8

HOW Do We Conduct Enterprise Risk Management?

“The more you practise risk management in your day-to-day decisions, the stronger your programme becomes.” Chrystal V.

I felt a sense of urgency within Justin as we held the remaining training sessions at PJ Investment’s (PJI’s) offices. The intention of the move to the office was threefold: (a) get more employees enrolled in their risk management programme, (b) allow their employees to practise using risk management tools and (c) uncover what was bothering the partners.

On the first day, even though it was tight, we crammed 90 people into a meeting room designed for approximately 65 people. Employees were sitting on the floor, on tables and leaning against the wall. The non-management employees joining us that day were already briefed on PJI’s risk management programme.

After welcoming them and making a few jokes about the lack of elbow room, I posed this question to them, “Who is a big fan of the Star Trek series?”

Several people raised hands, one of whom was Mateo.

“Mateo, do you recall the episode in The Next Generation where Capt. Picard gives a visitor a tour of the starship? He points out her planet through a window. She asks about the size of glass it takes to stand up to the pressure of space. Picard surprises her when he says, ‘It is not glass. It is a force field. A field of energy that separates us from the uninhabitable environment of space.’ He informs her that this powerful energy keeps people alive.”

Mateo responded, “Yes. I remember that scene because I always assumed those were glass or plastic windows, and it blew me away that it was just a field of energy.”

“Thanks, Mateo. I too was amazed by that ‘fact’ and developed a new respect for the dreamers behind the Star Trek saga. For those who did not see this show, please imagine there is a wall of energy that keeps oxygen in and the deadly gamma rays of space out. This energy field, when working properly, keeps people living inside safe, and when it fails causes instant death.

“Now imagine that we had a similar field of energy protecting PJI’s people, assets and buildings, and there are several force fields instead of one. One layer of protection surrounds you keeping you safe. Another envelops this room keeping us all safe. A third force field serves as a protection around this building while a fourth provides a protective bubble around this neighbourhood.”

I pointed to Martha, an analyst. “Martha, imagine that these force fields are designed to protect you from bad luck, bad weather, bad food, bad people and unexpected things like a falling tree, a runaway car, even the flu bug. Would you feel safe?”

“Yes. Of course I would.”

“How would a feeling of security that someone or something has your back affect you personally and professionally?”

“I’m a cautious person, so I get nervous when driving at night, trying out new foods or meeting new people. Personally I think my concern to feel safe would be lessened, but I would need to trust the people who put up the shields before I would let my guard down.” The room broke out in laughter. (My guess is Martha had a reputation for caution.) She continued as if no one laughed, “Professionally speaking at work, I might be willing to stick my neck out more.” More laughter. Martha covered her face with her hands.

“Thanks for your honesty, Martha. I have a quotation for you that you might use to remind yourself that opportunity is always out there for you.”

“Fear of failure must never be a reason not to try something.” Frederick Smith

In a formal risk management programme, these force fields actually exist because you create them. One is created and managed by employees as they seek out needless risk that might exist within the scope of their jobs. A second force field is created and managed by the team as they study unwarranted or unprotected risk in their collective goals. A larger force field exists around each business unit created and managed by those making critical decisions that require them to analyse risks and ensure their actions are congruent with the unit’s mission. Finally a larger force field is created and managed by your senior leaders who examine the business as a whole and look for potential harm emanating from inside the organisation, via strategies and tactics, and approaching from outside, such as the environment or marketplace.

When people see this protection exists and trust those who create the protection, employees will invest more energy and attention into their work and lessen their desire to protect themselves or be cautious. It does not mean you can be rash and heedless within this protection. In a working enterprise risk management (ERM) programme, employees feel safe enough to be creative and innovative, share ideas, and learn new things.

From Top to Bottom

A survey sponsored by CFO magazine and conducted by Towers Perrin found that companies are more interested in systematic solutions to risk management than they have been in the past. Nearly half the respondents expect to implement broad changes to their risk management policies and practices that will affect both the shop floor and board.

Source: http://www.cfo.com/pressreleases/pressrelease.cfm/12343938

Fifteenth Principle of Risk Management

The more a person practises risk management, the more risks he or she is willing to take due to a feeling of security. Similarly the more an organisation practises risk management, the greater its risk appetite.

When it comes to taking risk in a business setting, some people feel confident because they are unaware of, or blind to, the perils and potholes ahead. Other people feel confident because they know how to deal with those perils and potholes. In ERM the programme builds confidence to take risks, which comes from knowing as opposed to not knowing. In fact pretending that risk is always beneficial or denying that risk exists can lead to the failure of an enterprise faster than any risk.

Process for the Leadership Body to Implement Risk Management

Most people can see a picture and quickly grasp its meaning. To assist you and others to fully understand the responsibility that leaders own in your how-to of risk management, I give you the next graphic, Figure 8-1:

Each organisation has its own way to implement risk management. You have already read about places to start the integration, such as incorporating it into your budget, reporting and decision making processes. This section gives you a checklist approach to implementation.

Checklist for Implementing Risk Management

Protocol 1: Risk Identification

Your key decision makers—risk owners—identify risks, assess their scope and size, use tools to measure their cost or impact, then with tools and guidance place them in a priority queue so they can be managed and reduced.

Protocol 2: Risk Management

Building on the information and momentum of the first ingredient, the owners of risk proactively develop their action plan on what to do about the peril or pothole. They have numerous options that include controlling it, mitigating it, deferring it and avoiding it, in any combination that makes sense.

Protocol 3: Risk Monitoring

Continuing on with their plan, risk owners then monitor the problem or opportunity. Notice that the monitoring is carried out at four levels of your organisation.

High-Level Planning

The process you use for your highest-level planning is a good place to introduce risk management. This is your strategic planning process.

Elements of a Strategic Planning Process

  • Mission. Make sure the mission includes your philosophy for a healthy balance between risk taking and risk protection.

