Monday, November 3, 2008

Rethinking ERM

The world has changed irrevocably over the summer of 2008. The world’s banks have gone through the most traumatic period in living memory. As a consequence, governance and risk management are back on the agenda (see what the EU’s Charlie McCreevy has to say on the subject). Hector Sants of the FSA has linked remuneration with “sound risk management systems and controls” (see here for details). Gordon Brown has reminded bankers of the need for morals (see here). And in the meantime, Standard & Poor’s, who, along with the other rating agencies, are under some pressure as a consequence of the market turmoil, are introducing ERM as part of their review of credit ratings for non-financial organisations as well as banks and insurance companies (see here).

Perhaps we should also take this opportunity to review just what part risk management played in the turmoil – or even, what part it failed to play. Many might argue that ERM has its own problems: it only scratches the surface; it is difficult to keep up to date; it does not add any value; it is too bureaucratic; the CEO doesn’t care; it only ever gets lip-service; there are insufficient funds available; it is not my problem; and it does not help me do my job better. These may be some of the reasons that it did not work at Northern Rock (which of course had a fantastic Corporate Governance statement just before it collapsed), Bradford & Bingley and others. Surely a well-functioning approach to ERM should have rung warning bells that would have allowed institutions to override what seems now, with hindsight, to have been a reckless and dangerous pursuit of ever more risky instruments and paths to profitability.

There are concerns that in many banking organisations, risk management was relegated to financial models and spreadsheets. Important as they are, once they came out of their hothouses and were face to face with the chill reality of people, they seem to have fallen apart as rapidly as you can say credit-crunch. There are several key questions that boards and risk practitioners should focus on:
  • Where are their risk obsessions (for example the financial risk modelling) and where are their risk omissions (for example looking at human behaviour, or pulling the whole picture together so that proper inferences can be drawn)?
  • Is there an appropriate balanced approach to engaging with risk?
  • Does the approach to risk taking and risk avoidance fit with the organisational strategy?
  • Has the board and senior management fostered a proper risk culture?
  • Is there a language of risk that is shared across the organisation?
  • Once risks are identified, are appropriate strategies developed to respond to them? Is everyone who needs to know kept in the loop?
  • Does risk management reach right across and through the organisation – as an enabler rather than as a dampener of entrepreneurial spirit? And
  • Do the tentacles of risk management reach out into the value chain as a whole so that systemic risks can be identified and addressed?

Perhaps the watchword for risk management coming out of the credit crunch is: “don’t forget the people”. The question we must ask is whether ERM failed our businesses because profit trumped caution almost every time. Was ERM only in place to demonstrate compliance with the Combined Code? Now is the time to introduce a new model of ERM, which we might call ERM2.0: this is the risk management that will be implemented by organisations that have learned from the crisis.

A new model of risk management
We need a new model of risk management: one where some of the key issues that we come across in working with risk management at organisations are dealt with; one where the human interface is not forgotten. Virtually everyone has had a stab at implementing risk management – some have stuck with the Combined Code guidance, many have gone a lot further. Plenty have done some of it very well, but just like major ERP systems, managers are asking themselves if they have driven the maximum value from their risk management programmes. The answer is almost always "no".

So, just like ERP systems, we are beginning to see managers asking how they might drive better value from the enormous investment of time and money that they made in ERM. And we are differentiating between two forms of ERM:

  • ERM1.0 was heavy on risk management processes, was limited in its scope and paid lip service to the risk management culture – through Turnbull's "embeddedness".
  • ERM2.0 on the other hand recognises these shortcomings and addresses the risk management culture in depth, acknowledges a full scope, identifies the context for risk management and rectifies some of the errors inherent in old-style risk management thinking. It does what it says on the tin: it helps managers to manage risk throughout the enterprise.

