9
What Happens NEXT?
“When people do not talk about their concerns and fears, the silence can destroy a perfectly good relationship.” Teri W.
We met the next day at PJ Investments (PJI). Someone provided us with a mountain of doughnuts; cookies; small pastries; and, of course, coffee. Sweet smells filled that room today. Because this was the last session, I would miss the people but not the heat. It was 39° Celsius at 8.00 am.
Reconciling Different Views of Risk
All through the sessions I noticed that Paul and Justin always sat far away from one another. This was strange behaviour for peers who had built a successful and profitable business together. As I obtained a greater understanding about the inner workings of PJI, I came to realise why Justin hired me. Something placed a wedge between them, and Justin hoped I would remove it and rescue his company.
When we first met, Justin said, “I am in a quandary about what to do with a recent opportunity for my company,” but he never spoke about it again. I broached the subject with Paul, who refused to say anything. Today I would attempt to define and maybe remove that wedge.
On this second day, while their employees worked on an assignment, I invited Justin and Paul to lunch at a nearby restaurant. After giving the waitress our orders I said, “I commend the two of you for getting this risk management programme implemented, but I guarantee that the programme will fail if the two of you do not support it, and I sense there is one risk that each of you want to talk about and do not want to talk about. Right now is a perfect opportunity to prove to me that you are committed to practising risk management.”
While they ate, refusing to look at one another, I related a story about two friends.
Teri and Kris
Tears fell from Teri’s eyes as she told me about how close she and Kris came to ending a lifelong friendship. Teri and her friend Kris are single professionals who love each other’s company. People who meet this fun-loving duo for the first time think they are sisters; however, Teri is spontaneous and creative, but Kris is a methodical planner with a list for everything. They prove that opposites attract.
Now in their mid-30s, Kris and Teri have jobs that leave them less time for adventures and exotic vacations. Last spring they carved out two weeks from their hectic schedules to vacation in Curacao, a remote island in the Caribbean. Unfortunately this dream vacation nearly tore them apart.
Kris’s dream vacation consisted of working through a long list of activities and explorations. Teri’s new job was taking a toll on her, so her dream was to spend most of her time on the beach reading while sipping mojitos.
What started out as fun quickly turned into a disaster. First, just before leaving home, an unusual snowstorm delayed their flight for one day. While waiting at the airport, Teri spent the time napping or relaxing to music, but Kris frantically made calls to rearrange their itinerary. They landed the next day in Miami, Florida, to more bad news: they were bumped from their connecting flight to the island. Kris took this change personally and loudly argued with an airline representative to Teri’s embarrassment. After waiting for nine hours in the Miami airport, the agent was able to get them on another flight. The only two seats available were middle seats at opposite ends of the jet.
When they finally arrived at their hotel two days later than planned, it was raining hard. The hotel clerk warned that a tropical storm was headed for the island and suggested that Kris and Teri return to the United States. “No, we are staying!” Teri screamed. Because of the high winds and drenching downpour, they were stuck in their hotel room for three straight days. Kris was fuming because many of the things on her list were cancelled. Meanwhile Teri felt miserable and achy, most likely a reaction to the stress.
Even the good news turned bad. The storm passed the island, and the sun returned, but the hotel lost power, so Kris and Teri spent the next two days without hot water or hot meals. It was too hot to be outside yet too humid and stuffy to be indoors. By this time they weren’t on speaking terms, somehow blaming the other. They spent the remainder of the trip apart, each resenting the other for having “fun.”
The only thing that eventually saved Teri’s and Kris’s friendship was a willingness to take a risk by apologising and ending the blame game. Teri and Kris each had to swallow their pride and embarrassment over their reactions under stress in order to reclaim their friendship.
Over coffee weeks later, Teri asked me, “What should I have done differently, so that the vacation might have turned out better? Do you think that what happened was inevitable?”
I gave Teri the same advice I will give the two of you.
“A big skirmish like yours was inevitable because you each approach life from a different place. Justin, you sweat the details, while Paul you do not. Paul, you like to act first and then decide what to do while Justin decides first and then acts. Neither way is right or wrong, but when you stop communicating about your concerns and fears, you tear apart what you have so carefully built. Your business could end up like Teri’s and Kris’ vacation.
