How do you embed risk at board level? NHF Board Members Conference

8th February 2014

Presented by:

Mike Morley-Fletcher

Devonshires Business Advisory Service

mike.morley-fletcher@devonshiresbas.co.uk

07876 240405

AND

Jon Sawyer

Chair, HouseMark

jon@.co.uk

07976 358553

• What part of the UK is your

association from?

• How long have you been a

Board member?

• Are you a member of your

Audit (& Risk) Committee?

A bit

about

you

Welcome

Who are these drivers?

Who are these drivers?

Risk Management is

about seizing

opportunities as well

as reducing risk

Danger and opportunity

Chinese definition of “risk”

Danger Opportunity

Danger and opportunity

Chinese definition of “risk”

Danger Opportunity

Look at

upside risk

as well as

downside

risk,

seize the

opportunities

“What is the reward for the risk?”

From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the

1976 Formula 1 World Championship title ………………..

Niki Lauda has met a lady he wants to

impress and has been asked to drive

her to the station. He drives rather

sedately and she asks why is he not

driving fast like a F1 driver:

Niki Lauda: “There's no need to drive

fast. We're not in a hurry, we're not

being paid. There is no reward for the

risk. So why would I drive fast?”

Marlene Knaus: “Because I'm asking

you to”.

[He speeds up and

marries her shortly afterwards]

“What is the reward for the risk?”

From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the

1976 Formula 1 World Championship title ………………..

Niki Lauda has met a lady he wants to

impress and has been asked to drive

her to the station. He drives rather

sedately and she asks why is he not

driving fast like a F1 driver:

Niki Lauda: “There's no need to drive

fast. We're not in a hurry, we're not

being paid. There is no reward for the

risk. So why would I drive fast?”

Marlene Knaus: “Because I'm asking

you to”.

[He speeds up and

marries her shortly afterwards]

“What is the reward for the risk?”

From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the

1976 Formula 1 World Championship title ………………..

Link

risk to

reward

Niki Lauda has met a lady he wants to

impress and has been asked to drive

her to the station. He drives rather

sedately and she asks why is he not

driving fast like a F1 driver:

Niki Lauda: “There's no need to drive

fast. We're not in a hurry, we're not

being paid. There is no reward for the

risk. So why would I drive fast?”

Marlene Knaus: “Because I'm asking

you to”.

[He speeds up and

marries her shortly afterwards]

“What is the reward for the risk?”

Niki Lauda argues for cancelling the

1976 German Grand Prix, due to

atrocious weather conditions:

Niki Lauda: “I accept that every time I

get into my car, there's a 20% chance I

could die …. and I can live with that.

But not 1% more! And today, with the

rain, the risk is more”.

[They raced, he crashed

and almost dies]

From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the

1976 Formula 1 World Championship title ………………..

Link

risk to

reward

Niki Lauda has met a lady he wants to

impress and has been asked to drive

her to the station. He drives rather

sedately and she asks why is he not

driving fast like a F1 driver:

Niki Lauda: “There's no need to drive

fast. We're not in a hurry, we're not

being paid. There is no reward for the

risk. So why would I drive fast?”

Marlene Knaus: “Because I'm asking

you to”.

[He speeds up and

marries her shortly afterwards]

“What is the reward for the risk?”

Niki Lauda argues for cancelling the

1976 German Grand Prix, due to

atrocious weather conditions:

Niki Lauda: “I accept that every time I

get into my car, there's a 20% chance I

could die …. and I can live with that.

But not 1% more! And today, with the

rain, the risk is more”.

[They raced, he crashed

and almost dies]

From the 2013 film, Rush, about James Hunt and Niki Lauda’s rivalry for the

1976 Formula 1 World Championship title ………………..

Link

risk to

reward

Know

your risk

appetite

1) the regulator’s latest views

on risk

2) how your board should be

covering risk at board

meetings

3) identifying new risks and

managing them

The challenge?

How to make

risk

management

less a

wearisome

compliance

exercise

and more

a winning

competency?

Agenda

Governance standards

Regulator expects?

Plus, skills &

experience needed

The

challenge?

How do you

provide

sufficient

assurance to

the

Regulator?

1) Regulator’s view on risk?

Governance standards

• UK Corp Gov Code = • “determine the nature and extent of significant risks it

is willing to take in achieving its strategic objectives”

• HCA’s Governance Standard = • “have an effective risk management and internal

controls assurance framework”

Governance standards

• UK Corp Gov Code = • “determine the nature and extent of significant risks it

is willing to take in achieving its strategic objectives”

• HCA’s Governance Standard = • “have an effective risk management and internal

controls assurance framework”

• High level of expectation, to • Set direction of risk, and of risk appetite

• Ask challenging questions of risks and RM process

• Gather assurance to confirm

Regulator expects?