The rest of this document sets out some of the major opportunities for real gain by adopting ERM2.0

  • Obsessions and omissions: Does the organisation address all risk areas, including for example Strategic, Compliance, Disaster and Operational, or is there an excessive focus on one area of risk, one process, one department or one type of risk which leads to an imbalance, the loss of perspective, lost opportunities and increased exposure to unwanted risks? On the other hand, balanced attention to risk, across all domains, in a unified approach minimises misunderstanding, releases management time and effort and allows a better focused approach to achieving goals.
  • Engaging with risk: Is the organisation’s engagement with risk all to do with avoidance, or does it include risk taking? Does it look at the performance culture and corporate ethics and behaviours? Focussing on the downside alone can make risk management very negative and is unlikely to enthuse managers.
  • Linking to strategy: Are risks linked to strategy? Is the strategy clearly articulated? Does the strategy set out how it will impact on the key value drivers? Aligning risks to the strategy is key to ensuring that risk management has a focus on the business context.
  • The risk management culture: Is the organisation a risk intelligent organisation, or does it just do the risk management process for the sake of compliance? Does it deal with risk systemically throughout the organisation, with partners, is it nimble with new issues and can it leverage risks to its own advantage? Does it have top level buy-in, does it link risk management to strategic and operational management, does it aim for simplicity and action, not bureaucracy and is it constantly conscious of risk management performance? If it does these things, then it will be able to take more, better managed risks, it will be hit by fewer surprises, it will live by established principles and it will expect excellent performance from everyone.
  • Risk definitions: Are risk definitions capable of being interpreted by anyone (with appropriate local knowledge) who picks up the risk register? Better risk definitions (context, event, consequence) are contrary to a lot of current thinking in risk management which has been to abbreviate risk descriptions to the smallest number of words possible – that really does not work.
  • Responding to risks: Lots of risk registers dump everything, including the kitchen sink, into responding to risks. In fact there are five key dimensions to consider. Strategy: by which we mean do you want to prevent a risk from happening or allow it to happen and deal with the consequences, by, for example, devising an appropriate contingency or disaster recovery plan. People: by which we mean do you want the risk to be managed by specific individuals, or is it something that needs to be managed throughout the organisation. Detail: by which we mean do you want to manage general risks or specific risks. Tasks: by which we mean the activities of gathering information, devising plans, procedures or approaches to managing the risk and then the actions, including implementing the plans, and looking for assurance that the proposed action has been taken. Drivers: by which we are referring to the need for someone or something to make sure that the whole process takes place. These drivers include managers in the organisation, outside regulators or the culture of the organisation.
  • Stakeholders and guardians: Does your risk management approach recognise the importance of people who are not directly involved in the management of a given risk, but who might be impacted if you change the way it is addressed?
  • Scope: Does your risk management deal with all parts of the business, and all aspects of risk: for example geography, business units, climate change, the US Federal Sentencing guidelines, Corporate Governance and Solvency II?
  • The extended enterprise: Are there important parts of your value chain that are outsourced to others, or where you depend on key suppliers or joint venture partners? Do they manage risk as well as you do, and in a manner which is compatible with your approach?

What is to be done?
There are two answers to this: firstly, for regulators, governments and professional bodies, we must ensure that models of risk management are sufficient for the job; and secondly, there is an answer for organisations, which do not have to wait for others: they need to implement ERM2.0 as soon as possible.

There are five stages to successful implementation of ERM2.0:

  1. Review: what does your current ERM look like: ERM1.0 or ERM2.0? What are its aims? What does it achieve? What does the board think about it? What do those who have to implement it think about it? How much do people at the coalface actually bother about it? We normally do this by a combination of interview and survey, using our RM3 approach (see here).
  2. Design: how can you improve what you are doing so it achieves the advantages of ERM2.0? Will this feed in to your strategic thinking? Can you hit compliance requirements as well as targeting business benefits? Can you address business disasters as well as operational risks?
  3. Implement: how do you train your people and migrate to the new ERM2.0 approach without losing the strengths of your previous approach or cutting against the grain of your culture? What (if any) software do you need to support ERM2.0?
  4. Operate: Having rolled ERM2.0 out through pilot studies to the full organisation, do people continue to work with it, or does it begin to fade away? What needs improving or fine-tuning? Is ERM2.0 providing the expected benefits?
  5. Monitor: On a continual basis, review, refresh and renew so that ERM2.0 stays at the forefront of mind and risk management becomes the norm.