“You need to see eye-to-eye again because today your stakes and risks are high, and other people are now impacted by your spontaneous or planned decisions. Neither of you seem to want to accept the other person’s point of view regarding risk, assuming that the other needs to be more like you. The two of you must find common ground regarding the cost you are willing to pay with each risk you face or opportunities you chase.”
Paul said, “You’re right. For the last six months we have avoided talking about this, but we can’t go on acting like the tension does not exist. Ron, here is the deal. In the past we have invested in land and buildings but always with the goal of finding the right property for a business unit, taking on very little risk.”
Justin cut in, “I disagree! I think we do take on a lot of risk each time we buy a property.” He glared at Paul who responded in kind.
I spoke up, “So this is what the two of you are in disagreement about: Paul feels the risk is predictable, and Justin feels it is unpredictable, right?” Both nodded in the affirmative.
Paul ploughed on, “About seven months ago a banker colleague approached me about helping with a distressed property. An out-of-town developer created a planned community nearby, and unfortunately both the contractor and developer went bankrupt. The community is nearly finished, and the banker wants to know if we would invest money in exchange for the rights to manage it while she puts together a consortium of lenders to complete the project. Our role would be to actually manage the retail and organisational part of this community.
“Up to this point in our history we would invest in a viable business that was established. In this situation we would need to establish businesses from scratch and attempt to recruit or operate 10-15 of them in this planned community. Even though we have never done something like this, I believe we can handle this, even if we have to hire the talent who can help us.”
It was Justin’s turn. “This is where I disagree with you, Paul. Taking this project moves us away from serving as adviser and landlord, a position where we limit or control our exposure. Managing a large-scale community means more of an investment, and I doubt we have the time and talent to take on a project of this size.”
I could see both of them were armed to argue the point.
I said, “I can apply a risk management tool to address your overall concerns. Even if, based on the tool’s analysis, you decide not to invest your money, you will be comfortable with using this tool, and I guarantee it will prevent the animosity I feel that is threatening your partnership.”
Murphy’s Law of Opportunistic Hindsight
After a major catastrophe everyone will say, “I saw it coming.” No one thought to say anything. Everyone excuses their culpability by saying, “There was nothing that I could do.”
Risk Management Tool Nineteen-Criteria Checkerboard
A tool called a criteria checkerboard allows you to analyse the exposure of a specific risk and then use the information to determine how to proceed. It is a key tool used by consultants for defining and matching the criteria for success with the possible alternatives. Using this information you can analyse your exposure to a risk and then use the data to decide the best solution or path to take.
How to Use the Criteria Checkerboard:
Step One: Describe the risk or problem.
Step Two: Select your criteria for a best decision.
Step Three: Brainstorm alternative solutions. Every alternative is acceptable and possible, and no idea is too outrageous. You write down every idea as it is presented. You stay open to the idea no matter the source or rationale for it. Later you go back and narrow the list down to the more reasonable or realistic alternatives.
Step Four: List the criteria and alternatives on a checkerboard tool.
Step Five: Check off, using symbols, how well each solution meets your criteria.
Step Six(A): Examine the original criteria to determine their validity or reasonableness.
Step Six(B): Alter or revise the criteria and retest.
Step Seven: Add or change the scenarios (solutions) to test how well they match up with your success criteria.
Step Eight: Answer these questions:
How will this alternative or course of action reduce our exposure to the negative consequences of this risk?
Which of these alternatives meets our need for a best solution?
Why is it optimal?
Is there any other criterion or alternative we have not considered?
What will we do with this information?
Step Nine: Make your decision based upon which solution satisfies the most criteria.
Case Study: Opportunity to Find Common Ground
Step One: Describe the risk.
By investing in this planned community, we would go from managing land and buildings to managing a town. Managing the community would mean that we act like a government (eg, establish policies and regulations); manage infrastructure, such as roads, water, sewer and landscaping; recruit businesses to locate in the community; coordinate our efforts with the other community leaders; and operate small businesses instead of investing in them.
Step Two: Select your criteria for a best decision.
