chicago risk reimagined

Post on 10-Feb-2017


Risk Reimagined!

A Conversation about the Effective Management of Risk

Welcome and introductions

Introductions from:
• Brian Link – Resolver
• Hussain Hasan – RSM US

Principal speakers:
• Richard Anderson
• Norman Marks

What are risk and risk management?

Achieving objectives depends on...

Avoiding unnecessary problems
– risk of avoiding everything, resulting in total inaction

Creating the right performance culture
– risk of over-stretch resulting in burn-out

Setting appropriate corporate “ethics” and behaviours
– risk of sclerosis as every stakeholder of every decision is consulted

Taking more managed risk
– risk of taking on too much risk which becomes unmanageable

And doing the right amount of each

[Figure: Long Term Performance (Low to High) plotted against Attribute (Low to High), where the attribute is (i) Managed Risk Taking or (ii) Avoiding Pitfalls or (iii) Performance Culture or (iv) Corporate Ethics and Behaviours. A second version of the chart adds the labels Zone 1 (Dead Zone), Zone 2 (Performance Zone) and Zone 3 (Dead Zone).]

Balanced Risk

[Figure: diagram labelled Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone and Dead Zones. The same labels appear on three further slides titled “Enron? Or the Big Banks?”, “UK plc?” and “The objective”.]

Relating this back to the balanced risk model

The bottom line

Risk Management should be the disruptive intelligence that pierces perfect-place arrogance

Why do risk programs fail?

The importance of people

Regulators are getting excited by culture

Regulator | Year | No of Pages | Culture | Risk Culture
NAO | 2011 | 18 | 4 | Nil
Department of Justice | 2011 | 43 | 6 | Nil
FRC | 2014 | 28 | 20 | Nil
FSB | 2014 | 14 | 100+ | 73

It's all about people

Any organization is an assembly of people: people who take risk as they manage and direct the enterprise; decide how much risk is acceptable or even desirable; and provide oversight of the management of risk across the extended enterprise.

“Culture is how organizations ‘do things’” — Robbie Katanga

“Organizational culture is the sum of values and rituals which serve as ‘glue’ to integrate the members of the organization” — Richard Perrin

“Culture eats strategy for breakfast” – Peter Drucker

Polling Question 1

Has the risk culture in your organisation been reviewed internally or by consultants?

- Yes, it is reviewed on a regular basis
- Yes, once
- We are thinking about it
- It would never fly
- It is not possible

Is there a single culture?

Is there such a thing as a single risk level?

Compliance area | Level of risk
Bribery and corruption | 50
Environmental regulations | 20
Financial reporting | 30
Export/import regulations | 20
Product safety | 30
TOTAL | 150???

Why do so many of us take different views of exactly the same risks? How does an organization decide which view is “right”?

Why do people matter?

What do you believe … ?

Human nature is … Individualist … or … collectivist
I or C? Which do you think?

The way we live … “superiors” tell “inferiors” … or … “equals” negotiate the “rules”
Prescribed/In-equal … versus … Prescribing/Equal
Tell or Negotiate? T or N? Which way does it work?

And cultural theory...

[Figure: grid labelled Fatalist, Individualist, Egalitarian and Hierarchist, with axes I / C and Tell / Negotiate.]

What is the difference between the “risk” culture and the “organisational” culture? How can it be analysed?

IRM Risk Culture Framework

IRM’s risk culture framework looks at component parts making up an organisation’s risk culture
• How will I react?
• How will I respond in recognition of other competing needs?
• What will I do?
• What will we do?
• Our overall risk culture

[Figure: layers labelled Risk Culture, Organisational Culture, Behaviours, Personal Ethics and Personal Predisposition to Risk.]

Risk culture aspects model

Risk Culture
• Tone at the Top: Risk Leadership; Dealing with Bad News
• Governance: Accountability; Transparency
• Decisions: Risk Informed Decisions; Reward
• Competency: Risk Resources; Risk Skills

Thinking about risk is managed…

1. Risk informed decision
2. Deals with risk systemically
3. Throughout the organisation
4. With partners
5. Nimble with new issues
6. Can leverage risks
7. Takes more, better-managed risks
8. Gets hit by few surprises
9. Lives by established principles
10. Expects excellent performance
11. Top-level buy-in to risk management
12. Links risk management to strategic and operational management
13. Aims for simplicity and action, not bureaucracy
14. Constantly conscious of risk management performance

Holding a mirror up...

Regular findings
• Non-execs normally refuse to take part.
• Exec directors are ALWAYS more optimistic about their risk management maturity than the rest of the workforce.
• Risk managers, heads of internal audit etc ALWAYS know when they are using smoke and mirrors to report up the line.
• Few others even care...

Assessing the Risk Culture

• Desk Top Research
• Surveys
• Interviews
• Conversations in Risk

Conversations in risk management

[Figure: diagram labelled Me, CEO, EE, Partners, Suppliers, Clients, IP owner and Back Office.]

[Figure: two charts, titled “Production and Projects” and “Sustainability and HSE”, each with the categories Production and Projects; Sustainability and HSE; Drilling Exploration & New Business; Finance; Other, on a scale from 0% to 75%.]

