
29 November 2018

Risk Management is all about Choosing; Sometimes it is Personal

About three months ago, a dear friend was diagnosed with a serious condition. At some time, a medical intervention would be required, either major surgery, or potentially keyhole surgery. He, with advice from his specialist, had to choose; surgery now, or monitor the situation and plan surgery at a later date. There were many reasons that either choice would have been acceptable – get the surgery out of the way quickly to reduce the risk of a catastrophic event, or wait six months until the family was in a good position to be able to handle the disruption.

The condition could manifest itself any time, or might not for a few years. What should be done? If they agreed to go ahead with the surgery immediately, then it would probably take six to eight weeks to schedule the surgery, and only the major surgery option would be available.

In weighing up all the factors and eventualities, his specialist suggested that the situation be monitored, but that if he had any events that were of concern, he should contact the hospital immediately, and they would schedule the surgery, major or keyhole depending on what was happening or required. With other factors in his family life at that time, a delay would have been best, as long as the doctor felt it was safe to do so. He chose to delay. He also chose to "mitigate" by continuing his exercise programme, and ensuring he was as fit as possible.

Risk Management has been defined in many ways, as has Risk itself as a concept. ISO31000 uses the very bland “effect of uncertainty on objectives”, while my own definition for the past 25 years has been “the possibility of something bad happening, or something good not happening”. Of course, risk by itself exists in everything we do, and in all the decisions and choices we make, as individuals, companies, families, cultures and countries.

But that misses the primary point of Risk Management. There is too much talk of supporting decision-making, providing insights, developing or supporting the development of risk appetites, and on the list goes. But what Risk Management is really all about is “choosing”. When we remember that the decision to do nothing is a choice, as is a decision to do something, then we get to the heart of what Risk Management is, and that is the very act of choosing, to do something or to do nothing, in an informed manner, with intent and with the expectation that the choice made will deliver a more desired and desirable outcome than the alternative choices.

Is there a role for fate? Of course. After all, it is not possible to influence all choices, or even to identify the full range of choices that must be made. It is, however, the proactive choices that prepare for the potential for fate to intervene that can influence the severity of the results and impact.

We can look at this from two directions. In order to make an effective decision, all risks and rewards need to be considered and Risk Management is instrumental in assisting with that decision making. Looking from the other direction, Risk Management should only be providing support to enable those with the authority and responsibility to choose. Therefore, if there is no choice, then does Risk Management have anything to offer (in this particular case) and should Risk Management then be focusing on where choices must be made?

This feeds directly into the prioritisation of Risk Management attention, to focus on the areas that require decisions. Yet how does Risk Management achieve that? Unfortunately by looking across the spectrum of potential choices and attempting to assess which of those meet the following criteria:

  • Biggest impact (positive or negative) that may result from choosing
  • Criticality of the timing of choosing
  • Underlying longer-term impacts of not choosing
  • Level of authority required to choose


For each of these criteria, any risk (or control, and yes there is a relationship to internal controls and Internal Audit here) needs to be considered, at a level of attention commensurate with the balance of the four criteria. Operational level decisions (choices) should already be subject to appropriate oversight and consideration, and probably are not the most effective allocation of Risk Management resources, while the processes of consideration and authorisation of those operational choices at the senior level may be of considerable interest. The processes (and resulting choices) for determining and confirming delegations of authority will have lasting impacts on the culture and associated effectiveness of decision making.

Six weeks after choosing to delay the surgery, “The Event” happened, and my friend very nearly died. He is recovering, after truly heroic efforts of a simply magnificent surgical and ICU team. He has a long road to recovery ahead, but he will make it.

Had they decided to go ahead with the surgery at the time of diagnosis, in all probability the event would have happened before the surgery could have been scheduled.

So was the choice the right one? How can we know? We do now know that his fitness (a choice) and effective diagnosis before the event (another choice) ensured that when the event happened, he was physically most able to sustain the terrible damage. We also know that with the diagnosis, the emergency services were able to get him from the local hospital to the best specialist hospital in the country, immediately.

The Risk Assessment in this entire situation was the identification of the potential problem through effective diagnosis, and a defined and agreed treatment plan. The choosing was when to intervene, and this was the Risk Management.


20 September 2018

A Selection of Risk Management and Internal Audit Posts

Over the past year, I have posted a number of articles relating to Risk Management and/or Internal Audit. The objective of these has been to focus on the practical yet strategic, and not on individual risks or reporting standards. A selection of those articles includes:


  1. Strategic Audit or Strategic Auditing, and horror story
  2. Risk Geography and Waterfalls
  3. Delegations of Risk Authority
  4. Inherent and Residual Risk is Inadequate; What is the Appetite?
  5. What about your Target Risk?
  6. Single Points of Failure (SPOFs)
  7. Risk Quantification and Physics Envy
  8. Three Lines of Assurance
  9. Beyond Three Lines of Defence; Risk Management and Internal Audit
  10. After 22 years, InfoSec remains important
  11. The Importance of Emergency Lighting; a cautionary tale


Strategic Audit or Strategic Auditing. The ability to perform audits of strategy, or to perform strategic audits, is a critical element of successful Internal Audit. The willingness and ability to report the findings and recommendations requires courage; something too often lacking. I provide a specific example that I believe contributed to the fall of a very major financial services company.

In Risk Geography and Waterfalls I discuss a simple methodology to add to your suite of risk identification and assessment tools, and how the use of Waterfall diagrams can reduce the likelihood of missing important risks. We've used this to some success, and the direct linkage of risk identification to the critical income and expenses waterfall improves coverage. Bringing the right people to the table is facilitated by this methodology, further improving risk identification and assessment.

Delegations of Risk Authority: Too often we hear people say "We've accepted that risk" when what they really mean is "this is too hard; either I'm not able to explain it adequately, or I know remediation costs won't be approved, so I'm not going to try". Just as companies have Delegations of Financial Authority, so should there be a Delegation of Risk Authority. This article discusses this in more depth, and suggests a way forward.

Inherent and Residual Risk is Inadequate: What is the Appetite? Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite. Without understanding the agreed Risk Appetite, Internal Audit risks imposing its own assumptions of what the Risk Appetite should be, not what Senior Management and the Board have agreed.

What about your Target Risk? Following on from assessing the Inherent and Residual risk levels, if you do not know what your target risk level is, you will not know if your controls are effective, you will not know if the investment in remediation is appropriate, and most of all, you will not know when you have reached a level of control that meets the Risk Appetite of Senior Management and the Board.

Single Points of Failure: While not a Risk Management or Internal Audit issue specifically, SPOFs (Single Points of Failure) are probably what will take the company down, at least for a short time. Yet these are also the area where you will probably see the most examples of "we've accepted that risk" from people with no authority to accept such risks.

Risk Quantification and Physics Envy: There is no question that the quantification of the potential negative (and positive) impact of the actualisation of a risk can help to clarify thinking, and support the activities required to manage the risk. Yet quantification can also be a waste of time, and can be used to create rubbish results that masquerade as science. Poor quantification and simulation are easily as bad as, or worse than, poor subjective assessments.

Three Lines of Defence: The preferred model of various financial regulators, which has been embraced by the Institute of Internal Auditors, provides a sound framework, as long as we recognise that all lines of defence provide assurance. These two articles address the importance of Assurance from all three lines, and the linkage between Risk Management and Internal Audit.

Three Lines of Assurance:  It is time for a fundamental shift in the thinking about the concept of Three Lines of Defence and the value that Internal Audit and Risk Management deliver, and an equally fundamental shift in the role of management in the delivery of assurance and value creation. Over the past decade, the role of provider of assurance to the Board has been defined by the Internal Audit profession, and enshrined in the IIA's presentation of the Three Lines of Defence (TLD) model. That presentation of the TLD model and the associated assumption of who provides assurance undermines the responsibility of professionals across businesses, and presents an overt statement that management is not to be trusted. As such, it is time to review that model and introduce new thinking.

Beyond the Three Lines; Risk Management and Internal Audit: This article is focused on the relationship between two elements of the Three Lines; Risk Management (in theory 2nd line) and Internal Audit (the 3rd line). These two lines of defence provide Directors, the Board, shareholders and stakeholders with confidence that the system of internal controls is functioning effectively, that risks are being identified and managed, and where appropriate, accepted or assumed deliberately.

Meanwhile, some stories never get old, and those tend to be around the practical, head-shaking events that we remember, but that could well manifest themselves again.

22 years later, and InfoSec remains a problem. In fact, it is probably a much bigger problem. How to convince the IT Manager that he really needs to take security seriously? Sometimes it takes a practical lesson.

The importance of Emergency Lighting. Have you ever been in a situation where you were simply dumbstruck by the lack of thought that went into a potentially life-threatening situation?


12 August 2018

Risk Geography and Waterfalls

“Row, row, row your boat, gently down the stream”. Gently is pleasant and enjoyable, if you know where the rocks are, if you have an idea of the flow of water, and if there are no waterfalls. Knowing where the hazards are at each point along the river, where the bank is too wide, or where the fallen trees are, and then deciding the path, is all part of Risk Management. Most important are knowing where and how to navigate the rapids, and not being thrown over the waterfall.

Not seeing all the swirling currents, the rocks, and the potential drops is akin to missing material risks.

Have you ever been faced with the occurrence of an event that was both material to the business, and yet was not on your radar (or risk register)? That rock in the river and that thumping, scraping feeling and sound when the boat hits that rock. It happens, and it is personally painful when it does. It is difficult to look an executive team in the eyes and say “we, I mean, I missed that one”. Once you’ve done that, the question is “what else are we missing?”

Faced with that situation, and after being assured “we ALL missed it”, I asked myself what process I could put in place to reduce the likelihood of such a mistake in future.

This has led me to thinking about systemic risks and Black Swans as much as thinking about “internal” risks that might have been missed. This post provides an outline of my methodology change to improve completeness of risk consideration, with a focus on material risks.

Exploring the Black Swan world

Over the past few weeks, I’ve published a number of posts on both Risk Management (operational level) and Global Economic conditions and Black Swans. What can, and should, Risk Managers be doing concretely to address these risks?

The first step, of course, is to acknowledge that there are potential systemic risks, and that the enterprise needs to be considering these, macro and micro. Internal resilience is as important as is a level of prudential preparation to weather external shocks.

For example, would the entity's investment portfolio, as managed by the treasury function, stand up to a “Mark-to-Market” after an event that resulted in bonds demanding a 5% additional return? Are banking agreements sufficient to ensure continuity of payments in the event of the failure of a key financial intermediary?

Risk Appetite and Acceptance

Risk Management cannot identify all risks, internal and external, and cannot prioritise those risks in a vacuum. Senior management (and the Board for validation) should be confirming the risk universe, the risk hierarchy, and should be determining the level of acceptable risk. This is the Risk Appetite, and provides a foundation for acceptance of the residual risk position acceptable to management and the Board.

Of course, understanding the Risk Appetite for any particular risk requires understanding of the risks, the identification of the gross potential impact, an assessment of the likelihood of occurrence, the current situation in relation to the control environment, and more importantly, the acceptable final risk position (“target” risk score).

The “Target” risk score, or the Risk Appetite for a particular risk, should only be set and accepted by someone with the authority to accept that final risk position. Anyone else “accepting” that risk is doing so on behalf of the shareholders, and very probably is doing so significantly outside the level of authority that the shareholders have vested in that person. Thus the need for a Delegation of Risk Authority.

Seeing the “Same Thing”

One of the most difficult activities is the identification of all material risks, internal and external. Lists and brainstorming seem to be the most common ways that these sets of risks are identified. And of course generic lists by industry are readily available online, modifiable to your business. These lists reflect a range of risks at a period in time, from the perspective of the list compiler. The next step is to get past the list and identify the hidden or out-of-mind risks.

All risk identification must start with the objectives of the business, even before the structure of the business. From there, a common model is needed, that all participants in the risk identification process are either familiar with, or can easily map to their experience and knowledge of the business.

While it cannot be said that all participants in the risk identification process will be familiar with all aspects of the Balance Sheet or Cash Flow statement, there is a very good probability that they will be very familiar with their own areas, and how those areas impact discrete elements of the Balance Sheet or Cash Flow.

Victoria, Iguazu or Angel

A remarkable thing about waterfalls is that if you carefully measure all the water that comes in at the top, minus mist and vapour, the amount of water that comes out the bottom end is the same. So with Balance Sheets and Cash Flow statements. The totals in, minus items and added items, equals the amounts “going out”.

A tool that I have found useful for the identification of risks, and to ensure a conversation about risk with senior management, is the waterfall diagram. Each element can be de-constructed to whatever level of detail is required, but the inputs, minus and plus interesting other “stuff”, equal the outcomes or outputs.

The example above provides a very basic (and imaginary) Cash Flow statement for a commercial and industrial company. It would look fundamentally different for a financial institution or insurance business. But in all companies, regardless of industry, after revenues and various costs, we have the output: Net Income.

Every element along the way, to a greater or lesser extent, inputs and outputs, contribute to the eventual result. More important, if each element represents a set of definable business objectives, then each element provides us with a specific area of potential risk. For example, a business objective like “complaints per X-thousand customers” relates to specific elements such as SGA (Sales, General and Administration Expenses), or in Insurance and Financial Services entities, in their Compliance costs as well as SGA.

Let’s add some geography

A waterfall itself is influenced by factors well beyond the flows of water. The height of the drop, the width of the flow, the internal structure of the river and terrain around it all contribute. So we need to be considering all these facets when looking at our waterfall. Certainly, we have experts internally on the type, flow and quantity of water (internal factors), but how about our understanding of the shoreline and associated geography (external factors).

Risk Identification and associated Risk Assessment need to consider all these factors, or critical risks (I must keep remembering to say “risks and opportunities”) will be missed - critical risks that have a fundamental bearing on the likelihood of the business achieving its objectives.

While the metaphor may be imperfect, it does provide a framework.

If we want to ensure that we have identified as many of the material risks as possible, then we need to look at each element of the Waterfall, and consider both the external and internal contributors to that element. In so doing, we identify the potential risks to the achievement of each of those elements.

For a manufacturing and distribution company, the cost of distribution is a material component of the Cost of Goods Sold, and therefore any risks impacting distribution should be included. Consideration of the impact of the sub-elements of distribution can be used to determine what specific risk mitigations should be put in place.

In the 2000s, a major FMCG (Fast Moving Consumer Goods) company did not adequately consider distribution costs, or more importantly, the impact of changes in fuel costs as an element of their distribution costs. When fuel costs rose, so did their distribution costs, significantly. Net Income suffered badly.

The inclusion of the potential for an external risk (increased fuel costs) occurring may have suggested the need for mitigation in the form of forward hedging of fuel costs, or hedging of rail transportation costs.


Flipping the Waterfall diagram on its side gives us an excellent tool to help identify “missed” risks. While we did not use this exact presentation, we did use the waterfall diagram a year ago, and it helped us focus on, and in some cases identify, material risks.

It also enables the people with the most knowledge of each waterfall element the opportunity to discuss their elements, the make-up and breakdown of the elements, and to confirm the associated key risks. In addition, it supports challenge and common agreement of the material risks.

In the example above, the Internal and External components of each waterfall element are listed, and discussed to confirm that the associated risks have been identified. Quantification of the materiality of the risks was a secondary task, but by using this methodology, it was easy for the participants to understand quickly how any change in one of the waterfall elements impacts the overall performance of the business.

Of course, at the core of a successful risk identification (and confirmation - this should be done at least annually) is ensuring the widest range of people are involved. This most especially includes subject matter experts on each of the elements of the waterfall, and representation from Internal Audit to ensure a common risk universe is agreed.


The result is likely to be a much better aligned assessment of risk against business objectives.



11 July 2018

Why Inherent and Residual Risk are Inadequate: What is the Appetite?

Too often the practice of internal auditing, when performing risk assessments, looks at Inherent Risk (the level of risk before any remediation) and Residual Risk (the level of risk after remediation). This is inadequate and forgets one of the most important aspects of Risk: the Risk Appetite.

Risk Appetite provides management with a view of the level and type of risk that the entity is willing to take, and the risks that the entity will pursue. Missing from the IIA’s (and others’) assessment of risk is the Target Risk level. This represents the level of risk acceptable for any individual risk based on the Risk Appetite of the entity.

The delta between Inherent Risk and Residual Risk measures only the current assessed level of control or risk. It does not provide a link to what is the acceptable level of risk (and control) for the entity. This means that Internal Audit could, in theory, report that the entity is well controlled because the Residual Risk level is accurately stated and the controls that enable that level of Residual Risk are functioning effectively.

Equally, in theory, the Residual Risk level could actually be fully in-line with the Risk Appetite, and in such a case there would be no Internal Audit findings other than “(Auditable area) appears to be well controlled with the current Residual Risk being within the Risk Appetite”.

I do say “in theory” because I have only seen one Internal Audit report in the past 35 years that did not contain findings and recommendations, even when reporting that the audited area is effectively controlled. Internal Auditors simply, almost pathologically, count the number of findings, and too few findings are seen (by the Internal Auditors) to indicate a poorly performed or ineffective Internal Auditor. For a candid discussion of the “7 deadly Internal Audit sins” I would only point you to the video from Richard Chambers, IIA President and CEO.

The concept limiting risk to Inherent and Residual is sound – IF that remediation reduces risk to within Risk Appetite.


From the IIA

The reality is that Inherent and Residual Risk scores do not cater for the situation in which the level of residual risk is inconsistent with the entity’s Risk Appetite. This is left to the Internal Auditor to attempt to determine what the control environment should include to bring it within the Risk Appetite, sometimes in the absence of a defined Risk Appetite.

In this case, we need to know what the Target Risk score is, in terms of the Risk Appetite. The most important delta then is between the Residual Risk level and the Target Risk level, not between Inherent and Residual.

Of course there is the common problem that many (most?) entities do not have a well-defined Risk Appetite, and therefore it is almost impossible to confirm that a Residual Risk position actually is within the Risk Appetite. This makes development and communication of the Risk Appetite a critical step for an entity in its journey to becoming “well controlled”.

Therefore, as the Risk Appetite frequently is either non-existent or not well communicated and understood, the probability is that the Residual Risk position will not be in line with what would be the Risk Appetite. What is needed then is to determine what management considers the “Target” risk position should be for any risk, thus creating the de-facto Risk Appetite at that particular risk level.

Then, with a Target Risk score, it is possible to clearly communicate the difference between the Residual and the Target. That difference is the Internal Audit finding, and can be used to demonstrate the need for improved or additional controls, or can be used to demonstrate that existing controls are not operating effectively.

In an ideal world the entity will have a defined Risk Appetite statement, or Target risk scores for each identified risk, therefore having a de-facto Risk Appetite at the risk level. And in such an entity, all Internal Audit findings and recommendations should demonstrate how those recommendations will enable achievement of the Target, and therefore the Risk Appetite. This will also allow management to petition an adequately senior authority to “accept” the risk or authorise resources to plug the gap.

Such “acceptance” should of course be in line with the Delegations of Risk Acceptance, but that is a topic of a different article.

01 July 2018

Risk Acceptance - the need for a Delegation of Risk Authority (DRA)

Over too many years, when pointing out a risk or situation, either management or those below them may respond with "it's okay, we've accepted that risk".

Really? Who accepted that risk, and did they have the authority to accept that much risk on behalf of the business? In too many cases the risk identified was significant, and if presented to senior management or the Board, that risk would not have been "accepted", at least not without consideration of the implications and costs of remediation or reduction of the risk.

What actually happened is that the person or people dealing with the risk have been unable to quantify or otherwise clarify the risk and potential impact, or to develop a costed and realistic plan to mitigate the risk. Because of this, they have failed to convince themselves of the severity of the risk, and therefore are unable to communicate that exposure to senior management. Having failed to communicate effectively, they fall back on "we've accepted that risk".

Too often what was missing was an actual assessment of the risk, either subjective or, where possible, quantitative. Included in such an assessment should be a definition of the existing controls and an assessment of the effectiveness of those controls.

Controls exist to provide confidence that risks are being managed. As such, on a quarterly, six-monthly or, for some, annual basis, the management owners of controls should confirm that the controls associated with risks are functioning and are effective. Evidence should then be provided that demonstrates that the controls are functioning.

Rarely is there a formal confirmation that the person responsible for the control actually has the authority to accept the associated risk.

Risk acceptance can be split into two parts:

  1. First, is the Risk Appetite appropriate for this risk? It may well be that the entity's Risk Appetite is too cautious for this type of risk, and therefore the reduction of the risk to tolerable levels will be too expensive and result in a situation of "over-control".
  2. The second factor is the authority of the person accepting the risk. While companies generally have Delegations of Financial Authority (DFAs), rarely is there a formal Delegation of Risk Authority (DRA).

To put that into a concrete example, a manager may have a financial delegation of up to $/€/£10,000. That is the level of expenditure that has been determined to be appropriate for that level or individual, without the need for additional authority. The next level up may have a delegation of $/€/£50,000. Finally, for major decisions, a Director or Board authority might be required, say for investment or programmes with a value above $/€/£1,000,000.

But how much Risk can a manager accept? 

What is missing from the picture is the Delegated Risk Authority to accept a residual risk position. All risks have an inherent level of risk and potential impact. We implement controls to reduce or manage the risks resulting in our residual or "net" risk position. Yet our residual risk position may not represent a level of risk that is acceptable to the entity within the bounds of the entity's Risk Appetite. 

Where the residual risk is above the acceptable level, either additional controls or mitigation needs to be put in place, or the residual level of risk needs to be "accepted" (which logically would alter the Risk Appetite for that particular risk). 

The question is; who has the authority to accept that residual level of risk?

My recommendation is that companies put in place a Delegation of Risk Acceptance (DRA) that mirrors their Risk Assessment levels. As most companies use, for better or worse, a Likelihood x Impact grid, that provides us with an example for the Delegation of Risk Acceptance.

When a ‘risk’ is accepted, this indicates that there is agreement that no additional actions or controls will be put in place to further reduce either the impact or the likelihood of the risk.

For example, the entity may have assessed the risk of a System Failure as "High Likelihood / High Impact" before remediation of any kind. Controls in the form of effective governance over IT systems may have brought the assessed residual level of risk down to "Medium/Medium". However, the Risk Appetite may have been stated by the Board to be "Medium (Likelihood) / Low (Impact)".

In this case, there is a disconnect between the residual risk position and the Risk Appetite, and either the residual risk must be "accepted" or additional controls must be put in place.

The "solution" is the Delegations of Risk Acceptance.

For each risk (as per the Risk Appetite and/or grid) there should be an identified level of authority to accept a residual risk position. For example, a residual risk level of High/High should only be "accepted" by the Board, while a Low/Low residual risk position may be "accepted" by a manager.

In this case, the DRA may state that residual risk positions that are "Medium" (in likelihood or impact) require acceptance at the Cxx level. In which case, for this example, the CIO should be required to "accept" the residual "Medium / Medium" position, based on an assessment of the cost and effort to bring the residual risk to the Risk Appetite level of "Medium / Low".

The key to the Delegation of Risk Acceptance is that it is linked to the difference between the actual residual risk score and the Risk Appetite. Where there is no difference, and the residual risk score equals the Risk Appetite, there is no need to "accept" the risk.
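The following is an added example, not code from the original post, that turns the DRA mechanism above (and the Residual-versus-Target delta from the July post on Risk Appetite) into a small check that can be run over a risk register. It assumes a three-level Likelihood x Impact grid, the authority mapping suggested in the post (Low/Low to a manager, any Medium to the Cxx level, High/High to the Board), and, for mixed positions the post does not state (such as High/Low), that the worse axis governs; the register entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Three-level scale assumed for this example; the post uses High/Medium/Low.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
# Ordering of acceptance authorities, lowest to highest (assumed mapping).
AUTHORITY_RANK = {"Manager": 1, "Cxx": 2, "Board": 3}


@dataclass(frozen=True)
class Score:
    """A Likelihood x Impact position on the grid, e.g. Score("Medium", "Low")."""
    likelihood: str
    impact: str

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if value not in LEVELS:
                raise ValueError(f"unknown level {value!r}")

    def exceeds(self, other: "Score") -> bool:
        """True when this position is worse than `other` on either axis."""
        return (LEVELS[self.likelihood] > LEVELS[other.likelihood]
                or LEVELS[self.impact] > LEVELS[other.impact])


def required_authority(residual: Score) -> str:
    """Who may accept a residual position under the DRA.

    Assumed mapping following the post: High/High -> Board, any Medium -> Cxx,
    Low/Low -> Manager. The worse of the two axes is taken to govern mixed
    positions such as High/Low, which the post does not spell out.
    """
    worst = max(LEVELS[residual.likelihood], LEVELS[residual.impact])
    if worst == 3:
        return "Board"
    if worst == 2:
        return "Cxx"
    return "Manager"


@dataclass(frozen=True)
class Decision:
    acceptance_required: bool
    authority: Optional[str]  # None when no acceptance is needed
    reason: str


def evaluate(name: str, residual: Score, appetite: Score) -> Decision:
    """Compare the residual position with the Risk Appetite (Target) position.

    Acceptance is needed only when residual is worse than appetite on some
    axis; a residual equal to (or better than) the appetite needs none.
    """
    if not residual.exceeds(appetite):
        return Decision(False, None,
                        f"{name}: residual within appetite, no acceptance needed")
    who = required_authority(residual)
    return Decision(True, who,
                    f"{name}: residual {residual.likelihood}/{residual.impact} "
                    f"exceeds appetite {appetite.likelihood}/{appetite.impact}; "
                    f"acceptance requires {who}")


def can_accept(role: str, decision: Decision) -> bool:
    """Does `role` hold enough delegated authority for this decision?"""
    if not decision.acceptance_required:
        return True
    return AUTHORITY_RANK[role] >= AUTHORITY_RANK[decision.authority]


# Constructed sample register: each entry records who claimed
# "we've accepted that risk".
SAMPLE_REGISTER = [
    {"name": "System Failure", "residual": Score("Medium", "Medium"),
     "appetite": Score("Medium", "Low"), "accepted_by": "Manager"},
    {"name": "Key supplier SPOF", "residual": Score("High", "Medium"),
     "appetite": Score("Medium", "Medium"), "accepted_by": "Cxx"},
    {"name": "Office access control", "residual": Score("Low", "Low"),
     "appetite": Score("Low", "Low"), "accepted_by": "Manager"},
]


def audit_register(entries) -> list:
    """Names of risks 'accepted' by someone without the delegated authority."""
    flagged = []
    for entry in entries:
        decision = evaluate(entry["name"], entry["residual"], entry["appetite"])
        if not can_accept(entry["accepted_by"], decision):
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(evaluate(entry["name"], entry["residual"], entry["appetite"]).reason)
    print("accepted outside delegated authority:", audit_register(SAMPLE_REGISTER))
```

Run against the sample register, the System Failure entry from the post is flagged because a manager accepted a Medium/Medium residual that the DRA reserves for the Cxx level.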

Has this been implemented?

Yes, though with mixed success. As with all issues of Risk Management, the quality of Board, Director and Senior Management buy-in is critical. Communication is required, and an understanding of the risk and control environment, both internal and external.

When used effectively, the DRA can ensure that risk acceptance is being taken at the right levels, or additional investment is authorised to bring the residual risk situation into line with the Risk Appetite. I have seen this accomplished, and the risk environment has been demonstrably improved.

Likewise this provides Internal Audit with an effective tool to communicate and encourage the implementation of effective controls. On the one hand, IA "empowers" the auditee to perform their risk assessment and to then gain the required investment or reallocation of resources to resolve the audit issue, or management with sufficient DRA is then able to confirm that the risk as identified by IA has been accepted at an appropriate level.