For more information on how we can help you to implement ERM2.0 in your organisation, contact us here.

Tuesday, October 21, 2008

The EU gets tough on Risk Management

Lest anyone be in any doubt: risk management and governance improvements are on the EU’s agenda. In a recent speech, Charlie McCreevy, European Commissioner for Internal Market and Services, spoke on Corporate Governance at the Institute of Chartered Secretaries and Administrators (ICSA) EU Corporate Governance Summit in Brussels on 8 October 2008. He said:

Risk management
It is clear that poor, indeed, sometimes disastrous, risk management by financial institutions was partly to blame for the current financial turmoil. In the final analysis, such poor risk management is, in part, a result of failing internal governance.

Financial institutions will have to examine their internal governance framework with a view to embracing risk management. Risk management should be part of the strategy of the firm, and indeed the culture of the organisation.

It is the duty of senior management in financial institutions to address this and it is the role of the board to oversee it. In their respective roles, both senior management and the board need to ensure a holistic approach to firm-wide – and group-wide – risk management.

I do not want to go into details of how best to integrate a firm's internal risk management strategy. But one area which I think would provide a good early warning of faults in a firm's risk management system is the firm's approach to transparency.

Transparency has to be meaningful for it to mean anything. Disclosures about risk exposures, risk management and accounting policies are crucial. Disclosures in these areas must be targeted and relevant if shareholders are to make sense of them and exercise their role.

This goes to the very heart of the "comply-or-explain" principle. Only if industry delivers on the quality and accessibility of information provided to shareholders and investors alike, can we make this system function in practice.

Then, the ball will be in the court of shareholders and investors.

They should then use this information to ensure the proper management of firms. This would mean applying their judgement to the financial institution’s overall risk management strategy. From the risk exposures of the products that have been sold in the case of investors, to remuneration incentives of employees and executives in the case of shareholders. It would also greatly assist policy makers and regulators who would then have a feel for the exposures of financial institutions.

Sounds to me like some organisations might be encouraged to get their act together on risk management rather quicker than they might have expected and to take it more seriously than they might have done in a bull market! For the full details of the speech see

Wednesday, October 1, 2008

Trusting me, trusting you

What an awful week: banks collapsing all over; problems with the Paulson rescue plan; contaminated milk in China killing children; Cadbury recalling chocolate in China; publisher firebombed in London. But, Gordon Brown has signalled the end of the “Age of Irresponsibility” – so that’s alright then.

I think that all of these headlines are inextricably linked by one major factor: trust, or rather the absence of trust. I have been pondering this for a while, first triggered by some mock university interviews at my daughters’ school this time last year. As a “pretend” interviewer, sitting alongside a real economist, I put to three girls the question of what was the most pressing economic issue facing the world at the moment (a year ago, remember). To a girl, they all responded: China and the Credit Crunch. That made me think: we (at that stage) were mesmerised by the failure of Northern Rock and were concerned about the possibility of further problems, although some doubted they would come to fruition. And we were concerned about cheap manufacturing in China undermining our economy. At first it is hard to see any links between the two, but on reflection it seems to me that a complete absence of trust is symptomatic of both situations.

The word “trust” has come up a lot recently and the use or abuse of trust by those whom we once would have admired has fatally undermined it. Trust, like reputation, accumulates in tiny amounts by repeated demonstrations of “trustworthy” behaviour. Like reputation, trust can be lost instantaneously and will take a lifetime of those self-same demonstrations of “trustworthy” behaviours to re-build. But that leaves us with a fundamental problem, because no-one, but no-one, is going to trust anyone who describes him or herself as a banker. Already no-one trusts a politician (although with the credit crunch they might just have risen one up from the bottom of the rankings). Enron and the rest had already broken society’s trust in big corporations. And yet trust is the very foundation stone of our economy.

