Tag Archives: James Bone is a Behavioral Risk Consultant with more than 20 years of experience in senior risk management roles across a variety of complex industries. Follow James at TheGRCBlueBook.com

2014-10-04 by: James Bone Categories: Risk Management Risk Management’s Tower of Babel



I was a risk manager before risk management was cool!

It seems that everyone wants to be a risk manager today.  This is great news because with more people thinking about risks the better.  But there is uneasiness with risk management today that swings between a necessary evil and Risk as a Service set of expectations.  The truth, as usual, lies in the details.

To date, no central self-regulatory group has emerged in risk management with the mission of defining the language of risk.  Risk management has developed from the ground up with a diverse and eclectic set of specialized risk standards that span industry, government, sovereign entities and the military.

Risk management has become “hip” and very confusing as well!

Should risk management be codified?

How an organization defines its risks shape the expectations and duties of a risk manager.  How one measures a risk management program depend, in large part, on the success of its outcomes?   All too often organizational risk programs start with a definition of risks but fail to clearly define the expected outcomes of the program.

Vague definitions of risk outcomes are easily identified by statements such as “no surprises”, “proactive” and “look around corners”.  Even regulatory prescriptions such as “prevent, detect and correct” are less than informative.

Are these realistic outcomes or the wishes of management and regulators to not deal with uncertainty and the messiness of bad judgment?

Uncertainty, by definition, cannot be anticipated including the vagaries of human behavior and random events that can disrupt operations.  When unexpected events happen is it a failure of the risk program or a chance event?  Risk happens, but all to often the inevitable second guessing of the risk program has become a competitive sport inside and outside of many organizations.

The imprecise use of the language of risk has led to unrealistic expectations of risky outcomes.  Codifying risk management may be easy in theory but impractical in the real world.

There are benefits to standards and a common language in risk management.  The development of risk standards and frameworks has broadened risk awareness.   Less well understood is the difference between a risk and uncertain events.

Humans, including risk managers, are still prone to judgment error and have not evolved the skills to “prevent and detect” uncertainty before it happens.   Judging a risk program when it fails to anticipate an uncertain event is like expecting risk management to accurately predict the weather 100% of the time.  We joke when the Weather Channel over states adverse conditions but careers are not ruined if the storm is more or less severe than expected.

Is the next milestone in risk management a fuller recognition of human behavior?  Standards and frameworks are less responsive to real-time risks.  The Bill Gross/Pimco dilemma is an interesting example of uncertainty.  And Gross is not the only example.   It is instructive that human behavior is hard to anticipate.   Maybe more instructive is the fact that most organizations don’t anticipate that uncertainty, not risk, is the big disruptor of organizational outcomes.

What is risk management?

Not surprisingly, if you research the definition of Enterprise Risk Management you will get more than two dozen slightly different versions.  What other profession has 24 or more different definitions for one fundamental concept?

Risk, it’s complicated.

Let me give you one example of a definition for Enterprise Risk Management from a consultant in the Healthcare Industry.  A true quote:

“Healthcare Risk management’s role was formally focused on claims & loss control. Over time the risk manager graduated to an expanded focus on clinical risk in-hospital.  Unfortunately the position remained reactive versus proactive with a focus on [inspection check-off lists].”  “Today’s Enterprise Risk Management approach must be system-wide, include a multidisciplinary approach and incorporate an integrated application designed to address risk across the continuum of care.  ERM’s goals must assist the organization in achieving its objectives, reduce uncertainty, minimize process variability, promote patient safety, maximize return on assets and enhance asset preservation while recognizing the diversity of risk possibilities.”

There are brilliant risk managers in every organization and a few may actually have many of the skills described above but let’s assume that you are this person.   Would you be given the leverage and decision-making ability to accomplish all of the expectations described in this job description?   Risk management is seldom critical-path to strategic financial and business objective setting.

In reviewing each of the two-dozen or more definitions of enterprise risk management it is easy to understand why there would be some confusion given obtuse descriptions like the one above.

Risk management isn’t an effort conducted in the isolation of one department. Risk management is an outcome of grounded decision-making across an organization.  Even great firms struggle with the challenge of coordinating the efforts of risk management and prioritizing the diversity of risks that are becoming more transparent.

 Not all risks deserve the same attention

When things go badly in companies “culture” is typically cited as the true cause.  Corporate culture may be overrated as a governance control.  Who is responsible for an organization’s culture?

In most organizations senior management sets the tone for how aggressive or conservative an organization pursues risky ventures.  Management incentives often determine which route is pursued yet risk management is often judged by the outcome of the decisions that work out versus the ones that fail.

The uncertainty of choosing between the two is the real challenge!

Risk, is in the eye of the beholder!

Research has shown that we each see risks differently.  Heads of state must deal with different risks than their counterparts in non-profit organizations.  Is it realistic to expect a framework to account for the nuisance inherent in all organizations? Some managers are risk adverse while others are risk takers.  Aligning the organization with the risks taken is the art of risk management.