  • Vision. Include in the vision statement how ERM will benefit you.

  • Values. Check that your core values reflect the amount of creativity, awareness, autonomy and accountability you want employees to display around managing risk and opportunity.

  • Strategies. As you develop or enhance the strategies you will use to grow, sustain and profit, seek out the inherent risks in each one.

  • Strategic goals. Add to each a mitigation plan on what you will do to address strategy risk.

  • Environmental scan or risk assessment. Conduct a global assessment of where risk currently resides in all you do.

  • Measurements (key performance indicators and key risk indicators). As you establish targets for the year, select a few metrics that will measure risk, innovation and opportunity and serve as early warning signs. Add these to your regular scorecards.

  • Performance targets and budgets. Establish realistic targets that prevent unwarranted risks. Include funding for risk monitoring, measuring, mitigation and training.

Timelines for Integrating ERM into Your Planning Cycle

If you are committed to applying risk management, it will take two or three cycles of strategic planning for full integration to occur.

Very few organisations implement ERM within one planning cycle because there is a learn-as-you-go element to ERM. According to “Strategic Risk Management at the LEGO Group,” an article in the February 2012 issue of Strategic Finance magazine, LEGO Group, the global toy maker, employed ERM after experiencing several years of losses and accomplished ERM in stages, one risk area after another. Its leaders realised years later that a large risk, fostered by its aggressive growth strategy, was omitted from their ERM programme. In 2006 LEGO added strategic risk management to its ongoing ERM activities and appointed Hans Læssøe as the person to lead it. Two years later Hans added Monte Carlo simulation to the mix. Each year LEGO improves its ERM protocol as it uses it.

Although there is no official timetable, on average, it will take your organisation between two and five years for ERM to be completely ingrained and integrated, but the benefits start in the first year. Be patient, and remind everyone that you are transforming the culture, which can take as long as six years to accomplish.

Analysis of Risk Versus Reward

The next step is for the leaders to discuss what risk looks like in terms of their global risk appetite or the cost they cannot afford. Not all risks are equal or of similar priority. Some perils you face are worth dealing with, but others are not. These discussions between the board and executives are critical because the employees who will implement ERM need specific guidelines on what the risk-to-reward ratio looks like and also the firm’s acceptable risk appetite.

Continuing with the February 2012 article in Strategic Finance magazine, LEGO Group executives use the amount of “earnings the company is likely to lose compared to budget if the worst-case scenarios happen.” LEGO’s board sets a threshold of 5% worst-case loss as the upper limit. This means the cost they can afford goes as high as 5% of profits lost. “That guides management toward understanding and ‘sizing’ the risk exposure.” Knowing this “has helped the LEGO Group take more risks and be more aggressive than it otherwise would have dared to be and grow faster than it otherwise could have done.”

Resources Assignment

“Put your money where your mouth is.” You may have heard that expression, and it applies to implementing ERM because you will incur both hard and soft costs. Unless you approve and fund the programme, your implementation will stall. You will spend budget money on consultants and advisors, new technology, temporary employees, and tools. Employees’ time will be diverted from their daily work to undergo training, learn how to use the tools, attend numerous meetings and analyse their work processes. You must plan for this necessary work for the first two years of implementation.

Tools in the Hands of Employees

ERM’s benefits will flow once employees use the tools they are trained on, but expect a long learning curve. Some employees who have experience or perform risk management in their current jobs will speed this up. It will be your employees who are new to risk management or resistant that will lengthen the learning curve. Be patient and plan to continually reinforce the new behaviours.

Process Goals

Your implementation efforts are next directed towards your key processes. Your executives kick this off by answering this question: Is the level of risk we face in this process acceptable to managers and those we are accountable to in the dogged pursuit of the process objectives?

Each time the answer is “No,” the process owner must examine the purpose or intent of the process to ensure its objectives include risk detection, prevention and balance.

Integrate into Existing Processes

Each process needs to be evaluated and improved to add risk monitoring and measuring to it. Each major work process, in ERM, should detect risk if there is any. If the work does not involve any sort of peril, the process, at a minimum, should at least add to transparency of the key decisions made within it.

Responsibilities and Ownership

The next step is to determine who serves as the chief risk officer and form the oversight group. You also establish every employee’s accountability towards risk awareness and mitigation. You can accomplish this through risk management tool ten, discussed in chapter 6, “WHERE Do Our Efforts Need to Be?” A critical part of this work is to identify the owner of each risk category. Your sales executive owns all sales risk. Your operations executive owns all operational risk. The CEO owns all strategic risk. Ownership of risk cannot be delegated.

Make it a Priority

All along the journey of implementation, your executives must make it clear that risk management takes priority over everything else. The message needs to be posed in a way that employees understand that they look at their work differently and put more thought into it. When employees do work in a rote manner, without thinking about what they are doing and why, they will overlook opportunity, miss undetected perils or not question actions and decisions that could put your firm at risk.

Minimum Elements to Establish Risk Awareness

Even if you decide not to implement a full-blown ERM but plan to institute the discipline of formal risk management, six foundation pieces need to be installed to ensure risk awareness gets embedded in your culture.

Feedback Loops

If you embark on a trip somewhere you haven’t been before, you need to know where you are compared to where you are headed. This holds true for the major shift in thinking that ERM requires. You must create numerous feedback loops and place them in your regular reports, metrics, action plans, employee surveys, customer surveys, employee performance evaluations and other areas that your organisation uses to know where you are and where you are heading. Behaviours that are measured will get managed.

Quality Loops

Feedback on whether risk management is being practised is not enough. You also need feedback on the quality of decisions made and actions taken after risk management becomes the norm. Employees may be finding little vulnerabilities and miss the big one. Line managers may take so long sizing up a risk that they miss an opportunity.

Control and Support

Employees need to feel they are in control and supported in what you are asking them to do. The group with accountability for oversight also needs to believe they have a say in what needs improving and that their hard work is valued and taken seriously.

