How do you embed risk at board level? NHF Board Members Conference
8th February 2014
Presented by:
Mike Morley-Fletcher
Devonshires Business Advisory Service
07876 240405
AND
Jon Sawyer
Chair, HouseMark
07976 358553
Welcome
A bit about you
• What part of the UK is your association from?
• How long have you been a Board member?
• Are you a member of your Audit (& Risk) Committee?
Who are these drivers?
Risk Management is about seizing opportunities as well as reducing risk
Danger and opportunity
Chinese definition of “risk”
Danger Opportunity
Look at upside risk as well as downside risk, seize the opportunities
“What is the reward for the risk?”
From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the 1976 Formula 1 World Championship title
Niki Lauda has met a lady he wants to impress and has been asked to drive her to the station. He drives rather sedately and she asks why he is not driving fast like an F1 driver:
Niki Lauda: “There's no need to drive fast. We're not in a hurry, we're not being paid. There is no reward for the risk. So why would I drive fast?”
Marlene Knaus: “Because I'm asking you to”.
[He speeds up and marries her shortly afterwards]
Link risk to reward
“What is the reward for the risk?”
From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the 1976 Formula 1 World Championship title
Niki Lauda argues for cancelling the 1976 German Grand Prix, due to atrocious weather conditions:
Niki Lauda: “I accept that every time I get into my car, there's a 20% chance I could die …. and I can live with that. But not 1% more! And today, with the rain, the risk is more”.
[They raced, he crashed and almost died]
Know your risk appetite
Agenda
1) the regulator’s latest views on risk
2) how your board should be covering risk at board meetings
3) identifying new risks and managing them
The challenge? How to make risk management less a wearisome compliance exercise and more a winning competency?
1) Regulator’s view on risk?
• Governance standards
• Regulator expects?
• Plus, skills & experience needed
The challenge? How do you provide sufficient assurance to the Regulator?
Governance standards
• UK Corp Gov Code = “determine the nature and extent of significant risks it is willing to take in achieving its strategic objectives”
• HCA’s Governance Standard = “have an effective risk management and internal controls assurance framework”
• High level of expectation, to:
  • Set direction of risk, and of risk appetite
  • Ask challenging questions of risks and RM process
  • Gather assurance to confirm
Regulator expects?
• a co-regulatory approach
  • RPs manage organisation and risks
  • HCA seeks assurance RP understands risks and provides governance and viability rating
• RP demonstrate proficiency by showing:
  • structured approach, process to identify, assess & manage risks
  • utilisation of risk management in key decision making
  • protecting assets, ‘ring fencing’
  • stress testing of business plans, worst case scenario, ‘living wills’
  • platform for review and open ‘critical challenge’
• Evidence:
  • evidence of board decisions and timely/ appropriate assurance
• If not,
  • reflect in published judgements and ratings
  • may offer support, work with (if show willing and able)
  • if not, intervene using regulatory, enforcement & general powers.
Plus skills & experience needed?
• Not = RM specialist, micro-managing process and risks
• Yes = practical, working knowledge of RM
• Attributes =
  • independence
  • external perspective
  • relevant sector experience
  • ability to challenge constructively
Plus, collective responsibility vs use of Audit (Risk) Committee
2) Board cover risks?
• Risk Map
• Risk Appetite
• Risk dashboard
The challenge? How do you make presentation and discussion of risk more valuable to the Board and the Association?
Risk Map – what is the risk? what should it be?

RISK MAP (net risk)
Rows: IMPACT (max pa). Columns: LIKELIHOOD (over Business Plan period).

IMPACT (max pa)               | 1) Remote (< 10%) | 2) Possible (10 - 50%) | 3) Probable (50 - 80%) | 4) Likely (> 80%)
4) critical (> £200k)         | (g) high          | (d) high               | (b) critical           | (a) critical
3) serious (£100 – 200k)      | (k) medium        | (h) medium             | (e) high               | (c) critical
2) moderate (£50 – 100k)      | (n) low           | (l) medium             | (i) medium             | (f) high
1) manageable (< £50k)        | (p) v.low         | (o) low                | (m) medium             | (j) medium

Markers plotted on the map:
G = Gross exposure, before controls
N = Net exposure, after controls
T = Target exposure, after further actions

IMPACT Criteria
Score | Description | Relative % | Actual (eg, on a Surplus of £1m)
4     | Critical    | > 20%      | > £200K
3     | Serious     | 10 - 20%   | £100 – 200k
2     | Moderate    | 5 – 10%    | £50 – 100k
1     | Manageable  | 0 - 5%     | < £50k

