2 October 2016 – Malta Helping to Frame the Board’s Risk Conversation A Profession in Transformation John Hurrell and Julia Graham
www.airmic.com
The Association for those responsible for risk management and / or insurance in their organisations
1200 members in 450 companies generally with turnover in excess of £1bn
Extensive research programme into risk related issues
The Way Ahead
Leadership needs to think the unthinkable
Ineffective
Complacent
Striving
Strong culture of trust and respect
Board and management challenge each other
Chairs run meetings well
Feedback
Conduct regular evaluations
Chairs ask for input after each meeting
Risk managers need to be equipped and positioned to support the Board
Member Survey 2016 findings
For the first time, the top two risks are associated with cyber
Lower levels of confidence for less ‘traditional’ risks
Risk management not fully integrated with wider business units
Risk education not fully integrated within the organisation
Budget constraints
Risk culture not embedded within organisation
Risk management not integrated with strategy
Risk management team better access to the Board
The focus on risk has never been greater
Airmic member views
Most risk failures are directly or indirectly a consequence of inappropriate behaviours.
Effective risk governance is achieved through the promotion of effective cultures and behaviours.
Good behaviour and culture are key factors in the successful delivery of the purpose and objectives of an organisation and the creation of value.
Culture and Behaviour – Airmic research findings
Why did companies fail?
Lack of board skill and NED control
Board risk blindness
Leadership failures
Poor communications
Organisational and risk complexity
Inappropriate incentives
Risk management ‘Glass Ceiling’
‘Roads to Ruin’
‘Roads to Resilience’
1. Exceptional Risk Radar
2. Flexible and diverse resources and assets
3. Strong relationships and networks
4. Rapid response capability
5. Constant review and adaptation
Why do companies succeed?
Exceptional Risk Radar
Everyone is responsible
Constant vigilance
Complacency engineered out
Constant questioning and challenge
Communication critical
Flexible and Diverse Resources and Assets
Actively managed dependencies
Active networks with ability to switch rapidly
Availability of crisis management expertise
Strong Relationships and Networks
Shared common purpose
No blame culture – (“fix the problem”)
Flatter Structures
Engaged leaders
Rapid Response Capability
Quick and appropriate action
Defined processes and teams
Ability to identify appropriate resources quickly
Rehearsing and practising
Constant Review and Adaptation
Investigation through scenario analysis
Learning as a core value
Near misses must be communicated
Active and transparent responses
Risk Responsive Roads to Resilience
Roads to Ruin Risk Compliant
Respond, Recover, Review
Prevent, Protect & Prepare
• It’s all about behaviour and risk culture ….
Why do so many companies appear unprepared and unresponsive when the crisis hits?
Risk Governance perceptions – Before the crisis
The reality - After the crisis
Black Swans
Black Swans represent 'unknown unknowns'
As such, how can you plan for them?
But our research shows that you do not need to
It's not Black Swans which are the biggest threat!
Grey Rhinos represent ‘known unknowns'
You can plan for them
Highly probable, high impact neglected threats
Warnings and visible evidence but leaders fail to address obvious dangers
Acting in time can make a situation better or keep a crisis from deteriorating
But it’s not Black Swans or Grey Rhinos that are the biggest threat, it’s ............
It's Black Elephants!
It’s the Black Elephant
The Black Elephant was always in the (board) room
But nobody saw it!
Or if they did, they chose to ignore it
But this Black Elephant has been visible to many within organisations
And obvious to all once the crisis had hit!
Most risk failures are directly or indirectly a consequence of inappropriate behaviours
Effective risk governance is achieved through the promotion of effective cultures and behaviours
Culture is in the spotlight
The UK Corporate Governance Code 2014 sets out explicit responsibilities for risk management and internal controls
Guidance includes specific reference to risk culture and assurance – to ensure that an appropriate culture is embedded throughout the organisation, including embedding risk considerations into reward systems
Drivers of risk culture
Managing risk culture is a cyclical process
When organisations get into trouble, fixing the culture is usually the ‘cure’
… but culture isn’t something you fix
Cultural change is what you get after you’ve learned lessons and implemented them
Culture is not the culprit – it’s about people
Source: Lausanne University 2016
Beware of Board risk blindness and complacency
Research indicates that there can be a gap between perception and reality
Boards report high confidence levels on a range of subjects
Yet rarely discuss some of them in depth ...
Integrated process across all departments, functions and levels
Integrated with the business model, strategic decision making and planning
Appropriate performance reward structures in place
Monitoring process including annual effectiveness review in place
Educated and informed people across the organisation
Educated and informed stakeholders
Peer to peer team working
Proactive and insightful professionals
Future gazing skills
Educated and informed risk leaders
Roadmap to the new risk leadership
Key findings
Digital – a great change driver
Data – the great differentiator
Innovators and futurists – forward looking
Expanding the range of expertise – imperative
Professionalism – key to cementing hard-earned influences imperative
Make friends in the right places – business and governance
Do not seek to become an expert in everything – look internally and externally for the best advice
Become a storyteller – encourage risk thinking
Communicate with knowledge and confidence – this will help to drive influence at all levels
Understand the power of data analytics – and how this can be integrated into existing risk management practices
Develop techniques like horizon scanning and scenario analysis
Use a common language for business and data – avoid jargon
The role of the risk manager is transforming
Priorities for the next generation of risk managers
The Changing Role of the Risk Manager: ACE 2015
Thank you for your attention
WWW.FERMA.EU