Risk Reimagined!
A Conversation about the Effective Management of Risk
Welcome and introductions
Introductions from:
• Brian Link – Resolver
• Hussain Hasan – RSM US
Principal speakers:
• Richard Anderson
• Norman Marks
What are risk and risk management?
Achieving objectives depends on...
Avoiding unnecessary problems
Creating the right performance culture
Setting appropriate corporate “ethics” and behaviours
Taking more managed risk
Achieving objectives depends on...
Avoiding unnecessary problems
– risk of avoiding everything, resulting in total inaction
Creating the right performance culture
– risk of over-stretch resulting in burn-out
Setting appropriate corporate “ethics” and behaviours
– risk of sclerosis as every stakeholder of every decision is consulted
Taking more managed risk
– risk of taking on too much risk which becomes unmanageable
And doing the right amount of each
[Figure: Long Term Performance (Low to High) against Attribute (Low to High), marked with Zone 1 (Dead Zone), Zone 2 (Performance Zone) and Zone 3 (Dead Zone). Attribute: (i) Managed Risk Taking or (ii) Avoiding Pitfalls or (iii) Performance Culture or (iv) Corporate Ethics and Behaviours]
Balanced Risk
[Diagram labels: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone, Dead Zones]
Enron? Or the Big Banks?
[Diagram labels: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone, Dead Zones]
UK plc?
[Diagram labels: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone, Dead Zones]
The objective
[Diagram labels: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone, Dead Zones]
Relating this back to the balanced risk model
The bottom line
Risk Management should be the disruptive intelligence that pierces perfect-place arrogance
Why do risk programs fail?
The importance of people
Regulators are getting excited by culture
Regulator              Year  No of Pages  Culture  Risk Culture
NAO                    2011  18           4        Nil
Department of Justice  2011  43           6        Nil
FRC                    2014  28           20       Nil
FSB                    2014  14           100+     73
It’s all about people
Any organization is an assembly of people: people who take risk as they manage and direct the enterprise; decide how much risk is acceptable or even desirable; and provide oversight of the management of risk across the extended enterprise.
It’s all about people
“Culture is how organizations ‘do things’” — Robbie Katanga
“Organizational culture is the sum of values and rituals which serve as ‘glue’ to integrate the members of the organization” — Richard Perrin
“Culture eats strategy for breakfast” – Peter Drucker
Polling Question 1
Has the risk culture in your organisation been reviewed internally or by consultants?
- Yes, it is reviewed on a regular basis
- Yes, once
- We are thinking about it
- It would never fly
- It is not possible
Is there a single culture?
Is there such a thing as a single risk level?
Compliance area            Level of risk
Bribery and corruption     50
Environmental regulations  20
Financial reporting        30
Export/import regulations  20
Product safety             30
TOTAL                      150???
Why do so many of us take different views of exactly the same risks? How does an organization decide which view is “right”?
Why do people matter?
Human nature is … Individualist … or … collectivist
What do you believe … ?
I or C? Which do you think?
The way we live … “superiors” tell “inferiors” … or … “equals” negotiate the “rules”
Prescribed/In-equal … versus … Prescribing/Equal
Tell or Negotiate? T or N? Which way does it work?
And cultural theory...
[Diagram: quadrants labelled Fatalist, Individualist, Egalitarian and Hierarchist, with axes I / C and Tell / Negotiate]
What is the difference between the “risk” culture and the “organisational” culture? How can it be analysed?
IRM Risk Culture Framework
IRM’s risk culture framework looks at component parts making up an organisation’s risk culture
• How will I react?
• How will I respond in recognition of other competing needs?
• What will I do?
• What will we do?
• Our overall risk culture
[Diagram layers: Risk Culture, Organisational Culture, Behaviours, Personal Ethics, Personal Predisposition to Risk]
Risk culture aspects model
[Diagram: Risk Culture, with aspects grouped as follows]
• Tone at the Top: Risk Leadership; Dealing with Bad News
• Governance: Accountability; Transparency
• Decisions: Risk Informed Decisions; Reward
• Competency: Risk Resources; Risk Skills
Thinking about risk is managed…
1. Risk informed decision
2. Deals with risk systemically
3. Throughout the organisation
4. With partners
5. Nimble with new issues
6. Can leverage risks
7. Takes more, better-managed risks
8. Gets hit by few surprises
9. Lives by established principles
10. Expects excellent performance
11. Top-level buy-in to risk management
12. Links risk management to strategic and operational management
13. Aims for simplicity and action, not bureaucracy
14. Constantly conscious of risk management performance
Holding a mirror up...
Regular findings
• Non-execs normally refuse to take part.
• Exec directors are ALWAYS more optimistic about their risk management maturity than the rest of the workforce.
• Risk managers, heads of internal audit etc ALWAYS know when they are using smoke and mirrors to report up the line.
• Few others even care...
