Tag Archives: Risk
Is it possible to manage an ethical company and be successful? Logically, most people would agree that, yes, ethics and success are not mutually exclusive conditions of sound governance. Yet, the Securities and Exchange Commission has found that private equity firms are more likely than not to break the law or have material conflicts of interests. Has the principle of fiduciary responsibility, the “Prudent Man” rule, been relegated to the dustbin of financial market ethos?
Recently, Blackstone Group, the world’s most profitable fund manager, was ordered to repay fund investors $28.9 million and assessed a $10 million fine by the SEC for failure to disclose the collection and handling of fees that should have been used to benefit investors. Blackstone, to its credit, reported that its internal audit group uncovered the problem and reported its findings to investors. However, senior executives within the firm had to conceive the idea and present the proposal to a governing board for approval. What is the cause of a lapse in ethical judgment?
Blackstone is not alone, in the same article several incidents of regulatory violations related to fee disclosure by fund managers were cited. Blackstone Group has $330 billion under investment and close to $3 trillion dollars under administration so what causes successful firms to cut corners? How does governance break down? A spokesperson for Blackstone Group responded to the violation by explaining, “our Limited Partner Advisory Committee did not exercise its right to object.”
One of the hottest topics in financial services is a new concept called Conduct Risk. The phrase “conduct risk” comprises a wide variety of activities and types of behavior which fall outside the other main categories of risk, such as market, credit, liquidity and operational risk. In essence it refers to risks attached to the way in which a firm, and its staff, conduct themselves. There is no clear definition for Conduct Risk so it is more like pornography right? You know it when you see it! But, that is not exactly correct. The reason conduct risk is hard to define is because we are misled by the frequency of certain events leading to errors in judging when bad ideas become bad behavior. These incidents beg the question of whether the unethical behavior by private equity firms is any different from Volkswagen’s emissions scandal?
The public outrage and media attention attributed to Volkswagen pales in comparison to reports of financial services firm misbehavior. Why is this the case? The answer is found in the field of cognitive science. Our views of events are shaped in large part by the frequency of news reports on a variety of risks we face. Shark attacks are a great example of this phenomenon. We believe that more humans are killed or maimed by sharks than cows. We know, empirically, that humans are killed or maimed by cows more frequently because farmworkers encounter more cows than beachgoers do sharks. Local news accounts of “death-by-cow” events just don’t draw the same attention as a shark attack leading us to misdiagnose the risk.
The same can be said to explain how we view misbehavior of financial services firms. The frequency of regulatory and financial misbehavior has become almost invisible and is often relegated to the second or third page of news. The shock factor has worn out and we are no longer surprised to find that some fund manager has over charged or failed to follow the rules.
So how does risk management, audit, compliance and ethics officers address conduct risk? What defense can be used when the argument is, “everyone else is doing it why can’t we?” This is the riddle of ethical dilemmas. There is no risk framework or internal control to deal with conduct risk. It represents 98% of all operational risk failures according to a recent study. For the largest firms, regulatory fines are no longer a deterrent and the costs of compliance, risk and audit has already been absorbed as a cost of doing business. The public is no longer outraged about being fleeced, and in fact, car buyers will return to Volkswagen and investors will, undoubtedly, return to Blackstone Group. Solving the riddle of ethical dilemmas is the biggest challenge faced by risk professionals who are ill equipped to adequately mitigate this risk.
It is possible to run an ethical company and be successful. But it is also possible for unethical behavior to creep into the boardroom and C-Suite because the costs no longer exceed the benefits.
I was a risk manager before risk management was cool!
It seems that everyone wants to be a risk manager today. This is great news because with more people thinking about risks the better. But there is uneasiness with risk management today that swings between a necessary evil and Risk as a Service set of expectations. The truth, as usual, lies in the details.
To date, no central self-regulatory group has emerged in risk management with the mission of defining the language of risk. Risk management has developed from the ground up with a diverse and eclectic set of specialized risk standards that span industry, government, sovereign entities and the military.
Risk management has become “hip” and very confusing as well!
Should risk management be codified?
How an organization defines its risks shape the expectations and duties of a risk manager. How one measures a risk management program depend, in large part, on the success of its outcomes? All too often organizational risk programs start with a definition of risks but fail to clearly define the expected outcomes of the program.
Vague definitions of risk outcomes are easily identified by statements such as “no surprises”, “proactive” and “look around corners”. Even regulatory prescriptions such as “prevent, detect and correct” are less than informative.
Are these realistic outcomes or the wishes of management and regulators to not deal with uncertainty and the messiness of bad judgment?
Uncertainty, by definition, cannot be anticipated including the vagaries of human behavior and random events that can disrupt operations. When unexpected events happen is it a failure of the risk program or a chance event? Risk happens, but all to often the inevitable second guessing of the risk program has become a competitive sport inside and outside of many organizations.
The imprecise use of the language of risk has led to unrealistic expectations of risky outcomes. Codifying risk management may be easy in theory but impractical in the real world.
There are benefits to standards and a common language in risk management. The development of risk standards and frameworks has broadened risk awareness. Less well understood is the difference between a risk and uncertain events.
Humans, including risk managers, are still prone to judgment error and have not evolved the skills to “prevent and detect” uncertainty before it happens. Judging a risk program when it fails to anticipate an uncertain event is like expecting risk management to accurately predict the weather 100% of the time. We joke when the Weather Channel over states adverse conditions but careers are not ruined if the storm is more or less severe than expected.
Is the next milestone in risk management a fuller recognition of human behavior? Standards and frameworks are less responsive to real-time risks. The Bill Gross/Pimco dilemma is an interesting example of uncertainty. And Gross is not the only example. It is instructive that human behavior is hard to anticipate. Maybe more instructive is the fact that most organizations don’t anticipate that uncertainty, not risk, is the big disruptor of organizational outcomes.