Risk v Organisational Culture

Culture: The culture of the organisation is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.

Risk Culture: “The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”

And where they clash…

Issues which any board should want to know about:
• Values: Significant deviations from the board’s values.
• Silos: Especially where an organisation is facing complexity in its dealings internally or externally.
• Layering: Layered management reporting prevents new issues being spotted on a timely basis.
• Short-termism: Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.
• Control v Risk: Control (or risk control) management instead of risk management.
• Obstruction: Individually obstructive nodes can be very dangerous.
• Black holes: Sometimes it is difficult to discern any volume of conversations about risks.

Balanced Risk revisited

[Figure: the Balanced Risk diagram, labelled Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk, Performance Zone and Dead Zones. In a second version the labels Avoiding Pitfalls and More Managed Risk are replaced by Here-and-Now and Tomorrow.]

Leadership in complex systems

Relationships & behaviours
Draw on widely diverse perspectives
Adopt open enquiring mind set
Go out of your way to make connections
Tasks & ideas
Be Clear
Be Curious
Be Courageous
Invest in promoting values
Establish compelling vision
Embrace uncertainty
Distribute leadership & decisions

Risk appetite and tolerance

What is risk appetite? What is risk tolerance?

Risk appetite: the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.

Risk tolerance: the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.

How can you help the board and top management set desired levels of risk and also help decision-makers take the right level of the right risks?

Does it make sense to be “risk averse”?

Is risk appetite a useful concept or an overly complicated piece of mumbo jumbo?

Lightning doesn’t strike twice
But sometimes it makes multiple hits in the same strike:

Behavioural change

The board should maintain sound risk management and internal control systems. Source: UK Corporate Governance Code, 2010.

The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems… Source: UK Corporate Governance Code, 2010.

The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. Source: UK Corporate Governance Code, 2010.

http://tinyurl.com/ztwrm9s

The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of “fight or flight” responses to perceived risks. Source: Risk Appetite & Tolerance, IRM, 2011

Our interpretation of risk appetite is that it represents a corporate version of exactly the same instincts and cognitive processes. Except of course, as a legal fiction (as opposed to a biological reality) organisations do not have their own brains, nervous systems, sensory organs and instincts. Source: Risk Appetite & Tolerance, IRM, 2011

Risk Appetite

[Figure: diagram with the columns Level, Propensity to take risk and Propensity to exercise control; the levels Strategic, Tactical and Project/Operational; Measurement by Stakeholder Value, Risk Metrics and Control Metrics; and the labels Risk Taking, Exercising Control, Delegation and Escalation.]

A new balance

[Figure: Propensity to take risk; Propensity to exercise control.]

Throughout the organisation

[Figure: Strategic, Tactical, Operational.]

Risk Capability

A function of:
1. Capacity (how much you can carry?); and
2. Maturity (how much can your people cope?)

Risk Measurement

Shareholder Value = Cashflow from Operations, discounted by the Weighted Average Cost of Capital - Debt

[Figure: Shareholder Value diagram with the labels Cashflow from Operations; Operational Issues (1 Sales Growth, 2 Operating Margin, 3 Cash Tax Rate); Investment Issues (4 CAPEX, 5 Working Capital); 6 Competitive Advantage Period; Discount Rate; Debt; 7 Cost of Debt. A second version of the slide adds the label “RISKS”.]

So what does this mean in practice?

[Figure: series of five charts of Performance against Time (t0 to t1) with points A, B, C and D. Captions: “Current direction of travel for performance”; “Where you might get to if everything goes right”; “Where you might get to if everything goes wrong”; “Risk Universe”; “Tolerance”; “Appetite”.]

Review of the morning’s discussions

The relationship between strategy, governance and risk

Risk reporting and assurance

How does a senior executive or board member gauge the effect of risk on corporate objectives?

Is it enough to review a list of top risks at every board meeting?

What about when the actions of one impact the success of another?

Objectives, Risks and Controls

[Figure: diagram showing two Objectives, Risks A to D and Controls 1 to 4, with the annotations “Risk to more than one objective” and “Control to more than one risk”.]

[Figure: the same diagram divided between Department A and Department B. Who owns Control 4? Who has a guardianship interest?]

[Figure: the same diagram divided between Company One and Third party co. Who owns Control 4? Who has a guardianship interest?]

Discussions/Case Studies

Review of the day’s discussions

The way forward for risk management

The bottom line

Risk Management should be the disruptive intelligence that pierces perfect-place arrogance

The End – for today

Polling question 1

Do you believe that risk management at your organization is fully supported by the board and top management?

- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure

Polling question 2

Does your board receive sufficient information to assess whether risk management is effective?

- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure

Polling question 3

Does your management team provide sufficient guidance so that decision-makers at all levels can take the right amount of the right risk?

- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure

Polling Question 3

Does your organisation have a healthy risk culture?

- Without question, yes
- With exceptions, mostly yes
- Only to a degree
- Not really
- Unsure

How does the board know whether risk management is adding value?

How do you measure success?

Where do reward and opportunity factor in?