Don’t take this any more
This book puts on record some unpleasant truths about organisations and their current standards of managing risk based on your authors’ experiences as risk professionals since the early 1990s. In the words of Howard Beale in the 1976 movie “Network”, we’re “as mad as hell and we’re not going to take this anymore”. We’re not asking you to stick your head out of the window and shout it out, but hopefully a small but critical number of board members, audit and risk committee members or CEOs will demand an audience with their risk manager and genuinely probe how much trust they should put in their organisation’s risk management framework. Why would you bother? … Let us explain.
The nonsense spoken and the resultant waste of resources that occurs in the name of risk management in organisations around the world is mind-blowing, and our experience, including the occasional candid conversation with a worried director or executive, tells us that much of executive management already knows this. However, as with the naked emperor, they are reticent to speak out because no one else seems to notice, and anyway, what would they do if risk management really is worthless? There are stock exchange expectations and regulations on risk management; we can’t just opt out!
Battling risk bandits
Your authors are putting our experiences on record now to help equip you to recognise the potentially critical weaknesses in your organisation’s risk management process and the risk bandits who consistently fail to address them. If you are at the top of your organisation, you didn’t get there without making important decisions so you will be well equipped to make a call on risk management effectiveness after reading this book. However, to cut to the chase, the simple, painful but inescapable truth is that we can’t just go out and buy good organisational risk management in a box no matter how much we’d like to. The components of a good system are explained in this book in order to allow you to make risk management work for your organisation … but only if you give a damn in the first place.
This would have been a brave book for your authors to write a few years ago because our careers may well have been cut short as a consequence. However, to retain our credibility with readers we must concede there is little bravery involved in writing this book now because with some talent, even more luck and the minimum of banditry we’ve reached a point in our careers where we enjoy the great luxury of working for whom the hell we want to. In regard to our credentials for building this paper pulpit, we have learned that neither of us could have done it alone but together we constitute one hell of a risk guru.
Our guess is that many of our readers will conclude that much of what we say is true but that it doesn’t apply to their organisation. We would remind such readers that in the last decade or so, the first initials of the listed companies that have identified blatantly high risks, concluded that their defences are fine and moved confidently unprepared into the perfect storm, would fill more than an alphabet. Try it for yourself; we’ll start you off with AIG and complete the alphabet with Zavvi. Our guess is you won’t even slow up until you reach the letter X. We suspect that every one of them would have spoken proudly of their risk management capacity if asked in the months preceding their downfall.
Oh, a reality check at this juncture: good risk management can’t fix all of the challenges that an organisation faces. The best risk manager in the world, assisted by Merlin the Magician and Glinda the Good Witch of the South (perhaps not so much reality after all), couldn’t have avoided the infamous financial disasters of the early 21st century in organisations with a moral void at the executive level.
Director discomfort
If directors’ understanding of financial statements were on the same level as their understanding of organisation risk management, share trading would have become extinct decades ago. Analysts can look at a balance sheet and reasonably assume it is professionally prepared to a strict and proven formula, the numbers within it are supportable by credible data, and that it is consequently auditable. Pick on any aspect and seek demonstration of accuracy and there will be a trail that can be followed. Valuations are carefully applied and all transactions are accounted for. All values will be aggregated to defined outcomes like total assets and shareholders’ funds. This is not to say that the resulting conclusions are never contested, but that they are based on a transparent process that provides a basis for reasoned argument.
Organisation risk profiles are, however, supported by risk registers, most commonly in the form of a simple descriptive spreadsheet, completed by people with no prescribed professional qualification and with no ability to follow any trail other than to determine whether a bunch of people sat down in a room and actually said what has been recorded. There is no control over the way the risk events across an organisation are broken down and as a result duplication and omission are rife. The data, irrespective of how it was generated, can only be aggregated to a trite organisational output that offers little as a basis for meaningful executive management or board review. It’s probably more reassuring for investors to conclude no one really looks at such risk registers because it would be considerably more worrying to think someone at a senior level actually found them plausible.
Of course, directors will dutifully partake in the truckload of training recommended by their professional association but most will exit the training knowing a lot more about the consequences of getting risk wrong (paranoid) than about how to manage it (empowered). This is not a useful state in a world where promising returns rarely arrive without substantial risk as their travelling companion.
Some directors may calm themselves by placing their trust in executive management and the apparent compliance with standards. If so, such individuals should prepare for a shock as they read on.
Spotting risk bandits
For the moment let us move the focus from those that have the oversight of risk management to those who implement the process. When we talk of ‘risk bandits’, we refer to risk professionals who take their organisation’s pay cheque or consulting fee and deliver little return to investors for their services. They’re less akin to bank robbers (too much risk in that) and more akin to confidence tricksters, although not in receipt of personal gain other than their ego and remuneration.
Sadly, whilst some bandits know full well they’re peddling snake oil, many actually think they’re doing something meaningful. They come into a room full of people, ‘solve’ anything from a score to a hundred complex risk scenarios in a day and leave the room genuinely thinking they’ve done a great job. We regard even those deluded souls as bandits, because ignorance is no excuse in the eyes of corporate law.