Risk Oversight: Learning to Swim in the Deep End
by Brian Barnier
The ominous message read, “There’s been a drowning.” I was serving on the board of a non-profit that provided community arts and recreation services. We had our own facilities and managed one of the city’s swimming pools. My mind raced through our procedures. In the end, it kept coming back to, “What improvements should we have implemented more quickly?”
While it was no consolation to the victim’s family, the drowning did not occur in the pool we managed. Yet, it struck home for our organization. It was one of many lessons learned: that capabilities need to be strengthened in the face of unfolding situations. This is real risk in the real world.
Too often board members are confronted by “risk management” that is a pile of reports and charts reflecting stuff scattered across the organization. We look at these and think, “I know they must be saying something, but I have no idea what.” It feels a bit like when your child or grandchild explains the latest sensation in social networking by saying they’ve been pinged, poked and pinned, and you just nod as though you understand.
If you’re reading risk management reports – not about the sovereign debt crisis – and the pile-o’-reports leaves you saying, “sounds like Greek to me” – then your risk management is structurally broken. You need to probe more deeply. Simply ask your head of risk management, “Would you please explain that again without jargon or the word ‘risk’?”
Risk management is fundamentally simple. It’s about managing risk to business performance objectives. Whether share price, earnings growth, production levels or customer service, it’s prioritizing the removal of challenges to your objectives. A simple risk management cycle asks:
• What’s happening in our environment?
• What’s the strength of our capabilities?
• What situations could unfold and hurt us or create opportunities?
• What are the warning signs?
• How effectively do we prioritize our responses?
• How efficiently do we design and implement those solutions?
• How well do we prepare to react?
• How crisply do we manage our response?
These are basic questions. The ease with which we can answer them starts with one simple question – How well do we know the business?
A friend of mine designs combat helicopter pilot support systems. He thinks a lot about simple risk management procedures that a pilot can loop through in the seconds that mean life or death. Because real life is so complex and changing, risk management must be robust, yet simple. It must be simple in the sense of being efficient so it can be constantly running, helping everyone more easily watch for warnings and make critical daily decisions. Costly, complicated, cumbersome processes are only periodically run for fear of churning the organization. This is bad.
Yet, there’s more. Being easy to use every day also means avoiding unnecessarily complex terms. This is what the U.S. Federal Emergency Management Agency demands of rescuers who are jointly responding to an incident so they can all understand each other – especially under pressure and with static on the radio. Even individual city departments are switching to this. Are you wasting time trying to redefine “appetite,” “tolerance,” “profile” and other terms? Or, are you following real-world, proven practice?
Back to the swimming pool. The Red Cross understands this focus on the fundamentals in training people in first aid and CPR. They understand that situations are complex and changing. This applies in busy pools on hot days, financial market trading floors, Deepwater Horizon, Costa Concordia, new product rollouts, rain in Thailand, corporate acquisitions or hostile proxy fights. To face the real, dynamic world, board members must probe to sharpen a robust, simple risk management process, including jargon-free language.
With this simplicity in mind, your board can more easily be a better lifeguard watching over your company as it swims in the deep end or even the surf. Be ready for the rough water.
Brian Barnier of ValueBridge Advisors has also served on non-profit and private company boards. He writes and presents widely, and is the author of The Operational Risk Handbook for Financial Companies (Harriman House, London, 2011). He can be reached at firstname.lastname@example.org.