September 22, 2015 by: James Bone Categories: Risk Management Volkswagen – The Cost of Deception

“We screwed up”. Michael Horn, head of VW’s US operations, offered a stark apology and admission of cheating on diesel emissions. “Our company was dishonest with the EPA, and the California Air Resources Board and with all of you” was the confession offered by Mr. Horn during a press conference to discuss the now explosive findings of devices added to their cars to fake the appearance of passing emissions tests. The scandal, like most acts of deception, will widen into a predictable pattern of lost public trust, stock price declines, calls for the resignation of senior management as well as regulatory fines and legal action that may exceed 20% of the value of the firm, in some estimates.

Is deception worth the risk? The answer may surprise you! It may be easy to condemn Volkswagen, as many will in judging the firm’s actions, but should we rush to judgment so quickly? Jonah Lehrer, author of “How We Decide”, discusses the “Uses of Reason” and how rational people placed in specific circumstances can lose perspective and make irrational decisions. The shortened version of the story: In 1949 in the grassy highlands of Montana, firefighters had been called in to fight what was described as a minor brush fire. Mann Gulch was wedged between the pine trees of the Rocky Mountains and the grasslands of the Great Plains.

The fire, which began in the Rockies, had grown out of control by the time the firefighters reached the gulch. The small crew of smokejumpers were inexperienced and had no map of the terrain but had moved down toward the Missouri River in case things got out of hand. Suddenly, the winds changed course and began pushing the fire toward the men. As the men rapidly retreated down the gulch it became obvious the fire was moving faster than the men could run. However, a remarkable thing happened: the leader of the firefighters ordered the men to stop running from the fire and set fires where they stood. Unfortunately, the other firefighters either didn’t hear the command or decided the thought of facing sure immolation was too much and kept running. The captain of the firefighters survived while his men died in the rushing firestorm.

Caught up in the sheer panic of the moment, the firefighters experienced what is known as “perceptual narrowing”. The problem with panic is that it narrows one’s thoughts. Panic reduces awareness to the most essential facts, the most basic instincts, with survival being the strongest of these instincts.

What does fighting fires have to do with Volkswagen?

Decision making under pressure in the face of uncertainty is one of the biggest risks faced by all organizations. Decision failures such as the one experienced by Volkswagen are the most costly of all the risks organizations experience. If you add up all of the internal control failures, audit failures and operational risk failures, none exceeds the loss of credibility, stock value or public trust caused by the act of deception. The very survival of Volkswagen is now being questioned by some in the media. What could have led to Volkswagen’s perceptual narrowing event?

Volkswagen had built an assembly plant in Chattanooga, Tennessee and had plans to invest $7 billion to revamp its family of Passat diesel model cars. Volkswagen’s Passat was losing market share to Toyota and couldn’t keep up with model revamps of its competitors. Volkswagen had set a goal of overtaking Toyota by 2018 but instead lost 10% share in 2014 and was down 16% year to date in August of this year. In other words, panic had set in.

There is no justifiable excuse for deception, but the rush to judgment should be muted with a sense of humility. Small deceptions happen at many firms with the same level of acceptance that appears to have been pervasive at Volkswagen. Price deception, new product launches with known defects and financial products with hidden fees are just a few examples of deceptive practices that are passed off as justifiable business decisions to achieve higher sales goals or justify stock options and bonuses. “Others are doing it, why can’t we?”

Much will be made of Volkswagen’s deceit, and many were complicit in devising, installing, inspecting, auditing and accounting for the deceptive devices and executing such a massive fraud. However, instead of pointing fingers, Volkswagen should be used as an opportunity for discussion in board rooms, executive suites, risk management, auditing departments, and on the shop floor. Deception, no matter its size, sends a signal to the entire organization about what you really value.

September 9, 2015 by: James Bone Categories: Risk Management You Can’t Lead if No One Wants to Follow by Roger W. Ferguson, Jr., President & CEO TIAA-CREF

A recent search turned up more than 140,000 books on the topic of leadership. It seems there is an endless amount to say about this important topic. But the main thing you need to know is that leadership is really all about “followership,” or getting others to want to follow you. To put it another way: you can’t be out in front leading the parade unless there are people willing to line up and march behind you.

Followership is not conferred by a title, and it cannot be forced. Rather, it’s about inspiring people, and I believe there are four characteristics of leaders who do this well.