Value of Risk Auditor

The risk auditor role is not for the faint of heart. You need mental toughness, a high Ethics Quotient and thick skin. Those who have served on a risk compliance team warn that dealing or working in risk compliance is not a job that wins friends and influences your fellow employees. It is a thankless job. Don’t just take my word. Thomas Quilty, CEO of BD Consulting and Investigations, said, “The compliance officer is the most hated person in the company.” When commenting on the risk compliance employee, Sam E. Antar, the former CFO of the now-defunct electronics chain Crazy Eddie, advises, “Companies often retaliate against them.” Tracy L. Coenen, a fraud investigator and leader of Sequence, a forensic accounting firm, shares another opinion about the role. “Most fraud today is uncovered by whistle-blowers, or by accident—a tip, a rogue piece of mail, or by happenstance. Compliance staff frequently ends up pushing paper just so it looks like the company has tried to do the right thing in case there’s an investigation. They’re not effective.”

Source: www.cfo.com/article.cfm/14557373/1/c_14557613

Communication

Risk management, if properly employed, should foster better and more frequent communications about opportunities and threats and what is being done about them. Your redesigned reports should clearly indicate the areas being monitored and the progress being made to lessen your vulnerability. All leaders need to look for indications that communications are taking place and are appropriate.

Rigorous management of risk using an established framework allows managers to have some tough conversations that are beyond the limiting scope of their job duties because senior leaders task the next level with implementing changes and improvements. This onus contributes to risk exposure. In these open conversations about potential risks regarding size and impact, your managers address each risk as they simultaneously select those opportunities that are worth pursuing. This requires your managers to communicate with courage, conviction and credibility.

Accountability

Because you are asking line and administrative managers to own the risks inherent in their specialties, accountability must be extolled, honoured and rewarded. True accountability requires that solutions replace blame, truth and honesty replace filtered communications and hidden agendas, and real ownership replaces passing responsibility and excuses.

ERM provides a useful evaluation tool for leaders to stay informed about their employees’ abilities to identify, prioritise and respond to apparent risk. This way everyone becomes informed of potential risks. Your framework requires managers to create an action plan in order to mitigate or address each risk. With such a structure, managers are able to understand and acknowledge all potential risk, thus increasing individual and collective accountability.

Rewards and Penalties

Behaviours that are rewarded will happen again. The best way for you to drive employees’ behaviours towards adopting risk management in their daily activities is to reward them. You want to tell employees that you are serious about this way of operating, and one visible and impactful way to get their attention is with a reward.

The second best way you drive employees’ behaviours is to visibly penalise the employee who does not take risk management seriously. You will most likely have to replace employees, managers and executives who refuse to embrace this new operating standard. This is why you add the behaviours you want from employees into your employee performance evaluation process. When employees who are on the fence about risk management learn that someone lost a bonus, was demoted or got fired because he or she did not adopt the new attitude, the fence sitters or resisters will either join the effort or quit. This is painful to hear and experience, yet it is necessary in any culture transformation.

Starting to Implement ERM

Murphy’s Law of Risk Progression

The greater the urgency to get a control or security system in place, the faster someone can slow it down.

You cannot rush ERM implementation because it requires education and training. Integrating elements of risk management into existing ways of working is like trying to remodel your kitchen while using it. You can influence the speed of its adoption and acceptance through many of the activities you control:

  • Training

  • Action planning

  • Rewards and performance evaluations

  • Meeting agendas

  • Employee scheduling

  • Executive utilisation

  • Executive communications

ERM Works as Risk Grows

In 2010, the Committee of Sponsoring Organisations of the Treadway Commission commissioned a formal survey regarding the state of ERM. The data were collected during June and July 2010 from different organisations. The individuals who were most likely involved in leading the ERM-related processes or knowledgeable about the efforts within the organisation were the study’s target. The conclusion was, “Despite growing complexities in the risk environments of most organisations, the level of risk management sophistication in these organisations remains fairly immature.”

Source: http://www.imanet.org/PDFs/Public/SF/2010_11/11_2010_beasley.pdf

Every organisation, not just yours, starts from scratch when adopting and implementing formal risk management. That is why this material was developed for you, so you know what to do and expect.

The good news in this is that there is no formula to follow because ERM is not a turnkey process. You design its structure around your needs. (Some readers may deem this as the bad news!) Even better news is a wealth of consultants are willing to help you create your own ERM methodology. Enter “risk management” in a search engine, and you will see software tools, consultants, books, magazines, conferences and even a risk management professional group. Assuming you have the money, time and interest, these resources prove that you will not need to feel alone when adopting ERM or a more simplified version of risk management.

ERM Step Five: Recover Quickly from the Negative Impacts of the Risk

Murphy’s Law still exists despite your best planning, anticipating and analysis. There will always be things you cannot anticipate, your implementation will go awry, or you will make human errors in judgement. Yes, even smart, talented leaders can make mistakes. I believe every innovator, investor, business owner, CEO, COO and CFO should have the statement, “Risk happens,” tattooed on their foreheads, so they can remind themselves each day.

You create an imperative within your risk management plan for your employees to have a specific methodology for quickly recovering from a negative, costly or painful event. The key element in this fifth step is to make sure you hone employees’ recovery skills on the small lapses. The reason is explained in this analogy.

Assume that you get the itch to run a marathon—42 kilometres. You are not a runner and have never run a marathon. Instead of going out and immediately trying to run 42 kilometres, health experts suggest you prepare by taking small steps. Your first task is walking and setting a milestone of being able to walk two hours without stopping. Next you alternate walking and jogging until you can go 2 kilometres without stopping. Your next task is to build up stamina until you can run 2 kilometres without walking. When you are comfortable with 2 kilometres, you extend it to 4 kilometres and then 6 kilometres. You continue with these smaller goals until you are able to run more than 42 kilometres in one outing. Can you be ready for a marathon in one day or even one month? Of course not!