There are very few transactions that we enter into where there is no need for trust: in fact paying cash for your newspaper in the local corner shop is about where it stops. There are of course transactions where my personal supervision might just substitute for the need for trust. For example, do I need to trust my builder? Somewhat, but I can check up on him on a daily basis, and I can quite easily replace him if he is not doing what he is supposed to do. Do I need to trust my investment advisor? Yes, given that I cannot carry out all the research he has at his finger tips. Once you move above and beyond that most trivial transaction and once you cannot exercise direct supervision, then trust has to enter into the equation.

As a society, and as consumers, investors, voters, our trust has been abused so often that it is no longer good enough for your doctor, lawyer, teacher, banker, politician, accountant, to say: “trust me: I am your...”. They now have to demonstrate why they are trustworthy, why we should trust them. And the answer to this? I would suggest that we have to go back to our model of Corporate Governance. All those in the City who said a system based on enlightened self-interest, on comply or explain, all those who called for self-regulation and light touch, need to ask themselves: was it enough? The City, Wall Street, and investors at large encouraged bankers to look out for increasingly large returns from increasingly arcane instruments. The pressure to deliver resulted in obscene payments for those who developed and traded these instruments, while shareholders demanded the high returns in a collective wave of excitement at the sight of the latest set of the emperor’s new clothes. How many boards called a halt to this behaviour? How many non-executives really got to the bottom of the risk profile of the organisations? How many investors sought to really pay more than lip-service to the balance between managed risk taking and avoiding elephant traps? Or the balance between enormous rewards and the need for corporate responsibility and ethical behaviours?

Our corporate governance needs to reflect three pillars: namely the structure of the board, the activities of the board and compliance with the code. In the UK we have focussed extensively on the first, a bit on the second and have shied away from the third. It is time for that to change. But calling for change right now is not going to help kick-start the economy. So what can organisations do to retain or rebuild trust? I think there are three things:

1. Organisations have to demonstrate that they take an ethical view of business. This does not just mean “green” or environmental issues, but it includes demonstrating that they will take the right (by which I mean ethical) short term decisions, even if they are painful, when the easy approach would have earned short term gain. This culture of ethical behaviour has to be demonstrably endemic to the organisation. It is no good saying you are “ethical” if you cannot demonstrate it, both by your actions and by a culture of ethical behaviour that is inculcated throughout your organisation.

2. Organisations need to demonstrate that corporate governance is not something that they do because some code requires it. They should go out and recruit an awkward squad of non executives who will challenge, not merely sit back and take their shilling. They should demonstrate how the structure of governance fits with their culture, with their strategy and with the interests of stakeholders at large.

3. Finally they need to make sure that their risk management is not merely of the Turnbull variety. That nonsense: a chat about risks at the board a few times a year is NOT sufficient. All organisations now owe it to all of us, the public at large, to demonstrate that they understand their risks and are managing them appropriately. (And at this stage, I would probably start with a check to see if yours is what I would term a “disaster-prone” organisation.)

Many, many organisations (including in the recent past, banks) have claimed that managing their risks is their day to day activity. So it should be. What I am suggesting is that it now needs to be systematic and properly understood throughout the organisation, from top to bottom, throughout the value chain, by all participants in the value chain. If all of these things are done, then maybe, just maybe, a few organisations can begin to rebuild that trust that seems such an ephemeral concept right now.

For more information on this see or contact me here.

Friday, September 26, 2008

A new platform for the discussions

I don't yet know if this will be any better, but I am hoping that you will be able to comment on this blog more easily than on Microsoft's Live Spaces, which required you to create a Live Spaces account - you should not need to do so for this one (I hope).

For the sake of completeness, I have transferred most of the previous entries to this new format - the dates won't necessarily be right, but the content is.

Let me know if it works or not.


A case of déjà vu diligence

It’s funny how these things happen. Back in about 1996 I started to play with the idea of risk based due diligence. This sprang from the oft-quoted statistic (as I recall it now) that some disproportionate number of acquisitions failed, way over 50% and by some accounts up to 75% – either because they were just simply value destroying, or because they did not achieve their stated objectives. In essence this meant (to me anyway) that maybe we were looking at the wrong things in due diligence, even though this had been one of my major lines for a number of years.

