's take a look at some of the many ways the tokenistic approach to risk management in organisations can be detected.
Risk Management in a Box
One-stop packaging is everything today. We pay the required sum and all of our problems go away. In an executive committee meeting at a major resources company a few years back, the tension in the room was higher than normal when discussing the introduction of SAP, a life-changing and expensive enterprise resource-planning IT system. This was somewhat surprising, given that these same individuals regularly discussed massive investments where an inappropriate decision, or lack of one, could cripple the company. The tension was explained when an executive director reminded the committee members that more executive heads have rolled over failed business management systems than over any core business performance issue. When asked why the hell the company was doing it at all then, the answer was much less succinct.
The most likely explanation is that the decision was peer pressure. Most of the top resource companies had made the move, and the company, which had rapidly moved up the stock exchange list, wanted this latest badge of corporate honour to prove it was indeed part of the elite. Whilst the business case was unclear, executives and directors were as influenced by the pressures of the latest corporate trend as any youngster looking to get the latest Nike shoes by protesting that absolutely everyone at school has already got them.
Whatever the real need, the articulation of the project value to all of the people that would go through the pain of its implementation was centred on the efficiencies of an integrated system — a one-stop shop. However — and this was foreseen by executive management — one of the first outcomes was a series of requests from department heads for permission to continue to use their current self-developed databases or bespoke software instead of the relevant SAP module. Mostly, permission was refused, and many general managers felt the effectiveness of their department had taken a step backward as a result.
A packaged-vacation analogy can provide a useful perspective when assessing integrated system software against bespoke alternatives. Consider the integrated IT system as a 'packaged tour' where you just get yourself to the starting point and don't have to engage your brain at all to travel, eat, sleep, shop and party in London, Paris, Rome and New York. In the bespoke independent travel approach, however, you have to think up front. You set your own itinerary and go to places you want to go when you want to go to them, and you're free to adjust if you see something better along the way. It would be nice to take a survey of executives and directors and find out how many of them go on packaged tours, but we suspect that bespoke itineraries would be the norm. So why would they be less inclined to think for themselves on risk management when wearing the organisation hat?
One reason is that there are some quick wins when you select a packaged tour to the exotic island of risk management. It's a great way for ambitious internal risk bandits to shop if they are too ill-equipped or time poor to actually think for themselves. Frankly, it's a pretty low-risk option, given the CEO and board are unlikely to probe with questions like 'how does this package influence our annual planning?' or 'how does this drive our internal audit program?' or 'why is a delay in an environmental permit an "environmental" risk when it doesn't harm the environment one jot?'
A shiny, slick integrated software solution full of data is also an effective way of convincing external risk bandits (internal auditors, regulators, etc.) that the organisation has mastery of its risk profile. As with the packaged tour, peer pressures are minor, as everyone has the same experience as their travelling companions. It's the smart way to go ... if you're a sheep. If you're a pack leader, however, the following option may be of interest to you.
This "Risk Management for Dummies" packaged approach has to be targeted at the lowest common denominator to ensure an adequate market size, and it focuses on solutions that are largely independent of the human dimension. It never ceases to amaze us that some of the biggest companies in the world are happy to accept that the risk management package to meet their needs is the same one that meets the needs of the industrial and commercial minnows. The very same giant organisations that would laugh at the suggestion that a small business bookkeeping package is totally adequate for their complex accounting and financial management needs will nonetheless assume their risk management needs are identical to the needs of the little guys. Now there's wishful thinking in a big way.
The simplistic nature of the risk assessment "engine room" in most risk-software packages is mind-blowing. It most commonly involves a crude selection of likelihood and consequence with little real definition of causal interfaces. As a result, few assessments will take more than an hour and most less than 15 minutes to nail a risk answer. Whilst this may be good enough for screening out scenarios that are clearly low in terms of the most severe credible consequence, it is delusional to consider it adequate for anything else.
If the above seems to suggest that all risk software is bad, we have given the wrong message. It isn't that it's all bad — but even the good packages can't do the job in isolation from a good organisational risk framework — and that in turn involves the smart guys and girls at the head of the organisation taking a very proactive role. It's quite difficult for board members and executives to oversee a process they have only ever looked at from a great height. They first need to understand it at ground level where they can prod and probe it, perhaps like we would a prospective son- or daughter-in-law. Ask the questions that they fear may be stupid and they will not only be the brightest person in the room but the most informed too. Board members and executives may not entirely enjoy this experience, but avoiding the early recognition of unpleasant truths is likely to have serious outcomes whether the issue is risk management or cancer.
