A risk management strategy is more than just a box to tick.
Britain's markets authority increased fines for risk-management failings by more than seven times last year – and, over the past 10 years, Australia’s regulatory watchdog has steadily ramped up its standards governing companies’ risk frameworks.
Last year the UK Financial Conduct Authority levied £292 million in fines for inadequate risk management and not having appropriate controls in place, up a remarkable 77 per cent from £38 million in 2011.
One of the biggest penalties imposed was on Barclays Bank, Britain’s second-largest bank, which was fined about £60 million for trying to manipulate the crucial London Interbank Offered Rate (Libor), according to a report by the Chartered Institute of Internal Auditors (CIIA).
“The financial crisis and scandals like Libor and interest rate swaps mis-selling have underlined how easily weak controls can lead to inappropriate conduct, and at the extreme even let potentially criminal practices go unnoticed,” says Ian Peters, chief executive of Britain’s CIIA.
A failure of operational risk management is widely regarded as one of the major contributors to the 2008 global financial crisis, the reverberations of which are still being felt.
Such failures wreak financial and reputational damage on organisations and the wider community in numerous ways.
A standout is oil and gas multinational BP, with its series of disasters in the early 2000s that culminated in the explosion on the Deepwater Horizon offshore oil rig in the Gulf of Mexico in April 2010.
The gas blast killed 11 rig workers and let 4.9 billion barrels of oil escape, causing untold environmental damage. A US Government investigation found poor risk management was one of the causes of the disaster.
BP is still cleaning up the mess – environmentally and financially – while it works to rebuild its business and moral reputation.
Where risk sits in the organisational psyche is more sharply in focus among thinkers and practitioners today than it was a decade ago. It’s a matter of culture, rather than strict rules and regulations: consequently, it needs leadership from the top at executive and board levels.
The Australian Prudential Regulation Authority (APRA) regards risk management as fundamental to the prudential management of an institution, in tandem with sound capital management.
A culture that supports risk management allows people to ask questions and to report openly and transparently, says Peter Whyntie, a risk and compliance consultant who formerly headed KPMG’s national compliance practice in Australia.
Risk needs to be approached as synonymous with “achieving your business objectives rather than avoiding bad things”, Whyntie says. “You are much more likely to be able to operate in a world where you can be reasonably certain that your risks are known, and that when they materialise you are told about them, things don’t get hidden.”
Organisations with strong risk cultures share certain traits, reports global consulting group McKinsey & Company.
First, the organisations acknowledge risk, discussing it internally, with shareholders and even with regulators, something only confident managers can do. Second, they encourage transparency. “The best cultures actively seek information about and insight into risk by making it everyone’s responsibility to flag potential issues,” McKinsey says. Finally, organisations with a strong risk culture ensure respect for risk.
Mike Ritchie, KPMG partner in charge, risk consulting, agrees that the tone needs to be set at the top if a company wants to establish a strong risk culture.
The chief executive, the CFO and the chief risk officer all have to speak credibly, strategically and openly in support of effective risk management, Ritchie says. “When those senior people are talking about it, people know they’re serious.”
For example, if the CEO is a member of the risk committee, he or she needs to turn up to meetings. “In organisations where you see risk falling down it’s those sorts of things falling down as well,” Ritchie says. Real, day-to-day involvement and tangible commitment are required.
Crucially, executive risk committees can provide a helicopter view of risk, Ritchie notes, doing scenario analyses and weighing up “black swan” events against the company strategy.
But for day-to-day operational risks, managers of business units and their staff are much more adept at identifying them. “They’re the only ones who can see what’s likely to go wrong in their particular part of the business,” he says.
And at this level, significant issues emerge over managers’ biases when making decisions about risk.
Personal biases influence decisions made in the workplace. Even the most sophisticated people get it wrong sometimes because of internal human biases, observes Dan Lovallo, a professor at the University of Sydney and a senior research fellow at the Institute for Business Innovation at the University of California.
A common mistake is overstating the likelihood of a project’s success and minimising its downside, Lovallo says.
“Executives need to realise that the judgement of even highly experienced, superbly competent managers can be fallible. A disciplined decision-making process, not individual genius, is the key to good strategy,” Lovallo wrote in a paper co-authored with Daniel Kahneman, who won the 2002 Nobel Prize for economics for his work on cognitive biases.
