Mastering 21st Century Enterprise Risk Management - 2nd Edition: The Future of ERM - Book 1 - Executive's Guide
Ebook, 307 pages, 6 hours


About this ebook

"Mastering 21st century Enterprise Risk Management" is an Executive's Guide for transforming ERM from an overhead to a value-adding driver of growth. It combines the best of ISO 31000 and COSO ERM to deliver bottom-line returns. By linking risk to strategy using Scenario Analysis, Bayesian modeling, and aggregating their effect, it allows organizations to fulfil the primary directive of ISO 31000 – managing the uncertainty in strategic objectives.

In the post-COVID business environment, managing uncertainty (risk) is not a management technique, it is a survival skill. Drawing on work with the Australian Dept. of Defence, Victorian Infectious Diseases Labs, Serco, and Motorola, this book presents a proven set of strategies and practices that can take you to the next level.

This book aims to set the foundation that will allow organizations to implement the Future of ERM – AI-based Risk Management. Putting in place Good Governance, Ethics, Strategic Management, and Risk-based Auditing are all necessary prerequisites to tackle the two-edged sword that is AI-based Risk Management. Understanding the principles of Bayesian statistics, causal mapping, and threat management puts Executives in the driver's seat. It also sets a solid platform to manage volatility and exploit the vast potential inherent in the full range of artificial intelligence and disruptive technologies available today.

Language: English
Publisher: BookBaby
Release date: May 11, 2021
ISBN: 9781098372729

    Book preview

    Mastering 21st Century Enterprise Risk Management - 2nd Edition - Gregory M. Carroll

    2020.

    Chapter 1: Firing Failed Risk Practices

    1.1 Brexit and the failure of ERM

    There has been much written on the over-emphasis of Black Swans¹ in risk management. The 2016 Brexit vote not only sent shock waves through financial markets but also created a completely new paradigm to world economic stability both short and long term. If risk is defined as uncertainty, then today this must be one of our greatest risks.

    Figure 1-1

    So what happened with Brexit? After all, the vote was a 50/50 risk! I believe it was an enormous accident. No one really thought it would happen. Just look at the graphic above to see the odds bookies were offering of the U.K. staying in the EU! Over 2 to 1. Even I bought shares that Thursday, discounting the vote as a non-event. From the petitions still circulating in the U.K., I would say complacency amongst the media, middle classes, and business community was the major culprit.

    The same complacency with nutter politics voted in Donald Trump (as shown by his absurd "taking your country back" congratulation on landing in SCOTLAND, which voted No!).

    So where to from here?

    My guess is that the U.K.’s exit from the EU (now exacerbated by COVID) will result in a Thatcherite period of recession, social unrest, and economic restructuring. I believe this, like its namesake, will leave the U.K. stronger. Ireland will boom as the new English-speaking base for European access, and the EU will devolve back to its roots, plus maybe the Czech Republic. This is not because of any political bias, but purely economic rationalism. As proven both in business and in the USSR, management of large dispersed operations (like the EU) must be delegated and decentralised. This is why small start-ups outperform large market leaders, and why the short-lived Intrapreneurship fad failed.

    The trap of the Risk Matrix and Heat Maps

    The first requirement for resilience is awareness. Awareness of how different aspects affect your processes and objectives is a foundation of risk management. Like a 1980s entrepreneur, the EU has been fixated on expansion (a historical trait for Germany) at all costs. Most of these 1980s entrepreneur companies ended up unravelling, but some restructured back to core business and survived. I see this as the only way of survival for the EU and ERM.

    Sadly, ERM’s over-concentration on risk heat-maps and dashboards has created a false sense of security. They distract from the effort needed to develop interactive risk models that allow senior management to understand and manage disruption. Just as the EU has been hijacked from its original economic purpose, so I see ERM being hijacked from its original intent to strengthen organisational resilience.

    The fixation with Emerging Risks

    Whether my guesses about the future are right or wrong, ERM is a navigation tool, not a crystal ball. Invariably, our biggest disruptions are sudden, momentous, and ones for which we are not prepared.

