July 2018
Questions for Audit Committees About Your Risk Register
26/Jul/18 12:18
Once upon a time, I was a CFO who dutifully prepared and updated our company's Risk Register and reviewed it with our Audit Committee. Over time, however, I came to appreciate this tool's shortcomings as well as its strengths. Indeed, this could also be said for our overall Enterprise Risk Management process. I've now had six years to further reflect on and write about these issues here at Britten Coyne Partners as we've interacted with our clients and conducted additional research. I've concluded that there are some important questions that Audit Committees need to ask about their Risk Registers, which can lead to discussions that produce deeper and more important insights about risk governance.
Question #1: What risks are included? And more important, what's missing?
The Risk Registers I've seen over the years are generally long risks whose likelihood and potential impact are easy to quantify, and short those that are not. Moreover, the easier a risk is to identify (i.e., discrete risk events) and quantify, the easier it is to price and transfer, via insurance or financial derivative markets. Hence this also makes it easy to identify and quantify the impact of risk mitigation options. Unfortunately, uncertainties that represent true existential threats to companies survival typically don't meet these tests.
How many Risk Registers include risks to the growth rate and size of served markets, or to the strength of a company's value proposition within those markets, or to the sustainability of its business model's economics, or the health of its innovation processes? Because these are usually true uncertainties, rather than easily quantified risks, too many Risk Registers fail to include them, or do so in a manner that is far too generic.
Question #2: Do Risk Likelihood and Risk Impact capture what really kills companies?
Think about all the stories you've read or heard about how different companies failed. What is perhaps the most common plot line you hear? In our experience, it is this: "They waited too long to act."
This brings us to the most glaring omission from the Risk Register concept: Time Dynamics. Our education and consulting work with clients focuses on three issues: (1) early anticipation of emerging threats; (2) their accurate assessment; and (3) adapting to them in time. We stress the need to estimate the rate at which a new threat is developing, and the time remaining before it reaches a critical threshold.
In light of this, it isn't enough to simply develop "mitigation actions" or "adaptation options." You also need to estimate how long it will take (and how much it will cost) to put them in place, and the likelihood they will be sufficient to adequately respond to the threat (at minimum, this means keeping the company from failing because of the new threat).
Unfortunately, few Risk Registers tell you anything about time dynamics. Instead, they focus on the likelihood a threat will develop, but usually don't discuss what "develop" means in terms of a specific threshold and time period.
Question #3: Will those mitigation actions really reduce the potential risk impact?
Many Risk Registers significantly reduce the potential negative impact of different risks by netting them against the presumed benefits of various risk mitigation options. This can make them look far less dangerous than they really are.
In too many cases, however, little or no detail is given about how long those mitigation actions will take to implement, how much they will cost, where they stand today, their chances of success, and the range of possible positive impacts they could have if the risk actually materializes. Rather, these Risk Registers blithely assume that the legendary "Risk Mitigation Cavalry" can be counted on to ride over the hill in time to save the day. Too many non-executive directors have learned the hard way that believing in this story without asking tough questions about it can turn out to be a very costly decision.
Question #1: What risks are included? And more important, what's missing?
The Risk Registers I've seen over the years are generally long risks whose likelihood and potential impact are easy to quantify, and short those that are not. Moreover, the easier a risk is to identify (i.e., discrete risk events) and quantify, the easier it is to price and transfer, via insurance or financial derivative markets. Hence this also makes it easy to identify and quantify the impact of risk mitigation options. Unfortunately, uncertainties that represent true existential threats to companies survival typically don't meet these tests.
How many Risk Registers include risks to the growth rate and size of served markets, or to the strength of a company's value proposition within those markets, or to the sustainability of its business model's economics, or the health of its innovation processes? Because these are usually true uncertainties, rather than easily quantified risks, too many Risk Registers fail to include them, or do so in a manner that is far too generic.
Question #2: Do Risk Likelihood and Risk Impact capture what really kills companies?
Think about all the stories you've read or heard about how different companies failed. What is perhaps the most common plot line you hear? In our experience, it is this: "They waited too long to act."
This brings us to the most glaring omission from the Risk Register concept: Time Dynamics. Our education and consulting work with clients focuses on three issues: (1) early anticipation of emerging threats; (2) their accurate assessment; and (3) adapting to them in time. We stress the need to estimate the rate at which a new threat is developing, and the time remaining before it reaches a critical threshold.
In light of this, it isn't enough to simply develop "mitigation actions" or "adaptation options." You also need to estimate how long it will take (and how much it will cost) to put them in place, and the likelihood they will be sufficient to adequately respond to the threat (at minimum, this means keeping the company from failing because of the new threat).
Unfortunately, few Risk Registers tell you anything about time dynamics. Instead, they focus on the likelihood a threat will develop, but usually don't discuss what "develop" means in terms of a specific threshold and time period.