• a co-regulatory approach • RPs manage organisation and risks

• HCA seeks assurance RP understands risks and provides governance and viability rating

• RP demonstrate proficiency by showing: • structured approach, process to identify, assess & manage risks

• utilisation of risk management in key decision making

• protecting assets, ‘ring fencing’

• stress testing of business plans, worst case scenario, ‘living wills’

• platform for review and open ‘critical challenge’

• Evidence:

• evidence of board decisions and timely/ appropriate assurance

Regulator expects?

• a co-regulatory approach • RPs manage organisation and risks

• HCA seeks assurance RP understands risks and provides governance and viability rating

• RP demonstrate proficiency by showing: • structured approach, process to identify, assess & manage risks

• utilisation of risk management in key decision making

• protecting assets, ‘ring fencing’

• stress testing of business plans, worst case scenario, ‘living wills’

• platform for review and open ‘critical challenge’

• Evidence: • evidence of board decisions and timely/ appropriate assurance

• If not, • reflect in published judgements and ratings

• may offer support, work with (if show willing and able)

• if not, intervene using regulatory, enforcement & general powers.

Plus skills & experience needed?

• Not = RM specialist, micro-managing process and risks

• Yes = practical, working knowledge of RM

Plus skills & experience needed?

• Not = RM specialist, micro-managing process and risks

• Attributes = • independence

• external perspective

• relevant sector experience

• ability to challenge constructively

• Yes = practical, working knowledge of RM

Plus,

Plus skills & experience needed?

• Not = RM specialist, micro-managing process and risks

• Attributes = • independence

• external perspective

• relevant sector experience

• ability to challenge constructively

• Yes = practical, working knowledge of RM

Plus,

Collectively responsibility vs

use of Audit (Risk) Committee

Risk Map

Risk Appetite

Risk dashboard

The challenge?

How do you

make

presentation

and discussion

of risk more

valuable to the

Board and the

Association?

2) Board cover risks?

LIKELIHOOD (over Business Plan period)

IMP

AC

T (

max p

a)

4) critical

1) manageable

2) moderate

( £ 50 – 100k)

3) serious

(g) high (d) high (b) critical (a) critical

(k) medium (h) medium (e) high (c) critical

(n) low (l) medium (i) medium (f) high

(p) v.low (o) low (m) medium (j) medium

1) Remote (< 10%) 2) Possible (10 - 50%) 4) Likely (> 80%) 3) Probable (50 - 80%)

(< £ 50k)

( £ 100 – 200k)

(> £ 200k)

RISK MAP (net risk)

Risk Map – what is the risk?

what should it be?

LIKELIHOOD (over Business Plan period)

IMP

AC

T (

max p

a)

4) critical

1) manageable

2) moderate

( £ 50 – 100k)

3) serious

(g) high (d) high (b) critical (a) critical

(k) medium (h) medium (e) high (c) critical

(n) low (l) medium (i) medium (f) high

(p) v.low (o) low (m) medium (j) medium

1) Remote (< 10%) 2) Possible (10 - 50%) 4) Likely (> 80%) 3) Probable (50 - 80%)

(< £ 50k)

( £ 100 – 200k)

(> £ 200k)

RISK MAP (net risk) G

N

T

= Gross exposure, before controls

= Net exposure, after controls

= Target exposure, after further actions

Risk Map – what is the risk?

what should it be?

Score Description Relative %

Actual (eg, on a Surplus of £1m)

4 Critical > 20% > £200K

3 Serious 10 - 20% £100 – 200k

2 Moderate 5 – 10% £50 – 100k

1 Manageable 0 - 5% < £50k

Score

Description Likelihood

4 Likely > 80%

3 Probable 50 - 80%

2 Possible 10 – 50%

1 Remote 0 - 10%

IMPACT Criteria

LIKELIHOOD Criteria

LIKELIHOOD (over Business Plan period)

IMP

AC

T (

max p

a)

4) critical

1) manageable

2) moderate

( £ 50 – 100k)

3) serious

(g) high (d) high (b) critical (a) critical

(k) medium (h) medium (e) high (c) critical

(n) low (l) medium (i) medium (f) high

(p) v.low (o) low (m) medium (j) medium

1) Remote (< 10%) 2) Possible (10 - 50%) 4) Likely (> 80%) 3) Probable (50 - 80%)

(< £ 50k)

( £ 100 – 200k)

(> £ 200k)

RISK MAP (net risk)

G

N

G

N

T

= Gross exposure, before controls

= Net exposure, after controls

= Target exposure, after further actions

Risk Map – what is the risk?

what should it be?