Removing the Tower of Babel

 Let’s simplify the language of risk.  If risk is in the eye of the beholder we must be able to discuss risk using terms that everyone understands.  The importance of developing a common understanding of risks should not be underestimated.  A lack of agreement on risks is one of the leading causes of a failure to execute.

But in order to simplify the language of risk it is important to talk in terms of how we each experience risk.  Even very powerful people like Bill Gross have fears.  Would things have turned differently if communication had not broken down?  We will never know the answer but it is clear that risk management is as intimate as a broken relationship.

Sometimes, risk management is just about listening and being heard.

James Bone is a Behavioral Risk Consultant with more than 20 years of experience in senior risk management roles across a variety of complex industries.  Follow James at TheGRCBlueBook.com

2014-09-22 by: James Bone Categories: Risk Management Santander Bank’s Secret to Conquer the World – Simple, Prudent Risk Management

Chairman of Santander

Martin Vander Weyer The Spectator 20 September 2014

Four years ago, I wrote that I knew no dark rumors about Santander, the rising force in UK high street banking, but that history taught me banks which expand rapidly and globally ‘always come unstuck in the end… partly because the challenge of risk control across such vast portfolios becomes impossible… Banks that have been driven by one powerful personality also tend to lose management grip, and start finding skeletons in cupboards, as the big man comes to the end of his tenure.’ The big man in question was third-generation chairman Emilio Botín — who died in post last week, aged 79. Santander is now Europe’s largest financial group, but despite years of economic turmoil and real-estate bust in its Spanish home market, and despite my own forebodings, it still looks pretty strong. So what was Emilio’s secret?

The answer, I suspect, was a combination of simplicity, technology, and team spirit — three factors that have proved sadly deficient in many other big banks. Botín’s principles were those of the old-fashioned small-town banker he was born to be: ‘If you don’t know your customers very well, don’t lend them any money.’ But his bank’s computers were anything but old-fashioned — and Santander pulled out of buying a bundle of RBS branches largely because the systems put in by Fred Goodwin were so poor it was impossible to ensure ‘a seamless journey’ for customers. As for esprit de corps, one associate told me: ‘

Given all that, it makes more sense than it might otherwise have done for Emilio to be succeeded in the chair by his daughter Ana Patricia, who acquitted herself well as head of Santander UK and has long been in a position to study his methods. Meanwhile, I see the Barclays board has ignored my advice (I’m sensing a pattern here) to pick a no-nonsense female chairman in the mould of Ana Patricia: instead they have gone for a higher level of corporate correctness and appointed a no-nonsense Scotsman. He is John McFarlane — a veteran banker with ANZ, Standard Chartered and Citibank on his CV — and I hope his visa is in order.

After the vote

No-nonsense businesspeople will be very much what’s needed in the aftermath of the Scottish Catastrophe, as it will surely come to be known whichever way the vote has fallen. No nation, independent or semi-autonomous, can hope to prosper on the basis of the wild welfare promises of the SNP, unsupported by any plan to attract investment and stimulate growth. Only a resurgent private sector can drag Scotland out of the tax-and-spend peat bog into which this referendum has driven it deeper than ever — and that will take quite some grit on the part of entrepreneurs, given the fundamental hostility of both the SNP and Scottish Labour.

But grit —even granite ruthlessness — is a characteristic shared by the outstanding Scottish business builders of the past. Think of Dr William Jardine of Lochmaben, who became the great opium trader of Canton; or Dunfermline-born Andrew Carnegie, robber baron of 19th-century American steel; or Robert Fleming, Dundonian financier of American railroads. In more recent times I have personally encountered three who typify the breed: Sir Ian McGregor from Kinlochleven was the implacably tough National Coal Board boss who defeated the 1984 miners’ strike; Sir William Purves from Kelso (happily still with us) was a formidable chairman of the Hong Kong Bank; and Gordon Baxter was the hard-as-nails force behind the cosy image of his family’s soup and jam enterprise at Fochabers.

Today’s Scottish business role-model is Michelle Mone, Glaswegian inventor of the Ultimo push-up bra, who looks a lot friendlier than all those old-school chaps. But I suspect she’s just as tough a cookie — and she threatened to move her company to England in the event of a ‘yes’. That’s the other problem with Scottish business talent: so much of it, down the centuries, has been exercised outside Scotland. Who will now persuade the wealth creators to stay at home and pick up the bills?

Watch the oil price

One thing that might benefit Scotland, given predictions of falling North Sea revenues, is a rise in oil prices — which is what we’d normally expect at a time of Middle East mayhem. But to the surprise of some speculators the graph is currently pointing the other way: prices have fallen 15 per cent since mid-June, with West Texas Intermediate down to just above $90 a barrel at the beginning of this week. Why? Because US production is at a 28-year high, Libya is going strong and Iraqi production has not been as seriously disrupted by Islamic State insurgency as was feared. On the other side of the equation, Chinese industrial growth registered a mere 6.9 per cent in August, its weakest annualised rate since 2008, and western demand has slackened — not helped by European jitters over the outcome of the Scottish Catastrophe.