The next step of the tool is to select specific criteria for the best decision. This is what Paul and Justin listed, in no particular order:
Our criteria for a successful investment are
quickly create a positive cash flow.
invest in a property or an asset that can quickly and easily be sold.
manage the investment without a lot of overhead.
be the primary decision maker (eg, no joint ventures or partnerships).
enhance our firm’s reputation as a strategic investor.
diversify our portfolio of investments to lessen overall risk.
Step Three: Brainstorm alternative solutions.
Normally we would brainstorm alternative solutions that could possibly work to solve the problem or lessen the risk. In this situation we used only one option.
Steps Four and Five: List the criteria and alternatives on the checkerboard tool, as shown in Table 9-1. Check off how well each solution meets your criteria.
The next action is to compare how well each solution or scenario meshes with the criteria.
At this point our checkerboard on Justin’s whiteboard looked like this:
Table 9-1 Criteria Checkerboard
| Proposed Solution → | Serve as manager of a planned community |
|---|---|
| Criterion for a Best Solution: ↓ | |
| Quickly create a positive cash flow. | ✗ |
| Invest in an asset that can be quickly and easily sold. | ✗ |
| Manage the investment without a lot of overhead. | ✗ |
| Be the primary decision maker. | ✗ |
| Enhance our firm’s reputation as a strategic investor. | ✓ |
| Diversify our portfolio of investments. | ✓ |
| Symbols: | |
| ✓: Satisfies the criteria. | |
| ✗: Does not satisfy the criteria. | |
| ?: Lacking information-more research is required. |
“As you can easily see, the course of action that Paul wants only meets two of the six criteria for a low risk investment,” I pointed out. As we proceeded through this powerful analysis, I could see both Paul and Justin relax.
Paul commented, “I did not fully think this investment through. There is a lot of managerial commitment we would need to make, and I do not have the time or interest to do that. In addition I do not feel comfortable putting my future in the hands of a lot of different people making different high-level decisions.”
“That is what I have been trying to tell you,” Justin said, with a little more anger than necessary.
Paul started to protest but then sat back. “I guess the excitement of the deal appealed to me, and my ego did not allow me to hear you. I feel this is not something we should do.”
“But,” I interjected, “you now have a sound basis for your decision instead of relying on your gut approach. That is how you often make decisions, Justin. Is that correct?”
“Yes,” he admitted. “I sensed the amount of work we would be involved in, but I never analysed it fully. I guess that Paul may have put attention on last three criteria while I focused on the second and third.”
I asked, “Is that true, Paul?”
“Yes,” he replied.
I said, “The good news, besides the two of you now being in sync on this risk, you have a tool to use for further analysis. Use this tool to run through a few different scenarios before you tell the bank “Yes” or “No.” For example assume that you relax your requirement about not partnering. Assume that you offer to just manage the land and buildings of those retail businesses. Assume that you found a project management company to invest in, and they are the entity to run the community. Those are alternatives that might help you turn someone’s problem into an opportunity and a low risk.”
Paul spoke up first, “No. You can skip steps six through eight. My decision, which I know Justin agrees with, is that we won’t invest in this project. I finally see how this whole idea of risk management works. This particular thing that we just went through crystallised it for me. I really like this particular tool.”
Tool’s Lesson
Because every opportunity has a cost, it is important to use decision making tools to uncover these costs and analyse possible negative downsides, so you can quickly bring them under control. The criteria checkerboard can be used on small decisions, as well as major strategies. It may not always show you the best decision to make, but it will help you raise or lower your expectations and also decide your exit strategy.
ERM Makes You More Investor Worthy
Ernst & Young conducted a survey of 137 global institutional investors reading the impact of ERM in their investment decisions. The respondents reported that theywill pay a premium for companies that demonstrate successful risk management (82%).
will not invest where there is evidence of poor risk management (61%).
would withdraw investment when there is a perceived lack of appropriate risk management (41%).
Source: Investors on Risk. Ernst & Young, 2006.
ERM Step Five and One-Half: Learn Something
(So You Can Accept Even More Risk with Confidence)
Murphy’s Law of Risk and Progress
Just when you think you have all the answers, the question changes.
Normally I tell an audience a favourite quotation at the end of a session, but to set a tone for you to be open to this final step, Ill make an exception. The artist Michelangelo’s advice applies both to the need for a balanced attitude between security and insecurity and always looking back to see how far you have come when making your leaps of faith.
