Risk Reimagined!

The importance of people and culture to effective risk management

Risk Reimagined!

Risk Management author and evangelist

Former Chairman of the Institute of Risk Management and risk manager

Webinar #1: December 1st, 2015

Webinar #2: December 8th, 2015

www.riskreimagined.com

Richard AndersonNorman Marks

Risk Reimagined!

About this webinar:

• CPE: 1 Credit    • Program Level: Intermediate

to Advanced    • Prerequisites and

Advance Preparation: N/A    • Delivery Method: Group

Internet Based• Category: Specialized

Knowledge and Applications  

To receive a CPE credit:

• Remain joined to webinar for entire duration of programming (full hour)

• Answer all 3 polling questions• Answer all evaluation questions

Join the conversation on Twitter with #RiskReimagined

Risk Reimagined!

Regulators are getting excited by culture

Regulator Year No of Pages Culture Risk CultureNAO 2011 18 4 Nil

Department of Justice 2011 43 6 Nil

FRC 2014 28 20 Nil

FSB 2014 14 100+ 73

Risk Reimagined!

It’s all about people

Any organization is an assembly of people: people who take risks as they manage and direct the enterprise; decide how much risk is acceptable or even desirable; and provide oversight into the management of risk across the extended enterprise.

Risk Reimagined!

It’s all about people

“Culture is how organizations ‘do things’” — Robbie Katanga

“Organizational culture is the sum of values and rituals which serve as ‘glue’ to integrate the members of the organization” — Richard Perrin

Risk Reimagined!

“Culture eats strategy for breakfast” – Peter Drucker

Risk Reimagined!

Polling Question 1

Has the risk culture in your organization been reviewed internally or by consultants? Yes, it is reviewed on a regular basis Yes, once We are thinking about it It would never fly It is not possible

Risk Reimagined!

Is there a single culture?

Risk Reimagined!

Is there such a thing as a single risk level?

Risk Reimagined!

Compliance area Level of riskBribery and corruption 50

Environmental regulations 20

Financial reporting 30

Export/import regulations 20

Product safety 30

TOTAL 150???

Is there such a thing as a single risk level?

Risk Reimagined!

Why do so many of us take different views of exactly the same risks? How does an organization decide which view is “right”?

Risk Reimagined!

Why do people matter?

Human nature is …Individualist … or … collectivist

What do you believe … ?

I or C? Which do you think?

Risk Reimagined!

Why do people matter?

Human nature is …Individualist … or … collectivist

What do you believe … ?

I or C? Which do you think?

The way we live …“superiors” tell “inferiors” … or … “equals” negotiate the “rules”

Prescribed/In-equal … versus … Prescribing/Equal

Tell or Negotiate? T or N? Which way does it work?

Risk Reimagined!

Polling Question 2

Are you: Individual/Negotiate Collectivist/Negotiate Individual/Tell Collectivist/Tell None of the above Don’t know Don’t Understand

Risk Reimagined!

And cultural theory...

Fatalist

Individualist

Egalitarian

Hierarchist

I C

Tell

Negotiate

Risk Reimagined!What is the difference between the “risk” culture and the “organizational” culture? How can it be analyzed?

Risk Reimagined!

IRM Risk Culture Framework

IRM’s risk culture framework looks at component parts making up an organisation’s risk culture• How will I react?• How will I respond in

recognition of other competing needs?

• What will I do?• What will we do?• Our overall risk culture

Risk Culture

Organisational Culture

Behaviours

Personal Ethics

Personal Predisposition to

Risk

Risk Reimagined!

Risk culture aspects model

Risk CultureTone at the

Top

Ris

k Le

ader

ship

Dea

ling

with

B

ad N

ews

Governance

Acc

ount

abili

ty

Tran

spar

ency

Decisions

Ris

k In

form

ed

Dec

isio

ns

Rew

ard

Competency

Ris

k R

esou

rces

Ris

k S

kills

Risk Reimagined!

Thinking about risk is managed…

1. Risk informed decision2. Deals with risk systemically3. Throughout the

organization4. With partners5. Nimble with new issues6. Can leverage risks7. Takes more, better-

managed risks8. Gets hit by few surprises

9. Lives by established principles10. Expects excellent

performance11. Top-level buy-in to risk

management12. Links risk management to

strategic and operational management

13. Aims for simplicity and action, not bureaucracy

14. Constantly conscious of risk management performance

Risk Reimagined!