Will you be able to reduce your exposures or increase your risk appetite from the first day? Of course not! That is why Step five is vital to a viable ERM programme. Think about getting prepared for “the big one” when getting ready for it is a group task. Like the investment you make in preparing your body for the rigorous marathon, you make a similar investment in preparing your employees. The first tollbooth you encounter on the path to empowering employees and the cost you face (before training) is asking employees to think for themselves.

Empower Employees to Act

This recently happened. I was leaving the next morning for an out-of-town consulting project, and I stopped at an office supply store to get some hard-to-find protective covers I use for documentation purposes. I found only one box containing 50, but it had been opened. I searched but could not find other boxes. I took my purchase to the counter, showed the clerk the torn box and asked her if she could locate another box. She checked the stock and said that was their last box. I expressed my concern that protectors could be missing, so she counted them and found only 49 sheets. At that point the sales clerk did not know what to do next. I was anxious to leave because I had several things to do before the end of the day. She was the only cashier, and now several customers were impatiently waiting behind me. Because the clerk was at a loss, I suggested she call for a manager. We waited and waited. I then suggested she just deduct $0.05 from the box price to cover the cost of the missing protector. She replied that she wasn’t authorised to give any discounts. We waited and waited.

That evening the office supply store created much customer ill will, not over $0.05 but because its culture is one in which employees are discouraged from thinking for themselves.

Compare that experience to the Marriott Hotel group that has a policy for all its frontline employees that they can spend up to $2,000 to satisfy any customer problem. Marriott employees must mentally answer a test of five questions before they spend Marriott’s money to solve a specific problem. The five-question test that empowers Marriott employees is as follows:

  1. Will this action harm the reputation of the hotel?

  2. Will this action cause a problem for another guest?

  3. Will this action only defer a problem?

  4. Will this action upset the guest even more?

  5. Is this action illegal or unethical?

If the answers to all five questions are “No,” the employees can take the action they deem necessary to satisfy a guest or customer. What Marriott has learned from its empowering policy is that it usually takes approximately $100 to satisfy the customer or solve the problem. It might be buying the guest a meal; paying for cab fare somewhere; paying one night’s stay at another hotel; or providing a gift, such as a bottle of champagne or wine. Rarely has the entire $2,000 been spent.

I posed these questions to PJI’s employees. “Contrast the two examples of the office supply store and Marriott. Which one wants its frontline employees to think for themselves? Which one uses empowering tools that allow employees to solve problems before they turn into risks or big issues?”

Several shouted out, “Marriott!”

I asked the next question of the managers in the room. “Do you trust in your employees enough that you would give each of them $2,000 of PJI’s cash to only be used to save a customer relationship without coming to you for permission? Raise your hand.”

By the number of hands in the air, their overall response rate was similar to those of most managers and supervisors. Fewer than 25% are comfortable empowering their employees this much. If you are among the 75% who feel uncomfortable, that is why employees either fail to notice risks and opportunities or, even worse, say nothing about them. The managers who did not raise their hands were looking at the ground in embarrassment. They were not able to look at their employees while admitting they did not trust them.

I selected specific managers and supervisors who, by not raising their hands, implied they did not trust their employees. I then posed this question, “Why do you hesitate to give your employees the key to the door? I am putting you on the spot because if you do not know the real reasons, we cannot improve the situation.”

Their reasons were as follows:

  • I don’t know the extent of my own authority, so how can I define it for someone I delegate to?

  • Each time I try to think for myself, my boss gets mad that I did not ask for her advice (an employee’s comment).

  • My employee asks too many questions, so I just make the decision because I don’t have time to debate him.

  • I try to let my employees work without intervention, but lately when one of them makes an error, my boss blames me.

  • I have over 20 years of experience, and my employee has three years. I know more than she does.

  • I got burnt in the past. Each time I gave money to my employees, they wasted it, and I had to explain to my boss why that happened. He was not happy with me.

Please notice from their comments that the reasons managers and supervisors fail to truly empower their employees can be summed up in three culturally embedded problems:

  1. Unclear or undefined responsibilities that make it hard to equalise authority and responsibility

  2. A preference for micromanaging the employee, which means the manager’s employees are discouraged from thinking for themselves and quickly give up the desire

  3. Employee performance problems are not addressed in a timely manner, which means the problem gets reclassified as, “I cannot trust my employee because he or she is not trustworthy.”

The following risk management tool fourteen will solve the first problem of unclear responsibilities and improve the conditions for solving the second problem of micromanagement. The third problem must be fixed by your human resource and performance management process, and if you fail to fix the problem, it will increase your vulnerability to lawsuits and worse.

Match Authority with Responsibility

PJI, like many other organisations, lacks the commitment to equalise responsibility with authority. A culture in which employees are not empowered will undermine your ERM efforts.

Murphy’s Law of Opportunity Empowerment

The person with the best understanding of the problem is never asked for his or her ideas.

An important aspect of your culture transformation plan to lower overall risk by recruiting your employees in the effort is to conduct an authority and responsibility analysis. An underlying intent of an effective ERM programme is to foster constant awareness by everyone throughout your organisation about large and small risks. Leaders all too often make a mistake that is detrimental to fostering awareness, and that is simply failing to give employees the authority or latitude to take action. In formal risk management, when you ask people to be accountable and empowered to reduce vulnerability or take advantage of opportunity, you must be 100% sure that you have given employees specific authority equal to their responsibility.

I did a session on this topic in Reno, Nevada, and one very wise woman summarised the importance of this need to equalise authority with responsibility. She told us, “If you make employees responsible for unlocking the door, give them the key!” In your organisation you are asking employees to monitor risk—asking them to unlock the door—but you may not be giving them the key—tools, knowledge or authority—to do something about the risk.