“The greater danger for most of us lies not in setting our aim too high and falling short; but in setting our aim too low, and achieving our mark.”
This last step may seem like an afterthought, yet it is very crucial to the success of your risk-planning efforts. Even when you identify the pitfalls and establish recovery actions, as in step five, unless you and your employees actually implement the identified changes and improvements, you wasted the time spent in understanding the causes of risks and how to avoid them. Nearly every organisation that has effective risk management programmes, especially those that implemented ERM protocols, believes that risk management must become a natural part of their continuous improvement efforts.
Evaluating Your ERM Efforts
There will not be any firework display or ticker-tape parade that lets you know your risk management efforts are paying off. You will, however, specifically notice that you capture opportunities quicker, employees have a better attitude towards both risks and risk taking, people are prepared to both defend and critique an important decision, and everyone seems to make more intelligent decisions. Even when an organisation does have some type of risk management and governance programme, there is always a concern about its effectiveness.
“With risk comes reward.” You have heard that adage many times. Here is the other side of that reminder: with opportunity (reward) comes risk. The world you live and work in is filled with opportunity, and you naturally desire to take advantage of it all. When applying ERM you have the discipline in place to do more and better risk taking. Organisations like the LEGO Group found their risk exposure goes down even as employees take more risks.
You want your people to make smarter, meaningful and intelligent decisions. When you see an increase in that behaviour, you know your ERM programme works. The improvement is evident because your employees use tools such as the criteria checkerboard, pitfall analysis or risk critical path in their thought process. The more ingrained the tools, the more they get used. Thus you end up with more disciplined and well-thought out decisions.
Still a Way to Go
Ernst & Young, in a 2010 survey of 567 companies across Europe, the Middle East, India and Africa, reported that two-thirds of the respondents acknowledge the need to enhance their risk management capabilities.
Source: Expectations on Governance, Risk and Compliance from the Management, Operational Leader and External Stakeholder Perspective. Ernst & Young, 201 0.
I assume you are familiar with continuous improvement, which means you are constantly working to improve what you are doing. This dissatisfaction with the status quo attitude integrates well with ERM because of the learning nature of its dynamic protocols. Continuous improvement includes streamlining processes, rethinking work, re-evaluating goals, and eliminating unnecessary work and wastage, all activities designed to make things better and lower the cost of doing business. This cultural norm must be included in an effective risk management programme because when it is absent, your employees will continue to take the same needless risks again and again. Learning does not take place!
New or improved courses of action will naturally arise from your cross-functional team approach of examining risk. Your chief risk officer (CRO), or leader of your ERM effort, is the person responsible for ensuring that the risk owner commits to implementing the changes and improvements that have been identified and quantified.
Some large organisations have turned this CRO role over to the internal audit department. Whether you want risk management oversight to be a function of internal audit or the risk management team, both groups are chartered to constantly seek out improvements that could potentially lead to better risk evaluation techniques, more tools for employees to use, ending weaknesses in strategies, identifying metrics, establishing goals and instilling rewards. The CRO’s team may be better able to monitor your firm’s culture mosaic.
It is essential to make sure your overall plan emphasises and obtains commitments from employees responsible to be on the lookout for the conditions that lead to unnecessary or costly risk to avoid falling into the same pit. This commitment requires the desire and ability to learn.
Every human has the capacity to look back and learn from the recent past. This is a cultural norm that also serves your risk awareness efforts. ERM instils a protocol to look back at both opportunities and risk in order to do better next time.
Interpreting Results
At first it will seem difficult to evaluate the effectiveness of ERM. This is where specific measurements aid you in knowing how well ERM pays for itself many times over. You may not see more profits, cash or donations because each of those financial metrics is affected by many things besides risk and opportunity. You will identify benefits once you establish key performance indicators (KPIs), along with key risk indicators (KRIs), which serve as pulse points to determine if the risks are cropping up, or opportunity is losing out to any negative impact.