To the same end, psychologists have been employed at Dutch bank De Nederlandsche Bank to examine how behaviour and culture influence the financial institution’s performance. The bank believes risks are often reflected in corporate decision-making processes.
This view is supported by an interim report on the project (which runs from 2010-14) which revealed well-balanced, consistent decision-making was not always evident. Decisions were not being made in line with the company’s strategic objectives, it said, citing the evidence as “insufficient risk awareness, group optimism, management dominance and docile staff, and a strong focus on consensus, compromise and harmony”.
Lovallo says many mid-level managers operate through an entrenched risk bias, and this translates into lost opportunities for the company.
Often reward structures lead managers “to become risk-averse or unwilling to tolerate uncertainty, even when a project’s potential earnings are far larger than its potential losses.”
Risk aversion stymies innovation and impacts the bottom line, with loss aversion at many companies being the primary driver of risk aversion.
“The right level of risk aversion depends on the size of the investment,” Lovallo says. “CEOs making decisions about large, unique investments are typically more risk-averse than overconfident – and they should be, since failure would cause financial distress for the company.
“In contrast, mid-level executives making decisions about many smaller investments a company might make during a year should be risk neutral. Decisions about projects of this size don’t carry the risk of causing financial distress – an aversion to risk at this level stifles growth and innovation.”
Ritchie says reward systems need to be structured so staff are rewarded for managing risk effectively and penalised for disregarding it.
“If something goes wrong and people are immediately proactive, get engaged and bring it to the surface openly, then those people should be recognised and rewarded rather than potentially being penalised for something going wrong in their area of the business,” he says. “One of the signs of mature risk management in an organisation is active recognition of the fact that things go wrong, along with the ability to deal with them robustly.”
Management needs to acknowledge and confront the risk and to earn the respect of the staff. “One of the challenges for risk functions is they’re not necessarily populated with the highest-calibre individuals in the organisation ... it can be a bit of a parking lot,” Ritchie says.
“A well-positioned, mature, well-respected risk function is required to work with the business and not against it. You want them working in partnership to identify, analyse and address risks to the business.”
This extends even to whistleblowing. Eva Tsahuridu, a policy adviser on professional standards and governance at CPA Australia, says that those inside an organisation who would disclose risks are often discouraged from doing so.
She says many organisations have a culture of not talking about bad news in general.
“When people report up they tend to report good news, not the not-so-good news,” Tsahuridu says. “Such people are seen as disloyal and a threat to the organisation and what it stands for, which is interesting because when we look at the motivations of those whistleblowers most of them want to protect the organisation and ensure the wrongdoing is stopped.”
APRA says every company needs an “embedded risk appetite statement”. It says the risk management function needs clout, experienced staff, buy-in from the executive level and a strong mandate.
The risk framework then needs strong risk governance, and this is where the regulator places great responsibility on the board, its risk committee and the CEO.
The board sets standards that have a big influence on the culture and management of the business, says the regulator.
In May, APRA’s Ian Laughlin told the Institute of Actuaries Australia that a board should show:
- It is providing clear direction and leadership, evidenced in a clearly articulated risk appetite statement, risk management strategy and overall business strategy.
- Effective reports with metrics showing performance against board policies.
- That the risk appetite framework is clearly embedded in the institution.
- A strong and independent compliance framework and internal audit function.
This article is from the August 2013 issue of INTHEBLACK.
- A survey earlier this year shows that risk management is not advancing quickly enough at most companies.
- KPMG found that of nearly 1100 C-level executives surveyed globally, only 66 per cent of companies often or consistently build risk management into strategic planning.
- “Executives say they take the ‘business of risk’ very seriously, but the survey shows many enterprises are not rising to the challenge,” KPMG says.
- Less than a fifth of companies surveyed have developed a formal risk appetite statement. KPMG notes that without one, it is hard to calibrate risk.
- Some 42 per cent of respondents say a lack of skills is the main obstacle to the convergence or integration of risk and control functions in companies, while 43 per cent said there was a weak link between risk management and compensation.
- Companies say the greatest risk they face is regulatory pressure and changes in the regulatory environment, with nearly 60 per cent of financial services companies ranking this the top issue.