trustee conference am4: effectively managing risk
TRANSCRIPT
AM4: EFFECTIVELY MANAGING RISK
IAN WHITE, ASSOCIATE CONSULTANT, NCVO
NICK RUDNAI, DIRECTOR, CASE INSURANCE
CLARE BALL, DIRECTOR, SHIFT.MS
7 NOVEMBER 2016
EFFECTIVELY MANAGING RISK FOR BOARDS OF TRUSTEES
WHAT IS RISK?
• A noun: “a situation involving exposure to danger”
• A verb: “expose (someone or something valued) to danger, harm or loss”
• Potential impact of uncertain events on an organisation or its objectives, whether positive or negative
WHY WORRY ABOUT RISK?
• A necessary part of business life - without risk there would be no business
• Nearly always viewed in negative terms
• But can be positive - business opportunities - Dyson
• Need to ensure that the balance does not get out of control
• Doing nothing can indeed lead to dire consequences – Kodak
• Some third sector examples
Impact of Poor Risk Management:
• Reputation – BP
• Strategic failure – Retail
• Solvency – Lehman
• Failed targets – UK Government!
• Potential litigation – Payment Protection Insurance
• Organisational disruption – Terminal 5
• Loss of morale – NHS
• Wasted resources – Many examples!
THE IMPORTANCE OF RISK MANAGEMENT
• Need for effective identification, assessment and prioritisation of risks.
• Failure to do this can lead to:
– Loss of reputation
– Solvency issues
– Regulatory and criminal sanctions
– High costs
– Wasted management time
Examples:
• BP
– Once the largest member of the FTSE 100
– Risks not fully assessed or catered for?
– Dramatic decline in share price; USD 20 billion for claims; dividend suspended
– CEO resigned after PR gaffes
– Lessons: prepare for risk and manage it effectively when it does occur
• Arthur Andersen and Enron
– 2002: 85,000 employees; 2007: 200 employees!
Risk management in context:
• Health and Safety at Work etc. Act 1974
– Employer's duty to take reasonable care for employees
– But all employees have duties – retail example
• Corporate Manslaughter and Corporate Homicide Act 2007
– Substantial fines of up to 10% of turnover – huge impact
– Publicity required
– But not effective use so far? Few prosecutions
HOW SHOULD TRUSTEES APPROACH RISK MANAGEMENT?
• Charity Commission recommend all charities carry out proportionate annual risk assessment
• Requirement to make statement in annual report on risk for those charities subject to a statutory audit – identify major risks and procedures to manage.
• Trustees should take the lead in risk management but with participation of staff and other stakeholders.
• Not just a long set of risk registers
• Risk is strategic!
Charities and risk
• Areas of risk to be assessed as recommended by Charity Commission:
– Governance
– External
– Regulatory and Compliance
– Financial
– Operational
• Dealing with risks
– Prioritise
– Determine risk appetite
– Mitigate/controls
– Assurance
And when you don’t prioritise…
• 2007 – Tony Hayward becomes CEO of BP – insists coffee cups have lids on when a person is walking
• 2010 – Deepwater Horizon occurs
• Need to identify and properly evaluate, communicate and address risk
• Risk management often treated as a compliance issue that is solved by rules
• Rules-based risk management alone won’t prevent further disasters
Guidance on Risk Management, Internal Control & Related Financial/Business Reporting (FRC, 2014):
• The Guidance is focused on the culture of the Board (roles and responsibilities) and the “tone from the top”
• Checklist of the types of questions the Board should consider when assessing risk (Reference)
• Dividing these into the broad sections of:
– Risk Appetite and Culture
– Risk Management and Internal Control Systems
– Monitoring and Review and Public Reporting
Boards and Risk Management
Role of the Board in Risk Management:
• The board must determine its willingness to take on risk, and the desired culture within the organisation
• Risk management and internal control should be incorporated within the organisation’s normal management and governance processes, not treated as a separate compliance exercise
• The board must make a robust assessment of the principal risks to the organisation’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment the board should consider the likelihood and impact of these risks materialising in the short and longer term
• Once those risks have been identified, the board should agree how they will be managed and mitigated, and keep the organisation’s risk profile under review. It should satisfy itself that management’s systems include appropriate controls, and that it has adequate sources of assurance
• The assessment and management of the principal risks, and monitoring and review of the associated systems, should be carried out as an on-going process, not seen as an annual one-off exercise
On top of this, the Board should satisfy itself that it is informed of:
• The nature and extent of the risks facing, or being taken by, the organisation which it regards as desirable or acceptable for the company to bear
• The likelihood of the risks concerned materialising, and the impact of related risks materialising as a result or at the same time
• The organisation's ability to reduce the likelihood of the risks materialising, and of the impact on the business of risks that do materialise
• The exposure to risks before and after risks are managed or mitigated, as appropriate
• The operation of the relevant controls and control processes
• The effectiveness and relative costs and benefits of particular controls
• The impact of the values and culture of the organisation, and the way that teams and individuals are incentivised, on the effectiveness of the systems
RISK MANAGEMENT IN PRACTICE
Risk Management Process and Methodology
• Identification
• Assessment
• Action Planning
• Monitoring
• Reports
Risk Areas
Risk Management in Practice
1. Guidelines on how to complete the legal risk template
Identifying the risks: First, you need to consider what the risks are.
Please consider all the possible risks in your area. You should then list all the risks that occur to you under each heading using the template in Appendix B which you should adapt as appropriate to ensure that all risks are accommodated. The risks should be noted even if it is believed that there are sufficient controls in place to manage the risk within the risk appetite of the business.
A risk is something that may cause loss to the company. It may be a loss resulting from the failure to achieve a specific objective or a more general loss such as a liability to pay damages. It could also be a loss resulting from a missed opportunity such as the failure to exploit intellectual rights.
An example of a risk relating to intellectual property rights would be as follows:
“Damage to the value of the brand due to a failure to register trademarks resulting in other businesses acquiring equivalent or superior rights in those marks e.g. The company may not be able to use those marks or others may be entitled to use them as well”.
Risk Template
Impact: The next thing you need to do is to assess the impact of the risk if it were to occur. The financial, reputational and customer impact should be considered. The impact of the risk should be scored as if there were no controls in place – this is known as the inherent risk.
You will need to assign an impact rating for financial, customer and reputational impact. The options are set out in the table in Appendix C. These are in line with the impact scales used within the Quarterly Risk Assessment (QRA) process as defined in the Risk Management framework.
Failure to protect the Company’s trademarks, being arguably the Company’s most important assets, would be high impact, i.e. a score of 4.
Probability: After this you need to assess the probability of the risk happening, ignoring any controls that may be in place (again, the inherent risk).
Again, the options are set out in Appendix C and are in line with the QRA process.
The likelihood of the impact occurring in the case of trademarks not being protected is “Likely”, i.e. a score of 4.
Magnitude: Having identified the universe of all risks and assessed their probability and impact, it is important to prioritise them by working out the magnitude of each risk. This is arrived at by taking the highest impact score for that risk and multiplying it by the probability score for that risk.
Controls: You then need to describe what controls are in place to mitigate the risks and who is responsible for each control, and assess the adequacy of those controls. Controls may reduce the likelihood of a risk occurring, mitigate the impact, or both.
Risk Appetite: You will then need to assess whether the risks are managed and controlled within the stated risk appetite of the business, having regard to the controls and any actions that have been agreed with the business. The options are set out in Appendix C. These are colour coded through red, orange, yellow and green.
Action plan: If the controls are inadequate, i.e. the risk even after taking into account the controls is outside the risk tolerance levels, then an action plan needs to be put in place and summarised in the template. The date for completion of the task should be indicated.
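The template steps above (impact, probability, magnitude, controls, risk appetite, action plan) worked through as a small register scorer. This is an added example, not code from the conference or from any template it refers to; it assumes a 1–4 scale for impact and probability (the page only shows 4 = high impact and 4 = “Likely”), its own colour-band thresholds, and a single magnitude ceiling as the risk appetite, since Appendix C is not reproduced here.

```python
"""Risk register scorer following the template steps above (added example, not from the
conference material). Assumed: a 1-4 scale for impact and probability, the colour
thresholds, and that controls are modelled as points taken off impact or probability."""
from dataclasses import dataclass, field
from typing import List, Optional

BANDS = ((12, "red"), (8, "orange"), (4, "yellow"))  # assumed magnitude floors for each colour


def colour_for(magnitude: int) -> str:
    """Map a magnitude (1..16 on the assumed scale) onto the page's red/orange/yellow/green bands."""
    return next((colour for floor, colour in BANDS if magnitude >= floor), "green")


@dataclass
class Control:
    description: str
    owner: str                      # template: who is responsible for the control
    impact_reduction: int = 0       # controls may mitigate impact, reduce likelihood, or both
    probability_reduction: int = 0


@dataclass
class Risk:
    description: str
    financial: int                  # impact scores, 1-4 assumed (Appendix C is not on the page)
    customer: int
    reputational: int
    probability: int                # 1-4 assumed, 4 = "Likely"
    appetite: int                   # highest residual magnitude the business will accept
    controls: List[Control] = field(default_factory=list)
    action_plan: Optional[str] = None
    action_due: Optional[str] = None

    def inherent_magnitude(self) -> int:
        # Page rule: highest impact score x probability score, scored as if no controls existed.
        return max(self.financial, self.customer, self.reputational) * self.probability

    def residual_magnitude(self) -> int:
        impact = max(self.financial, self.customer, self.reputational)
        impact -= sum(c.impact_reduction for c in self.controls)
        prob = self.probability - sum(c.probability_reduction for c in self.controls)
        return max(impact, 1) * max(prob, 1)  # a control cannot push a score below 1

    def within_appetite(self) -> bool:
        return self.residual_magnitude() <= self.appetite


def prioritise(register: List[Risk]) -> List[Risk]:
    """Order by inherent magnitude, highest first, as the Magnitude step asks."""
    return sorted(register, key=lambda r: r.inherent_magnitude(), reverse=True)


def register_issues(register: List[Risk]) -> List[str]:
    """Risks outside appetite that lack the action plan and completion date the template requires."""
    return [r.description for r in register
            if not r.within_appetite() and not (r.action_plan and r.action_due)]


# Constructed sample register (not from the page).
TRADEMARK = Risk("Brand damage from unregistered trademarks", 4, 2, 4, 4, appetite=6,
                 controls=[Control("Annual trademark portfolio review", "General Counsel",
                                   probability_reduction=2)],
                 action_plan="Register marks in remaining territories", action_due="2017-03-31")
DATA = Risk("Data protection breach via unencrypted laptops", 3, 4, 4, 3, appetite=6,
            controls=[Control("Full-disk encryption on laptops", "IT Manager", probability_reduction=2),
                      Control("Cyber insurance policy", "Finance Director", impact_reduction=1)])
CONTRACT = Risk("Unlimited liability accepted in a supplier contract", 4, 1, 2, 2, appetite=4)
REGISTER = [CONTRACT, DATA, TRADEMARK]
```

Running `register_issues(REGISTER)` flags only the contract risk: it sits outside appetite with no control and no dated action plan, which is exactly the gap the template's last step is meant to catch.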
The following template can be used by different business areas to review different risks. Each risk should be entered separately and grouped as appropriate. Suggestions include, but are not limited to:
• Compliance (considering the legal requirements regarding competition, finance, sales & marketing, production, corporate, environment, data protection, property and employment)
• Rights and Remedies (e.g. customers, employees, third parties, intellectual property, internal and external communications, disputes and litigation)
• Other risks (e.g. changes in laws and regulations)
Examples of things to consider:
• How frequently is the risk management framework reviewed/stress-tested?
• How do organisations ensure their risk management plan isn’t just filed away? A living document?
• What risk management training is in place?
• Is the positive side of risk considered? Most companies just look at the negative elements
• Is any of the above audited?
• Remember the Black Swan – you cannot predict everything!
• Focus on an effective risk CULTURE! Remember that this is the overriding principle – without this in place all of the processes, procedures and policies will be of little effect
Reporting and Oversight of Risk
Risk Culture:
• Risk appetite translates throughout the business
• Honesty and promptness of reporting especially escalation
• Transparency of information and evidence
• Consistent decision making and action on the basis of evidence
• Individuals take full accountability for their actions
• Aligned incentives and rewards consistently applied
• Consistency of behaviours and practice throughout the organisation
• Unnecessary complexity removed to create clarity
• Many ways to speak out
• Risk is a necessary part of business life
• Risk can be negative and positive - look for opportunities
• Align compliance risk to the organisation’s risk appetite
• Focus on material risks - too much detail may result in difficulty resourcing all the risks
• Ensure the business understands its compliance risk landscape and where risks may exceed its risk appetite
• See the bigger picture and do not just look at compliance risks in isolation
• The risk of doing - or not doing - the deal may be greater than the compliance risks
• The organisation should own and manage the risk - the audit/risk/compliance is (usually) there to advise and guide
Risk Management - a Recap
• Get input internally and externally where appropriate
• Compliance should ensure the risks are within the risk appetite of the business not to eradicate the risk
• Give the business options
• Manage the risk not the regulation
• Beware conventional wisdom and remember…
• The importance of culture over process and…
• The Black Swan!
Effectively Managing Risk
Why Bother? (Beyond your legal and moral duties)
• When you sign up to be a trustee you are committing to manage the risks of your charity as best you can; it’s as simple as that!
• Your charity will be better placed to achieve its charitable objects and aims and less likely to fail its stakeholders
• Remember, the business of business is risk; it’s also true for charities.
So what is a risk? What do I work to?
• The effect of uncertainty on objectives – positive or negative – i.e. uncertainties that matter
Risk Management Process
You are not required by law to have a risk management process for your charity, nor to follow a particular method. But the Charity Commission strongly recommends that you have a clear risk management policy and process.
• establish a risk policy & strategy
• identify risks – workshops/scenario analysis/questionnaires
• assess and record risks
• evaluate what action to take
• review, monitor and assess periodically – risk registers, action plans and heat maps
• Your charity should have a structured approach to risk management that is appropriate for its size and complexity
• Often based around ISO 31000
Material Risks Under Discussion at Present
• Risk one – Loss of funding and financial instability
• Risk two – Continuity and crisis response
• Risk three – Erosion of traditional values
• Risk four – Negotiating the commissioning environment of new payment frameworks and public service delivery models
• Risk five – The rise of social media (Zurich Municipal)
• termination of funding from other bodies
• the future of contracts
• fundraising from the general public
• fluctuations in investments
• an unforeseen rise in demand for services (Charity Commission)
• Brexit and the effect of sustained uncertainty on charitable giving
• People – Having the right talent and capability to achieve strategy (CB)
The Risk Management Statement
All charities that are under a legal requirement to have their accounts audited must make a risk management statement in their trustees’ annual report.
Your risk management statement should include:
• an acknowledgement of the trustees’ responsibility to identify, assess and manage risks
• an overview of your charity’s process for identifying risks
• an indication that major risks have been reviewed or assessed
• confirmation of the systems and processes set up to manage risks
Larger charities or those with more complicated activities should provide a more detailed risk management statement.
Risk Management Strategy – keep it simple and proportionate to the charity
Put simply, it’s:
• Direction – How will risk management support the strategy
• Scope – what activities will be undertaken
• Priorities – what must be managed first
All of which you can and must help shape
The need for simplicity in the charity sector
Simplicity
• In my experience even more important in the charity sector than in the commercial sector
• Often a feeling of “do we really need this, isn’t it just bureaucratic red tape?” As a trustee I understand that it’s part of my role to demystify risk and make it relevant
• A place for complexity in data and MI
• Ease of access aids simplicity; make risk processes instinctive to the user
• The importance of feedback in the campaign for simplicity cannot be overstated, but once you have it you must do something with it; your reputation depends on it
Requests from the business… Does this feel relevant in the charity sector?
• Request for every risk document to be clear, succinct and beautifully simple and so universally understood. “Needless complexity and unnecessary content is unforgivable”
• In the words of Donald Trump, 10 Jan 2015: “I realised that complexity is the enemy of execution. If I can distil an idea down, people know the game is winnable.” – Donald J. Trump
Culture & Behaviour
What does history tell us?
• Cranfield researchers interviewed executives, management and staff with risk management responsibilities, including CEOs, at eight chosen organisations. They found overwhelmingly that the key to achieving resilience is to focus on behaviour and culture. This may involve fundamentally re-thinking and challenging prevailing attitudes towards risk. Traditional risk management techniques, whilst essential, do not in themselves create a culture of resilience. (AIRMIC Road to Resilience)
• “You’ve got to have the right culture; otherwise you’re never going to embed anything. Nobody’s going to do the training, nobody’s going to put it on their personal agenda and talk about it, the networks aren’t going to happen, the network is where your culture lives” (SVP, Head of Global Risk Management, IHG).
• “It has got to start at the top of the organisation, with supportive language that shows we are more interested in how we learn and move forward, than holding an individual accountable” (CEO, UK General Insurance, Zurich).
The Importance of Culture and Behaviour and the part you play - Examples
MPs’ report blames charity trustees for fundraising failures.
• If trustees do not improve how they monitor and set standards for their charities’ fundraising, then statutory regulation will follow.
Kids Company: MPs say 'catalogue of failures' led to collapse
• "an extraordinary catalogue of failures of governance and control at every level - trustees, auditors, inspectors, regulators and government"
The Importance of Culture and Behaviour and the part you play - Examples
Charity Commission finds failings in the Air Ambulance Service
• A loss-making fundraising event and a £27,000 loan to its deputy chief executive involved serious failures by the trustees, says the regulator
So, in practical terms, how can you help charities manage risk?
• Make good governance part of the culture, “just the way we do things around here”; be that healthy “tone at the top”
• You have a duty to oversee the running of the charity – don’t be afraid to ask awkward or difficult questions; it’s your responsibility, and you will be open to criticism if you don’t
• Understand your charity’s early warning indicators and how it benefits from lessons learnt
• Commit to structured regular review of risks and satisfy yourself that controls are effective; be a part of the solution generation if they are not
• Undertake an annual board risk session to include a review of your risk appetite and current and emerging risks
• Undertake Risk Understanding & Awareness Training and keep it current
• Ensure that the risk reporting process is giving you what you need to make risk-informed decisions
• Ensure that risk communication is effective and the risk management process is fit for purpose; this is an iterative process
A thought to end on?
Effectively Managing Risk
Nick Rudnai
CaSE Insurance
Murphy’s Law revisited …
“Anything that can go wrong, will go wrong.”
Or …
When something goes wrong … it’s rarely what you thought might go wrong.
Good risk management is about behaving and acting “as if uninsured”.
Where’s the risk?
Insurance
• Insurance can deal with the things you can imagine could happen.
• Insurance can deal with what you can’t imagine can happen, but which does happen to other people.
• That’s why insurance people can be a good source for risk management advice. They see what happens to other people. And they can let you know if something is insurable or not.
• But they are just that – one good source. As are lawyers, accountants, banks, regulators, and … of course … your peers.
• And don’t forget, seek input from all your people. Asking the dive-school instructor might just stop you overlooking the coconut.
Insurance versus Cost of Risk – the iceberg syndrome
[Iceberg diagram: 20% insured risk above the waterline; 80% uninsured / uninsurable risk below]
In other words, if you confuse risk management with insurance
Un-insured Risk
The total potential effect on your organisation measured in terms of the effect on your Profit & Loss Account and your Balance Sheet, and including Opportunity Cost, for as long as the effects endure
Plus
The effect on other stakeholders:
• Trustees, Management and Staff
• Clients & Service Users
• Funders & Partners
Insurance versus Cost of Risk
[Iceberg diagram repeated: 20% insured risk; 80% uninsured / uninsurable risk]
Move it up and consider it ‘dealt with’
The Insurance deal
• You take an identified risk, and offer it to an insurer in return for a premium.
• The risk doesn’t disappear. It just transfers.
• In return, you take on a new risk – that the insurer won’t (or won’t be able to) pay.
• Don’t rely on insurance to bail you out every time.
• GOOD RISK MANAGEMENT IS ABOUT BEHAVING AND ACTING “AS IF UNINSURED”.
• And work hard on your relationship with insurers in the long term to ensure that they are indeed there when you need them.
Insurance versus Cost of Risk
[Diagram of the uninsured part of the iceberg, labelled:]
• Uninsured claims
• Unrecovered claims
• Intentionally self-insured losses
• Unintentionally uninsured losses
• Excess & premium increases
• Uninsurable losses
Pragmatism
• Real life involves risk
• Risky stuff can hurt people (more often than coconuts)
• People have accidents
• Stuff catches fire
• Weather causes floods
• If you’re worried about crossing the road, don’t delay – do it quickly before a car veers off the road and hits you
Balancing Risk and Reward
[Diagram: a balance weighing Risk against Reward]
Cautionary Tales
• The executive / non-executive relationship – is it balanced?
• Lemonade Insurance – Chief Behaviour Officer
• The risk register – a room with nice defined borders
Cautionary Tales
Contractual Liability
• How do you identify and measure it?
• Is it within your field of experience & expertise?
• How do you control it?
• Is it clear about what everyone thinks you bring to the party?
• Is there a fair distribution of risk and reward when balanced against all parties’ capacity to take risk?
• The smallest, most insignificant contract can have the most damaging consequences
Cautionary Tales
The stakeholder environment
• You might not do anything wrong.
• But are you strong enough to swim in those waters?
• Who is a stakeholder, what are they like, what can you expect their behaviours to be?
Cautionary Tales
Unintended consequences
• Data sharing
• People sharing
• Unclear handover of responsibility
Cautionary Tales
And on the subject of Data …
• Understand the full extent, form, location and impact of data for which you may be responsible.
• Plan.
• Full supply chain and user-end management.
• Educate.
• Careful storage of hard-copy data.
• Watch out in case the wind blows.
In closing
• Good risk management is about behaving and acting “as if uninsured”.
• Don’t confuse insurance with risk management.
• Insurance mitigates but doesn’t eliminate risk.
• Risk is inevitable and can be good. Mine for conflict. Mine for risk. Find the elephants and coconuts. Get the risk and reward balance right.
• Do make sure that risk is part of your culture at all levels of your organisation, and that insurance is more than just a paper transaction.
• Consider whether the normal distance trustees like to keep between themselves and their organisation’s risk management advisers is really appropriate.