Meanwhile, the slothful sheikhs of Opec have not convened an emergency meeting because they say the trend is seasonal and the price will recover — but if they’re wrong and it goes on down, all sorts of consequences follow. Though the slump of 2008 saw lows of around $40, a level of $100-plus is now needed for most big oil companies to remain adequately profitable. US shale drillers consider $80 to $85 to be the ‘sweet spot’ at which capital is attracted into their sector, but many deep-water or otherwise inaccessible oil exploration projects only become viable at levels of $120 or more. A sustained phase of lower prices would switch off an awful lot of new drilling — and make us all that little bit more vulnerable to what happens next in the turbulent Islamic world.

This article first appeared in the print edition of The Spectator magazine, dated 20 September 2014

James Bone is a Behavioral Risk Consultant with more than 20 years of experience in senior risk management roles across a variety of complex industries.  Follow James at TheGRCBlueBook.com

2014-07-08 by: James Bone Categories: Risk Management What the FIFA World Cup teaches us about Risk Management

soccer on the beach

Even if you are not a Futbol fan, or soccer fan as we know it in the U.S., you no doubt paid attention to the progress of the US team’s successes in the World Cup in Brazil.   The excitement of play and the exacting analysis of TV commentators is interesting to watch but hard to follow in part because of the complex scoring system used in the FIFA World Cup standings.

In an attempt to better understand how the World Cup scoring system worked I went right to the source, FIFA.com.

Here is what I found: First of all, let me say that the scoring system and World Rankings of teams who compete in the FIFA World Cup is stunningly complex.  Here is the formula used to calculate points for the FIFA World Ranking:

P = M x I x T x C x 100.

M. Points for a victory (3 pts. – Win; 1 pt. – Draw; 0 pts. – loss)

I. Importance of a match (Friendly – 1.0 pt.; World Cup qualifier – 2.5 pts.; Continental final or FIFA Confederation Cup competition – 3.0 pts.; and, World Cup final – 4.0 pts.)

T. Strength of opposition [200 – ranking position of opposition / 100]

Only the top 149 teams are assigned a value of 2.00; All other teams receive a minimum weighting 0.50

C. The strength of a confederation [There are six separate confederations which are each given a weight from 1.00 – 0.85 after each FIFA World Cup event]

Based on the complexity of the scoring system one would assume that the brackets in the World Cup would be determined by which teams ranked highest.  One would be wrong!  The ranking system appears to simply determine the 32 qualifying teams who will compete in the World Cup.

A Final Draw is conducted of the 32 teams to decide which team is placed into one of 4 groups which must then be rebalanced after the draw to sort out the correct number of teams placed in each group of play. Once the competition begins an even more confusing system is used to determine who advances in the World Cup.

Here is how it works:   The two teams with the most points in each group make it to the Round of 16.  If teams are level on points, the first tiebreaker is goal differential.  The next tiebreaker is goals scored.  If that number is the same, then the result of the head-to-head match is determinative.  If the head-to-head game ended in a draw, then finally, lots are drawn.

Got it so far?

How could an archaic and complex system like this have anything to do with risk management?  Well, if your risk assessment program resembles this scoring system you know you have a real problem.

It is no wonder that at least one of the groupings earned the moniker, “The Group of Death”.  This is when one group is selected with an unusually heavy weight of top competitors. The US team found itself in the Group of Death and almost escaped defying the odds.

So what are the lessons for risk managers?  First of all, complex or elaborate risk scoring systems do not result in better outcomes.  If you can’t easily explain how you assess risks to senior management you may have created a “FIFA”.  Complexity does not ensure accuracy and in many cases may hide the weaknesses inherent in your risk assessment program.

Next, complex risk systems may unintentionally predetermine outcomes because of a bias the designers used in determining what should rise to the top.  I am not suggesting that FIFA has rigged the outcome of World Cup events; others will judge the fairness of the system for themselves.

What I am saying is that over-engineering a process tends to incorporate a bias or the inherent biases of designers into the ultimate outcome(s) whether they are aware of it or not.  When designing a process to assess how results develop over time the program design should err toward capturing randomness as opposed to assumed outcomes based on past experience or fairness.

Don’t create your own version of a “Group of Death” simply because you know these risks exist.  FIFA-proof your risk program to gain credibility with senior management and ensure that you haven’t predetermined the risk outcomes in your program.

Futbol may never be as popular as American football or baseball in the US but you have to admit that some of the matches were exciting to watch, especially the drama of the US team or your other favorites in the World Cup!  Gooooooooaaaaaaaallllllllll!

James Bone is a Behavioral Risk Consultant with more than 20 years of experience in senior risk management roles across a variety of complex industries.  Follow James at TheGRCBlueBook.com