So what to do? Quite simple really: I argued that what should really matter to acquirers, corporate or private equity (not that we necessarily used that term then), was firstly the risk profile of the company being acquired, and of course how those risks were being managed, and secondly what I might describe as the project risks in the course of the acquisition. While we managed to produce an interesting booklet and some collateral, there was a distinct lack of interest. After all, we were making (and I assume the large accounting firms are still making) enormous sums of money at higher than normal rates for producing the traditional due diligence report. You know the sort of thing: a couple of hundred pages including a section on why debtor days had moved by five minutes over the last five years. So that was an idea that was left to fester in the corner, although I occasionally used to dust the covers off and wave it around; I could not even persuade some of the more enlightened partners or private equity houses to have a look.

So blow me down when, as I was researching the Standard and Poor’s material on ERM recently (of which more in a later e-mail – I can’t use it all up in one...) I came across a section entitled “Using Enterprise Risk Management To Evaluate Mergers & Acquisitions Of Financial Services Firms”. Let me quote from their report:

"Two major issues relating to ERM are part of the process to resolve the placement on CreditWatch. The first, and most important, is the project risk management of the integration and implementation project. Second is the impact of the M&A on the risk profile of the acquiring firm, which includes assessing the ability of the firm's risk management system to control risk in the newly created firm. If the resolution of these issues is positive, the M&A is expected to create a fully controlled new entity. If one or both of these issues do not have a favorable resolution, a significant possibility exists that there could be either a poor return from the transaction or an increased possibility of an unexpected loss and a negative rating."

It looked familiar! This was what I had been saying over ten years ago, which all goes to show that a risk prophet is never recognised in his or her own time. But at least I can say “I told you so”, dust the covers down, update the material and say: “now risk based due diligence – that’s a good idea!”

Needless to say, I would be delighted to discuss this further, because I really DO believe that due diligence is more than overdue for a radical overhaul.

Your thoughts welcome!

Risk Management – the theme of the moment

Just to continue with a theme I have written about before – that is that risk management is here to stay, and with a reason. There was an interesting article in the FT on 25 August this year. Entitled “Private equity focuses on risk managers”, it looks at the acquisition of Iris by FRSGlobal, which in turn is backed by Carlyle and Kennet. “Regulators are increasingly asking banks to demonstrate that the risk management solutions they use are sound,” said Fernando Chueca, an associate director at Carlyle. “Banks are now realising the ‘silo approach’ isn’t working.”

Interestingly, the article talks about the controlling aspects of risk management: “Lax risk controls, for example, allowed a Société Générale trader allegedly to amass unauthorised positions that cost the bank €4.9bn ($7.2bn), in addition to €4m in fines by French banking regulators.” What it does not do is talk about what I might describe as the enabling facility of risk management. For a long time risk managers in Financial Services have been those in credit or other areas who say “no”. Of course they maybe said “no” too infrequently in the foot-to-the-floor approach to building banks over the long bull run. Of course, as any driver of an automatic car will know, you have to take your foot off the accelerator to brake. And that self-same heavy foot is now pushed firmly down to the metal so that the brakes are squealing and the whole (global) economy is screeching to a standstill.

I like to think of risk management as being the balancing act of four attributes that fall into two pairs of tensions. On the one hand we have good old risk management attempting to stop bad things from happening. And yet (as the credit crunch has graphically illustrated) if you stop taking managed risks, you will stop dead in your tracks. These are different attributes (stopping pitfalls, and taking more managed risk) which tend to operate in contrary directions. The other pair of attributes that influence risk behaviours are the performance culture (who has not just occasionally thought that the bonus culture of the big investment banks might just skew risk taking in one direction or another?) and the corporate ethics and behaviours. Imagine each of these attributes individually mapped against the long term profitability of the organisation, and you will see that the more you do of each of them, the better the long term profitability, until, suddenly, you are doing too much: taking so much managed risk that people cannot manage; avoiding so many pitfalls, real and imagined, that they cannot progress; suffering from a performance culture that forces rule breaking and burn-out; or corporate ethics that become so debilitating that everyone is treading on egg-shells. Now take those and map them on the same diagram, and suddenly we can see what happened to all of those banks: exorbitant risk taking combined with a noxious performance culture, and stunted risk avoidance combined with little regard to the real corporate ethics.