The right KPIs and KRIs will provide feedback on the effectiveness and usage of ERM protocol. Assume your company sells to small businesses and has been hurt by numerous business failures and bankruptcies. One of your KPIs is the aging percentages of your accounts receivables (customer IOUs) and the amount of bad debts compared to net sales. Before implementing ERM the amount of customers in the 90-day category was 6%, and your write-off ratio was 1% of sales. One of the first areas where you apply ERM is your sales process that includes customer selection, credit granting and collections. Within four months of applying the tools of risk management, these metrics drop. Ninety day is now at 4.7%, and write-offs fall to 0.7%. One year later these measurements are much lower: 90-day is 2.6%, and write-offs are now 0.4% of sales. Clearly ERM is working because your exposure of not getting paid has significantly dropped.
Selecting the right set of metrics as KPIs and KRIs for a scorecard is a learning function because you have to exactly know where the risk exists, what creates the risk, how to change behaviours and how to measure the results of better behaviours. ERM benefits you because you have a standard framework process that will provide continuous and ongoing feedback on employees’ behaviour patterns and the firm’s operational results.
Your historical KPIs and projected KRIs simultaneously support both governance and the ERM programme. Currently most organisations can readily access 60-80% of the data required to get a better overview of the metrics that measure or monitor the intangible costs of risk taking.
Tracking Process Output Versus Reality
You may experience this situation: employees telling you they have identified a risk and dealt with it, yet the situation blows up in your face (figuratively of course). That is why in risk management you establish process outcomes using qualitative measurements. Most likely your employees are not intentionally trying to deceive you about using the tools, but the reasons behind this undesirable behaviour are threefold. First you are asking the devil-may-care risk takers to think before acting. That is like asking them to hand their wallets and car keys over to you. Second you are asking the risk-averse turtles to stick out their necks. To them that may feel like you asked them to walk around the office naked. Third you are changing the culture of your firm, which to some is like asking them to change their allegiance. People often resist attempts to shift a culture because the one you have now, pre-ERM, is their comfort zone, and you know how you react when you are forced to leave yours.
This is why you will rely on process outcome metrics to let you know if employees are actually applying ERM. Larger organisations track their feedback metrics using a dashboard reporting system. In reporting on risk a dashboard that displays key data points will be on every manager’s desktop or accessible using the firm’s intranet. The dashboard reports capture, analyse and present the most vital information in summary or pictorial form.
Your investment in a risk management infrastructure must be viewed the same as making a strategic investment in new buildings and equipment. Once you know the rationale for the investment, you establish feedback measures to ensure the spending was beneficial and pays for itself.
Scenario Planning Again
Another aspect of learning and improving that pays huge dividends is the scenario planning done in the early stages of risk planning. A scenario is simply a mental rehearsal of alternatives if your original plan does not work out. Professional athletes adjust their diet to their workout schedule. During intense practices they consume one diet, and when taking time off they reduce their calorie and carbohydrate intake. Soon this becomes second nature.
Scenario planning in ERM becomes second nature, so when Murphy’s Law attacks are larger and deeper than expected, you have specific or general plans on what to shift, add or subtract. Being able to comfortably do this adds to the backwards-looking and learning-as-you-go aspects of ERM.
Learning Lessons
Murphy’s Law of Risk Wisdom
The person who knows the complexities of the situation is never put in charge. The person who is clueless is put in charge.
Organisations and people that are considered the winners in life and business have a common trait: they are always in the learning mode. They know they do not currently have all the answers, so they pursue fresh ideas and insights by incorporating a lessons-learned habit into their routine.
You learned that, in ERM, involving many people in the process creates better and lasting solutions. ERM takes the more brains involved the better concept and suggests that employees involved in ERM regularly pause and share what they have learned and what has and has not worked. They also cross-pollinate improvement ideas by sharing best practices, which are ideas and techniques that have worked well for someone else.
Risk Management Tool Twenty-Plus/Delta Analysis
The plus/delta analysis shown in Figure 9-1 is an excellent learning tool for every aspect of risk management, especially looking back to learn from the recent past. The plus/delta analysis is a summary of actions worthy of repeating and that need improving. It spawns rapid improvements, shortens learning curves and increases accountability. The plus/delta analysis gives executives, managers, employees and the risk oversight team invaluable insight on what to continue doing and what to improve. You use this tool as you plan for each risky venture, as progress reports of an ongoing action plan and at the end of each opportunity taken. At every phase of your project or activity, the things that are working are identified as pluses, and the improvements, called deltas, are noted.
