
11 February 2021

Uncertainty, Emerging Risk, and our Blind Spots

Uncertainty in Emerging Risk. One question is “not if but when, and will we be ready?” Another question is “how are we blinding ourselves?”

Assumptions are deep-seated, institutional and cultural. These influence us, particularly when looking at Emerging Risks and expectations of our ability, collectively, commercially and personally, to assess and respond. The Covid-19 Pandemic should have stripped bare, but probably did not, the assumptions that we can respond effectively. Another lesson we should take is that hubris and myopic cultural confidence can cloud our vision when considering Emerging Risks. 

The 2019 Global Health Security Index ranked countries on a number of factors, coming up with a combined score. That score provides a surrogate for perceptions of countries’ ability to respond to a pandemic or other major health emergency. Of course, ‘rich’ countries scored better than ‘poor’ countries. Developed countries scored better. ‘Western’ countries scored higher. Every way you look at their data and estimates, the ‘Western’ developed countries come out ahead.

The United States was ranked as number 1 overall, with the UK ranking as number 2 overall. China was ranked 51st. However, it seems that these two countries failed when confronted with the emergence of a risk that has been on risk registers for years, if not decades. 

The WHO, Bill Gates and others have shouted the warnings of the dangers of a pandemic, and even the CDC had a Pandemic Response team and plan before Trump dismantled it. In the UK, the 2017 version of the “National Risk Register Of Civil Emergencies” from the UK Cabinet Office, National security and intelligence, contains a section dedicated to Pandemic Flu. While Covid-19 is not an influenza virus, the principles and responses are the same. 

Why did Risk Managers miss this, and why were Western countries so, on the whole, ineffective in their response? What should Risk Managers take away from the events we have been living through, and hope will come out of this year?

Before going further I would like to remind any reader that this Pandemic is only one of the potential pandemics that could envelop our world. Pandemic influenza remains a real danger, even though the personal distancing, lockdowns and quarantines, and use of personal protective equipment (PPE) by most people has resulted in 2020 being the “Flu season that never happened”.

What are some of the lessons that I have taken from this?


  1. Assume a Western bias in all materials developed in, researched in, or presented in Western countries and media.
  2. Accept that national hubris overestimates our governments' and societies' ability to identify the actual level of the threat.
  3. Be confident that elected leaders will, in most cases, make the hard decisions too late, and in half-measure.
  4. Do not accept that a “free society” is any more capable of an effective response. 
  5. Reject the idea that we cannot or could not see this coming.
  6. Be ready to be amazed by the resiliency of businesses of all sizes.
  7. Finally, please agree that Capitalism is not the best system to allocate capital, and that government ‘guidance’, no matter how flawed, is required to save Capitalism from itself.


None of those is meant to result in or generate political arguments, though some economic discussions may result. There are no intended value statements about the moral, cultural or philosophical supremacy or superiority of any country or political system. Humans have a limited attention span, both in time and distance. The Strategic Planner’s, and I would argue the Risk Manager’s, role is to inculcate a wider attention span: to look beyond the horizons that otherwise limit our ability to plan and respond.

1. Western bias. We’ve seen it again and again, in reports such as the GHSI referenced above. It is natural to consume information written by people with the same cultural and historical references, and living in the same economic (and in many cases) political structures. We read what they write because they write in our language, our culture, and we understand their references. If anyone writes about Enron or Parmalat, there is a good chance that an accountant, an auditor or a risk manager in a Western company will understand the references without having to learn an entire backstory.

We read and learn from the experiences of those around us, not from those in other cultures or in different continents. Because we speak the same culture and references, we take our lessons from those references. That makes it too easy to accept that ours is the one-true-way, and that we have the answers.

Yet look at the Middle East and Asia, and you will find that they have their answers, that work for them, and have worked for them. By Western measures, China should not be possible. Year-on-year 6.5% to 8% annual growth is not sustainable. And it isn’t. But that is only if we are looking at the Western experience and economies. The Asian economies have created that growth through a combination of public sector spending and private sector export-driven growth, founded on economies with large numbers of newly urbanised and well-educated workers. 

Can this continue in a straight line? Absolutely not. We’ve long bet that the growth has been exhausted and that stimulus can no longer support that growth; a crash is coming. We’ve been mistaken thus far. How much longer will we be mistaken? And, while it hasn’t happened yet, an economic collapse with consequent social unrest in China remains an Emerging Risk, as does economic turmoil in Europe.

2. National hubris. The introduction to the “National Risk Register Of Civil Emergencies” mentioned above states:

The United Kingdom has an enviable reputation for resilience. In a rapidly changing world, we are at the forefront of embracing new opportunities and seeking innovative solutions to emerging problems. Our openness and integration of technological developments brings us huge benefits but also introduces risks and vulnerabilities. As such, resilience is crucial to protecting our people and businesses, and through them our society and economy.

These are the stories we tell ourselves, and these are the stories we believe. Each country has its reasons for pride, and is blind to aspects of its strengths and weaknesses. The British believe that the UK Financial system is the best in the world. The Americans think they have a monopoly on “Freedom” (whatever that is) and that their capitalist system is the best at allocating capital, creating jobs and making money. Militarily they are unassailable, and from a technology perspective, they lead the world. France has culture (as does Italy), Greece has history, and Germany has order and discipline (translating into the best workforce globally).

Yet what about China and Japan? They have history that we know nothing about, and cultures that we do not understand. Therefore they must not be as advanced or as capable as “we” are. 

Why does this matter to Emerging Risks? We overestimate our ability to see the risks coming, just as we overestimate our ability to respond. If the USA has the greatest military and the ability to sail an aircraft carrier and support ships to respond to a disaster, then surely America can respond best to any disaster. If the UK Financial system is the best in the world, it will surely see financial crises developing and respond to such crises? If Asia (whatever that means) is not as advanced as the West (a badly flawed supposition), then surely we cannot rely on them to either see events coming, or to respond to them as effectively as “we” can and will. Our national hubris blinds us.

3. “Our” systems of democracy are superior, and our elected officials, supported by professional civil services, have the best interests of the people in mind, and will mobilise the resources required to respond to Emerging Risks effectively.

We might want to reconsider that, and remember that elected officials respond to what they believe is the “will of the people”, as manifest by what actions and programmes will ensure their re-election. The civil service's role is to implement the will of the people, as determined and funded by elected officials. This includes cadres of civil servants whose primary jobs are to scan the horizon for upcoming risks (and opportunities) and provide the elected officials with a foresight to craft policies and allocate budgets. 

But the Pandemic has taught us that our elected officials can fail, and do so spectacularly. The response from the major Western countries to the Pandemic has been one of gauging public perceptions of the risk and attempting to determine the level of response acceptable to the electorate, resulting in responses that have been too late and frequently too little.

Consider the potential contribution or impact of government support or intervention in the event of a large systemic event.

4. Freedom. Now we come to one of our worst blind spots. We in the West are free. And that means that we can choose what we want to do. I’m afraid we have lost sight of the two sides of the scale; Freedom is balanced by Responsibility. Responsibility as the counterbalance to Freedom has been subverted by using the phrase “Cancel Culture” to escape responsibility and avoid consequences.

As Risk Managers we need to be looking at the responsibility side of the equation, and assessing what may occur if this is forgotten. The lack of responsibility felt by the “wage slave” works directly into the hands of the corporate leader and shareholder and into the hands of the fraudster. Too often “freedom” can result in the suppression of the sense of responsibility, resulting in individuals who feel no meaningful responsibility to the company, the customers or the company’s role or place in society.

From an Emerging Risk perspective, we need to be questioning individuals’ and society’s perceptions of the role of Freedom and Responsibility.

We also need to be careful when assessing the capability for an effective response to an Emerging Risk, and to consider the level of social and personal responsibility that will be required to deliver the response required. Where the response is top-down, there may be less risk of a Freedom/Responsibility gap. Command and Control is able to dictate responsibility. But not all situations are suited to such a response.

5. “Didn’t see that coming”. Please. We’ve seen every major crisis of the past two decades coming, and have ignored the signs, or underestimated the potential impact, with the exception of two major natural disasters: the Fukushima earthquake and associated nuclear accident, and the Boxing Day 2004 Tsunami.

The GFC (Global Financial Crisis) did not come as a surprise. Certainly, there were wailings of angst, many by learned or senior individuals all bemoaning how impossible it was to have seen what was coming. Yet we know from the literature that it was foreseen by those very leaders in business and government. 9/11 was a shock, but those with access to the intelligence reports knew that something was coming. The warnings were ignored. 

The Pandemic was foretold for years, and ignored. In late 2019 I was shown an Emerging Risk list, with estimated timeframes for the emergence of the various risks. Pandemic was on the list, but estimated to be in the 5 – 10 year range. I commented that, for all we knew, a Pandemic could already be underway, and that my own assessment of the emergence period for a Pandemic was “yesterday – 10 years”. I’ll hasten to add that this was before it did begin, in November or December 2019. I claim no unique insight or prescience.

For most Emerging Risks, we can see them coming. What we cannot see is precisely when, and this makes planning difficult. It also adds difficulty to encouraging management to dedicate limited resources to prepare for a situation that may or may not happen (within the planning horizon). But not freeing resources is not the same as not seeing it coming.

6. Corporate Resilience. All that being said, be ready to be amazed at corporates’ and people’s resiliency in the face of “the event”. I’ve seen companies go through existential events and come out stronger. Indeed, we hear of companies that fail (other than the great failures due to frauds as mentioned above), sometimes spectacularly. But so many companies recover quickly. Do not underestimate the human capacity for adaptability and perseverance, and when employees are part of a culture that empowers, the ability to rapidly respond to and recover during a crisis is phenomenal.

7. Capitalism is the answer. When scanning for Emerging Risks, consider that the prevailing economic system may be a contributor to a coming crisis. We will ignore for a moment that Western Capitalism is, in virtually all countries, actually a form of Capitalist/Socialist mutant. An economic system that enables and encourages “moral hazard” exposes itself to greater systemic economic risk. Conversely, Japan has proven to the world that it is possible to monetise debt for two decades (so far) and still have a functioning economy and society. Hyperinflation has not struck Japan, and the Yen has not collapsed. But Japan is not France or Greece, and it certainly is not the United States or Great Britain.

The greater the reliance on the state to maintain the economy, the greater the risk of systemic crises, or so we are told and expect. Yet we need to look deeper when considering Emerging Risks. Chinese government policy supports and encourages business growth, and through the GFC, was active in stimulating the economy and supporting businesses. While the Chinese economy may be rife with zombie companies, it is hardly alone in this. The major drag on Chinese growth in future may be the ‘consumption’ of the pool of under-employed labour as the working-age population shrinks.

There are too many biases and factors that influence our consideration of Emerging Risks, and I’ve not covered them all by any means. But what I have covered should be enough to demonstrate that we need to be aware of these factors. The Strategic Planner and the Risk Manager's role is to look beyond what is within our day-to-day sphere, and look beyond the prejudices that we take for granted. 

Doing so will help us to more objectively assess the Emerging Risks on our registers. Objective assessment is the first step to present the case as to why any Emerging Risk warrants attention. Sometimes a watching brief is all that is required. For others, a “plan” on the shelf will speed and simplify responses. I know a Risk Manager whose organisation had a “Pandemic Response Plan”. It wasn’t much, and was focused on the risk of an influenza outbreak that would stop staff from coming to work, while concurrently increasing customer inquiries. They were able to take that plan off the shelves for the first few weeks of the Covid-19 Pandemic. They were also ‘lucky’ in that their IT department had a large stock of laptops in the process of being refreshed or ready for disposal, so there was more stock than at a ‘normal’ time.

Still, it was an initial plan that enabled them to respond quickly. The plan did not take significant resources to develop, and since testing was not possible, it remained theoretical. Yet having a plan did enable a faster response.

Why did they have that plan at all? Because they recognised that a health event (such as a significant flu outbreak) would happen. There was (and remains) uncertainty as to when an outbreak would happen, but they had absolute certainty that there would come a day when it would happen.

Uncertainty demands that we scan the horizons constantly, and that we consider what will happen when, not if. It demands that we look past the natural and human boundaries and prejudices that shape our thinking. It also demands that we prepare, enough at least, to be ready to respond, and not to be taken by surprise. 


23 July 2019

In search of a seamless relationship between Operational Management, Risk Management and Internal Audit.

I continue to be amazed by the too frequent disconnect between Internal Audit, Risk Management, and Operational Management. The artificial, though regulator sanctified, “second line” and “third line” functions are too often used to justify two (complementary) functions seeking complete independence from each other, independence that can undermine the effective identification and management of risks.

Operational Management (OM) is responsible for delivering the objectives of the organisation, and specifically the objectives of their function(s). Risk Management (RM) provides support to OM by providing the framework for identifying and helping OM determine and implement the most appropriate management strategies to cover the risks to the accomplishment of the objectives. Internal Audit (IA), by focusing limited resources on the areas of highest risk, confirms that key controls are in place and that they are functioning effectively to ensure that risks to the achievement of objectives are managed within the risk appetite of the business.

Within that previous paragraph, there are a number of important words and concepts, too frequently considered separately, when they should be viewed as part of a seamless set of processes and responsibilities. Sadly too often the three are not seen as part of that seamless delivery, with the second two being detached from OM and from each other.

Operational Management is responsible for delivery of results, and as such is provided with resources (budget) that are almost always limited in relation to the provision of any “extras”. Managers face annual budget challenges, and not infrequently are asked to make “savings”. Sometimes this can (sacrilege) include reducing headcount or increasing the level of output expected without increasing resources. Frequently it is the control environment that suffers when this happens. 

Risk Management can help OM to identify and consider the risks that they face, and can assist OM in identifying the controls that would be needed to manage the risks to the level acceptable within the business’s risk appetite. It remains, however, OM’s responsibility to implement the controls and to ensure the controls are functioning. RM can, and should, provide ongoing monitoring at an observation level of the risks and controls across the business.

(There is, of course, also the critical role that RM plays in the identification and mitigation of Emerging Risks and External Risks, but for our purposes here, we are looking only at the internal relationships and management of risks.)

RM confirms with OM that the control environment is functioning, as confirmed by OM and reviewed selectively by RM. The assessment of the current status of any risk is the responsibility of OM, who own the risk and who are responsible for managing the risk. RM can suggest alternative views on the effectiveness of the management of the risks, both to OM and to senior management and the Board, but ultimately OM is responsible for the risks and controls. Furthermore, OM is responsible for determining how the provided resources will be applied for the achievement of objectives.

In this, the assessment of the effectiveness of the control environment is firstly the responsibility of OM, and unless there is a fundamental disagreement with RM, it is OM's prerogative as to how resources should be applied. This includes the development and implementation of controls. While RM (and IA) can recommend, as it is OM that ultimately carries the responsibility, it is OM's decision. Escalation is appropriate only when there is a fundamental disagreement between RM (and IA) and OM.

Of course, it is appropriate that the Board be provided with additional comfort that the control environment is effective. Sadly the conflicting priorities of OM can lead to misreporting or inaccurate reporting of the effectiveness of the control environment. Likewise, limited RM resources can provide only a general level of comfort that risks are identified, and that controls appropriate to the risk appetite have been implemented.

This means that, while RM can and does support the implementation and operation of a framework for identifying and managing risks, it may be outside RM's resources to perform "deep-dives" into all areas of risk.

I am reminded of a bank that told their regulator that they treated all customers as "high risk" customers for due diligence purposes. The regulator's response was that if all customers were "high risk", then no customers were, and the real "high risk" customers would slip past the due diligence process. The bank was required to segment its customers and implement a higher level of due diligence than they had been performing.

IA’s role is to fill the gaps and to provide additional assurance that key controls in high-risk areas are functioning as asserted by OM and that such controls are functioning within the risk appetite. So, IA’s role is the provision of “deep-dive” assessments of high-risk areas, to ensure that the key risks have been identified, that appropriate responses have been considered and agreed, and that controls have been put in place that bring management of the risks within risk appetite.

To summarise then:

  1. OM is responsible for delivering business objectives,
  2. OM applies limited resources to accomplish this,
  3. RM assists OM in identifying and assessing risks to the accomplishment of objectives,
  4. OM provides RM (and others) with regular reporting to confirm that objectives will be achieved within the acceptable risk appetite,
  5. RM confirms that risk across the enterprise is being managed within risk appetite, as reported by OM and as reviewed by RM,
  6. IA provides detailed “deep dive” assessments of the effectiveness of controls in the highest risk areas of the business, or where there may be limited confidence that risks are being managed within risk appetite,
  7. OM, RM and IA jointly provide assurance to the Board that there can be a reasonable expectation that business objectives will be accomplished within risk appetite.


A quick word about risk appetite: the risk appetite of the enterprise is set by the Board (with the assistance of senior management and RM) and it is the responsibility of OM to deliver objectives within that risk appetite. 

This means that RM should continuously confirm that OM understands the risk appetite as it applies to their areas and objectives, and should confirm that there is an effective control environment commensurate with the level of risk and the enterprise’s risk appetite. OM does not set the risk appetite; neither does RM or IA.

Being practical, this influences the reporting to the Board on risk and the effectiveness of the system of internal controls. Some practical suggestions that come from this:


  1. All IA findings should include discussion of the risks that have been identified,
  2. There is an IA finding only if the control environment is failing (or is expected to fail) to manage identified risks within risk appetite,
  3. All actions agreed by OM should be reflected against the risks as recorded and managed through the risk register,
  4. All IA findings and actions should be recorded against their associated risks, or new risks should be added to the risk register where there is no corresponding risk,
  5. OM and RM then need to update their review processes to ensure that the identified risk and mitigation is actually functioning.
  6. Where IA has requested confirmation of the implementation of new or updated controls, this should be provided.
  7. Annual review and approval of the updated risk appetite should then drive a review by OM and RM of the risk and control environment and will inform the IA review cycle by potentially changing the perceived highest risk areas.


These steps will lead to a more seamless integration of OM, RM and IA, and will improve both relationships at the operational level, and provide greater confidence to the Board that the control environment is well established, operating and being effectively monitored.

20 September 2018

A Selection of Risk Management and Internal Audit Posts

Over the past year, I have posted a number of articles relating to Risk Management and/or Internal Audit. The objective of these has been to focus on the practical yet strategic, and not on individual risks or reporting standards. A selection of those articles includes:


  1. Strategic Audit or Strategic Auditing, and horror story
  2. Risk Geography and Waterfalls
  3. Delegations of Risk Authority
  4. Inherent and Residual Risk is Inadequate; What is the Appetite?
  5. What about your Target Risk?
  6. Single Points of Failure (SPOFs)
  7. Risk Quantification and Physics Envy
  8. Three Lines of Assurance
  9. Beyond Three Lines of Defence; Risk Management and Internal Audit
  10. After 22 years, InfoSec remains important
  11. The Importance of Emergency Lighting; a cautionary tale


Strategic Audit or Strategic Auditing. The ability to perform audits of strategy, or to perform strategic audits, is a critical element of successful Internal Audit. The willingness and ability to report the findings and recommendations requires courage; something too often lacking. I provide a specific example that I believe contributed to the fall of a very major financial services company.

In Risk Geography and Waterfalls I discuss a simple methodology to add to your suite of risk identification and assessment tools, and how the use of Waterfall diagrams can reduce the likelihood of missing important risks. We've used this to some success, and the direct linkage of risk identification to the critical income and expenses waterfall improves coverage. Bringing the right people to the table is facilitated by this methodology, further improving risk identification and assessment.

Delegations of Risk Authority: Too often we hear people say "We've accepted that risk" when what they really mean is "this is too hard; either I'm not able to explain it adequately, or I know remediation costs won't be approved, so I'm not going to try". Just as companies have a Delegation of Financial Authority, so should there be a Delegation of Risk Authority. This article discusses this in more depth, and suggests a way forward.

Inherent and Residual Risk is Inadequate: What is the Appetite? Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite. Without understanding the agreed Risk Appetite, Internal Audit risks imposing its assumptions of what the Risk Appetite should be, not what Senior Management and the Board have agreed.

What about your Target Risk? Following on from assessing the Inherent and Residual risk levels, if you do not know what your target risk level is, you will not know if your controls are effective, you will not know if the investment in remediation is appropriate, and most of all, you will not know when you have reached a level of control that meets the Risk Appetite of Senior Management and the Board.

Single Points of Failure: While not a Risk Management or Internal Audit issue specifically, SPOFs (Single Points of Failure) are probably what will take the company down, at least for a short time. Yet these are also the area where you will probably see the most examples of "we've accepted that risk" from people with no authority to accept such risks.

Risk Quantification and Physics Envy: There is no question that the quantification of the potential negative (and positive) impact of the actualisation of a risk can help to clarify thinking, and support activities required to manage the risk. Yet quantification can also be a waste of time, and can be used to create rubbish results that mask as science. Poor quantification and simulation are easily as bad as or worse than poor subjective assessments.

Three Lines of Defence: The preferred model of various financial regulators, and one that has been embraced by the Institute of Internal Auditors, provides a sound framework, as long as we recognise that all lines of defence provide assurance. These two articles address the importance of Assurance from all three lines, and the linkage between Risk Management and Internal Audit.

Three Lines of Assurance: It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.

Beyond the Three Lines; Risk Management and Internal Audit: This article is focused on the relationship between two elements of the Three Lines; Risk Management (in theory 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and where appropriate, accepted or assumed deliberately.

Meanwhile, some stories never get old, and those tend to be around the practical, head-shaking events that we remember, but that could well manifest themselves again.

22 years later, and InfoSec remains a problem. In fact, it is probably a much bigger problem. How to convince the IT Manager that he really needs to take security seriously? Sometimes it takes a practical lesson.

The importance of Emergency Lighting. Have you ever been in a situation where you were simply dumbstruck by the lack of thought that went into a potentially life threatening situation?


12 August 2018

Risk Geography and Waterfalls

“Row, row, row your boat, gently down the stream”. Gently is pleasant and enjoyable, if you know where the rocks are, if you have an idea of the flow of water, and if there are no waterfalls. Knowing where the hazards are at each point along the river, where the bank is too wide, or where the fallen trees are, and then deciding the path, is all part of Risk Management. Most important are knowing where and how to navigate the rapids, and not being thrown over the waterfall.

Not seeing all the swirling currents, the rocks, and the potential drops is akin to missing material risks.

Have you ever been faced with the occurrence of an event that was both material to the business, and yet was not on your radar (or risk register)? That rock in the river and that thumping, scraping feeling and sound when the boat hits that rock. It happens, and it is personally painful when it does. It is difficult to look an executive team in the eyes and say “we, I mean, I missed that one”. Once you’ve done that, the question is “what else are we missing?”

Faced with that situation, and after being assured “we ALL missed it”, I asked myself what process I could put in place to reduce the likelihood of such a mistake in future.

This has led me to thinking about systemic risks and Black Swans as much as thinking about “internal” risks that might have been missed. This post provides an outline of my methodology change to improve completeness of risk consideration, with a focus on material risks.

Exploring the Black Swan world

Over the past few weeks, I’ve published a number of posts on both Risk Management (operational level) and Global Economic conditions and Black Swans. What can, and should, Risk Managers be doing concretely to address these risks?

The first step, of course, is to acknowledge that there are potential systemic risks, and that the enterprise needs to be considering these, macro and micro. Internal resilience is as important as is a level of prudential preparation to weather external shocks.

For example, would the entity's investment portfolio, as managed by the treasury function, stand up to a “Mark-to-Market” after an event that left investors demanding a 5% additional return on bonds? Are banking agreements sufficient to ensure continuity of payments in the event of the failure of a key financial intermediary?

Risk Appetite and Acceptance

Risk Management cannot identify all risks, internal and external, and cannot prioritise those risks in a vacuum. Senior management (and the Board for validation) should be confirming the risk universe, the risk hierarchy, and should be determining the level of acceptable risk. This is the Risk Appetite, and provides a foundation for acceptance of the residual risk position acceptable to management and the Board.

Of course, understanding the Risk Appetite for any particular risk requires an understanding of the risk, the identification of the gross potential impact, an assessment of the likelihood of occurrence, the current situation in relation to the control environment, and, more importantly, the acceptable final risk position (the “target” risk score).

The “Target” risk score, or the Risk Appetite for a particular risk, should only be set and accepted by someone with the authority to accept that final risk position. Anyone else “accepting” that risk is doing so on behalf of the shareholders, and very probably is doing so significantly outside the level of authority that the shareholders have vested in that person. Thus the need for a Delegation of Risk Authority.

Seeing the “Same Thing”

One of the most difficult activities is the identification of all material risks, internal and external. Lists and brainstorming seem to be the most common ways that these sets of risks are identified. And of course generic lists by industry are readily available online, modifiable to your business. These lists reflect a range of risks at a period in time, from the perspective of the list compiler. The next step is to get past the list and identify the hidden or out-of-mind risks.

All risk identification must start with the objectives of the business, even before the structure of the business. From there, a common model is needed, that all participants in the risk identification process are either familiar with, or can easily map to their experience and knowledge of the business.

While it cannot be said that all participants in the risk identification process will be familiar with all aspects of the Balance Sheet or Cash Flow statement, there is a very good probability that they will be very familiar with their own areas, and with how those areas impact discrete elements of the Balance Sheet or Cash Flow.

Victoria, Iguazu or Angel

A remarkable thing about waterfalls is that if you carefully measure all the water that comes in at the top, minus mist and vapour, the amount of water that comes out the bottom end is the same. So with Balance Sheets and Cash Flow statements. The totals in, minus items and added items, equals the amounts “going out”.

A tool that I have found useful for the identification of risks, and to ensure a conversation about risk with senior management, is the waterfall diagram. Each element can be de-constructed to whatever level of detail is required, but the inputs, minus and plus interesting other “stuff”, equal the outcomes or outputs.

The example above provides a very basic (and imaginary) Cash Flow statement for a commercial and industrial company. It would look fundamentally different for a financial institution or insurance business. But in all companies, regardless of industry, after revenues and various costs, we have the output: Net Income.

Every element along the way, inputs and outputs, contributes to a greater or lesser extent to the eventual result. More important, if each element represents a set of definable business objectives, then each element provides us with a specific area of potential risk. For example, a business objective like “complaints per X-thousand customers” relates to specific elements such as SGA (Sales, General and Administration Expenses), or, in Insurance and Financial Services entities, to their Compliance costs as well as SGA.

Let’s add some geography

A waterfall itself is influenced by factors well beyond the flows of water. The height of the drop, the width of the flow, the internal structure of the river and the terrain around it all contribute. So we need to be considering all these facets when looking at our waterfall. Certainly, we have experts internally on the type, flow and quantity of water (internal factors), but how about our understanding of the shoreline and associated geography (external factors)?

Risk Identification and the associated Risk Assessment need to consider all these factors, or critical risks (I must keep remembering to say “risks and opportunities”) will be missed - critical risks that have a fundamental bearing on the likelihood of the business achieving its objectives.

While the metaphor may be imperfect, it does provide a framework.

If we want to ensure that we have identified as many of the material risks as possible, then we need to look at each element of the Waterfall, and consider both the external and internal contributors to that element. In so doing, we identify the potential risks to the achievement of each of those elements.

For a manufacturing and distribution company, the cost of distribution is a material component of the Cost of Goods Sold, and therefore any risks impacting distribution should be included. Consideration of the impact of the sub elements of distribution can be used to determine what specific risk mitigations should be put in place.

In the 2000s, a major FMCG (Fast Moving Consumer Goods) company did not adequately consider distribution costs, or more importantly, the impact of changes in fuel costs as an element of their distribution costs. When fuel costs rose, so did their distribution costs, significantly. Net Income suffered badly.

The inclusion of the potential for an external risk (increased fuel costs) occurring may have suggested the need for mitigation in the form of forward hedging of fuel costs, or hedging of rail transportation costs.


Flipping the Waterfall diagram on its side gives us an excellent tool to help identify “missed” risks. While we did not use this exact presentation, we did use the waterfall diagram a year ago, and it helped us focus on, and in some cases identify, material risks.

It also gives the people with the most knowledge of each waterfall element the opportunity to discuss their elements, the make-up and breakdown of the elements, and to confirm the associated key risks. In addition, it supports challenge and common agreement of the material risks.

In the example above, the Internal and External components of each waterfall element are listed and discussed to confirm that the associated risks have been identified. Quantification of the materiality of the risks was a secondary task, but by using this methodology it was easy for the participants to understand quickly how any change in one of the waterfall elements impacts the overall performance of the business.

Of course, at the core of a successful risk identification (and confirmation - this should be done at least annually) is ensuring that the widest range of people are involved. This most especially includes subject matter experts on each element of the waterfall, and representation from Internal Audit to ensure a common risk universe is agreed.


The result is likely to be a much better aligned assessment of risk against business objectives.



17 July 2018

It's all about the Target (risk assessment)

In my previous post I commented on the importance of adding a “Target” risk position to the traditional "Inherent" and "Residual" risk assessments, and the linkage to the Risk Appetite. More importantly, the “Target” level for any risk provides a focus on the future.

Let me explain.

Inherent to Residual: Inherent risk is the level of risk before remediation. This is important to ensure that we are focusing on the areas of risk that represent the greatest threat or opportunity for the entity. Inherent risk scoring is subjective, but then so is almost all risk scoring. Yet an assessment, subjective or quantified, of the risk before controls or other remediation ensures that we invest our limited resources in the areas that pose the greatest threat to the achievement of the entity's objectives.

So we’ve assessed the Inherent risk, and we have applied controls for remediation, mitigation, etc. Now we have our “Residual” or “Net” risk position. Again, this is by nature subjective, and fraught with assumptions. But it does provide an assessment of our current state of risk and the level of risk that is being taken by or accepted by the entity. But this is subjective. And it will be wrong.

There will be too many missing controls, controls that are functioning ineffectively, mitigation that is unfocused or not in place. The assessment of the Residual risk position provides a snapshot of the current situation, with no insights into either the level of risk that is acceptable, the actual level of risk being taken, or the level and type of risks that the entity wants to take.

Target: And so we get to the “Target” risk level or assessment. What level of risk does the entity want to take, and what level of risk is acceptable? This is fundamentally an assessment of the desired future state of the risk environment that the entity wishes to work within. And yes, this too shall be subjective. It will also probably be achievable.

As Risk Managers we need to consider and advise on the level of acceptable or desirable risk to be taken or accepted by an entity, across the spectrum of risks. This means that we need not only to assess the raw (Inherent) risk environment and support the allocation of resources to the highest or least desirable risk areas (and, of course, to those areas where we want to take risk).

We also need to work with management to objectively assess the desired, or acceptable level of risk to take; the Risk Appetite. This should be done globally, and should be done at the level of each identified and recorded (and managed) risk. This is our Target risk level for each risk.

Now, and only now, can we meaningfully assess our “Residual” level of risk, and determine if that level of risk is appropriate.

If our current (“Residual” or “Net”) position equals our Target, then we are running at our desired level of risk. And if it does not, then we now know that our desired future state does not equal our current risk-managed state for this risk, and for all other risks where Residual does not equal Target.


Example of Residual to Target tracking

In the example above, a number of interesting observations can be made, including that the Residual and Target risk assessments change as risks are reviewed by the Risk Owners. It is also clear that Residual and Target are not the same. Within the data there will probably be a number of individual risks where the Residual assessment equals the Target assessment; the current risk situation for those risks equals the entity's Risk Appetite for those specific risks.

So why does Residual not equal Target? There are three possibilities:


  1. Our control environment is ineffective and/or does not include all the controls that are already in place to manage the risks (and these then need to be identified).
  2. Our aspirational level of risk management for risk is too high.
  3. Conversely, we are over-controlled (where Residual is lower than Target for specific risks) and we are potentially stifling the business through excess controls.

And when we determine that our Residual risk position does not equal our Target risk position, we have four options:


  1. Accept that it will not be possible to achieve the desired Risk Appetite for this risk, and, through a Delegation of Risk Authority process, change our Risk Appetite and therefore our Target level for this risk to equate to the current Residual risk level.
  2. Subtly different, but we may determine that the Risk Appetite is not right, and that we do want to accept, or take, more of this risk, and therefore change the Target.
  3. Identify the controls that are not effective and implement improvement programmes or introduce new controls.
  4. Confirm that we are over-controlled and look at which controls are not actually required, or are burdensome and should be replaced with monitoring controls.

What is the role of Internal Audit in this?


The Internal Audit function provides some assurance that the system of internal controls is effective. This requires Internal Audit to determine what areas of business activity they will review. This selection should be risk-based, which means starting with the risk register and considering a balance between the highest “Inherent” risk areas and the highest “Residual” risk areas.

As part of each Internal Audit, the assessed level of Target risk should be considered, and Internal Audit should then perform an audit programme designed to confirm (or otherwise) that management’s assessment of the effectiveness of controls is accurate. If the controls are effective, and these controls have been determined to bring the entity to within Risk Appetite, then Internal Audit’s role is limited to questioning the appropriateness of the Risk Appetite. (Note I say question, not set, as that is the role of senior executives and the Board, or others within their Delegation of Risk Authority).

Where the Residual risk level does not meet the Target, Internal Audit should be determining if this is because the controls are ineffective, or because the control environment provides inadequate coverage of the risk. In which case, new controls may be appropriate.

In all cases, Internal Audit should be determining if Management's assessment of the effectiveness of the control environment matches the evidence provided to Internal Audit. If management's assessment is correct, and there remains a delta between the Residual and Target, and senior management and/or the Board are aware, then there is no Internal Audit finding other than the fact that senior management and/or the Board are aware of the difference, and are aware of and support management's plans for remediation.

It's all about the Future

The core message, however, is that the Inherent risk position represents a “past” with no controls, the Residual risk position represents the present (as assessed by management), while the Target risk represents the future, or desirable control and risk management state, and is one enunciation of the entity's Risk Appetite.

The question we ask of Risk Owners is: What are you doing to get from the Residual risk position to the Target risk position, and when will you get there?



01 July 2018

Risk Acceptance - the need for a Delegation of Risk Authority (DRA)

Over too many years, when pointing out a risk or situation, either management or those below them may respond with "it's okay, we've accepted that risk".

Really? Who accepted that risk, and did they have the authority to accept that much risk on behalf of the business? In too many cases the risk identified was significant, and if presented to senior management or the Board, that risk would not have been "accepted", at least not without consideration of the implications and costs of remediation or reduction of the risk.

What actually happened is that the person or people dealing with the risk have been unable to quantify or otherwise clarify the risk and potential impact, or develop a costed and realistic plan to mitigate the risk. Because of this, they have failed to convince themselves of the severity of the risk, and therefore are unable to communicate that exposure to senior management. Having failed to effectively communicate, they fall back on "we've accepted that risk". 

Too often what was missing was an actual assessment of the risk, either subjective or, where possible, quantitative. Included in such an assessment should be a definition of the existing controls and an assessment of the effectiveness of those controls.

Controls exist to provide confidence that risks are being managed. As such, on a quarterly, six-monthly and for some annual basis, management owners of controls should confirm that the controls associated with risks are functioning and are effective. Evidence should then be provided that demonstrates that the controls are functioning. 

Rarely is there a formal confirmation that the person responsible for the control actually has the authority to accept the associated risk.

Risk acceptance can be split into two parts:

  1. First, is the Risk Appetite appropriate for this risk? It may well be that the entity's Risk Appetite is too cautious for this type of risk, and therefore the reduction of the risk to tolerable levels will be too expensive and result in a situation of "over-control".
  2. The second factor is the authority of the person accepting the risk. While companies generally have Delegations of Financial Authority (DFAs), rarely is there a formal Delegation of Risk Authority (DRA). 

To put that into a concrete example, a manager may have a financial delegation of up to $/€/£10,000. That is the level of expenditure that has been determined to be appropriate for that level or individual, without the need for additional authority. The next level up may have a delegation of $/€/£50,000. Finally, for major decisions, a Director or Board authority might be required, say for investment or programmes with a value above $/€/£1,000,000.

But how much Risk can a manager accept? 

What is missing from the picture is the Delegated Risk Authority to accept a residual risk position. All risks have an inherent level of risk and potential impact. We implement controls to reduce or manage the risks resulting in our residual or "net" risk position. Yet our residual risk position may not represent a level of risk that is acceptable to the entity within the bounds of the entity's Risk Appetite. 

Where the residual risk is above the acceptable level, either additional controls or mitigation needs to be put in place, or the residual level of risk needs to be "accepted" (which logically would alter the Risk Appetite for that particular risk). 

The question is: who has the authority to accept that residual level of risk?

My recommendation is that companies put in place a Delegation of Risk Acceptance (DRA) that mirrors their Risk Assessment levels. As most companies use, for better or worse, a Likelihood x Impact grid, that grid provides us with an example for the Delegation of Risk Acceptance.

When a ‘risk’ is accepted, this indicates that there is agreement that no additional actions or controls will be put in place to further reduce either the impact or the likelihood of the risk.

For example, the entity may have assessed the risk of a System Failure as "High Likelihood / High Impact" pre-remediation of any kind. Controls in the form of effective governance over IT systems may have brought the assessed residual level of risk down to "Medium/Medium". However, the Risk Appetite may have been stated by the Board to be "Medium (Likelihood) / Low (Impact)".

In this case, there is a disconnect between the residual risk position and the Risk Appetite, and either the residual risk must be "accepted" or additional controls must be put in place.

The "solution" is the Delegations of Risk Acceptance.

For each risk (as per the Risk Appetite and/or grid) there should be an identified level of authority to accept a residual risk position. For example, a residual risk level of High/High should only be "accepted" by the Board, while a Low/Low residual risk position may be "accepted" by a manager.

In this case, the DRA may state that residual risk positions that are "Medium" (in likelihood or impact) require acceptance at the Cxx level. In which case, for this example, the CIO should be required to "accept" the residual "Medium / Medium" position, based on an assessment of the cost and effort to bring the residual risk to the Risk Appetite level of "Medium / Low".

The key to the Delegation of Risk Acceptance is that it is linked to the difference between the actual residual risk scoring and the Risk Appetite. Where there is no difference, and the residual risks score equals the Risk Appetite, there is no need to "accept" the risk.
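As an added example (not the author's own tool), the following Python encodes the grid-to-authority rule described in this post and the Residual-versus-Target comparison from the previous one: Low/Medium/High levels, the Manager, Cxx and Board tiers named above, and the System Failure case (residual Medium/Medium against an appetite of Medium/Low). Extending the rule so that any High cell goes to the Board, ranking the tiers numerically, and treating a mixed result (higher on one axis, lower on the other) as exceeding appetite are assumptions made here.

```python
"""Residual-vs-appetite check and Delegation of Risk Authority (DRA) lookup.

Added example, not the author's tool. Levels and tiers follow the post's
Likelihood x Impact grid; extensions beyond the post are marked as assumptions.
"""
from dataclasses import dataclass

# Ordinal Likelihood / Impact scale, as in the post's grid.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Authority tiers named in the post. Ranking them numerically is an assumption
# that lets us check whether a given role holds enough delegated authority.
AUTHORITY_RANK = {"Manager": 1, "Cxx": 2, "Board": 3}


@dataclass(frozen=True)
class RiskPosition:
    """One cell of the Likelihood x Impact grid, e.g. Medium/Low."""
    likelihood: str
    impact: str

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if v not in LEVELS:
                raise ValueError(f"unknown level {v!r}; expected one of {sorted(LEVELS)}")

    def __str__(self):
        return f"{self.likelihood}/{self.impact}"


def compare_to_appetite(residual: RiskPosition, appetite: RiskPosition) -> str:
    """Classify the residual position against the Risk Appetite (Target).

    'within'          residual equals appetite: nothing to accept.
    'exceeds'         residual is higher on at least one axis: accept or add controls.
    'over_controlled' residual sits below appetite: controls may be excessive.
    Treating a mixed result (higher on one axis, lower on the other) as
    'exceeds' is an assumption, not something the post states.
    """
    dl = LEVELS[residual.likelihood] - LEVELS[appetite.likelihood]
    di = LEVELS[residual.impact] - LEVELS[appetite.impact]
    if dl == 0 and di == 0:
        return "within"
    if dl > 0 or di > 0:
        return "exceeds"
    return "over_controlled"


def required_authority(residual: RiskPosition) -> str:
    """Lowest tier that may accept this residual position.

    Follows the post (High/High -> Board, any Medium -> Cxx, Low/Low -> Manager)
    and, as an assumption, keys on the higher of the two axes so that a cell
    such as High/Low also goes to the Board.
    """
    worst = max(LEVELS[residual.likelihood], LEVELS[residual.impact])
    return {3: "Board", 2: "Cxx", 1: "Manager"}[worst]


def acceptance_decision(residual: RiskPosition, appetite: RiskPosition) -> dict:
    """Combine the appetite comparison with the DRA lookup for one risk."""
    status = compare_to_appetite(residual, appetite)
    return {
        "status": status,
        "residual": str(residual),
        "appetite": str(appetite),
        # Acceptance only arises where the residual sits above appetite;
        # 'within' needs no acceptance and 'over_controlled' calls for a
        # review of burdensome controls instead.
        "required_authority": required_authority(residual) if status == "exceeds" else None,
    }


def can_accept(role: str, residual: RiskPosition, appetite: RiskPosition) -> bool:
    """True if `role` holds enough delegated authority to accept this risk.

    Someone below the required tier saying "we've accepted that risk" is
    acting outside their delegation. Positions that need no acceptance
    return True for any role, since there is nothing to accept.
    """
    decision = acceptance_decision(residual, appetite)
    required = decision["required_authority"]
    if required is None:
        return True
    return AUTHORITY_RANK[role] >= AUTHORITY_RANK[required]


if __name__ == "__main__":
    # Worked case from the post: System Failure, residual Medium/Medium after
    # IT governance controls, Board-stated appetite Medium/Low.
    residual = RiskPosition("Medium", "Medium")
    appetite = RiskPosition("Medium", "Low")
    print(acceptance_decision(residual, appetite))
    print("CIO (Cxx) may accept:", can_accept("Cxx", residual, appetite))
    print("Line manager may accept:", can_accept("Manager", residual, appetite))
```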

Has this been implemented?

Yes, though with mixed success. As with all issues of Risk Management, the quality of Board, Director and Senior Management buy-in is critical. Communication is required, and an understanding of the risk and control environment, both internal and external.

When used effectively, the DRA can ensure that risk acceptance is being taken at the right levels, or additional investment is authorised to bring the residual risk situation into line with the Risk Appetite. I have seen this accomplished, and the risk environment has been demonstrably improved.

Likewise this provides Internal Audit with an effective tool to communicate and encourage the implementation of effective controls. On the one hand, IA "empowers" the auditee to perform their risk assessment and to then gain the required investment or reallocation of resources to resolve the audit issue, or management with sufficient DRA is then able to confirm that the risk as identified by IA has been accepted at an appropriate level.


24 April 2016

Is Risk Management a Profession?


So once again I have been invited to attend the ISO 31000 training programme. And at the end of the 3 days I will, of course, pass my certification exam, and will be able to call myself a C31000 Professional. Wow, am I excited, or not.

When I look at a range of "professions" I see a few things in common: years of experience and study, a professional body or association (or bodies) that determines a set of standards for professionals, certification, and a set of disciplines. I also see regulatory bodies (even if self-regulating within the profession) that protect the name of the profession, and strike off those that fail to uphold the standards of the profession. I also see the profession seeking to protect itself from charlatans who do damage to the profession, and, by pointing out clearly the standards required by the profession, to protect companies that employ such professionals.

So how does "The Google" define a Professional Association?


Somewhat limited I think, but for our purposes we can use this. What seems to be missing is protecting the integrity of the profession and professionals, but that might be included in furthering "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans.

Would the ACCA, ICAEW, IMA, AICPA, or the CICA stand by quietly as an organization or individual offered to create certified accountants in less than a week? The Medical Council would not allow someone to practice medicine without proper training and certification. Yet that is exactly what the Risk Management professional bodies do when someone offers three-day courses with a "professional" certification at the end. Where are the IRM, RIMS, GARP, PRMIA in protecting the reputation of the Risk Management profession and professionals?

So is Risk Management a profession? I'm sure that others have their own definitions and expectations of what makes a profession and a professional. For me, as someone engaged in the profession, I like the definition from Google:



Considering this definition, I consider myself to be a Risk Management Professional. I have been advising companies on Risk Management, have developed an ERM application from concept to implementation, and I am a Risk Manager in a business. I am a member of a professional body, and have contributed to thought leadership published by that body, ranging from Risk Appetite and Tolerance, to Cyber Threats, and Risk in the Extended Enterprise.

Which apparently means that I should be "certified". Or at least, someone thinks that this will make me a professional.

So let us look at this kind invitation from Alex Dali again, the one that will, in three days, make me a Certified ISO 31000 Risk Management Professional.

The message from Alex Dali says:

I am pleased to inform you about the next training and certification session in London next month in May for you to become a Certified ISO 31000 Risk Management Professional with the official label C31000 certification.

It then gives the details of the course in London, for a very reasonable £1900, which includes the fee for the exam and certification.

It goes on to say:

Given your profile, I am sure that you will benefit a great deal from being a “Certified ISO 31000 Risk Management Professional” with in depth knowledge on the international ISO 31000 risk management standard. This session is also dedicated to those interested to become Certified ISO 31000 Lead Trainer.

Nice to see that my LinkedIn profile indicates that I would benefit from being such a certified professional. Or not.

So where am I going with this?

I expect my professional body to protect "the interests of individuals engaged in that profession" through protecting the name of the profession from charlatans. And that includes calling out examples like this, where people can claim to be a Risk Manager simply by paying for a three-day course.

To be very clear, any programme that offers a professional certification after a three-day course and an exam (I wonder what the failure rate is, after paying £1900) is a joke. To be completely honest, I would have a difficult time taking someone seriously if they actually put C31000 or any other notification that they have received this certification on their profile. I would then question every other certification that they claim, and I would wonder if that MBA or any other degree was from a mail-order "Institute" or "Institution" or just a postbox.

We as a Profession should be calling out specific examples like this, where someone sells certifications. We should be making it clear that we, individually and as professionals, will not accept bogus credentials.

For my part let me be very clear:

If you send me a CV with the C31000 certification on it, or if you have the C31000 certification on your LinkedIn profile, I will NOT be engaging with you. You are not a Risk Management Professional. You are the second definition of a Profession above: "an open but often false claim".

Just so there is no mistaking what I've just said:


To the professional bodies I ask: why are the Risk Management professional bodies and associations such as the IRM, GARP, PRMIA, RIMS and others not calling out the charlatans? Why are the professional bodies not protecting the interests of their members?

If my professional body will not openly state that this type of certification is a sham, then I need to do so, if for no other reason than to state categorically that I want my Profession to stand for something. When I say that I am a Risk Manager, I want it to be clear that this means I have years of experience, that I can back that up with evidence. That I am a professional.






26 January 2016

Risk Managers in Uncertain times

Over the past few weeks I have been thinking about the world as we move into 2016. Most of that thinking is not about daisies and pixie dust, but about the changes over the past few years, many of which seem to be leading either to crisis, trouble, or the slow boiling of the frogs. Personally I'm hoping for a few crises that will, although probably fairly terrible at the time, actually bring about some fundamental changes that will create real change and improvement, at least in the medium term.


What's a Risk Manager to do? Below I contrast "the Usual Suspects" that we are (or should be) watching every day as Risk Managers, and then "the Big Stuff" and implications for Risk Managers now.

We are going to see the world change through 2016 and 2017, potentially dramatically - and not necessarily positive change. That is my view. Of course, I could be very wrong, and we could see a world that "muddles along". At heart are our individual answers to the question "how do we best help our businesses manage the coming risk world?"

I am not confident, but that is my view.

So let me suggest, based on my view, the potential impacts on Risk Managers for the coming couple of years. Two years is a very short time in a world of potential regulatory change and economic cycles. Anything shorter than two years would fail to consider the potential impact of major business and economic cycles such as the current commodity depression, the US (and China) manufacturing recession, and the very serious systemic debt and migrant issues that Europe may or may not manage through the coming year.

The Usual Suspects:

Of course the world of Risk will be both immediate and longer term, local or specific as well as systemic and international. We'll start by reminding ourselves of some basic risks that have no direct link to the wider situation.

1. Cyber threats. This category of risk continues to be on the rise, and can be an existential threat to companies from a data-loss or damage perspective, while civil and regulatory sanctions continue to increase. This is a threat that has been growing, and increased access and growth in skill sets will increase the number of hackers and the breadth of tools and techniques they will use. Companies will be taken down by Cyber attacks. Companies can prepare for and attempt to limit the impact of Cyber attacks, but can do little to reduce the likelihood of such attacks (as exogenous threat likelihood is not subject to risk reduction activities on the part of the company). Reducing the impact requires planning, careful review of the potential threat (what are the data crown jewels, and how are these protected?) and remediation where infrastructure is not adequately protected. Reputation damage limitation is an element of planned responses, and finally, consideration should be given to Cyber Insurance.

2. Fraud, Bribery and Corruption. If the economy continues to grow and unemployment continues to fall, there will be little impact on the likelihood of Fraud, internal or external, though of course these risks remain. However, if we see a degradation in economic conditions, this will probably lead to an increase in fraudulent activity, starting with external fraud and followed by an uptick in potential internal fraud. Of course, some fraud, bribery or corruption is simply due to greedy people, and has no linkage to economics. Exercise skepticism.

3. Solvency. For the insurance industry in Europe, this is the year Solvency II fully comes into effect, and insurers across the continent are getting their reporting houses in order. Yet the risk is not simply that companies may or may not be solvent, it is a question of the quality of internal processes supporting production and maintenance of the ORSA (Own Risk and Solvency Assessment). As risk managers we can learn from companies that have been through the process, such as the importance of the quality of documentation of the process, effectiveness of systems of control (nothing new there), and the ability to demonstrate how the ORSA contributes directly to business decision-making.

4. All Your Risks. Every risk on your Risk Register will remain as critical (or otherwise) through 2016 and 2017 as it is today. Some will increase in potential impact, many will eventuate in actual issues or problems. These risks will become incidents, and you will manage them through to resolution - or not. There will also be a host of issues and incidents that will result in you reviewing the Risk Register, and probably adding risks to the Register.

You can never go wrong keeping your eyes on the day-to-day risks, and ensuring that the business either has effective controls in place, or is building a control environment that can actually be monitored to indicate areas of existing or emerging risk.

Now for the Big Stuff:

A global correction may be underway, with no sign of a low for some time to come. Certainly there may be up days or weeks, but it appears that there is more likelihood of a longer down trend for the coming months. The questions now are "how far, how fast, how long, and how much stimulus"? There are no serious commentators calling for a near-term renewal of a global bull market. The IMF recently downgraded their expectations for global growth from 3.8 (July 2015 forecast) to 3.4 (January 2016), with developed economy growth downgraded from 2.4 to 2.1, the same level as 2015.

The US markets are down 15% from their highs (DJIA - 15,900 from 18,200 in 2015), and China is at 2014 levels (Shanghai is at 2750 from a high of 5100 in 2015). [as at 26 January 2016]  Where will they go?

Total global debt has continued to rise all through the supposed deleveraging after the Global Financial Crisis (GFC), increasing by US$57 trillion since 2007 to almost US$200 trillion. The majority of this increase has been government debt, yet corporate debt (and personal debt) has also risen through that period. This also cannot continue without impact.

At the same time, in developed countries, growth in real incomes is close to stagnation. Personal income in the UK has finally (May 2015) caught up with where it was before the GFC, and the strong employment growth has been reflected in falling unemployment and increased wages. The introduction of a "living wage" will also increase personal incomes (although some worry that imposed minimum wages reduce employment growth). All good news, but will the UK continue to grow as the rest of the world slows down, if the UK votes to leave the EU, or if markets continue to fall (the FTSE is now at 5800 from just over 7000 in 2015, and continues to fall)? [as at 26 January 2016]

In the US, employment growth appears to be strong, at the same time that the labor participation rate continues to fall. The unemployment rate is around 5%, a level that is close enough to full employment that we should be seeing serious upward pressure on wages. Yet the continued fall in labor participation indicates that there remains a (growing) untapped pool of labor. The picture remains murky.

Recommendations for Risk Managers

The current economic situation is, in my view, as scary as it has been since the GFC. Fear has an impact on risk and companies' and individuals' perceptions of appropriate levels of acceptable risk. How do we translate this into meaningful decision-making by companies, and counsel from Risk Managers?

1. Risk Appetite. There should be no better time than now to review (or write) the Risk Appetite for the business. Risk Appetite will provide a construct for decision-making by management that is in line with the level of risk that is acceptable to the Board and through them the shareholders. Risk Appetite is not a single statement, but needs to be broken into key business activities or processes, and potentially high level business units / companies. When reviewing (or writing) the Risk Appetite, speak directly with the directors and in private companies, with the key shareholders.

2. Identify your Key Risk Indicators (KRIs). These are the indicators whose movement provides insight into the potential increase or decrease in the likelihood of the materialization of any particular risk. For example, this may include items such as average days receivables (expanding may indicate deteriorating customer business conditions), or less obvious indicators such as unplanned staff turnover rates (with falling unplanned turnover being a surrogate for a degrading jobs market for your employees).

3. Stress tests (EKRIs). Build the models, and then test them beyond what your CFO/Finance Director thinks is possible. Build in extremes such as cost of fuel for distribution networks, cost of capital, and internal project hurdle rates. Stress until the model breaks, then look at why the model broke. That will give you a strong indication of the most important factors to be watching on a daily basis - your External Key Risk Indicators (EKRIs). I know of a very large manufacturing company that failed to hedge fuel costs, resulting in significant business costs when oil did spike. While that may not be the case today, if cheap oil turns out to be transitory, will cost-reduction based profits evaporate?
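As an added example (not from the post, and not any real company's model), here is the procedure in step 3 carried out in Python on a constructed operating model: each driver is pushed in 1% steps in its adverse direction until a break condition trips, the script records which condition failed, and the drivers are then ranked by how small a move it took to break the model. That ranked list is the set of EKRIs to watch daily. The P&L structure, the baseline numbers and the break thresholds (negative cash after interest, interest cover below 1.5x, the project pipeline failing the hurdle rate) are all assumptions made for the illustration.

```python
"""Stress a simple operating model until it breaks, then rank the drivers by
how little stress it took.  Added example for this post, not the author's
model: the company, its numbers and the break conditions are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Drivers:
    units: float                # units shipped per year
    price: float                # revenue per unit
    fuel_per_unit: float        # distribution fuel cost per unit
    other_cost_per_unit: float  # all other variable cost per unit
    fixed_costs: float
    debt: float
    cost_of_capital: float      # interest rate paid on the debt
    hurdle_rate: float          # minimum return the board demands of projects
    project_return: float       # expected return of the current project pipeline


# Constructed baseline: thin margins and moderate leverage.
BASELINE = Drivers(units=1_000_000, price=10.0, fuel_per_unit=1.5,
                   other_cost_per_unit=5.5, fixed_costs=2_000_000,
                   debt=10_000_000, cost_of_capital=0.05,
                   hurdle_rate=0.12, project_return=0.17)


def run_model(d: Drivers) -> dict:
    """One year of the constructed P&L; returns the metrics the board watches."""
    revenue = d.units * d.price
    variable = d.units * (d.fuel_per_unit + d.other_cost_per_unit)
    ebit = revenue - variable - d.fixed_costs
    interest = d.debt * d.cost_of_capital
    return {
        "cash_after_interest": ebit - interest,
        "interest_cover": ebit / interest if interest else float("inf"),
        "projects_viable": d.project_return >= d.hurdle_rate,
    }


def failures(metrics: dict) -> list:
    """Break conditions the metrics violate; an empty list means the model holds."""
    broken = []
    if metrics["cash_after_interest"] < 0:
        broken.append("negative cash after interest")
    if metrics["interest_cover"] < 1.5:
        broken.append("interest cover below 1.5x")
    if not metrics["projects_viable"]:
        broken.append("project pipeline fails hurdle rate")
    return broken


# Adverse direction for each driver: +1 pushes it up, -1 pushes it down.
STRESSES = {"price": -1, "units": -1, "fuel_per_unit": +1,
            "cost_of_capital": +1, "hurdle_rate": +1}


def find_break(base: Drivers, driver: str, direction: int, max_pct: int = 900):
    """Move one driver in 1% steps until a break condition trips.
    Returns (multiplier, reasons), or (None, []) if it never breaks."""
    last_pct = 99 if direction < 0 else max_pct   # cannot go below zero
    for pct in range(1, last_pct + 1):
        factor = (100 + direction * pct) / 100
        stressed = replace(base, **{driver: getattr(base, driver) * factor})
        reasons = failures(run_model(stressed))
        if reasons:
            return factor, reasons
    return None, []


def stress_test(base: Drivers = BASELINE, stresses: dict = STRESSES) -> dict:
    """Break point for every stressed driver, keyed by driver name."""
    return {name: find_break(base, name, direction)
            for name, direction in stresses.items()}


def rank_ekris(results: dict) -> list:
    """Drivers ordered by how small a move broke the model: the EKRIs to watch."""
    broke = [(name, f, why) for name, (f, why) in results.items() if f is not None]
    return sorted(broke, key=lambda r: abs(r[1] - 1))


if __name__ == "__main__":
    for name, factor, why in rank_ekris(stress_test()):
        print(f"{name:16s} breaks at x{factor:.2f}: {', '.join(why)}")
```

On the constructed numbers the model breaks first on a 3% price cut and a 9% volume drop, well before fuel (+17%) or the cost of capital (+34%) do any damage; the reason is the same every time, interest cover falling below 1.5x, which says more about the thin operating margin than about any single external factor. That is the "look at why the model broke" step: the ranking tells you what to watch, the failure reason tells you what to fix.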

4. Outside-In. Having built or reviewed the Risk Register, the KRIs and the EKRIs, how are the risks identified reflected in the Risk Registers and risk reporting? Is the current risk environment too inward looking, focusing on the specific risks, controls, actions and people that are within the organization and therefore "observable" to management? How strong is the monitoring of external factors, and how can this be built into risk reporting?

5. Regulation Watch. Times of crisis almost always breed new regulation, or changes to existing regulation. I'm not going to opine on the benefits or otherwise of regulation, but as Risk Managers we must ensure that our organizations have fully considered the potential impact of such changes. When SOx (Sarbanes Oxley) and the section 404 requirements were passed, who predicted $170/hour for bog-standard Internal Auditors spending thousands of hours documenting mundane financial reporting processes and identifying controls - followed then by the massive increases in compliance costs to test those controls? Something like this is in our collective futures.

These are a few of the considerations for Risk Managers today. Are these different from what Risk Managers should be doing or concerned with in good times of steady global growth? No. And that is the rub, and the message: times like today provide strong reminders of what we should be doing every day. The increased fear does, however, provide us with the energy to get this done.