Assessing the Risk Culture
• Desk Top Research
• Surveys
• Interviews
• Conversations in Risk
Conversations in risk management
[Diagram nodes: Me, CEO, EE, Partners, Suppliers, Clients, IP owner, Back Office]
[Chart: Production and Projects. Axis labels: Production and Projects; Sustainability and HSE; Drilling Exploration & New Business; Finance; Other. Scale: 0% to 75%]
[Chart: Sustainability and HSE. Axis labels: Production and Projects; Sustainability and HSE; Drilling Exploration & New Business; Finance; Other. Scale: 0% to 75%]
Risk v Organisational Culture
Culture: The culture of the organisation is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.
Risk Culture: “The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”
And where they clash…
Issues which any board should want to know about:
• Values: Significant deviations from the board’s values.
• Silos: Especially where an organisation is facing complexity in its dealings internally or externally.
• Layering: Layered management reporting prevents new issues being spotted on a timely basis.
• Short-termism: Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.
• Control v Risk: Control (or risk control) management instead of risk management.
• Obstruction: Individually obstructive nodes can be very dangerous.
• Black holes: Sometimes it is difficult to discern any volume of conversations about risks.
Balanced Risk revisited
[Diagram labels: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone, Dead Zones]
Balanced Risk revisited
[Diagram labels: Performance Culture, Corporate Ethics, Here-and-Now, Tomorrow, Performance Zone, Dead Zones]
Leadership in complex systems
Relationships & behaviours
Draw on widely diverse perspectives
Adopt open enquiring mind set
Go out of your way to make connections
Tasks & ideas
Be Clear
Be Curious
Be Courageous
Invest in promoting values
Establish compelling vision
Embrace uncertainty
Distribute leadership & decisions
Risk appetite and tolerance
What is risk appetite? What is risk tolerance?
Risk appetite: the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.
Risk tolerance: the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.
How can you help the board and top management set desired levels of risk and also help decision-makers take the right level of the right risks?
Does it make sense to be “risk averse”?
Is risk appetite a useful concept or an overly complicated piece of mumbo jumbo?
Lightning doesn’t strike twice
But sometimes it makes multiple hits in the same strike:
The board should maintain sound risk management and internal control systems. Source: UK Corporate Governance Code, 2010.
The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems… Source: UK Corporate Governance Code, 2010.
The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. Source: UK Corporate Governance Code, 2010.
Behavioural change
http://tinyurl.com/ztwrm9s
The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of “fight or flight” responses to perceived risks. Source: Risk Appetite & Tolerance, IRM, 2011
Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. Except of course, as a legal fiction (as opposed to a biological reality) organisations do not have their own brains, nervous systems, sensory organs and instincts. Source: Risk Appetite & Tolerance, IRM, 2011
Risk Appetite
[Diagram labels: Level; Propensity to take risk; Propensity to exercise control; Strategic; Tactical; Project/Operational; Measurement; Stakeholder Value; Risk Metrics; Control Metrics; Risk Taking; Exercising Control; Delegation; Escalation]
A new balance
[Diagram labels: Propensity to take risk; Propensity to exercise control]
Throughout the organisation
Strategic Tactical Operational
Risk Capability
A function of
1. Capacity (how much you can carry?); and
2. Maturity (how much can your people cope?)
Risk Measurement
[Diagram labels: Shareholder Value; Cashflow from Operations; Discount Rate; Debt]
Operational Issues: 1 Sales Growth; 2 Operating Margin; 3 Cash Tax Rate
Investment Issues: 4 CAPEX; 5 Working Capital
6 Competitive Advantage Period
7 Cost of Debt
Shareholder Value = Cashflow from Operations, discounted by the Weighted Average Cost of Capital - Debt
Risk Measurement
[Diagram repeated with the label RISKS added]
So what does this mean in practice?
[Series of charts: Performance against Time (t0 to t1), with points A, B, C and D and numbered markers 1 to 5. Captions: Current direction of travel for performance; Where you might get to if everything goes right; Where you might get to if everything goes wrong; Risk Universe; Tolerance; Appetite]
Review of the morning’s discussions
The relationship between strategy, governance and risk
Risk reporting and assurance
How does a senior executive or board member gauge the effect of risk on corporate objectives?
Is it enough to review a list of top risks at every board meeting?
What about when the actions of one impact the success of another?
Objectives, Risks and Controls
[Diagram labels: Objective (two); Risk A, Risk B, Risk C, Risk D; Control 1, Control 2, Control 3, Control 4. Annotations: Risk to more than one objective; Control to more than one risk]
Objectives, Risks and Controls
[Same diagram, with Department A and Department B marked]
Who owns Control 4? Who has a guardianship interest?
Objectives, Risks and Controls
[Same diagram, with Company One and Third party co marked]
Who owns Control 4? Who has a guardianship interest?
Discussions/Case Studies
Review of the day’s discussions
The way forward for risk management
The bottom line
Risk Management should be the disruptive intelligence that pierces perfect-place arrogance
The End – for today
Polling question 1
Do you believe that risk management at your organization is fully supported by the board and top management?
- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure
Polling question 2
Does your board receive sufficient information to assess whether risk management is effective?
- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure
Polling question 3
Does your management team provide sufficient guidance so that decision-makers at all levels can take the right amount of the right risk?
- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure
Polling Question 3
Does your organisation have a healthy risk culture?
- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure
How does the board know whether risk management is adding value?
How do you measure success?
Where do reward and opportunity factor in?