LIKELIHOOD Criteria
Score | Description | Likelihood
4     | Likely      | > 80%
3     | Probable    | 50 - 80%
2     | Possible    | 10 – 50%
1     | Remote      | 0 - 10%
Risk Appetite: what is it?
How much risk are you willing to take?
How much risk are you willing to tolerate?
Key to risk taking: “Tipping point”, calibrates risk management
• Shows the ‘tipping point’, the difference between right and wrong
• Calibrates decision making, ‘how much risk to get how much reward?’
• Sets level of Delegation of Authorities
• Can be used to communicate and monitor acceptable levels of risk taking
• Challenges right level of reward and control (including the cost of control)
• Board responsibility and renewed focus for regulators
Monitoring Risk Appetite
(Chart: Value (£) against Time, with lines for Risk Indicator, Risk Tolerance and Risk Appetite)
Risk Appetite: how to determine it?

Board’s Risk Attitude scale
Risk Attitude          | RISK AVERSE          | CAUTIOUS           | BALANCED          | OPPORTUNISTIC      | ENTREPRENEURIAL
Characteristics        | Minimal/ 0 tolerance | Cautious tolerance | Balanced attitude | Enquiring appetite | Hungry appetite
% variance of outcomes | < 1%                 | 1 – 2.5%           | 2.5 – 5%          | 5 – 10%            | > 10%
Illustrative examples (in the order shown on the slide): Corporate reputation; Safety; Trading; Asset investment; Operations 3rd party negotiations; Customer capture; New investments; Internet strategy

Board’s Risk Attitude Statement (an example)
Risk attitude: 1 = Minimal tolerance | 2 = Cautious tolerance | 3 = Balanced | 4 = Some appetite | 5 = Strong appetite
Value drivers:
• Resident/ tenant feedback
• Surplus volatility
• Capital requirement
• Reputation
• Credit rating
• Regulatory standing

Management’s Risk Tolerance, using Key Risk Indicators
Board sets general direction. Management responds with specific risk tolerances.
Policies
Risk Dashboard – the theory
Measuring and monitoring risks as part of performance dashboard
– We do it for our cars, why not for our businesses?
– To go faster, further and more safely
(Figure labels: KPI, KRI, KCI; speed camera detector: KRI)
Risk Dashboard – the practice
Transport operator: real time risk information integrated with performance information

KEY RISK INDICATORS for Period 6
Strategic Objective      | Key Risk Indicator        | Target        | Actual        | Variance  | Prior period  | YTD trend
1) SERVICE DEMAND        | passenger journeys        | 219m          | 205m          | -14m      | 206           |
2) SUPPLY                | % trains operated at peak | 95.2%         | 95.0%         | -0.2%     | 94.7%         |
3) RELIABILITY           | on time (per index)       | 83.6          | 77.4          | -6.2      | 82.6          |
4) SAFETY                | injuries                  | 60            | 58            | 2         | 59            |
5) CUSTOMER SATISFACTION | "recommend"               | 78.3%         | 76.8%         | -1.5%     | 79.3%         |
6) PEOPLE                | no. of staff              | 22,487        | 22,250        | -237      | 22,123        |
                         | absence                   | 1 day         | 0.96 day      | -0.04 day | 1.1 days      |
7) KEY INITIATIVES       | PM status                 | 80% on target | 77% on target | -3%       | 60% on target |
Key: Better than/ equal to target | Within 5% of target | 5% or more off target
3) What new risks are emerging?
• Internal risks
• External risks
The challenge? How do you spot new, emerging ones? How do you manage them?
Possible new, emerging risks
External
- Public sector reorganisation
- Change in political direction in 2015
- More frequent extreme weather (maintenance, catastrophe)
- Pandemic (staffing, service capability)
Internal
- Changing housing needs (demographics, social/ ethnic groups)
- Increasing tenant expectations (quality and variety)
- Availability of land space, potential for innovative solutions
- Changes impacting brand/ reputation
What does this mean to you as a Board member?
Some thoughts
- Get the risk culture right
- Honestly weigh up the risk & the reward
- Honestly weigh up the risk of doing something & the risk of not doing it
- Carefully consider the impact of more than one adverse impact
- Assurance = data
- Use your instincts
- Responsibility for risk begins and ends with the Board
The answer?
Niki Lauda, F1 champion 1975, 1977, 1984
James Hunt, F1 champion 1976
Risk Management, a winning competency?
Use it to gain a competitive advantage & help with reassuring the Regulator