Compliance with the Sarbanes-Oxley Act of 2002 (SOX) in the US and similar legislation in Canada, Australia, Japan and the UK demands this sort of documentation because companies that got into trouble due to a high risk exposure were unable to prove the soundness of the reasons for taking the risk in the first place.
How to Use the Plus/Delta Analysis
Step One: In a normal or regular gathering of the participants, announce the purpose of the plus/ delta analysis: to learn what works and gather suggestions for improvement.
Step Two: Spend adequate time gathering a list of conditions, activities and decisions that have worked well and list them on the “pluses” side.
Step Three: Spend time gathering a list of conditions, activities and decisions that people would like to see changed and list them on the “deltas” side. An idea for the delta column must be stated as an improvement, not a complaint. For example, “The room was too cold,” is a complaint and not very actionable. “Someone appointed to monitor and adjust the room temperature,” is a suggestion and recommends an action to be taken.
Step Four: Before the next committee meeting or stage of work, address the changes (deltas) that were recommended and accommodate those that cannot be changed. Remember there are many ways to pare an apple.
Step Five: Early in the next meeting review the most recently completed plus/delta analysis.
Step Six: Remind people in your group to continue to do what is working (pluses).
Step Seven: Inform the group of the changes that will happen as a result of their suggestions (deltas).
Step Eight: Explain those improvements that cannot be implemented, and brainstorm alternatives.
Step Nine: Continue to use the plus/delta tool at each meeting, event or gathering.
Step Ten: Notice and celebrate how quickly improvements are taking place.
Retain all your plus/delta analyses because it is good documentation to prove you are being proactive in addressing risk to your boss, an insurance auditor, or your CA firm who may be checking for regulatory compliance.
To demonstrate the plus/delta tool’s impact, we spend time preparing one for the series of sessions the employees and managers attended together. Figure 9-2 is what they came up with:
I pointed out, “The pluses side of the tool helps me discover those things that were meaningful. The deltas are really suggestions for improvement that may or may not be valid, depending on the context, such as allowing employees to use their cell phones during the session. Every idea has merit, and when employees see their suggestions implemented, they get excited and are more enrolled in finding more improvements.”
The Risk Audit
Effectively managing the risk of doing business is becoming a critical driver in many companies’ success or failure. Periodically taking a comprehensive view of your risk management strategies through an audit or a formal review process is a good way to learn from your successes and misses. This risk management review (ie, audit) is an opportunity for your organisation to assess its ability to both handle risk and recover from its downside. The key element is to make sure you are actually learning something, so you see improvement over time. For example an acquisition, a merger or a significant change in corporate policy within the company can significantly change your organisation’s risk strategy.
A risk audit will help you know if your risk management programme stays in alignment with your organisation’s overall strategy and objectives. The goal is to make risk management review a part of your everyday business. You can use this review process to strengthen long-term relationships (and hopefully reduce premiums) with insurance brokers and underwriters.
As you gather information from your periodic risk audit, this information will be helpful in negotiating with underwriters. Resist the temptation to tie the timing of this review to the purchase of your insurance. The goal of the review is to identify the weaknesses in your system of controls regarding risk identification, oversight and mitigation. More than likely you will find in your review that your company has unintentionally retained a certain risk, either through benign neglect or a lack of internal communication.
Risk Audit Team
Your audit team consists of people throughout the organisation, including operations, accounting, IT, HR and any other service or support areas that are affected by risks, such as safety. It is critical that this cross-functional team communicate and relate well to each other because their charter is to ask one another, “What is keeping you awake at night beyond the normal risks?” This requires the team to creatively, organically and holistically think about the business. If properly applied the annual review will open employees’ eyes to the impact that one risk could have on multiple departments or functions within the business.
This audit team must be headed by a senior executive who represents both the company’s and shareholders’ interests as they relate to risk management. The goal of the committee is to develop a customised audit risk checklist, so that individual managers—the actual risk takers—can assess the risk versus reward of their particular area of responsibility. The checklist asks managers to indicate their awareness and knowledge of the potential risks, define those risks and identify how they are being addressed on an everyday basis. The key question could be, “How many resources are being spent to address or mitigate this issue?” Don’t forget to include resources such as people’s time, extra paperwork, audit verifications and energy. Pay close attention to the time that could be spent in more productive endeavours.