Expertise: You must have the right degree of expertise about your organization and the issues it is confronting, or you will never have credibility. You don’t see many amateurs among the ranks of leaders, because people want leaders who base their decisions on more than just gut reactions. That said, there are different kinds of expertise. Whether you are an engineer, teacher, or chef, you need a deep, rock-solid understanding of your discipline. But you should also develop a broader expertise — on the organization in which you’re working and on your industry or sector as a whole. You need that big-picture perspective to earn followership beyond just your functional area.

Appeal: George Clooney-style charisma is nice, but that’s not what I’m talking about here. I’m referring to the kind of appeal that stems from attributes associated with strong leadership, namely, the ability to:

1.  Make the big decisions.
2.  Effectively communicate those decisions and articulate the thinking behind them.
3.  Think both tactically and strategically.
4.  See the big picture – the “forest for the trees.”

Empathy: Effective leaders recognize that people have lives outside of work and sometimes need support and flexibility to balance competing demands and responsibilities. If you have an employee whose 3-year-old has strep throat or whose mother is experiencing dementia, you should take the time to understand his or her needs and support that employee in finding solutions. If you treat people with empathy, they may very well follow you to the ends of the earth; if you don’t, they will never line up behind you in the first place.

Fortitude: Effective leaders are the calm in the storm during the bad times, and they stay grounded in the midst of the good times. They are the shock absorbers of their organizations, tempering both the highs and the lows. Leaders with fortitude also know how to take criticism with a grain of salt. And let’s face it; there’s always criticism. But they won’t let it keep them from taking action, nor will they allow it to cloud their vision or sour their optimism.

Those four characteristics may sound pretty simple, but if being a good leader were simple, there wouldn’t be so many books on the subject. The abundance of advice may seem overwhelming at times, but if you keep your focus where it belongs – on being the kind of leader who is worthy of followership – you can’t go wrong.

September 7, 2015 by: James Bone Categories: Risk Management The revision of ISO 31000 on risk management has started

Reducing, anticipating and managing risk are all part of the daily grind for organizations that have integrated risk management into their business strategy. That’s why they often turn to ISO 31000 on risk management to support themselves in this task.
ISO standards come up for revision every five years, and ISO 31000, and its accompanying Guide 73 on risk management terminology, are no exception. Launching the revision process, ISO/TC 262/WG 2, the working group responsible for developing core risk management standards, gathered from 3 to 9 March 2015 in Paris – under the auspices of AFNOR, ISO member for France – to discuss the necessary changes to be made to the standard. Here, Kevin Knight, Chair of ISO/TC 262 on risk management, gives us the lowdown so far.

ISO/CD 31000, Risk management – Principles and guidelines, and ISO/CD Guide 73, Risk management – Vocabulary, are under revision. Why is this revision needed?
With the passage of time, a number of risk practitioners indicated that ISO 31000:2009 needed a limited review to ensure it remained relevant to users. As a result, ISO Guide 73:2009 will need to be revised in so far as changes are made to terms and definitions used in the revised ISO 31000, or additional terms and definitions are deemed necessary to assist users with their own documentation.

In other words, it is important that the two documents be revised at the same time?
Yes. All the terms and definitions in ISO 31000 are contained in ISO Guide 73, so any changes to the terms and definitions in ISO 31000 must be identical in both documents.

What are the main points of the revision? How is the content and language brought up to date?
Many have seen this limited review as an opportunity to seek greater changes that reflect the needs of major corporations and governments for a high-level document. As a consequence, ISO/TC 262/WG 2 had to deal with a total of 656 comments at its March 2015 meeting in Paris. While they did complete the task, it has demonstrated a need for a new high-level document that will require a full technical review by ISO/TC 262/WG 2 to develop a design specification (DS) that outlines additional issues to be addressed based on the comments examined in Paris. The DS will, of course, have to be approved by the participating members of ISO/TC 262 in order to proceed.

The first editions of ISO 31000 and ISO Guide 73 were published in 2009. What feedback have you received since then from the users of the documents and how is this feedback taken into account in the revision process?
ISO 31000 has been adopted as a national standard by more than 50 national standards bodies covering over 70 % of the global population. It has also been adopted by a number of UN agencies and national governments as a basis for developing their own risk-related standards and policies, especially in the areas of disaster risk reduction and the management of disaster risk.

The widespread use of ISO 31000:2009 has prompted a variety of questions to various experts, with national standards bodies and ISO seeking clarification on certain points of the standard. These points, combined with feedback from the national mirror committees, indicated a need to provide greater clarity in some areas.