What is risk management?
Not surprisingly, if you research the definition of Enterprise Risk Management you will get more than two dozen slightly different versions. What other profession has 24 or more different definitions for one fundamental concept?
Risk, it’s complicated.
Let me give you one example of a definition for Enterprise Risk Management from a consultant in the Healthcare Industry. A true quote:
“Healthcare Risk management’s role was formally focused on claims & loss control. Over time the risk manager graduated to an expanded focus on clinical risk in-hospital. Unfortunately the position remained reactive versus proactive with a focus on [inspection check-off lists].” “Today’s Enterprise Risk Management approach must be system-wide, include a multidisciplinary approach and incorporate an integrated application designed to address risk across the continuum of care. ERM’s goals must assist the organization in achieving its objectives, reduce uncertainty, minimize process variability, promote patient safety, maximize return on assets and enhance asset preservation while recognizing the diversity of risk possibilities.”
There are brilliant risk managers in every organization and a few may actually have many of the skills described above but let’s assume that you are this person. Would you be given the leverage and decision-making ability to accomplish all of the expectations described in this job description? Risk management is seldom critical-path to strategic financial and business objective setting.
In reviewing each of the two-dozen or more definitions of enterprise risk management it is easy to understand why there would be some confusion given obtuse descriptions like the one above.
Risk management isn’t an effort conducted in the isolation of one department. Risk management is an outcome of grounded decision-making across an organization. Even great firms struggle with the challenge of coordinating the efforts of risk management and prioritizing the diversity of risks that are becoming more transparent.
Not all risks deserve the same attention
When things go badly in companies “culture” is typically cited as the true cause. Corporate culture may be overrated as a governance control. Who is responsible for an organization’s culture?
In most organizations senior management sets the tone for how aggressive or conservative an organization pursues risky ventures. Management incentives often determine which route is pursued yet risk management is often judged by the outcome of the decisions that work out versus the ones that fail.
The uncertainty of choosing between the two is the real challenge!
Risk, is in the eye of the beholder!
Research has shown that we each see risks differently. Heads of state must deal with different risks than their counterparts in non-profit organizations. Is it realistic to expect a framework to account for the nuisance inherent in all organizations? Some managers are risk adverse while others are risk takers. Aligning the organization with the risks taken is the art of risk management.
Removing the Tower of Babel
Let’s simplify the language of risk. If risk is in the eye of the beholder we must be able to discuss risk using terms that everyone understands. The importance of developing a common understanding of risks should not be underestimated. A lack of agreement on risks is one of the leading causes of a failure to execute.
But in order to simplify the language of risk it is important to talk in terms of how we each experience risk. Even very powerful people like Bill Gross have fears. Would things have turned differently if communication had not broken down? We will never know the answer but it is clear that risk management is as intimate as a broken relationship.
Sometimes, risk management is just about listening and being heard.
James Bone is a Behavioral Risk Consultant with more than 20 years of experience in senior risk management roles across a variety of complex industries. Follow James at TheGRCBlueBook.com
What is the value proposition of TheGRCBlueBook? The answer may be best explained by what it is not. We are not LinkedIn, where groups are siloed by risk specialty, industry or self-declared standards. TGBB does not promote a framework or espouse a preference for one tool over another.
TGBB is organized around the tools all risk, audit, and compliance professionals use.
TGBB understands that silos prevent open and robust conversations about risk. We endeavor to share what’s working and learn from others without competing. Risks are not one dimensional nor are they so unique that one industry’s approach to solving problems may lead to new awareness not considered by a risk professional in another industry.
TGB B is grounded by the database of GRC tools and solutions providers however as each organization implements these solutions your unique lessons learned add color to the benefits and opportunities for improving these tools.
The challenge: How do I share these lessons while not exposing myself and my firm to reputation risk? The answer is that no proprietary information is requested. Lessons learned, product reviews and product ratings can and should be shared as opportunities to learn from others. What you give can be returned in full measure from the lessons of others. In the coming months we will lead by example with personals interviews of GRC users and, hopefully informative testimonials as well.
What’s in it for you? That depends. If you participate others will begin to share their stories and we all may learn more as a result. If you have considered a GRC vendor solution and others provide reviews or ratings of these products you will learn from the experience of others. We have chosen to not write or pay for reviews to prevent inherent conflicts of interest but more importantly this concept is founded on the belief that users are the best source of information for these solutions.
What we have learned is that the current sources of information about GRC tools and solutions are not sufficient for making informed buying decisions. Even more critical to the buying decision is a more fundamental question: What is the most effective approach to integrate these solutions in my organization that adds the most value to managing risks and addressing my problems?
It’s a bold experiment in trust! Information provided on this site is for the benefit of the members of TheGRCBlueBook. It’s free and will remain so.
So what is the value proposition? YOU! Your experience, your feedback, your lessons! You may be surprised that you get more than you imagined by participating.
TheGRCBlueBook mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries. A one stop source for all things risk and compliance related.
You must be logged in to view this document. Click here to login
You must be logged in to view this document. Click here to login
On January 28, 1986, the Space Shuttle Challenger burst into flame shortly after liftoff. All passengers aboard the vehicle were killed. A presidential commission was formed to investigate the cause of the accident and found that the O-ring seals had failed, and, furthermore, that the seals had been recognized as a potential hazard for several years prior to the disaster. The commission’s report, Report to the President by the Presidential Commission on the Space Shuttle Challenger Accident, stated that because managers and engineers had known in advance of the O-ring danger, the accident was principally caused by a lack of communication between engineers and management and by poor management practices. This became the standard interpretation of the cause of the Challenger disaster and routinely appears in popular articles and books about engineering, management, and ethical issues.