In summary, the main problem with one-stop solutions is that the organisation's risk bandits believe that they only have to administer the software and good risk outcomes are somehow assured. It's all about process and not results. Risk bandits will know exactly how many risk assessments have been carried out and who was responsible. They will know how many actions were promised and sometimes even the percentage that were completed on schedule. Sadly, they will never know whether the right risk assessments have been undertaken and how they relate to each other and they will never know whether the actions being completed are having any effect at all on the level of risk to which the organisation is exposed. Bandit brains were switched off long before the box was unwrapped ... it is up to board members and executives to change things.
Which Risk Management System Do You Believe?
We're now going to ask you to be candid with yourself by giving your honest responses to three considerations. We'll never know what you answered, nor will any of your colleagues, so hey, why not go for it? What we're hoping to do is give you an insight into how much, or how little, you walk the risk management talk.
Test 1 — Double or Nothing!
You're a CEO who has the chance to buy out your closest competitor. Your market share has always been a little less than theirs but lately they've had poor results and the market in your sector is a bit twitchy, so their share price is illogically low. One of their major institutional investors has expressed their displeasure and has indicated they'd be supportive of any takeover attempt by your organisation. Knowing you have their support means a well-presented case is very likely to succeed.
The efficiency benefits would be amazing and you'd be the clear sector leader, with your nearest competitor a long way back in second place. Finance is freely available and your M&A department says it's a great opportunity to create a dominant brand. However, the risk register has a major acquisition assessed as an "Extreme" risk, and the risk-mitigation strategy included setting a firm gearing (debt/equity) ratio for the business. When you ask the risk manager why it's an "Extreme" risk you are told it's because it would exceed the organisation's gearing guidelines by a large amount and because the two organisations have very different work cultures. She points out that the General Manager M&A was in the risk workshop. You remain keen to proceed because the upside is phenomenal. Do you ...
A. Accept the risk register and comply with the findings re gearing and cultural mismatch?
B. Have a new risk assessment undertaken and attend personally?
C. Have a new risk assessment undertaken and advise the M&A GM of your thoughts on gearing and culture differences?
D. Disregard the risk register; everyone knows it's unrealistic anyway?
Answer A would put you in a very small minority and the decision would be admirable, assuming it is a very good risk management system, and plain dumb if it isn't.
Answers B and C are effectively the same, because either way you don't believe the register but want the record to suggest otherwise. These answers would probably be the most common responses, which is sad because they show no belief in the system but a willingness to pretend it means something.
Answer D scores high on honesty but low on responsibility, because once again a poor system is not repaired.
Test 2 — What's in a Register?
A second test is much easier: think of a business issue that really concerns you and look for it in your organisation's current risk register. Then answer the following questions:
A. Was there an assessment of your issue?
B. Did the risk ranking reflect your concern accurately?
C. Did the information in the register show the assessment had recognised the critical aspects of the issue and responded to them effectively?
Clearly a "No" answer to any of the three questions is indicative of a poor risk management process that may require a solution. Irrespective of the answers to the three questions, why hadn't you gone to the risk register before we asked you to do so?
Test 3 — Where is it Anyway?
How many times have you taken a risk assessment or risk register into a meeting with you?
Would you even know where to look?
Sometimes Management Don't Want to Know
Earlier in this chapter we touched on executive management oversight of risk management, but it's worthy of more attention. The largely superficial oversight of risk management by the executive team (e.g. a few probing questions occasionally in their individual area of professional expertise to let them know they're nobody's dummy) in the great majority of organisations presumably means one of three things:
i. Executive management believe risk management is well managed and will continue to be well managed without their help, or
ii. They're uncomfortable with how risk is managed but feel it is difficult to exert significant influence from their position, or
iii. They just don't get risk management and find themselves shying away from it as a result.
A possible fourth option is that executives believe that there is no substantial risk in their business, but we won't waste our time commenting on that option because they wouldn't waste their time reading this book. Executives who think risk management in their organisation is well under control by line management and therefore can't add much are in line for a risk bandit badge of dishonour. Investors, who are funding their salaries, sure as hell want them to sweat a great deal over risk on their behalf.