A need was also expressed by risk practitioners, especially in the G20 economies, for a high-level document that reflects the way risk is managed in multinational organizations and national governments, as well as how risk management should be incorporated into the governance and management systems of organizations.

As it stands, ISO 31000 is a generic guidance document, which has been found to be very useful in developing countries and small to medium-sized enterprises. Yet there is a need for something more substantial than the guidelines contained in Annex A of ISO 31000:2009 to help organizations move further onwards, and that is what ISO/TC 262/WG 2 is currently working on.

What will the new editions change for users of these documents?
The limited review of ISO 31000 will hopefully provide greater clarity for its users.

What are the next important steps of the revision?
This will depend on the work being done by ISO/TC 262/WG 2 since the Paris meeting to develop a recommendation to ISO/TC 262. There are two possibilities:

1. ISO/TC 262/WG 2 finalizes the limited review of ISO 31000:2009 into a Draft International Standard (DIS) and sends it out for ballot; then it undertakes a full technical review to develop a design specification for a New Work Item Proposal (NWIP) for a high-level standard on the management of risk; or

2. ISO/TC 262/WG 2 seeks the approval of the technical committee to stop the “limited” revision and go directly – with the results achieved so far – to a full “technical” revision. This will need a design specification (DS) that outlines the issues to be addressed in addition to what has currently been achieved. A task group of ISO/TC 262/WG 2 has until end of June 2015 to develop the DS for comment and then submission to a ballot of the technical committee participating members, along with the latest Committee Draft (CD) of ISO 31000.

What is the target publication date?
This very much depends on the outcome of the proposals outlined above. In the event of the first proposal being adopted, I would expect the revised edition of ISO 31000 to be published in mid-2016. On the other hand, if the second proposal is chosen, then I would hope to see publication of the resultant standard by the end of 2017.

September 6, 2015 by: James Bone Categories: Risk Management Risk has a Shape

One of the central tenets of risk management is the idea that we understand “Risk”. Most definitions of risk management include terms such as assessment, evaluation, identification, control, transfer, reduction, retention and so on to describe what should be done to risk to protect the firm, patient or enterprise from bad outcomes. The benefits ascribed to risk management include the achievement of a firm’s business goals, better patient care, improved decision making, risk-adjusted returns on capital and a host of superlatives attributed to the proper risk framework or leading practice.

Very few risk management definitions actually explain how to accomplish these results with any degree of specificity. Instead, the definition includes vague descriptions of activities that lead to risk management. For example, a hospital definition of risk management: “The constellation of activities—planning, organizing, directing, evaluating and implementing—which are involved in reducing the risk of injury to patients and employees, as well as property damage or financial loss in a healthcare facility”. This definition, like many others of similar vagueness, is no more than “trial and error” disguised as risk management. What is clear is that we may not truly understand Risk as well as we think we do!

With few exceptions, there are two very large and glaring gaps in every definition of risk management. The first gap consists of a lack of recognition that a large body of well-established research and knowledge exists on how to measure risk. Risk has a shape, and the shape of risk is derived from the data of events composed of the things we call a risk. For example, hospitals document the number of wrong limbs cut off due to poor communications, or an IT department may count the number and type of Denial of Service (“DoS”) incidents it has experienced each month. Each of these events takes the form of various distribution patterns when plotted on a chart. The shape of risk can be defined by its distribution on a chart, such as normal, log-normal, and skewed distributions, to name a few. To truly understand risk you must understand its shape.

Anyone, without any training, can talk about risk management but if you can’t explain the shape of your risk then you have a cursory understanding of risk. This lack of understanding partially explains why risk management programs are perceived to have failed. The shape of risk helps to explain the behavior of the risks you face. What is perceived as a failure of risk management programs is really a failure to understand the limits of the tools used in risk management today. This is not a debate between nerds. We are often misled by risks every day because we do not understand the shape of risk.

The second gap in risk definitions deals with what cognitive scientists call heuristics and biases. Heuristics include intuition, norms, knowledge and shortcuts we use to understand and navigate the world we live in. Biases are long-held beliefs and preferences we establish over our lifetime. Whenever we are faced with new threats and uncertainty we oftentimes fall back on the things that worked in the past, only to learn that we were led astray by cognitive dissonance. Said simply, we fail to believe the facts that are counter to our beliefs or expectations until the risk is obvious to all.