    Instead of occupying our time and effort with trying to predict the future, risk management functions would do better building business resilience to handle major disruptive events. It should empower you to identify the best course when there is an unexpected change in your business environment and highlight any likely threats or obstacles. Yes, keep one eye on the horizon but make sure your navigation system is operational.

    Brexit also raises several issues for modern risk management. First, is your effort in identifying emerging risk really cost justifiable? Second, how does it add to your resilience? Finally, can your ERM tell you where you stand now, AFTER the event has occurred? If you cannot answer these three questions, then your ERM is a failure.

    1.2 Past Failures

    What do I mean by failed? By failed, I mean that risk management has failed to deliver the promised benefits. Outside the governance, risk, and compliance (GRC) fraternity, most senior executives will agree that risk management is, at best, an evil necessity, and at worst, a bureaucratic waste of time. But most likely, that it is just another failed management fad.

    In the same way that a weed is a plant in the wrong place, a management fad is a strategy poorly implemented. Unfortunately, in risk management many of those working in the field are debating the furnishing fabrics while the house is burning, or believe they can fix it if people work harder. I believe we need to reassess how we do risk management.

    Although in recent years there have been a plethora of case studies on large-scale business failures, I have used Ford and QANTAS as they are companies that were heralded as benchmark examples of Risk Management practices.

    Ford Australia’s closure

    Ford was an iconic brand in Australia for nearly 100 years. Supporter rivalry of Ford vs. General Motors was the stuff of legends; the automotive equivalent of the Liverpool vs. Manchester United rivalry. No other product could dream of this level of consumer advocacy.

    In the 1970s, Ford produced the ultimate muscle car, still talked about today, and its luxury models served as limos for visiting heads of state.

    Ford Motor Company management claimed it was no longer economical to manufacture in Australia due to the high labour costs. However, German manufacturers BMW, Mercedes, Audi and Volkswagen somehow seem to manufacture with higher labour costs, environmental controls, and taxes. So maybe there is something else going on at Ford.

    Writing about Ford’s decision in The Australian newspaper, Maurice Newman argued government needed to work urgently to restore our international competitiveness. He wrote, "… why invest billions in modernising? The decision to shut down in October 2016 was the only rational one."

    I lay the fault at Ford management’s feet. The purpose of management is to cater to the push and pull of the business environment, and not just to survive, but to grow.

    When management sleeps on the job

    Of course, Ford did not jump straight from dominance to closing up shop. Ford slipped from selling 84,000 vehicles in Australia in 2003 to only 14,000 in 2012. I think free-fall is a more apt description. An 83 percent drop in sales?

    Had Ford management been asleep for 10 years? There is a dire lesson in this for anyone in business. Look at Ford worldwide. The Ford Focus was one of the top selling cars in Europe, while the Ford F150 was one of the biggest selling pickups in the U.S. On top of this, Ford had a well-publicised ERM framework. Since 4-cylinder compacts and SUVs account for 80% of the Australian market, how could Ford Australia have had an 83% drop in sales and become no longer economical?

    Death by 1,000 cuts

    Ford was stuck in the 1980s. Marketing was out-of-date and mediocre. Customer service was laissez-faire at best. Last year, while looking for a new car, I went to Ford to test drive the latest Mustang (yes, showing my age). Not only did I have to return the next day because the boss was out to lunch (what difference did that make?), but I did not even get a sales call-back for 3 weeks. By that time, I had bought an Audi.

    But I digress. Where were Ford’s executives during the company’s free-fall? Should they not have acted before it got to that point? They had 10 years. That is the key. Ford suffered death by 1,000 cuts. Too many managers accepted poor results as being out of their control. They kept using last year’s results to budget for next year, which only breeds decreasing performance. Those approaches, along with cost cutting to shore up the dwindling bottom line, may feed executive short-term bonuses but lock in long-term failure.