Score Description Relative %

Actual (eg, on a Surplus of £1m)

4 Critical > 20% > £200K

3 Serious 10 - 20% £100 – 200k

2 Moderate 5 – 10% £50 – 100k

1 Manageable 0 - 5% < £50k

Score

Description Likelihood

4 Likely > 80%

3 Probable 50 - 80%

2 Possible 10 – 50%

1 Remote 0 - 10%

IMPACT Criteria

LIKELIHOOD Criteria

LIKELIHOOD (over Business Plan period)

IMP

AC

T (

max p

a)

4) critical

1) manageable

2) moderate

( £ 50 – 100k)

3) serious

(g) high (d) high (b) critical (a) critical

(k) medium (h) medium (e) high (c) critical

(n) low (l) medium (i) medium (f) high

(p) v.low (o) low (m) medium (j) medium

1) Remote (< 10%) 2) Possible (10 - 50%) 4) Likely (> 80%) 3) Probable (50 - 80%)

(< £ 50k)

( £ 100 – 200k)

(> £ 200k)

RISK MAP (net risk)

G

N

T

G

N

T

= Gross exposure, before controls

= Net exposure, after controls

= Target exposure, after further actions

Risk Map – what is the risk?

what should it be?

Score Description Relative %

Actual (eg, on a Surplus of £1m)

4 Critical > 20% > £200K

3 Serious 10 - 20% £100 – 200k

2 Moderate 5 – 10% £50 – 100k

1 Manageable 0 - 5% < £50k

Score

Description Likelihood

4 Likely > 80%

3 Probable 50 - 80%

2 Possible 10 – 50%

1 Remote 0 - 10%

IMPACT Criteria

LIKELIHOOD Criteria

How much

risk are you

willing to

take?

How much risk

are you willing to

tolerate?

Key to

risk taking “Tipping point”,

calibrates

risk management

Risk Appetite: what is it?

• Shows the ‘tipping point’, the

difference between right and wrong

• Calibrates decision making, ‘how

much risk to get how much reward?’

• Sets level of Delegation of

Authorities

• Can be used to communicate and

monitor acceptable levels of risk

taking

• Challenges right level of reward and

control (including the cost of control)

• Board responsibility and renewed

focus for regulators

How much

risk are

you

willing to

take?

How much

risk are

you willing

to tolerate?

Key

to risk

taking “Tipping

point”,

calibrates

risk management

Risk Appetite: what is it?

• Shows the ‘tipping point’, the

difference between right and wrong

• Calibrates decision making, ‘how

much risk to get how much reward?’

• Sets level of Delegation of

Authorities

• Can be used to communicate and

monitor acceptable levels of risk

taking

• Challenges right level of reward and

control (including the cost of control)

• Board responsibility and renewed

focus for regulators

Board’s Risk Attitude scale

Risk Appetite: how to determine it?

Risk Attitude RISK ADVERSE

CAUTIOUS BALANCED OPPORTUNISTIC ENTREPENEURIAL

Characteristics Minimal/ 0 tolerance

Cautious tolerance

Balanced attitude

Enquiring appetite

Hungry appetite

% variance of outcomes

< 1% 1 – 2.5% 2.5 – 5% 5 – 10% > 10%

Illustrative examples

Corporate reputation

Safety

Trading

Asset investment

Operations 3rd party negotiations

Customer capture

New investments

Internet strategy

Board’s Risk Attitude Statement

Risk attitude An example Minimal

tolerance Cautious tolerance

Balanced Some appetite

Strong appetite

1 2 3 4 5

Val

ue

dri

vers

Resident/ tenant feedback

Surplus volatility

Capital requirement

Reputation

Credit rating

Regulatory standing

Board sets general direction Management responds with specific risk tolerances

Time

Value

£

Risk

Indicator

Risk

Tolerance

Risk

Appetite

Monitoring Risk Appetite

Time

Value

£

Risk

Indicator

Risk

Tolerance

Risk

Appetite

Monitoring Risk Appetite

Board’s Risk Attitude scale

Management’s Risk Tolerance,

using Key Risk Indicators

Risk Appetite: how to determine it?