A risk management programme requires employees at every level who are making decisions and taking action to let you know when something is going wrong. Employees need to believe and trust that you will not punish them for blowing the whistle or waving the red flag. That is why you strive to match authority with responsibility, so that employees can and will think for themselves.

In Figure 8-2 you will see the two circles coming together. Your goal is to try to match them up as closely as possible. You will never get it to be a 100% match because the need for oversight affects unlimited empowerment and authority. However any checks and balances you require need to be perceived as empowering employees to take action, not impeding their ability to influence the outcome.

Five Tools to Help Clarify Accountability and Empower Employees to Act

Risk Management Tool Fourteen: Risk Authority and Responsibility Chart

A tool that will allow you to equalise responsibility with authority is called a risk authority and responsibility chart, examples of which are subsequently shown in Tables 8-1 and 8-2. You will notice that you can use this tool to easily highlight specific areas of concern, in this case actions oversight, approval decisions and asset protection.

Table 8-1 Risk Authority and Responsibility Tool


Table 8-2 Risk Authority and Responsibility Tool


The chart uses symbols signifying role, authority and ownership. “FA” means this person has the ultimate accountability for the process working as designed. “R” means this person has a responsibility to recommend or contribute to the action or decision. “A” and “JA” mean this person has the authority to take the action or decision. Because many decisions require other people’s input, the chart uses symbols to clarify this. “BI” means this person is to be informed. “Inc” means this person is to be included in meetings. Remember, even though it is your job to keep the supervisor informed, it is the supervisor’s job to stay informed. Communication is a dual responsibility. Because risk is ever present, the employee who owns the risk is designated “FA.”

Notice in this process for issuing a proposal that the principal consultant (a senior leader) has ultimate responsibility for this yet has clearly delegated authority to the project manager and project administrator. The chart clarifies the authority of the employees who support the project team: the credit manager for approving credit terms and the research assistant for researching information about the prospect.

Look at the authority structure for the process to reduce safety risks on the job. The senior leader who owns the accountability is the director of major projects. Each employee who is involved in managing the project has his or her own authority based on expertise, such as the electrical technician and safety director. Notice also that the jobsite manager and jobsite foreman share in deciding what to put on the all-important inspection report. This joint authority deters one person from hiding a risk. One more thing to note is that everyone, including the client, has a responsibility to raise a concern on safety violations, which prevents someone from saying, “It wasn’t my job to say anything.”

This tool works in conjunction with both the responsibility statement and formalised action plan. When employees know exactly what is expected of them, they will meet or exceed the expectations over 90% of the time. This tool assists you in defining and communicating these expectations. It also serves to ensure that you provide authority with delegated responsibility in equal measure. It quickly rids your culture of the often given excuse of, “I didn’t know I was supposed to do that. No one told me.”

Risk Management Tool Fifteen: Formalised Action Plan

The tool that communicates what to do is the formalised action plan. An action plan is a visual definition or map of what it will take to make significant progress on a specific objective. The payoff from using formalised action plans is the ability to communicate accountability to people. The contents of an action plan include the following:

  • Overall strategic goal

  • Deliverables and due dates

  • Major steps

  • Detailed steps or tasks

  • Individual responsibilities of participants

  • Anticipated obstacles and challenges

  • Performance metrics

  • Risk assessment summary

Each action plan should define each level of change responsibility at the outset. Action plan participants include the

  • sponsor, who is the person who has the ability to pay for the change and has ultimate accountability.

  • advocate, who is the person who drives, wants or demands the change.

  • customer, who is the person(s) who benefits from the change.

  • agent of change, who is the person(s) who carries the responsibility for facilitating the change.

  • accountability partner, who is the person who will help keep pressure on the change agent and is usually an executive the change agent regularly reports to about the progress (or lack of) made towards the plan’s end state.

  • risk owner, who is the person who serves in an oversight capacity to ensure that any risk is addressed and mitigated once it gets identified.

The action plan tool is for

  • highlighting overall global or high-level objectives.

  • showing expected or desired results.

  • keeping track of actual results.

  • holding employees to their authority.

  • identifying risks in advance.

  • allocating resources to something that needs to get accomplished.

Case Study: The Risk of Obsolete Stock

To demonstrate the power in this tool, I selected an important project that was currently underway at PJI. With the help of an investment manager, Roy, who was accountable for making his company profitable, I walked everyone through the action plan Roy and I jointly developed.

Roy told everyone the tale of woe.

“Two years ago we invested in an emerging electronic game company with the hope that their games could be turned into applications for the Apple iPad and Kindle Fire. Unfortunately the company’s management was so focused on this effort they lost sight of an important thing: managing their existing stock of games. In the video games industry, if a game does not sell out within 60 days, it becomes harder to sell because something better comes out, but our client’s company is starved for cash. So simply writing off the stock is not an option. They need to generate some amount of money to help pay for the game’s development costs.”

Exhibit 8-1 shows the action plan Roy will now use to make this problem go away, thus reducing Roy’s client’s risk and the risk to PJI’s investment:

Exhibit 8-1
Strategic Action Plan

A Strategic Action Plan (Strategic Initiative)

Overall Strategic Goal: To profitably dispose of obsolete and dropped stock of games.

Connection to War Games’ (WG’s) Strategic Plan: Reduce WG’s stock by 20%, and improve the turnover from four times to six times per year. (This is a measurable tactic of the strategic plan that WG’s management team adopted for the year. This demonstrates that this action plan is aligned with what management is trying to accomplish at a high level.)

Connection to WG’s Risk Management Programme: In the company’s risk management plan we addressed the concern that, as a new company, we have not established sufficient processes and controls to deal with obsolete inventories. We acknowledged in the company’s risk management plan that we currently are in the negative cash flow position and will be for the next 18 months. Therefore our inherent risk is that we may focus too much attention on managing cash, accounts receivable and accounts payable and not enough attention on the balance sheet items unrelated to immediate cash flows. Our operational risk is that the problem of existing stock will be of no value unless we are proactive in selling it faster.