Audit Findings
Once the risk review is complete, your company’s next step is to use the information that it gathers to improve its overall risk management. By incorporating the review’s findings into a specific plan for risk management, the company should be able to minimise the chance that the audit findings will gather dust on some executive’s shelf. It makes sense that the leader of this audit team is the CRO and that part of the team’s membership consists of members of the risk committee. In some larger organisations the risk oversight committee and risk audit team are the same.
Your risk audit will likely provide you with a great deal of knowledge about your current state of affairs as it relates to risk management and your overall state of risk taking or opportunity exploitation. Some of this knowledge will be beneficial and welcome, but other parts of it will be dreaded and unwelcome. In risk management, knowing the good with the bad makes the organisation stronger and better able to withstand serious and unanticipated risk. It may even give you a competitive advantage and build the confidence to risk more.
Lesson for Experience with ERM
In 2009 Ernst & Young sponsored a survey that was conducted by the Economist Intelligence Unit and that asked about experiences with ERM. Respondents
have seven or more risk functions (73%).
have overlapping coverage in two or more risk functions (67%).
reported gaps in coverage between risk functions (50%).
believe they can get better risk coverage for less money (62%).
Source: http://www.ey.com/Publication/vwLUAssets/The_future_of_risk_-_Protecting_and_enabling_performance/$FILE/EY_Future%20of%20risk_-_Protecting_and_enabling_performance.pdf
Ongoing Protection
Think of managing a risk and opportunity as protecting your personal computer from a virus. A virus can come through many different forms, so you establish a firewall to prevent viruses from coming through your ISP. Don’t forget that viruses can be attached to documents in an e-mail, purchased software downloads and memory sticks or when someone accesses your computer system through his or her unprotected home terminal. Even worse someone could send you what seems to be a harmless e-card that contains a virus that is not detected by your firewall. Even if you have the best firewall available, you must regularly update it and run a daily check for new viruses to make sure the tool is doing its job.
The same holds true for your risk management programme. You could have strategies and tools in place, but that will not always prevent a costly risk from negatively impacting you, especially if it comes from an unexpected source, such as a disgruntled employee, foreign government or strategic partner. Just as you update your firewall often and run a daily protection scan, you must also regularly review your risk effort by updating your strategies, examining your plans, and conducting a risk audit or looking back at lessons learned.
Lessons Learned
Fast Company magazine published an illustrative example of lessons learned in the article “Make Smarter Mistakes.” It lists six reality-tested ways to quickly learn from your mistakes that apply to the negative effects of risk taking:
The cover-up is always worse than the crime. The surest way to defuse a mistake is to quickly own up and face it.
If it is your team, it is your mistake. If something bad happens in your group or unit, you own the mistake and recovery plan. People forget the problem, but they remember your actions.
Follow-up is as important as follow-through. Little mistakes yield big insights.
Seize the moment of truth. Learn from the problem and its effects as quickly as possible.
It pays to make mistakes. Even when things are going well, we need to be shaken up and tested.
Sometimes the best fix is a quick fix. The quick solution can buy you time to learn and implement a lasting prevention.
Source: www.fastcompany.com/magazine/11/mistakes.html.
I asked the employees of PJI to share their lessons learned from taking risks, seizing opportunities or dealing with Murphy’s Law. These are a few of their suggestions:
If you wait until conditions are perfect, you will never act.
Each time you take a risk, review what you did and celebrate it, even if you didn’t achieve what you wanted.
I never use the word risk. I call them opportunities.
For a big risk, you can avoid drowning by going in the water one step at a time.
Look before you leap. Then don’t forget to leap.
I used to think I never took risks, but when I really thought about it, I always do. I just never classified them as risks. I called it living.
There are very few risks that you cannot recover from.
I do something scary every day. Then when I am faced with a big deal, I know I can handle it.
Start your day by eating a live worm. The rest of the day gets better.
From our experiences organisations are intensely aware of the need to transform their risk management capabilities to not only more effectively manage today’s risks but to also sustain what they have now while improving business performance. Yet despite the pressure and desire to change, many company owners and organisation executives have yet to realise that a major reinvention of their risk management approach cannot be achieved using incremental improvements. What you need is a thoughtful holistic approach instead of merely dealing with your lack of a viable programme on a piecemeal basis.