Risk management, outside of scientific departments, Quant shops on Wall Street, and a few select quantitative fields, does not practice its art with precise tools for measuring risk or take into account the human errors inherent in heuristics and bias. Precision should be measured in degrees. Data scientists understand that all models are flawed but some models are more useful than others.

Making decisions under uncertainty requires that risk professionals understand the shape of their risks. The shape of your risks will tell you how much confidence to place in your data. As risk professionals begin to discuss risk in terms of degrees of confidence and probability of outcomes through the use of more precise tools, the expectations of and value in risk management become more evident. These tools will then lead to better decision making and help to overcome the flaws that simple heuristics and bias bring to sloppy thinking. I plan to address heuristics and bias in depth in upcoming articles, as the topic deserves much more explanation than I have given it in this piece.

The good news is that these tools exist today and you can begin to use them in your risk practice without becoming a data scientist or quantitative analyst. In fact, I maintain one of the largest free databases of risk management tools on the internet today. The level of sophistication and functionality of analytical risk tools continues to grow rapidly and will become standard practice in the next 5 – 10 years. Now you have no excuse for not knowing or understanding the shape of your risk.

September 4, 2015 by: James Bone Categories: Risk Management The False Promise of the Single Metric – Harvard Business Review

Managers and boards are often pushed by investors, fund managers, and analysts to focus intently on a single measure of success, such as shareholder value or profit, and then they do everything they can to maximize it. As a result, they tend to overlook other important measures — for instance, customer satisfaction, employee motivation, and supplier support — and their narrow view of the organization can do long-term damage.

Consider “Chainsaw Al” Dunlap, infamous for his profit-at-any-price approach to corporate turnarounds. He left a trail of failed companies behind him, including the iconic Sunbeam. He’s an extreme example, but one that shows what happens when you lose sight of organizational complexity. Companies should be managed much more holistically. As complex systems, they require systems of measurement to track progress against key goals. It’s common sense, but it bears repeating, given how many companies don’t operate that way.

I know firsthand how challenging it can be to take a holistic approach, especially when your organization is in crisis. I was once a CEO leading a corporate turnaround. After I’d taken the reins of a loss-making manufacturer of trusses and frames for houses, the management team had to give the bottom-line its sole attention to get the company back to profitability.

In short, we had to be a bit myopic to survive. Unprofitable, but still promising, product lines were cut, timber stocks were reduced to a bare minimum, employee numbers were razored, and long-term development activities were curtailed. We saved the company from being wound up — barely. But we also cut away the company’s muscle, leaving only the skeleton. It was no way to run a firm over the long term. Certainly, some enlightened CEOs and boards understand this.

When Paul Polman became the CEO of Unilever, for example, he stopped giving analysts’ earnings guidance, dispensed with quarterly profit reports, and said there’d be no special treatment for hedge funds. Instead, he focused his metrics on the long-term needs of a full range of stakeholders, as Unilever’s annual reports demonstrate. Initially the market took a dim view of this shift, punishing the stock price. But it rebounded months later, after analysts accepted Polman’s wider lens.

Think of it this way: Organizations are a lot like individuals. To live a full, satisfying life, you probably wouldn’t focus exclusively on wealth, sacrificing every bit of joy so you can have a large bank balance on your deathbed. Nor, most likely, would you concentrate only on your health, wrapping yourself in cotton wool to take zero risks with your well-being. Maximizing one thing would mean giving up too much in other areas. Most of us have found that it’s better to work on a combination of things — to look after the whole self’s best interests — by making many choices over time, from the foods we eat to the relationships we build.

Similarly, business leaders and governance teams must look after the whole company. Indeed, they’re charged by corporate law to do so. Their mandate is to improve the probability of their organizations’ long-term survival and growth. To gauge their success, they need a composite scorecard with both objective and subjective targets for key stakeholders. For instance, they may want to gauge employees’ productivity, innovation, and contentment, and customers’ profitable revenue and satisfaction. And so it goes, stakeholder by stakeholder. But here’s the thing: Even if a metric is classed as objective, someone ultimately has to apply the “good enough” test, which is subjective. This requires continual judgment and adjustment — it’s much messier than using a single metric — but it’s what executives and boards get paid for.

Graham Kenny is the managing director of Strategic Factors, a Sydney, Australia-based consultancy that specializes in strategic planning and performance measurement. He is the author of Crack Strategy’s Code (President Press, 2013) and Strategic Performance Measurement (President Press, 2014).