Major Action Steps:

  1. Create and implement a process to dispose of all game inventories older than 45 days.

  2. Create and implement a process to proactively identify game products that are not selling, and find a buyer who will purchase them in bulk before they become obsolete at 60 days.

  3. Establish controls to ensure the old and obsolete products are sold for their highest value.

  4. Establish an incentive programme for a sales employee to sell the old products without hurting the sales of current products.

Anticipated Obstacles and Challenges:

  1. Assigning the responsibilities to sell and ship the products to an already overburdened staff.

  2. Finding a cost-effective way to move stock from our Ohio warehouse to the buyer.

  3. Protecting WG’s reputation for innovative games while disposing of the obsolete games.

  4. Paying adequate incentive compensation to employees who sell the stock because there will be no profit margin to WG.

  5. Determining the negative financial impact of selling overstocked games and communicating this to the board and bank without creating alarm.

  6. Maintaining the momentum or sense of urgency needed to fully dispose of all obsolete games.

Detailed Activities or Tasks (specific tasks already identified or under way):

  1. Select the products for disposal (see separate games stock reduction plan).

  2. Have the product manager provide an analysis of the saleability of all games over 40 days old.

  3. Contact any companies that buy video games in bulk.

  4. Hire a telemarketing person to handle the sale of smaller quantities.

  5. Establish a commission or incentive plan for sales of obsolete games.

  6. Determine the approval levels for authorising a discounted sale price.

  7. Prepare weekly updates and the status of sales and negotiations with companies identified in step three.

Financial Resources Required:

(Intentionally omitted)

Due Dates and Deliverables:

(Intentionally omitted)

Economic or Financial Impact of the Plan:

The plan will increase sales by $50,000 in the first year and $135,000 in the second year. The costs incurred to generate the sales and implement the new processes are estimated to be $27,600 in the first year and $55,000 in the second year. The costs include temporary personnel, one telemarketer full-time equivalent, shipping and incentives.

Action Team:

Change Agents: Paula P., Keith K. and Donovan D.

Sponsor: Junie Z. (WG CEO)

Champion: Roy R. (WG COO and PJI executive)

Tool’s Lesson

After Roy explained his newly developed plan for solving the mess, I solicited questions about the tool from people in the room.

Q: This looks like it takes a long time to write. Is it worth the time?

From experience the time it takes to write an action plan—between two and six hours—will pay for itself right away. Without it the employees involved in the effort could spend days trying to figure out what to do and who should do it. Better yet, by fostering both communication and coordination up front, you save the time and frustration normally devoted to those areas.

Q: Who writes this plan?

It is co-developed by the sponsor, lead change agent and champion. We assemble them together in one room and ask them to randomly throw out ideas that get entered on flipchart paper, on a white board or into a Word document. Later in the process the group organises these thoughts into a mind map and then into a logical linear plan.

Q: You mentioned this tool fosters greater accountability. Can you explain how that works?

Think about how often you have heard these excuses:

  • I didn’t know I was supposed to do that.

  • I forgot.

  • It wasn’t a priority, so I didn’t get to it.

  • What did we decide to do?

  • My notes from the meeting are different than that.

All these excuses show a lack of clarity and commitment to do what was expected. The formal action plan establishes expectations from the onset of the project or goal. It also specifies who is responsible for each task. No one can get away with those excuses.

The final way this tool raises accountability to produce a result or accomplish a goal is to raise the project’s visibility, and this is accomplished through a related tool used for action plan reporting.

Risk Management Tool Sixteen: Formalised Action Plan Summary

To raise the visibility of the various action plans that are underway, the executive team needs a way to track them and stay informed of their current status. The action plan summary in Exhibit 8-2 is a tool that accomplishes that and more.

Quite frequently managers and others ask for resources to get something done and promise higher sales or lower costs as the rationale. Yet just as often, there is no verification if the promised financial benefits are ever achieved. This tool requires that the action plan’s sponsor regularly report on the resources expended and the financial impact achieved as of the reporting period.

Think about that. If you ask for $500,000 to accomplish something, and you must undergo a monthly face-to-face check-in with the CEO to tell him or her what has been accomplished with the money you were granted, I will bet that you’d take this endeavour seriously. As a result, tracking the financial and budgetary aspects of each action plan really enhances accountability.

Action without follow-up and reporting leads to weak accountability. Weak accountability leads to increased risk. In ERM you will have many employees taking actions designed to reduce risk or take advantage of opportunities. This tool requires that your employees be ready and able to account for their actions and resources on a regular basis. This transparency enhancement prevents employees from wasting time and resources.

Murphy’s Law of Risk Simplicity

A simple solution will lead to a more complex problem. A complex solution will create numerous simple problems.

Risk Management Tool Seventeen: Pitfall Analysis

A recently hired supervisor at PJI raised his hand, “In a prior session you told us about scenario planning for potential problems that is done at a high level. I like to think about different scenarios when I have a problem that needs solving. Do you have a simple tool for me and my employees?”

“Of course I do, Charlie. Can you think of a problem that you face right now on which I can demonstrate the tool for pitfall planning?”

“Yes,” he said.

“I work for Grace, our treasurer, and she asked me to investigate software that will enable me to manage our cash. Currently I have to look at four different screens daily. One to determine how much money to borrow, another to see how much was deposited, a third to see our cash position and another to manage our temporary investments. Where I worked previously we used a treasury work station, and I believe one would work here.

“The problem is that it will take about nine months to get the software up and running. My lone employee and I are already swamped with work, so how will I get the implementation done and still manage the company’s cash? I have too many scenarios rattling around in my brain. What can you suggest?”

The tool for helping you quickly recover is a pitfall analysis. You may already think in terms of pitfalls and coming up with alternative plans. It is a way of life for many, but other people do not think like this. This tool works for both planners and people who normally spontaneously act. This tool forces the user to think of options. Using this decision making tool, you can create ways to lessen your risk exposure.

