CHAPTER 8

Examples and Illustrations

These final chapters give some examples, old and new, of how, and especially how not, to manage risks.

These are taken from personal experience, public information, and hearsay.

Controls that Do Not Control Anything

I have often come across the kind of thinking that introduces or maintains controls regardless of their effectiveness.

  • Money bags. Carrying cash in a box or bag obviously made for the purpose acts as an advert to thieves.
  • Matting under climbing frames. The better the landing surface, the more daring the children will be, and the more injuries will occur, and the more likely it is that parents will blame the owners of the facility.
  • IT controls. Many controls in IT departments serve only to shift blame between teams, creating complacency and doing nothing to reduce errors.
  • Superfluous audit checks. Sometimes, the most time-consuming checks are the least effective (let alone cost-effective) as only honest people comply, while fraudsters can easily get around them.
  • Inspection systems. If not backed up with rapid repair responses, these can simply prove that you were aware of the defect, and thus liable!

What Are the Causes of This Wrong Attitude?

  1. The natural and justifiable concern to prevent undesirable consequences of our actions, sometimes taken to an extreme.
  2. Lack of communication between managers, insurers, and health and safety, leading to knee-jerk reactions, rather than properly considered solutions.
  3. The requirements of funding agencies and regulatory bodies, often lacking in detailed knowledge and understanding of the activities they are trying to control.
  4. The culture in some organizations, where failure is punished more than success is rewarded.
  5. Fear of being sued as a result of the claims culture, especially in the light of a few well-publicized high-cost cases, sometimes with unexpected outcomes.
  6. Fear of adverse publicity if the press should take a one-sided view of an incident, regardless of the real blame.

Sadly, if you have worked in an organization where managers adopt control measures mainly because they make them appear to be doing something, rather than for their effectiveness, you will have gained the impression that risk management is a waste of time and resources, and you will probably have become frustrated and disillusioned too. Risk management is badly served by managers who create excessive controls. This reminds me of the rhinoceros, which has a horn, supposedly to defend itself. In fact, the rhino’s worst enemies are poachers who want the horn for its high value due to its imaginary medicinal properties. Therefore, as a defense, it is worse than useless, like a lot of risk control measures. Or, like the cowboy who wore two guns in case he missed six times and was still alive! When you review your risks, ask how effective your control measures really are, and assess the cost of the measures. Then, be ruthless. Or, you could become as endangered as a rhino.

How to Avoid Giving Away Money Unintentionally

The following three types of fraud have implications for almost all businesses, and we all need to think of ways of reducing the risk they pose. I have written about cyber fraud in an earlier chapter. It is a growth area. But, these three old-fashioned methods of taking your money are still with us.

Ghosts on the Payroll

I remember a woman who worked in the payroll section of a company. She paid herself a lot more than she was supposed to and then paid her husband and other members of her family a lot of money even though they did not work there. It was eventually discovered by the year-end audit.

  • Always design your systems of work so that no one person can add people or increase pay rates without anyone else approving.
  • Do not rely on a once-a-year audit. People should never be sure auditors will not appear unexpectedly.
  • Routine cost statements should be produced. Someone should notice unplanned increases.
  • A list of payees should be produced every payday, and someone should notice any new employees.

Car Sales Scam

A garage owner rented out his forecourt to a stranger who wanted it for second-hand car sales. He paid a month in advance in cash. There was a Grand Opening Sale with massive discounts. Cash only. All the cars were quickly sold.

Soon people came back with complaints about the cars. They were all faulty and not worth even the discounted prices. The dealer was nowhere to be found.

The garage owner found himself on the receiving end of a lot of claims and accusations, of which he was innocent. He managed to defend himself successfully but incurred legal costs and his reputation suffered a lot.

  • Beware of anything that seems too good to be true. It probably is.
  • Beware of anyone who insists on cash only.
  • Always check the credentials and identity of potential business associates, even if you think the association is very arm's-length.

Motor Insurance Scam

A broker added elements to genuine claims as he forwarded them to the insurers. These included injuries, additional passengers, and car hire. He always had the cheques or other payments made to him, from which he paid the claimants, keeping large profits for himself. He colluded with a car-hire firm, a lawyer, and a doctor who produced phoney medical reports on demand. He was aware that different insurers had different practices regarding investigating claims. He always ensured he kept his claims just below the threshold. He was caught when a claimant contacted his insurers direct and was amazed to learn of all the payments they had made to him for his minor accident. He and they went to the police.

Even if you are not in the insurance business, think how this could apply to you. And, these are some controls you could apply:

  • Avoid letting one person channel all payments through himself or herself.
  • Do not have a rigid policy for investigating anything.
  • Be suspicious if someone always uses the same subcontractors, for example, the car-hire firm and the doctor.
  • At least sometimes, insist on bypassing the middle-man and speak to the end client.

Do not give away money unless you intend to!

How a Minor Weakness in the Design of a System Nearly Led to a Big Financial Scandal

When looking at the financial risk, it is important to remember that fraud is not the only risk in this category. Errors of all kinds can have serious financial consequences. Here is the story of an unfortunate sequence of events leading to a highly embarrassing outcome. The one good thing about it was that the financial cost was minimal. The damage to the organization’s reputation was the real loss. I will point out some of the failings and how they could have been avoided, as I see things. Perhaps, you will think of some others. You may also notice that those same shortcomings could have left the organization vulnerable to a fraud.

It happened in the early 1970s when many organizations were just beginning to use computers for their principal financial functions. In this instance, the function in question was creditor payments. The whole system had been reviewed, including the manual operations that linked to the computer. Like most IT functions at that time, a batch input system was introduced. A payment slip was stuck onto each invoice to be paid. A number identifying the creditor had to be entered on the slip, as well as the invoice number, an expenditure code, and the amount. It then had to be signed by an authorized person to certify that it was to be paid.

Completed invoices were bundled together into a batch on the front of which a batch-header form was attached giving a batch number and the total of the amounts to be paid, which was produced by using an adding machine. The batch was then passed to the IT department where all the information on the creditor payment slips and the batch header were input. The totals had to agree, and the other details had to be valid. The computer then generated a listing of all this data and produced the cheques and remittance advices. An independent group of people, known collectively as Dispatch, checked that the cheques agreed with the list before putting them into envelopes, and dispatching them. Where more than one payment was being made to a creditor, the computer combined them onto one cheque, but showed the separate amounts on the remittance advice.

A period of parallel running had apparently proven that the system worked properly. The problem that defied the system concerned a credit note. The arrangement was that a credit note should be treated in the same way as an invoice, but a negative amount shown on the creditor slip. Usually, a credit would be attached to an invoice from the relevant creditor, but that was not considered essential, as the computer would automatically deduct the amount from anything being paid to that creditor in the same run, which usually included several batches. The thing nobody had thought of was how to deal with the situation where a credit note went through the system in a week when there was no invoice against which it could be offset. Inevitably, like most unforeseen circumstances, it occurred in due course.

The computer, unable to produce a cheque for a negative amount, deducted the figure from the highest number it could process. The system was designed to prevent any payment of a million pounds or more from going through. In the event of a genuine million-pound payment being necessary, it would have been handled manually. Thus, a cheque was produced for a million pounds less a penny less the amount of the credit note. The credit note was for less than a pound. The creditor took a photocopy of the cheque and sent it to the local paper. He framed the original. Had he tried to bank it, it is possible that it would have been queried at that stage. It is also possible that he could have been charged with fraud, as he must have known he was not owed anything like a million pounds. The resulting furor and internal enquiry left a lot of blood on a lot of carpets. You might have a view on whose it should have been. The programmers and systems analysts were asked why they had not thought of the eventuality, which did, in fact, occur. So was the system owner, the creditor payments manager. It should have been possible to arrange for unaccompanied credit notes to be rejected. The cheque list could have been checked against the actual invoices. Someone should have noticed that the total far exceeded the batch total. Someone might have used their common sense and queried a payment of nearly a million pounds, especially as the creditor did not supply goods of anywhere near that value.
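The failure described above, modelled as an added example (it is not the original system's code): a payment run that nets slips per creditor, first with the flaw as the text describes it, then with the two controls the text suggests, rejecting unaccompanied credit notes and reconciling the cheque total against the batch totals. The batch numbers, creditor numbers and amounts (in pence) are constructed sample data, and all function names are illustrative.

```python
from collections import defaultdict

MAX_CHEQUE_PENCE = 99_999_999  # £999,999.99, the largest amount the run would process

# Constructed sample run. Each slip is (creditor, document number, amount in pence).
# Creditor C200 has only a credit note this week, with no invoice to offset it.
BATCHES = {
    "B001": {"header_total": 15_250, "slips": [
        ("C100", "INV-1", 12_500), ("C100", "CN-7", -2_250), ("C150", "INV-2", 5_000)]},
    "B002": {"header_total": -75, "slips": [("C200", "CN-9", -75)]},
}

def net_per_creditor(batches):
    """Check each batch against its header total, then net the slips per creditor."""
    nets = defaultdict(int)
    for batch_no, batch in batches.items():
        if sum(amount for _, _, amount in batch["slips"]) != batch["header_total"]:
            raise ValueError(f"batch {batch_no}: slips do not agree with header total")
        for creditor, _, amount in batch["slips"]:
            nets[creditor] += amount
    return dict(nets)

def flawed_run(batches):
    """Behaviour described in the text: a negative net is deducted from the maximum."""
    return {creditor: (net if net >= 0 else MAX_CHEQUE_PENCE + net)
            for creditor, net in net_per_creditor(batches).items()}

def controlled_run(batches):
    """Hold unaccompanied credits for a later run instead of printing a cheque."""
    cheques, held = {}, {}
    for creditor, net in net_per_creditor(batches).items():
        (cheques if net > 0 else held)[creditor] = net
    return cheques, held

def reconcile(cheques, batches, held=None):
    """Cheque total minus the total the batch headers authorise; 0 means agreement."""
    authorised = sum(batch["header_total"] for batch in batches.values())
    authorised -= sum((held or {}).values())  # held credits are carried forward, not paid
    return sum(cheques.values()) - authorised

if __name__ == "__main__":
    bad = flawed_run(BATCHES)
    print("flawed cheques:", bad, "discrepancy:", reconcile(bad, BATCHES))
    good, held = controlled_run(BATCHES)
    print("controlled cheques:", good, "held:", held,
          "discrepancy:", reconcile(good, BATCHES, held))
```

The per-batch header check passes in both runs, which is why it did not catch the error: the input was valid, and only a check on the output side (the cheque list against the batch totals) shows the discrepancy.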

Perhaps, you need to review your financial systems, online and offline, to ensure they are (still) fit for purpose.

Are You Managing the Right Risks or Are You Unsure of Your Objectives? Learn a Lesson From 1794

Are you sometimes disappointed at the results you get from risk management or indeed from any other management technique? Do you seem to have followed all the right steps and not got the result you wanted?

There can be many reasons for this, but I want to look at one of the most important and easiest to overlook. It concerns knowing the difference between your targets and your real objectives. It is illustrated by the difference in thinking between some at the Admiralty and Admiral Lord Howe in 1794. Such differences can be seen today all too often, and not just in the navy.

In 1794, Britain was in the second year of the war against France following the French Revolution. It was not going well. There was great fear of invasion. Admiral Lord Howe was in command of a division of the fleet sailing off the south west of England, aware that the French had assembled a fleet in the port of Brest in Brittany. Throughout the 18th century, both navies had fought by keeping their ships in a line-ahead formation, resulting in very few decisive outcomes of sea battles. Howe had seen that, whenever there was a British victory, something had happened to cause the lines to be broken and allow, or even force, captains to use their initiative. Therefore, he worked out a plan for defeating the French by breaking their line.

In May 1794, Howe was informed that a convoy of merchant ships was bringing grain to France from the Americas. Both countries were trying to use attacks on merchant shipping to disrupt each other’s economies and to reduce food supplies.

He received orders giving him two objectives:

  1. to keep the French fleet blockaded in port,
  2. to intercept the grain convoy.

The French managed to slip out of port evading the British, partly due to the weather reducing visibility. Howe attacked on June 01, using his new tactics, resulting in one of our most decisive victories over the French at sea for a long time. The grain convoy reached France, but most of the French fleet was either captured or sunk, significantly reducing the risk of invasion for many years.

The news was welcomed by most British people as a great relief, a big uplift in morale, causing the battle to become known as The Glorious First of June. However, some criticized Howe severely for disobeying his orders and failing in his two objectives in that

  1. the French fleet got out of harbor,
  2. the grain convoy reached France.

Fortunately for Howe, his critics were silenced in the jubilation that we had won a battle for a change and were safe from invasion. The people at the top saw that winning the war was our real aim. Howe had placed that above his immediate objectives of blockading the French fleet in port and intercepting the grain convoy.

What Has This to Do With Your Business?

I have too often come across situations where people were so obsessed with their immediate objectives that they lost sight of their real aims. Targets and action plans can make this mistake more likely if they are not interpreted in the light of something bigger. This can apply to all aspects of management, but you can certainly apply it to risk management.

Are you managing the real risks? Or, are you too focused on your specific immediate ones? Above all, think about this when carrying out a review of your risk management strategy. Yes. The one you were meaning to do sometime soon.

Miscellaneous Examples: Good, Bad and … Well, Make Your Own Mind Up!

The Noonday Gun

I have spent many years in internal audit in various organizations, managing some of their financial risks. I have often studied and tested the controls they had in place, with often worrying results. This was sometimes wrongly interpreted as overzealousness or even malice, but my concern was to find out how the control measures were supposed to work and whether they actually did.

I often remember a story told to me by an old auditor whose enquiring mind did not shut down when he was away from the office. It merely found different subjects to enquire into. He said he had once been on holiday somewhere in the south west of England and noticed that, every day at noon, they used to fire a cannon, from a castle above the harbor. He was told it was “so reliable you could set your clocks by it,” and apparently, people did. He could not help wondering how it could be so reliable, and when he went on a tour of the castle, he asked how they always knew the correct time. This was before the digital age, although I do not know why they did not use the Talking Clock, which was created for that purpose. Anyway, they said, there was a particular official there whose watch was always right, and he supervised the firing of the gun. My colleague’s curiosity was not quite satisfied. He was as bad as me, you see. He asked the official in question, how he knew his watch was correct, and was told there was a jeweler’s shop in the town where they always ensured all the clocks and watches in the shop were showing the exact time. Of course, this inquisitor could not refrain from visiting the shop and asking the obvious question. He was told, “That’s easy. Every day at exactly twelve noon they fire a gun from up at the castle.”

That was just like some of the financial controls I have come across. Everything relied on everything else. There was no real independent check on anything. Therefore, if anyone had managed to fiddle one set of figures, all the rest would have agreed with them, by definition.

What are you relying on to check something? How independently is it verified?

The Fox and the Cat

It is quite frustrating in risk management when you come across businesses where nobody thinks there is a need to review their risks or how they are managed because there are already lots of controls in place. There is a very old story, one of Aesop’s Fables, which illustrates my thinking on this, which shows that very little is really new, at least not in management.

There was a fox who became friends with a cat. Yes, I know, just bear with me, this is a fable, it makes a point. It is not a natural history lesson. Well, one day, the fox and the cat were walking together, chatting about … whatever foxes and cats chat about, when suddenly they heard a noise in the distance. The cat said, “That sounds like hounds. I think we had better start running or we’ll be in big trouble.”

“Oh, don’t worry!” said the fox. “I know a hundred tricks for escaping from hounds. Just stick with me.” The cat said, “I only know one.” So, he thought he had better keep close to the fox. In due course, or possibly sooner, the hounds arrived and started to chase the two friends. There were some trees nearby, and the fox ran in and out among the trees in a hundred different patterns, but the hounds just kept on the scent until in the end they caught him. Meanwhile, the cat had climbed the first tree he came to and stayed there until the hounds had given up, once they realized they could not climb trees.

What controls do you have in your business? Have you tested them? Do they really work? As Aesop (or whoever) said at the end of the fable: One trick that works is worth more than a hundred that don’t!

The Lion and the Hedgehog

Over the years, I have listened to quite a few inspirational speakers, some of whom I have found more helpful than others. One such speaker said that there are two kinds of people in business: lions and hedgehogs. His point was that, when a hedgehog is threatened, it rolls up into a ball and waits for the danger to pass. This is like a lot of managers who go on the defensive and resort to well-tried methods of survival. A lion, by contrast, takes the risk and goes on the attack. It was suggested that we all need to be like lions to seize every opportunity and tackle our problems dynamically.

The speaker did not seem to know that lions once roamed wild all over Europe, but became extinct many thousands of years ago, probably due to climate change. The last big cats to survive in what is now Britain were sabre-tooth tigers, which died out around 7000 BC. Some threats they obviously failed to deal with.

On the other hand, we often see hedgehogs. They have lived here long before any other mammals. I suppose they must be doing something right.

Escalators

I had to visit a relative in hospital. It was a well-run institution where health and safety were taken seriously and managed properly. I did, however, notice one example of going a bit too far. Just inside the main entrance, there were escalators as well as lifts and stairs to the next floor. There was a sign saying: “Do not use the escalator unless it is safe for you to do so. Please use the lift or stairs if necessary.”

I commented on this, suggesting the sign was superfluous, but was told people had been seen trying to use it when they could scarcely walk. Some on two sticks, others on Zimmer-frames. I did not enquire whether any had had accidents or if any had brought claims, but I could guess. So, reluctantly, I have to say the sign was not superfluous. The hospital needs to be able to defend claims.

By the way, many health and safety experts now are getting worried that there are too many signs around. It can be confusing and distracting to the point of being counterproductive. Less really is more, sometimes.

A Good and Bad Example of Data Protection by a Prime Minister

I heard about the theft of a laptop and other items from the car of Elio de Rupo, when he was the Prime Minister of Belgium.

  • The bad thing is that his driver left the car unattended with the laptop in the boot outside the gym.
  • The good thing is that it was encrypted, and in any case, did not hold any secret or sensitive information, according to a spokesman. We will probably know whether that is true or not in due course.

The two lessons to be learned are:

  1. You cannot be too careful: anything left in an unattended car is at risk.
  2. If you do not keep sensitive data on your computer, it makes stealing it rather unrewarding.

Many of us could benefit from studying this example.

  • Too many people keep far too much information on their laptops and other devices.
  • Too many people seem to collect data for the sake of it without even asking why they need it.

Perhaps, we should all ask whether all our data is really necessary. And, we should be careful where we park.

Smartphone. Pity About the Owner

I met a guy who was a builder. He had been working on a job away from home and had been sharing a room in a hotel with one of his colleagues. One morning, he tried to check his phone for messages and found it was dead. The obvious explanation, he guessed, was that he had let the battery run down, so he plugged it into the charger. As soon as he turned on the electricity at the wall, there was a flash and a bang and a smell of burning. The phone had been cooked. His roommate looked embarrassed and said “I think I might know what’s happened. You know I came in very drunk last night after you’d gone to bed? Well I think I spilled a glass of water on your bedside cabinet. It must have gone over the phone.”

That phone had contained the names and contact details of all the man’s clients, prospects, employees, and former employees. Due to the nature of the incident, there was no hope of restoring or retrieving any of the data. And, there was no backup for most of the information. Could that happen to you?

Do you need to review your data handling and storing arrangements? Before it is too late.

False Friends

One of the many tourist attractions in Cornwall is the Shipwreck Museum at Charlestown near St Austell. There are many interesting, as well as sad stories illustrated there. One thing that struck me was the number of ships that went down among the nearby Isles of Scilly, often after successfully navigating halfway around the world. One reason for that was that many had sailed in close to land to shelter from high winds beneath the cliffs. When the wind changed, the ships were dashed against those same cliffs. Some would probably have survived had they stayed out in the open sea and weathered the storms. What looked like safety was the opposite.

Is there a warning there for us landlubbers? For you in your business? When you hit difficulties, could you be tempted to do something that looks attractive as a quick fix that might actually be catastrophic?

  • Cutting costs and so cutting quality or safety?
  • Boosting sales by doing something not quite honest?
  • Relieving stress by having another drink or several?

Would you do better to look long and hard at the real issues and find lasting solutions? Manage the risks.

What Could Landlubbers Learn About Risk Management From Sailors?

Some people think that risk management always means taking the least risky options. That can be very bad for business: not only can it be expensive, it can slow down progress and also lead to missing opportunities. I have always believed risk management to be about balance: balancing risk against cost, or balancing one risk against another. The same is true in many aspects of life.

I remember a pastor who used to illustrate his sermons with items from everyday life, often drawing on his memories of life back in his original home in Jamaica. Boats and the sea often featured. He once explained that a good sailing boat should have the right balance between keel and sails. The bigger the sails, the faster it could go, and the bigger the keel, the more stable it would be in the water. Too much sail in relation to the size of the keel would make the boat liable to capsize, whilst too much keel in relation to the sail would make it slow and cumbersome.

The parallel with risk management strikes me as remarkable. The sails could be the risks you might want to take in order to grow your business, whilst the keel could represent the risk control measures in place to prevent things going badly wrong. You can drive faster in a car with better brakes.

Do not assume all risks are to be feared and avoided, but do look for reasonable control measures to keep your business on an even keel.