Onward
Step five and one-half, a healthy evolution in a business, is maturity. In the prior steps we acknowledged that the downside of risk taking exists and is inevitable. Now that you have this realisation employees are given tools they can use to learn from successes and failures. As in the example about protecting your personal computer from viruses, a formal risk management programme provides a firewall that benefits the entire organisation.
There is an old saying about the job not being done until the paperwork is done. You can make the same case for ERM. The plan is not fully executed until you see employees incorporating it into their daily behaviours. This is why this final, never completed step, is the bookend to Step 1 in which we define risk at a global level. To ensure your firm’s risk plan works, you must move it down to risk at the individual level. This last step is accomplished by holding people accountable to what they commit to doing regarding the awareness, analysis, measurement and management of risks undertaken.
After our meeting in Justin’s office, I asked them both to tell their employees how much they believed in this new way of working. Justin went first, “I want you all to know that risk management is vital to our future. There should be no question in your mind about our adoption and usage of this. We are going to and we can. It will take us all a while to get used to this, but I have the utmost confidence that we can do this.”
Although I was a little nervous about what he would say, Paul went next. “To be honest, at first, I was sceptical about this thing called ERM. Maybe you were, too, but I am 100% convinced that we want this and need this. You will see me practising risk management from now on, and I expect you to do the same. Let’s learn how to do this together. I cannot wait for the day that it becomes second nature for all of us.”
Employees actually clapped and cheered. I was pleasantly surprised.
End of the Line
After Paul and Justin sat down I told the employees of PJI, “I admire you for your courage and willingness to transform the culture to one where risk is faced bravely and boldly.
“I appreciate your honesty and willingness to share predicaments and challenges you face, so that I could use them as examples. Thanks for your hard work and ability to find the humour in a very serious topic. My grandfather used to say, ‘If you aren’t learning anything from your mistakes, don’t make any!’ There were a few chuckles and grins.
“To me his words highlight the importance of the step you took today. You will make mistakes, misjudgements and underestimate Murphy’s Law, but each time you take a risk or go after an opportunity, it is vital to look back and learn something from your reward or pain and use that to improve your ability to face risk the next time. I will leave you with a quick digest of what this training was all about. It removes common misperceptions that exist about ERM. Share it with co-workers.”
Five and One-Half Myths of ERM
Myth One: ERM is mostly about effective financial and operational internal controls.
Reality: ERM is about leadership, decision making and justifying the risks you undertake.
Myth Two: Auditors and accountants are mostly responsible for applying ERM.
Reality: Everyone in your firm is responsible for fostering and applying a risk management system.
Myth Three: If ERM works you will be assured that risks will not be costly or wasteful.
Reality: The failure of a risk could still be costly, but ERM allows you to quickly and confidently recover and know that the rewards exceeded the costs.
Myth Four: ERM mostly addresses external risks, such as market and regulatory.
Reality: Because risks can arise from anywhere and multiple sources, ERM requires both an internal and external focus and awareness.
Myth Five: The best measurement of ERM’s effectiveness is lower insurance and compliance costs.
Reality: The primary measurement of ERM is adding value to the firm, as defined by the stakeholders.
Myth Five and One-Half: ERM only applies to big for-profit companies.
Reality: Every firm that faces risk can benefit from applying the fundamentals of ERM. It is necessary for survival.
“And the day came when the risk to remain tight in a bud was more painful than the risk it took to blossom.” Anaïs Nin
ERM Tool Kit
Appendix A, “Roadmap” contains a recap of all the tools highlighted in this book. It is something to access whenever you are not sure what tool to use. You can also use it to teach others.
Your Action Plan
Step One
Think about something you are working on that has multiple options to it. Apply the criteria checker board to it. Be sure to write out your success criteria first.
Step Two
Think about an area where you could use the plus/delta analysis. Use it several times until you get the feel for it. Then use it in another area, and teach others how to use it.
Step Three
Reread the “Five and One-Half Myths of ERM” section. Which of these myths did you buy into before reading this book? Who else could benefit from improving his or her understanding of ERM?
Step Four
What will you do next? How and where can you apply what you learned about the proper way to manage risk?