The credit crunch has slammed this into reverse (into what I used to describe as UK plc’s risk profile): very little or no risk taking, combined with redundancies; and total pitfall avoidance combined with a new ethical model (perhaps this is stretching a point, but you get the drift).

To me, the challenge is about working out where you are on these four attributes, where you want to be (the sweet spot) and how you get there. It’s not just about an overall group-wide approach; it’s about each of the businesses and teams and how they interact with one another. This is what I call Balanced Risk. And understanding their own business risk profile might just be what would help organisations to begin, ever so cautiously to take their foot off the brake and to start gently applying pressure to the throttle.

Happy to discuss!

ERM to impact the cost of capital… really!

It sounds like the Holy Grail, but finally, all of those assertions that better risk management will reduce the cost of capital – all of those assertions that we all believed intellectually, but found it hard to justify in practical terms – are now coming true. Earlier this year Standard & Poor’s, the rating agency, declared that they are going to include the quality of an organisation’s ERM in their evaluation of credit ratings. This starts now, in the third quarter of 2008, with preliminary discussions with organisations, which will lead to a benchmark that will inform ratings in due course, but probably not before 2009.

S&P talk about recognising a company’s adoption of standards such as COSO or the Australian/NZ risk standard. Presumably, although not yet published, this will also include the new BS31100. This will provide a big impetus for companies that are subject to S&P ratings to review their ERM practices. As they helpfully indicate, they see "ERM as:
  • An approach to assure the firm is attending to all risks;
  • A set of expectations among management, shareholders, and the board about which risks the firm will and will not take;
  • A set of methods for avoiding situations that might result in losses that would be outside the firm's tolerance;
  • A method to shift focus from "cost/benefit" to "risk/reward";
  • A way to help fulfill a fundamental responsibility of a company's board and senior management;
  • A toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming; and
  • A language for communicating the firm's efforts to maintain a manageable risk profile."

Also of relevance is what they feel that ERM is not, namely:

  • A method to eliminate all risks;
  • A guarantee that the firm will avoid losses;
  • A crammed-together collection of longstanding and disparate practices;
  • A rigid set of rules that must be followed under all circumstances;
  • Limited to compliance and disclosure requirements;
  • A replacement for internal controls of fraud and malfeasance;
  • Exactly the same for all firms in all sectors;
  • Exactly the same from year to year; nor
  • A passing fad.

We could not agree more wholeheartedly.

So what is this going to mean? Helpfully S&P set out in some detail what this will address:

“Our industry-focused rating analysts will incorporate an ERM discussion into the regular credit reviews on each company, emphasizing risk-management culture and strategic risk management, which are the most broadly comparable and critical of the four areas outlined in our original proposal. In the risk-management culture analysis, discussion topics will include:

  • Risk-management frameworks or structures currently in use;
  • The roles of staff responsible for risk management and reporting lines;
  • Internal and external risk-management communications;
  • Broad risk-management policies and metrics for successful risk management; and
  • The influence of risk management on budgeting and management compensation.

"In addition, we will incorporate our existing review of governance, accounting policies and issues, and derivatives into this much broader analysis of a company's risk-management culture.

"Under strategic risk management, our analysts will explore:

  • Management's view of the most consequential risks the firm faces, their likelihood, and potential effect on credit;
  • The frequency and nature of updating the identification of these top risks;
  • The influence of risk sensitivity on liability management and financing decisions; and
  • The role of risk management in strategic decision making.”

Does this represent the death knell for the overview Turnbull approach to risk management which has merely scratched the surface, and in our view often undermined more wholehearted approaches to risk management? Nigel Turnbull’s suggestion that risk management needed no more than a conversation at the board about the top-10 risks does not look like it will fit comfortably with the approach adopted by S&P.