Question #3: Will those mitigation actions really reduce the potential risk impact?
Many Risk Registers significantly reduce the potential negative impact of different risks by netting them against the presumed benefits of various risk mitigation options. This can make them look far less dangerous than they really are.
In too many cases, however, little or no detail is given about how long those mitigation actions will take to implement, how much they will cost, where they stand today, their chances of success, and the range of possible positive impacts they could have if the risk actually materializes. Rather, these Risk Registers blithely assume that the legendary "Risk Mitigation Cavalry" can be counted on to ride over the hill in time to save the day. Too many non-executive directors have learned the hard way that believing in this story without asking tough questions about it can turn out to be a very costly decision.
Comments
Yoda is Right About Failure
09/Jul/18 14:39
In the movie “The Last Jedi”, Yoda utters this wonderful quote to Luke Skywalker:
“Heeded my words not, did you? ‘Pass on what you have learned.’ Strength, mastery, hmm...but weakness, folly, failure, also. Yes, failure, most of all. The greatest teacher, failure is.”
At Britten Coyne Partners, we could not agree more with Yoda. And with that in mind, we offer you this summer reading list of some of our favorite books about failure (from individual to organizational to societal), and the many lessons it can teach us.
· “The Logic of Failure”, by Dietrich Dorner
· “Normal Accidents”, by Charles Perrow
· “Flirting with Disaster", by Gerstein and Ellsberg
· “The Field Guide to Understanding Human Error”, by Sidney Dekker
· “Meltdown”, by Clearfield and Tilcsik
· "Inviting Disaster”, by James Chiles
· “Why Decisions Fail”, by Paul Nutt
· “Why Most Things Fail”, by Paul Ormerod
· “The Limits of Strategy”, by Ernest von Simson
· “How the Mighty Fall”, by Jim Collins
· “Surprise Attack”, by Richard Betts
· “Surprise Attack”, by Ephraim Kam
· "Pearl Harbor: Warning and Decision", by Roberta Wohlstetter
· "Why Intelligence Fails", by Robert Jervis
· “Military Misfortunes”, by Eliot Cohen and John Gooch
· “This Time Is Different”, by Reinhart and Rogoff
· “Irrational Exuberance”, by Robert Shiller
· “Manias, Panics, and Crashes”. by Charles Kindleberger
· “Crashes, Crises, and Calamities”, by Len Fisher
· “The Upside of Down”, by Thomas Homer Dixon
· “Understanding Collapse”, by Guy Middleton
· “Why Nations Fail”, by Acemoglu and Robinson
· “The Rise and Fall of the Great Powers”, by Paul Kennedy
· “The Rise and Decline of Nations”, by Mancur Olson
· “The Collapse of Complex Societies”, by Joseph Tainter
· “The Seneca Effect”, by Ugo Bardi
“Heeded my words not, did you? ‘Pass on what you have learned.’ Strength, mastery, hmm...but weakness, folly, failure, also. Yes, failure, most of all. The greatest teacher, failure is.”
At Britten Coyne Partners, we could not agree more with Yoda. And with that in mind, we offer you this summer reading list of some of our favorite books about failure (from individual to organizational to societal), and the many lessons it can teach us.
· “The Logic of Failure”, by Dietrich Dorner
· “Normal Accidents”, by Charles Perrow
· “Flirting with Disaster", by Gerstein and Ellsberg
· “The Field Guide to Understanding Human Error”, by Sidney Dekker
· “Meltdown”, by Clearfield and Tilcsik
· "Inviting Disaster”, by James Chiles
· “Why Decisions Fail”, by Paul Nutt
· “Why Most Things Fail”, by Paul Ormerod
· “The Limits of Strategy”, by Ernest von Simson
· “How the Mighty Fall”, by Jim Collins
· “Surprise Attack”, by Richard Betts
· “Surprise Attack”, by Ephraim Kam
· "Pearl Harbor: Warning and Decision", by Roberta Wohlstetter
· "Why Intelligence Fails", by Robert Jervis
· “Military Misfortunes”, by Eliot Cohen and John Gooch
· “This Time Is Different”, by Reinhart and Rogoff
· “Irrational Exuberance”, by Robert Shiller
· “Manias, Panics, and Crashes”. by Charles Kindleberger
· “Crashes, Crises, and Calamities”, by Len Fisher
· “The Upside of Down”, by Thomas Homer Dixon
· “Understanding Collapse”, by Guy Middleton
· “Why Nations Fail”, by Acemoglu and Robinson
· “The Rise and Fall of the Great Powers”, by Paul Kennedy
· “The Rise and Decline of Nations”, by Mancur Olson
· “The Collapse of Complex Societies”, by Joseph Tainter
· “The Seneca Effect”, by Ugo Bardi