Risk Attitude RISK ADVERSE

CAUTIOUS BALANCED OPPORTUNISTIC ENTREPENEURIAL

Characteristics Minimal/ 0 tolerance

Cautious tolerance

Balanced attitude

Enquiring appetite

Hungry appetite

% variance of outcomes

< 1% 1 – 2.5% 2.5 – 5% 5 – 10% > 10%

Illustrative examples

Corporate reputation

Safety

Trading

Asset investment

Operations 3rd party negotiations

Customer capture

New investments

Internet strategy

Board’s Risk Attitude Statement

Risk attitude An example Minimal

tolerance Cautious tolerance

Balanced Some appetite

Strong appetite

1 2 3 4 5

Val

ue

dri

vers

Resident/ tenant feedback

Surplus volatility

Capital requirement

Reputation

Credit rating

Regulatory standing

Board sets general direction Management responds with specific risk tolerances

Time

Value

£

Risk

Indicator

Risk

Tolerance

Risk

Appetite

Monitoring Risk Appetite

Time

Value

£

Risk

Indicator

Risk

Tolerance

Risk

Appetite

Monitoring Risk Appetite

Board’s Risk Attitude scale

Management’s Risk Tolerance,

using Key Risk Indicators

Risk Appetite: how to determine it?

Risk Attitude RISK ADVERSE

CAUTIOUS BALANCED OPPORTUNISTIC ENTREPENEURIAL

Characteristics Minimal/ 0 tolerance

Cautious tolerance

Balanced attitude

Enquiring appetite

Hungry appetite

% variance of outcomes

< 1% 1 – 2.5% 2.5 – 5% 5 – 10% > 10%

Illustrative examples

Corporate reputation

Safety

Trading

Asset investment

Operations 3rd party negotiations

Customer capture

New investments

Internet strategy

Board’s Risk Attitude Statement

Risk attitude An example Minimal

tolerance Cautious tolerance

Balanced Some appetite

Strong appetite

1 2 3 4 5

Val

ue

dri

vers

Resident/ tenant feedback

Surplus volatility

Capital requirement

Reputation

Credit rating

Regulatory standing

Board sets general direction Management responds with specific risk tolerances

Policies

Measuring and monitoring risks as part of performance

dashboard

– We do it for our cars, why not for our businesses?

– To go faster, further and more safely

Risk Dashboard – the theory

Measuring and monitoring risks as part of performance dashboard

– We do it for our cars, why not for our businesses?

– To go faster, further and more safely

Risk Dashboard – the theory

Measuring and monitoring risks as part of performance dashboard

– We do it for our cars, why not for our businesses?

– To go faster, further and more safely

KPI

KPI

KPI

Risk Dashboard – the theory

Measuring and monitoring risks as part of performance dashboard

– We do it for our cars, why not for our businesses?

– To go faster, further and more safely

KRI KRI

KRI

KPI

KPI

KPI

Speed

camera

detector

KRI

Risk Dashboard – the theory

Measuring and monitoring risks as part of performance dashboard

– We do it for our cars, why not for our businesses?

– To go faster, further and more safely

KRI KRI

KCI

KCI

KRI

KPI

KPI

KPI

Speed

camera

detector

KRI

Risk Dashboard – the theory

Risk Dashboard – the practice

KEY RISK INDICATORS for Period 6

Strategic Objective Key Risk Indicator Target Actual Variance Prior period YTD trend

1) SERVICE DEMAND - passenger journeys 219m 205m -14m 206

2) SUPPLY - % trains operated at peak 95.2% 95.0% -0.2% 94.7%

3) RELIABILITY - on time (per index) 83.6 77.4 -6.2 82.6

4) SAFETY - injuries 60 58 2 59

5) CUSTOMER SATISFACTION - "recommend" 78.3% 76.8% -1.5% 79.3%

6) PEOPLE - no. of staff 22,487 22,250 -237 22,123

- absence 1 day 0.96 day -0.04 day 1.1 days

7) KEY INITIATIVES - PM status80%

on target

77%

on target-3%

60%

on target

Better than/ equal to target Within 5% of target 5% or more off target

Transport operator

Real time risk information

integrated with performance

information

Internal risks

External risks

The challenge?

How do you

spot new,

emerging

ones?

How do you

manage them?

3) What new risks are emerging?

Possible new, emerging risks

External

- Public sector reorganisation

- Change in political direction in 2015

- More frequent extreme weather (maintenance, catastrophe)

- Pandemic (staffing, service capability)

Internal

- Changing housing needs (demographics, social/ ethnic groups)

- Increasing tenant expectations (quality and variety)

- Availability of land space, potential for innovative solutions

- Changes impacting brand/ reputation

What does this mean to

you as a Board member?

What does this mean to

you as a Board member?

- Get the risk culture right

- Honestly weigh up the risk

& the reward

- Honestly weigh up the risk

of doing something & the

risk of not doing it

- Carefully consider the

impact of more than one

adverse impact

- Assurance = data

- Use your instincts

Some thoughts

- Responsibility for risk

begins and ends with the

Board

The answer?

Niki Lauda, F1 champion

1975,

1977,

1984

James Hunt, F1 champion

1976

Risk Management, a winning competency?

Use it to gain a competitive advantage & help with

reassuring

the Regulator