How to Conduct a Pitfall Analysis

Step One: List the possible pitfalls or obstacles of a particular course of action.

Step Two: Create a contingency action plan for each pitfall.

Step Three: Determine what would prevent implementing the solution.

Case Study: The Perils of Software Conversion

“We can understand this tool with a pitfall universally experienced and one fraught with exposure: implementing new software, like Charlie will soon be doing. Assume this is a major transformation. Assume that the cost of this real-time solution will be around $100,000. That’s a lot of money to waste should Charlie be unable to make this transformation successful. For anyone who has done this, you know that this project is a minefield.”

Our Exposure: Implementing new treasury software and a management system while managing cash daily.

“Charlie, as a lead on this project, please identify for us specific potential and common pitfalls based on your prior experience.”

He told us, “My worries are

  • Dana, my very knowledgeable and valuable employee, quits out of frustration or too much work.

  • the conversion process takes longer than the estimated six months.

  • Grace gave me a budget of $100,000 for software and hardware and consultants. What if I exceed that? Will the project be cancelled?

  • we have eight years of historical data to enter, and I am concerned about losing that data during the conversion process.

  • being so involved in the conversion, I might miss an investment opportunity, borrow unnecessarily or have too much cash on hand.”

“Charlie, I can see why you have insomnia.” He and others laughed. “The first thing to do is to list these pitfalls on the left side. Charlie, with Dana and Grace’s help, will come up with a solution for each scenario while the rest of us are at lunch. Don’t worry, there is a lunch waiting for them in the room where they will work.”

When Charlie’s team was finished, and everyone was in their seats, I showed them what the completed tool looked like (Table 8-3):

Table 8-3 Pitfall Analysis

| Pitfall | Contingency Plan |
| --- | --- |
| Losing a key member of the conversion process (Dana). | Hire a qualified temporary employee for the conversion project to do Dana’s regular work. |
| Suffering from burnout. | Hire a consultant with software conversion experience. Hire a second temporary employee to take on 40–60% of Charlie’s routine duties. |
| Conversion process taking longer than the expected six months. | Spend more time planning up front with a formal action plan, and hold weekly status meetings with entire conversion team. |
| Cost of conversion exceeds the budget of $100,000. | Prepare an updated cost projection with help of conversion consultant. |
| Losing important historical data during the conversion process. | Store two complete copies of data: one onsite for quick access and one offsite. |
| Being unable to keep up with the daily management of cash. | Prioritise daily tasks. Then train and delegate these. Automate current methods of cash management to reduce amount of time spent. Devote first two hours of each day to high-priority tasks that only Charlie can do. |

After we went through this tool, I asked Charlie to summarise what he learned from this. “How would this tool help you to minimise the negative effects of the exposure and recover quicker?”

He answered, “I can stop worrying. All these ideas were going through my head at all times of the day and night. Now that they are in the form of a plan, I can feel the tension leave my body. If Murphy’s Law appears, as I know it will, this tool gives me and my team a disciplined way to articulate the challenge and then think rationally how to mitigate it. Oh yeah, I’ll bet I sleep like a baby tonight, thanks to you!”

He pointed at me and grinned.

Tool’s Lesson

When employees believe they have no options, they feel helpless or disempowered. This tool proves the numerous ways to lessen or mitigate a pitfall or pothole. The act may seem insignificant at first, but what the tool does is instil the confidence that you always have options and that Murphy’s Law is rarely fatal.

We had time to learn one more tool.

Risk Management Tool Eighteen: Controllable, Negotiable and Given Analysis

Sometimes, despite your best plans, there are conditions in a risk, peril or challenge that you must accept and cannot change. I love sunshine, and I love living in Seattle, Washington, but one thing I accept about living in the northwest United States is that I won’t experience as much sunshine as I would in the Bahamas, Dubai or Hawaii.

Yet in risk management you can always influence the outcome, which may lower your exposure or help you recover faster. The tool you can apply to show you how to influence your vulnerabilities is the controllable, negotiable and given analysis. This tool allows you to identify some of the specific actions you can take in order to minimise or mitigate a risk.

How to Complete the Analysis

Step One: Write out a clear description of the risk to be undertaken.

Step Two: Prepare a chart that describes the various aspects.

Step Three: List all the givens for the risk or problem.

A given is a condition you cannot change or do much about, such as accepting that the Islands of the Bahamas have hurricanes each year that destroy some homes and accepting that you cannot afford to move to Seattle (where we have less sun but no hurricanes).

Step Four: List as many negotiable conditions you can think of.

A negotiable is an aspect of the situation that allows you to influence the outcome by substitution, bargaining or some other action. Living in the Bahamas, your insurance company raises the rates for homeowners coverage. You cannot go without insurance, but maybe you can work with your agent to lower coverage on your overall policy, so that the premium increase is affordable.

Step Five: List as many controllable conditions you can think of.

An aspect of a risk is considered controllable if you can do something to lessen the impact of an unchangeable given.

You may not be able to control the weather in the Bahamas, but you could reinforce your house’s foundation. You could install trees that block winds from hitting your house. You could invest in new designs of windows, doors and roof that are more resistant to high winds. As for personal protection you could store important papers, jewellery and other irreplaceable items in an underground storage facility.

Step Six: Turn the negotiable and controllable items you list into action steps.

Notice that, although you may not be able to avoid a hurricane, you can take steps to reduce your vulnerability while preparing to recover faster.

Case Study: The Opportunity to Save Purchasing Costs

To help you understand how the tool works, we will examine something that PJI is adopting: the use of purchasing cards. A number of companies are now using purchasing cards to replace costly purchase orders or the need for large quantities of petty cash. It is a major risk because it completely alters how you conduct purchases of many items. It makes you more vulnerable because some employees will try to abuse the system and use their purchasing card (P card) to pay for personal items. The P card is similar to a credit card issued by Visa or MasterCard, and the company that uses the P card is financially responsible for the charges.