All of this of course will need some review by S&P. They say: “While we cannot audit assertions by company managers about their ERM procedures, we will closely examine the consistency between their statements and historical performance. We will specifically inquire about how they handled actual risks in the past. A discussion of ERM will become a regular part of our follow-up after significant drops in earnings or losses, significant restatements of past financial results, or material impairment losses and write-downs. Our discussions with managers about ERM will be to understand how consciously they have taken and retained risks and why they are comfortable with their net risk positions.”

So how much change will this represent? As S&P themselves conclude:

“Just as the introduction of ERM for a company is unlikely to radically change extant decision-making processes, we do not see ERM analysis radically altering our existing credit rating opinions. Its value will be incremental in most cases, negligible in a few, and eye-opening in some others. We expect that ERM analysis will drive some rating and outlook changes, but not before we have been able to benchmark companies against each other and over time.”

SO IS THIS THE BIGGEST DRIVER FOR RISK MANAGEMENT THAT WE HAVE SEEN? And will it help to address the questions that were being discussed below?


Thursday, September 25, 2008

Breaking down the barriers

I have been prompted by a recent e-mail to try and start a discussion about breaking down the barriers when you are setting up or refining your enterprise risk management framework. Now it may be that none of you can get onto this blog, in which case I am probably wasting my time... However, just in case that is not the problem, I am hoping that many of you will be able to add to this bit of discussion... If you can't, would someone mind e-mailing me to say whether there are technical obstacles to you joining in the discussion...

My view is that much that goes for Enterprise Risk Management these days is overly prescriptive and focussed on process rather than culture. But more than that it also has to have something to say to the managers in the business. So the challenge is to create an Enterprise Risk Management framework that has the right processes, but which goes with the grain of the culture and also is built into the context of the business.

In summary I see this as being a requirement to create a risk intelligent organisation. To me risk management is about bringing a perspective to the management of complicated issues in complex organisations. It is about the management (and not the avoidance) of risk. It helps to prioritise your work and that of others in a fast moving context with an approach that is better than simple intuition and which facilitates communication between people. It is a style of thought, and is definitely not a paper chase.

So where to start? I suggest (but I would, wouldn't I) a review of the maturity of your organisation vis-a-vis risk management. I have found that powerful in that it can help management to see where their and their people's blind spots are, it can help people to see where they are in relation to their peers and it can help to define very effectively where the initial efforts are required.

But I am going to stop at this point and invite others to contribute (please...)

The dawning of the truth

Three news stories and a thought-piece in the Times today caught my attention. In amongst all the gloom and despondency about the economy, three stories stood out:
  • The potential saving of Fannie Mae and Freddie Mac continues to spook the markets with falls in share prices around the globe;
  • David Cameron (leader of the opposition here in the UK for overseas members) believes that we need something akin to Chapter 11 as we head towards recession (my word, not his!);
  • And yet, BT are talking about investing £1.5bn ($3bn) in fibre optics to upgrade our national apology for broadband.
  • And the thought piece? Daniel Finkelstein writes about the tipping point as behavioural sciences begin to impinge on the national consciousness and policy-makers. Well there is a thought!

    All of these are grist to the mill for risk managers. I can't help but feel that this (almost) recession has in part been brought about by a woeful failure of risk management, originally in US financial services, where, I am led to believe, risk management as we understand it is generally very immature. And we are feeling the consequences of that right round the rest of the globe. My reading is that unethical mortgage brokers spotted a fast buck in selling mortgages to customers who had to lie on their applications and did not have a cat's chance of paying them back if the economic conditions tilted ever so slightly against them. Combine that with what can only appear to have been poor product analysis and inadequate governance over the product innovation that went by the name of CDOs, where these lying application forms were piled one on top of the other by mathematicians with brains the size of a jumbo jet, but zero experience of human behaviour. Then factor in a rather large dose of the emperor's new clothes (remember Hans Christian Andersen?) and before you can say "default" you have a credit crunch that brings down Northern Rock, IndyMac and possibly many, many more, including, in the fullness of time perhaps Gordon Brown... How's that for the law of unintended consequences?