    Simple good governance comprises proactive risk management plans with mitigation strategies, not charts. Proactive risk management is about planning for the future, not reporting the past.

    You need to tie customer feedback, like risk, back to hard corporate objectives, not soft feel-good values. Product development must be oriented toward advancing customer expectations, not cost cutting. In the 2020s, customers expect innovation and to be wowed. Apple and Tesla have proven this paradigm.

    Marketing is for developing the market, not merely beating last year’s results. In addition, if you accept reputation is a key factor in customer decision-making, then developing the corporate image must be a key aspect of a company’s marketing strategy. A key element of reputation comes from good governance. Good governance is no longer a luxury enjoyed by large profitable companies, but a survival skill for all businesses.

    The greatest threat to your business is mediocrity. You can easily identify mediocre management by their contempt for compliance and risk management. They prefer frenetic activity (aka firefighting) to prevention and planning.

    I do not believe anyone would question that we are living in a changing world. That requires management not only to keep up with change but to anticipate it and gain the requisite skills to be ready. Coming from an IT background, where technology completely reinvents itself every 5 years, I learnt to be continually retraining, exploring new opportunities, and monitoring changes to identify technology shifts. Being situationally aware and remaining flexible is a survival skill in IT. Operating in a fast-changing environment is no longer just the preserve of IT. It is now the standard operating environment for all management.

    Regardless of how much mediocre managers would like to consign Risk to the trash heap of management fads, it is now embedded as a regulatory requirement, so will not be going anywhere in the near future. So the question is whether it is to be an overhead and albatross around your neck, or a strategic tool for driving growth.

    If the latter, as an executive, you will need to understand at a strategic level how to deploy these skills to weaponise risk management in the 2020s:

    1. Probability and Statistics (simulations, distributions, Bayesian inference, visualisations)

    2. Organisation behaviour (psychology, decision theories, communications)

    3. Artificial Intelligence (both as a tool for ERM and its threats when used in business)

    4. Cyber Security (you need to be all over your single largest risk)

    5. Change Management (ironically, it keeps changing)

    Failure of risk management is not just an operational weakness. As Boards have responsibility for risk, they too need to lift their game. Just as with due diligence, ignorance is no excuse. Case in point: QANTAS.

    QANTAS $3 Billion Loss in 2014

    Understandably, QANTAS reported a $2 billion loss in 2020 due to the COVID-19 shutdown. However, back in 2014, where was the QANTAS Board Risk & Audit Committee during the previous 6 years of Alan Joyce’s systematic destruction of what was, at one time, one of the world’s leading airlines?

    Following the 2014 announcement of the QANTAS $3 BILLION loss, there was a wave of calls for the sacking of Alan Joyce as CEO. However, there was still a strong chorus of supporters saying the result was just a myriad of complex problems, i.e. another death by 1,000 cuts. To the outside world, it looks more like Monty Python’s mutilated Black Knight maintaining, "'Tis but a scratch".

    In a series of focus groups conducted in February that year, participants agreed that "Joyce and his team have ruined QANTAS for their own ends" and that QANTAS needs to heal the rift between its staff and management to gain more confidence, and thus more patronage, from the public. See this link for more detail.

    But was Alan Joyce the root cause? The Board appointed a person whose track record was Ansett (an airline that collapsed) and Jetstar (a low-budget regional airline) to run a premium-end global company? Could lack of understanding of the industry be an issue? Of the QANTAS board members, only three had direct previous airline experience, compared to BHP, where nine of the fourteen board members have mining/energy experience. Yes, diversity on boards is important, but they require a core of strong industry experience. This over-emphasis on diversity is because QANTAS was largely government owned.

    According to the QANTAS governance statement, "Material risks and management’s responses to managing these risks are escalated to executive management, board committees, and the board". A $3 billion loss! If escalation of risk to the Risk & Audit Committee occurred, and on to board level, how was it not mitigated? Without being present at QANTAS board meetings, no one knows if it was the result of a lack of understanding or of capability. One thing is for certain: it was a failure of the QANTAS risk management framework.