Companies that use P cards warn others that you must go into this with your eyes wide open. It is not a simple solution nor is it easy to implement. Most importantly you must change or address traits within your organisation and culture that may hinder successful use of purchasing cards. Aaron is PJI’s manager in charge of the purchasing function for PJI and some of the companies they invested in. Currently the company annually spends over $600,000 for purchases that average under $25. He calculated that the average cost to process each purchase order is $9.25, which means it costs PJI approximately $220,000 to make 24,000 purchase transactions. By paying for most of these 24,000 transactions with a P card, he saves the company over $200,000. Aaron convinced Paul and Justin of the need to switch to P cards, but Tracy’s concern about the risk has put that decision on hold. She is worried that the internal controls for P cards will not be strong enough to prevent employee abuse or misuse. Tracy believes that the processing of P cards will create a workload burden in accounting, but Paul and Justin have made it clear she cannot hire any more staff for the next 12 months.

I asked both Aaron and Tracy to explain all this to us, so I could demonstrate the tool.

Step One: The risk

“We will soon institute purchasing cards for use by every manager and supervisor. Most of the users are not trained adequately to deal with the value-added tax and account code issues inherent in the P card. No extra resources will be available to handle the additional administration of purchasing cards. Without adequate controls P cards can easily be used for non-company purchases.”

Step Two: With Aaron’s and Tracy’s help we completed the “Givens” section in Table 8-4:

Table 8-4 Given, Negotiable and Controllable Analysis

| Givens | Negotiables | Controllables |
| --- | --- | --- |
| Aspects of the risk that we cannot control or that are unchangeable | Aspects of the risk that we can influence by substitution or alteration | Aspects of the risk that can lessen the impact of the given |
| We must use purchasing cards for all supplies and related buys under $5,000. | | |
| We will be unable to work with some existing vendors who cannot accept the P card. | | |
| We must be able to handle the administration of P cards with existing staffing. | | |
| Verifying the account coding of each purchase can be time consuming but is an important internal control. | | |
| The cards can contain only one account code in their memory. | | |
| Verification about the correctness of each purchase is an important control. | | |
| All managers will be issued a P card for use by their department. | | |
| Companies that use centralised purchasing will be issued a P card. | | |

Steps Three and Four: I assigned groups of employees the task of brainstorming specific actions that could be taken that would mitigate or lessen the risk. I suggested they not be overly concerned with whether it was a negotiable or controllable item. They should just consider actions that would protect the company from fraud and unnecessary paperwork and be easy to administer.

Their Solutions

The groups amazed Tracy and Aaron with their creative ideas to mitigate this risk, which told me they understood the tool and its purpose. There were too many to list, but the ones that Tracy and Aaron selected for their action plan, which took care of Step Five, were

  • the user must attend training before he or she is issued a P card.

  • accounting administers the training on the P card’s use, proper coding and policies.

  • the employee’s immediate supervisor is accountable to ensure the appropriateness of the purchase and its coding. The supervisor is the first line of defence against misuse.

  • employees will scan their own receipts for accounting’s database.

  • PJI will purchase P card software that checks for inappropriate use and makes the digital receipts easy to locate and access.

  • update the policies for misuse of company resources by adding the proper use of P cards.

  • any purchase of non-business items results in immediate termination, and the purchase will be deducted from the employee’s pay packet.

  • accounting will create a regular audit routine on P card usage to verify the process works as designed.

  • Aaron will provide the management team statistics on the usage of P cards versus purchase orders and quarterly estimate the programme’s savings.

Tool’s Lesson

In this example notice that you have to accept certain things in every risk or opportunity. That does not mean you cannot lessen the perils. Parts of the risk that you can use to influence or minimise are called negotiables. These are things you ask for. Finally, when you proactively take control of the situation, you can reduce the danger or exposure of the risk. This tool empowers employees to act with purpose.

Onward

Today you discovered three important things. First you now have access to 18 unique tools that aid you in reducing the impact of Murphy’s Law or dealing with unforeseen potholes. To ensure your employees will use them, you need engaged and knowledgeable employees who think for themselves and feel empowered. Finally you explored how ERM provides multiple levels of reassurance that people are scanning the horizon for perils, and this leads to employees feeling more comfortable taking risks.

By now you can clearly see how all the concepts of formal risk management fit together like a blanket of protection and warmth when it is storming outside. We end this training tomorrow by learning the final step of risk management.

Before I delivered my closing quotation, Chrystal raised her hand. When asked for her thoughts, like a bubble, she popped up and excitedly said, “I got it! I can see what you have been trying to tell us all this time. I go to a yoga class nearly every day. My yoga instructor says that yoga is practice. We experience the poses to get comfortable with them, and the more we practise them, the easier our bodies can assume the pose. Yoga is practice, not perfection. I see now that managing risk is like yoga. The more we practise risk management in our day-to-day decisions, the stronger our programme becomes.”

“Risk! Risk anything! Care no more for the opinions of others, for those voices. Do the hardest thing on earth for you. Act for yourself. Face the truth.” Katherine Mansfield

Your Action Plan

Step One

List any tools employees in your organisation have access to or use that aid them in addressing risk. How are the tools used? How do employees know to use them? Do the tools enable smarter decision making?

Step Two

Where in your organisation could your employees use the risk authority and responsibility chart? If you used the chart, what difference, if any, would it make? What could prevent the chart from being instituted to enhance accountability?

Step Three

Consider a major project you are working on or a major goal that must get done. Using the format in this chapter, prepare a draft version of a formalised action plan for the effort. Assuming one had already been written, what difference could or would it make to your project or goal?

Step Four

Think about an opportunity, a risk or a challenge you have in front of you, and apply either the pitfall analysis tool or the given, negotiable and controllable tool. How did either of these tools assist you in deciding actions you could take to affect the risk or opportunity?