    And of course, in all of this, businesses are suffering. Not just the mortgage banks, but run of the mill organisations. Many could go under. So Cameron's thoughts on the insolvency laws are coming at the right time of the (potential) recession, even if they are unlikely to be acted on for years to come. It is just worth remembering that this was the whole point of Sir Kenneth Cork's proposed reforms many years ago, although Administration (the major innovation of the last insolvency act) does not seem to have done the trick in the way that Chapter 11 does. Talking of Sir Kenneth, who remembers his top ten pointers to a failed company? I can only remember:

    • Company flag on company flagpole
    • Fish tank in the atrium (was an atrium itself one? That would be an indictment of many organisations...)
    • Chairman's Rolls Royce with personalised number plate

    Can anyone remember the others, and is there a more relevant new batch? Perhaps we could create the ERMA list of pointers to failing companies.

    So it was a bright light in the gloom to see the BT story. Although there is the vaguest resonance with 3G - "we don't yet know what people will do with all that bandwidth, but we are sure they will come up with ideas" (my interpretation - not their words exactly). Let's just hope that Alistair Darling doesn't see the resonance with 3G as well, otherwise BT will be in for an auction of 3G proportions, which, you will recall, virtually brought BT to its knees (and which is why O2, its mobile operator, is now owned by a Spanish company). Anyway, isn't it a pleasure to see a company set out its stall to take a managed risk in an adverse economic environment.

    So this then brings me back to Mr Finkelstein's comments. In the risk world it has long been recognised that culture is a fundamental part of "embedding" (horrible word!) risk management. Process alone is not enough. Likewise, in policy terms regulation and law-making alone will not suffice to stop knife murders, drunken behaviour and the rest of it. Personally I have borrowed heavily from diverse academic disciplines:

    • Geography (Professor John Adams)
    • Law (Professor Rob Baldwin)
    • Economics (Professor Martin Cave)
    • Psychology (Professor Gaskell)
    • Anthropology (Mary Douglas and many others)
    • History (Professor Gwyn Prins)
    • and many many others...

    Long may we be able to inter-weave wide ranging thinking into mainstream risk management. And perhaps we can show the way to policy makers... Or was that where Professor Lord Giddens came in to the story with Tony Blair? Oh well!!!

    Anyone want to join me in pushing the thought leadership forwards?

    Do speak to me! A response, any response makes it worth writing this blog.

    As some of you will know, BSi are due to publish a new Code of Practice for Risk Management in the Autumn - BS31100. I have had the pleasure of being a member of the committee that is drafting the CoP. It has been a time consuming and challenging process, but I really think that we are beginning to get some traction with a good document. Yesterday we had what was billed as the last editing meeting to review some comments from one significant stakeholder (who shall remain nameless). Essentially their aim was worthy - to ensure that the document is not onerous or overly bureaucratic. Something that some of us believe we had already achieved anyway!

    The aim is still to get a standard out in late September/early October. I expect the standard to be of interest to those who have only ever played with risk management so far, and potentially to those in a sophisticated supply chain where you want to know that others in that chain are reasonably sophisticated in risk management.

    I should add of course that this is a Code of Practice, and not a mandatory standard. Although claims of compliance will have to be based on proper compliance, and deviation from the standard would have to be justified.

    The intention is that in due course there will be various practice guides, for example for SME's or perhaps for specific industries.

    BSi will run an introductory conference. Together with another organisation, we will also run introductory workshop sessions - if anyone is interested in hearing more, let me know.

    Enterprise Risk Management Association

    I set up the Enterprise Risk Management Association on LinkedIn to see if there were other people interested in sharing information on risk management, either as professionals in enterprises or those who provide consulting to enterprises. After a slow start, people have started to join in increasing numbers - you should be able to see the membership on LinkedIn.

    At the moment this is all a bit free form and I will see what people want to do. In the short term I am planning on setting up some form of blog/discussion arena, an area where we can share war stories and perhaps an area where suppliers (like myself!) can put cross-references to their websites.

    However, I am keen that this should not just become an advertising space, and if it does we might look at some charging mechanism in due course. Rather I want it to become a genuine discussion forum for mutual assistance.

    Let me know what you think.