Wednesday, 14 March 2018
In my spare time, I like to read about current affairs. I have an interest in Brexit and its resulting economic impact which I covered well before the referendum here. My current reading list is here. My interests include the Middle East, and it was with that in mind that I picked up a book by the late Shimon Peres, former President of the State of Israel, which he completed just before he passed away in September 2016. He also served as Finance Minister when hyperinflation was one of the main features of the economy and initiated a bold programme that tamed inflation successfully.
I found the title of the book, No Room for Small Dreams, a bit puzzling. I guess I did not expect a book title that reflects on someone’s achievements to start with ‘no’. In any case, the book was quite interesting, articulating Peres’s role in some of the policy challenges of the State of Israel. However, I can never stray too far from my professional interests, and I found that the book included a good many observations relevant to the practice of risk management.
The first observation is that often, not taking a risk is a risk in itself.
So many times in our lives, we struggle to confidently leap forward, averse to the possibility that we will fall flat. Yet this fear of taking risks can be the greatest risk of all.
People in risk and compliance functions should bear this in mind when they advise against a course of action. However, if you want to take risks or are implementing regulatory risk requirements, you will need to consider meaningful options:
I’d come to believe that when you have two alternatives, the first thing you must do is look for a third—the one you did not think of, that doesn’t yet exist.
I learned about the virtue of imagination and the power of creative decision making. ... We were quick and creative, and boldly ambitious, and in that we found our reward.
The challenge is really about options being meaningful. That is not straightforward and requires consistent support from leadership:
“We have to use our imagination and examine any idea, as crazy as it may seem,” I insisted to those assembled. “I want to hear the plans you have.” “We have no plans,” responded one. “Then I want to hear the plans you don’t have,” I replied.
If leaders demand allegiance without encouraging creativity and outside inspiration, the odds of failure vastly increase. … [W]ithout emboldening people to envisage the unlikely, we increase risk rather than diminish it.
Interestingly, it is Peres’ view that leadership also has an obligation to understand the technical details of the subject matter.
I felt it essential to gain a degree of mastery in the science that would be driving the project. In previous endeavours, I have come to understand that in addition to a clear vision and strategy, true leadership requires intricate knowledge—a facility with the granular details of every aspect of the mission.
And finally, a word of caution about learning too much from failures:
It is only after we see failure that we can know if we misjudged the risk. ... But one must avoid the temptation to overlearn specific tactical lessons born out of failure or success. … This is one of the hardest things for some leaders to understand: a decision can be right even if it leads to failure.
This is something that I have covered here. It is not an easy perspective for politicians and business leaders, though I’d like to think that this is where governance might prove itself valuable.
Monday, 5 March 2018
I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.
By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.
The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:
- the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
- the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc) and aggregate risks.
Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.
I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.
Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:
- internal audit functions already provide assurance about the overall control environment;
- from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.
In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.
I would be interested to hear your thoughts.
If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.