    Unfortunately, there is a widespread attitude in boardrooms that risk management is a regulatory compliance issue, and that the purpose of the Risk & Audit Committee is to publish the annual compliance statement. Although legislated, the real purpose of the Risk & Audit Committee is to inject breadth and longevity into board deliberations. Over-focusing on specific issues such as ownership and cost cutting invariably results in the destruction of shareholder value. As I will cover in a later chapter on Strategic Imperatives, the balance of competing objectives develops the overall health of a business that drives growth.

    Reputational risk, of which QANTAS still does not appear to be aware, is a company’s greatest risk, and I believe is the primary cause of the QANTAS predicament. Joyce’s war on its workforce and his obsession with ownership (which is the reason for the focus group’s comment that they have ruined QANTAS for their own ends) have been instrumental in the destruction of the brand and company image. QANTAS’s image as the only airline never to have crashed, a la Rain Man, was gutted by his public brawl with aircraft maintenance engineers and by Joyce’s comments on the need to change ownership to update their ageing fleet.

    QANTAS’s second principal attraction was the friendly and personal nature of its service staff. You wouldn’t believe it now, but at one time the welcoming smile at check-in and the genuine personal interest of in-flight cabin staff were a trademark of QANTAS. It featured in their advertising and made them the envy of the airline industry. Recently at the Melbourne Comedy Festival, three separate comedians did skits on the poor customer service levels now at QANTAS, a derision once reserved for communist airlines and Air France. The leading airline mantle has now been taken by the likes of Emirates and Etihad (and even worse, Air New Zealand).

    And Mr Joyce, it has nothing to do with cost savings and ownership.

    Message to QANTAS board: Apple was never the cheapest PC or phone. Consumers bought the product based on image, vision, and great service. Customer satisfaction drives reputation, which drives seat numbers. Customer satisfaction comes from staff attitude and commitment, which comes from the top, but sadly long lost at QANTAS.

    So what does all this have to do with risk management? If QANTAS had a truly effective risk management system and a functioning Risk & Audit Committee, they could not have continued to ignore the deterioration in the risk profiles of reputation, sustainability, and shareholder value. A proper profile has mitigation strategies and key risk indicators that would have gone red long before hitting $1 billion, let alone $3 billion. Previously, I asked whether Ford Australia’s management were asleep at the wheel. One must now wonder when those at the controls of QANTAS will ever wake up.

    1.3 Why Risk Management is broken

    First, we must understand why the traditional approach to risk has failed.

    Why Risk Management is Failing

    The vendor agenda

    Over the last 10 years, the buzzword in risk has been Enterprise Risk Management (ERM), pushed predominantly by software vendors. The problem is that most software systems attempt to apply the same risk methodology across all aspects of an organisation, regardless of the differences in their operations, their approach to risk, and their individual risk appetites.

    Risk management is 80 percent art and 20 percent science. The 20 percent science relates to the mathematics of technical risk management, while the 80 percent art relates to organisational behaviour. The common complaint is that risk management focuses too much on operational risk and not enough on technical risk management (e.g. financial risk). That is true, but only because, like market forces, that is where the need is. Management of financial risk didn’t prevent the global financial crisis, nor was it the cause. The global financial crisis can be put down to systemic issues, whether inappropriate modelling, rogue trading, or poor decision-making, not technical issues.

    Improved technical risk management would not have prevented the global financial crisis. Improved operational risk management would have.

    Regardless, I agree with the criticism that most people in the field lack technical (mathematical) expertise. The sad truth is, that even with the 80/20 rule, outside the finance and insurance industries a 20 percent technical ability would be a stretch for most involved in risk management today. Regardless, for all those financial risk managers complaining about the qualification of operational risk management, I would ask them their view on cyber-security prevention techniques. There is the rub. Current enterprise risk management is intrinsically flawed in trying to treat all risk management the same. Risk management in each
