Mastering 21st Century Enterprise Risk Management - Firing Dated Practices | The Best Practice of ERM | Implementation Secrets


by: Gregory M. Carroll

BookBaby, 2013

ISBN: 9781483510446, 92 pages

Format: ePUB

Copy protection: DRM

Windows PC, Mac OSX for all DRM-capable eReaders, Apple iPad, Android tablet PCs, Apple iPod touch, iPhone and Android smartphones

Price: 11,89 EUR


Part I. Learning from the Past: Firing Failed Risk Practices

What do I mean by "failed"? By "failed" I mean that risk management has failed to deliver the promised benefits. Outside the governance, risk, and compliance (GRC) fraternity, most senior executives will agree that risk management is at best an evil necessity, at worst a bureaucratic waste of time, but most likely just another failed management fad. In the same way that a weed is a plant in the wrong place, a management fad is a strategy poorly implemented. Unfortunately, when it comes to the current perception of risk management, many of those working in GRC have their heads in the sand. Instead of debating the furnishing fabrics while the house is burning, or believing we can fix it if we work harder, I believe we need to reassess our approach to risk management.

Case in point: Ford Australia closure

Ford has been an iconic brand in Australia for nearly 100 years. Supporter rivalry of Ford vs. GM was the stuff of legends, the automotive equivalent to Liverpool vs. Manchester United fans. No other product could dream of this level of consumer advocacy.

In the 1970s Ford produced the ultimate “muscle car” -- still talked about today -- and its luxury models were used as limos for visiting heads of state.

Ford Motor Company management claims it is no longer economical to manufacture in Australia due to the high labour costs. However, German manufacturers including BMW, Mercedes, Audi and Volkswagen somehow seem to be able to compete. All face similar labour costs, environmental controls, and taxes. So maybe there's something else going on at Ford.

Writing about Ford's decision in The Australian, Maurice Newman argues that government needs to "work urgently to restore our international competitiveness." He writes, "...why invest billions in modernising? The decision to shut down in October 2016 was the only rational one."

In my opinion, the fault can be firmly placed at the feet of Ford's management. The purpose of management is to cater to the push and pull of the business environment and ensure not only survival but also growth.

When management sleeps on the job

Of course, Ford didn't jump straight from dominance to closing up shop. Ford “slipped” from selling 84,000 vehicles in Australia in 2003 to only 14,000 in 2012. I think free-fall is a more apt description. An 83 percent drop in sales?

Has management at Ford been asleep the last 10 years? There is a dire lesson in this for anyone in business. Look at Ford worldwide. Ford Focus is one of the top selling cars in Europe, while the Ford F150 is one of the biggest selling pickups in the US. On top of this, Ford had a well-publicized enterprise risk management framework. Since 4 cylinder compacts and 4-wheel drive vehicles account for up to 80% of the Australian market, how could Ford Australia become “no longer economical”?

Death by 1,000 cuts

In my opinion, Ford’s product is stuck in the ‘80s. Marketing is non-existent. Customer service is laissez faire. But where were Ford’s executives, and should they have acted? They had 10 years, and that's the key. Ford suffered death by 1,000 cuts. Too many managers accepted poor results as being out of their control. They kept using last year's results to budget for next year, which only breeds decreasing performance. Those approaches, along with cost cutting to shore up the dwindling bottom line, may feed executive short term bonuses but lock in long term failure.

Simple good governance consists of proactive risk management plans with mitigation strategies, not charts. Proactive risk management is about planning for the future not reporting the past.

Customer feedback, like risk, must be tied to hard corporate objectives, not soft feel-good values. Product development must be oriented to advancing customer expectations, not cost cutting.

Marketing must be aimed at developing the market, not merely beating last year's results. Good governance should no longer be considered a luxury enjoyed by large profitable companies but a survival skill for all businesses.

The greatest threat to your business is mediocrity. Mediocre management is easily identified by their contempt for compliance and risk management. They prefer frenetic activity (a.k.a. fire fighting) to prevention and planning.