Holding a mirror up...

Risk Reimagined!

Holding a mirror up...

Risk Reimagined!

Holding a mirror up...

Regular findings Non-execs normally refuse to take part. Exec directors are ALWAYS more optimistic about their risk

management maturity than the rest of the workforce. Risk managers, heads of internal audit etc. ALWAYS know when

they are using smoke and mirrors to report up the line. Few others even care...

Risk Reimagined!

Assessing the Risk Culture

Desk TopResearch Surveys Interviews

Risk Reimagined!

Assessing the Risk Culture

Desk TopResearch Surveys Interviews

Conversations in Risk

Risk Reimagined!

Conversations in risk management

Me

CEO EE Partners

Suppliers Clients

IP ownerBack Office

Risk Reimagined!

Production and Projects

Sustainability and HSE

Drilling Exploration & New Business

Finance Other0%

25%

50%

75%

Production and Projects

Risk Reimagined!

Production and Projects

Sustainability and HSE

Drilling Exploration & New Business

Finance Other0%

25%

50%

75%

Sustainability and HSE

Risk Reimagined!

What about when the actions of one impact the success of another?

Risk Reimagined!

Objective

Risk D

Objectives, Risks and Controls

Objective

Risk A Risk B Risk C

Control 1 Control 2

Control 3 Control 4

Risk to more than one objective

Control to more than one risk

Risk Reimagined!

Objectives, Risks and Controls

Objective

Risk D

Objective

Risk A Risk B Risk C

Control 1 Control 2

Control 3 Control 4

Department A Department BWho owns Control 4? Who has a guardianship interest?

Risk Reimagined!

Objective

Risk D

Objectives, Risks and Controls

Objective

Risk A Risk B Risk C

Control 1 Control 2

Control 3 Control 4

Company One Third party coWho owns Control 4? Who has a guardianship interest?

Risk Reimagined!

Risk vs. Organizational Culture

Culture:The culture of the organization is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organization and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.

Risk Culture:“The risk culture of the organization is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organization the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”

Risk Reimagined!

And where they clash…

Issues which any board should want to know about:• Values: Significant deviations from the board’s values.• Silos: Especially where an organization is facing complexity in its dealings

internally or externally. • Layering: Layered management reporting prevents new issues being spotted on a

timely basis.• Short-termism: Extrapolation from past behaviours is not necessarily good enough

for dealing with new futures.• Control vs. Risk: Control (or risk control) management instead of risk

management.• Obstruction: Individually obstructive nodes can be very dangerous.• Black holes: Sometimes it is difficult to discern any volume of conversations about

risks.

Risk Reimagined!

Balanced Risk revisited

PerformanceCulture

CorporateEthics

AvoidingPitfalls

More ManagedRisk

PerformanceZone

DeadZones

Risk Reimagined!

Balanced Risk revisited

PerformanceCulture

CorporateEthics

Here-and-Now Tomorrow

PerformanceZone

DeadZones

Risk Reimagined!

Leadership in complex systems

Relationships & behaviours

Draw on widely diverse

perspectives

Adopt open enquiring mind set

Go out of your way to

make connections

Tasks& ideas

Be Clear

Be Curious

Be Courageous

Invest in promoting

values

Establish compelling

vision

Embrace uncertainty

Distribute leadership &

decisions

Risk Reimagined!

Polling Question 3

Does your organization have a healthy risk culture? Without question, yes With exceptions, mostly yes Only to a degree Not really Unsure

Risk Reimagined!

The bottom line

Risk Management should be the disruptive intelligence that pierces

perfect-place arrogance

Risk Reimagined!

DISCUSSION

Risk Reimagined!Risk Reimagined!

RiskReimagined! Events:

Tampa, FL March 3rd, 2016London, UK April 7th,

2016Chicago, IL April 22nd, 2016

Details for booking: www.riskreimagined.com

Risk Reimagined!

www.riskreimagined.com

Richard AndersonDirector, AndersonRiskrca@andersonrisk.comwww.AndersonRisk.com

Norman MarksRisk Management Author and Evangelistnmarks2@yahoo.com

Contact Us:

Resolver Inc.1-888-891-5500info@resolver.comwww.resolver.com

Hussain HasanPrincipal and Regional Leader for Risk Advisory Services, RSM US LLP1-312-634-3700Hussain.hasan@rsmus.comwww.rsmus.com