Risk managers must lift their game or risk seeing risk management consigned to the trash heap of management fads.

Why 20th century risk management failed

Who says current risk management practices are failing? I believe risk management practices are failing based on 30 years’ experience working in areas where risk really matters, including Department of Defence, Motorola and Victorian Infectious Diseases Reference Laboratory. However, this belief was reinforced at the 2013 15th OpRisk Europe conference [6].

At the conference in London this year, several speakers raised concerns about the adequacy of current operational risk models, with the key finding “that the risk management landscape has vastly changed over the last 10 years, and Op Risk models need to keep pace”.

For those not used to the term, OpRisk (operational risk) is the area of risk around the internal operations of a business, predominantly dealing with people and systems. Why am I referring to OpRisk when the topic is enterprise risk management? Because when most people talk of enterprise risk management today, they are really referring to operational risk. I will have more to say on enterprise risk management systems later on in the chapter titled “Enterprise risk management systems that aren’t.”

In addition, Operational Risk Modelling Frameworks, a 2013 research report [7] from Milliman, one of the world’s leading actuarial and risk consulting firms, found:

1. That operational risk is a major cause of organisational failure and erosion of shareholder value [8].

2. Basic indicators and standard formula approaches are a simple but, ultimately, very blunt tool.

3. There is a wide divergence of regulatory maturity levels for operational risk across regions, countries, industries and companies.

This is a pretty damning picture of the current state of operational risk as practiced globally.

Not enough?

A survey [9] of more than 1,000 C-level executives worldwide by KPMG International, "Expectations of Risk Management Outpacing Capabilities - It’s Time For Action," was conducted by the Economist Intelligence Unit. It found:

1. Most don’t have a consistent way of assessing risk.

2. 20% say there is no process to develop and aggregate risk.

3. 38% rely on a self-assessment by the business units.

4. And half have difficulties in knowing their enterprise-wide risk exposure.

“It’s a case of outdated thinking being applied to a new world economy,” said Michael J. Nolan, KPMG International Global Leader for Risk Consulting. He added, “corporations have to rethink their approach to risk from every aspect of their business.”

How did it come to this!?

Risk management, as practiced by most through the latter 20th century and still today, was:

• Over promised

• Incorrectly structured

• Inaccurately implemented, and

• Inappropriately focused

The result rendered it ineffective. Most of this stems from a plethora of mediocre management and consultants jumping on the bandwagon while not understanding the subject matter or framework.

Over-promised

Chaos & expectations

False promises have been peddled by some of the less experienced risk management professionals in the field, such as claiming that risk management could predict the future. These same professionals have fed a widespread disillusionment with risk management.

Risk management cannot predict the future! Given all the elaborate risk management models major banks and finance houses around the world were running in 2007, nearly all failed to predict the global financial crisis. All aspects of life, including business, are controlled by three laws:

* The Second Law of Thermodynamics - things tend to get worse

* The Uncertainty Principle - you can’t tell when

* Chaos Theory - you can’t predict the weather (but you can take an umbrella)

The Butterfly Effect

Contrary to popular belief, chaos is not random. Rather, chaos is the variable outcomes in a deterministic system due to minor aberrations within the system. That is, given a specific starting point and identical environment and path, you can predict the result.

However, the real world and the Uncertainty Principle prevent one from having a specific starting point and identical environment and path. There will always be slight differences, and those differences can produce vastly differing results. A high-pressure system will always give way to a cold front which will have strong winds in front of it and heavy rain behind, but we still can’t predict the weather.

Chaos Theory is commonly referred to as the Butterfly Effect, where theoretically the air displacement from a butterfly beating its wings in the Amazon rainforest can cause a compounding series of events that result in a cyclone in another part of the world. It can’t, and I know they call it a typhoon, but it’s a good metaphor.

Chaos can best be represented by a Lorenz attractor diagram, which uncannily looks...