Beyond Boundaries Risk and Complexity in 21 Century Organisations Richard Anderson
by user
Comments
Transcript
Beyond Boundaries Risk and Complexity in 21 Century Organisations Richard Anderson
Beyond Boundaries Risk and Complexity in 21st Century Organisations Richard Anderson Chairman, Institute of Risk Management Dubai, 20 May 2014 Why do people matter? What do you believe … ? Human nature is … Individualist … or … collectivist I or C? Which do you think? The way we live … “superiors” tell “inferiors” … or … “equals” negotiate the “rules” Prescribed/In-equal … versus … Prescribing/Equal Tell or Negotiate? T or N? Which way does it work? And cultural theory... Tell Hierarchist Typical Government Chief Scientist Fatalist What will be will be C I Individualist Richard Branson Philip Green Entrepreneur Negotiate Egalitarian Greenpeace Environmentalist Prince Charles How do we spot them? It might happen… It happened… to me It happened… It happened… to my competitor to me… to someone else The extended enterprise Multiple Economies in Multiple Societies Outcomes Joint Endeavour The extended enterprise Supplier 2 Supplier 1 Government Customer 1 Multiple Societies Prime Joint Endeavour Contractor SubContractor 1 Agents Outcomes IT Outsource Provider SubLabour Contractor Multiple Economies in 2 Customer 2 Customer 3 Regulator IP Owner The extended enterprise economy • • • A complex system is one in which even knowing everything there is to know about the system is not sufficient to predict precisely what will happen. Complex systems cannot be controlled – only influenced. Simple systems behave more like complex systems when under stress. VUCA! Uncertainty Volatility Chaos & Paradox Complexity Ambiguity Paradox: not susceptible to logical analysis Single enterprise or joint endeavour? The Social Dynamics of the extended enterprise Regulatory Influence Extent of Shared Values Outcomes Joint Endeavour Relative Power Allocation of Incentives Multiple Civil Societies What can we manage? Assurance and the risk manager Scale of the problem: • Simple Them Complex Nature of the issue • Operational Strategic Approach • Tools for Risk Management risk Conversations in Two management disciplines that must be “extended” Risk Appetite and Tolerance Risk Culture Risk Appetite Level Propensity to take risk Propensity to exercise control Risk Taking Exercising Control Escalation Tactical Project/ Operational Stakeholder Value Delegation Strategic Measurement Risk Metrics Control Metrics So what does this mean in practice? B t0 Time t1 A B t0 Time Time t1 t1 C Time B Time t1 C Performance t0 D A t0 Appetite Tolerance Performance Where you might get to if everything goes wrong t0 Performance Performance Performance A D t1 Risk Universe Current direction of travel for performance Where you might get to if everything goes right What do risks have in common? Directly experienced in day to day activities Not a lot of prior institutional or individual experience Cannot imagine life without balancing these risks Directly Discernible Visible through Science Manageable through science For example treasury, foreign exchange, some IT risks Virtual Lots of perspectives or possible outcomes People liberated to argue from their own preconceptions Achieving objectives depends on... Taking more managed risk – risk of taking on too much risk which becomes unmanageable Avoiding unnecessary problems – risk of avoiding everything, resulting in total inaction Creating the right performance culture – risk of over-stretch resulting in burn-out Setting appropriate corporate “ethics” and behaviours – risk of sclerosis as every stakeholder of every decision is consulted Zone 3 Dead Zone Zone 2 Performance Zone Zone 1 Dead Zone High Low Long Term Performance And doing the right amount of each Low Attribute: High (i) Managed Risk Taking or (ii) Avoiding Pitfalls or (iii) Performance Culture or (iv) Corporate Ethics and Behaviours Balanced Risk Performance Culture Dead Zones Performance Zone More Managed Risk Avoiding Pitfalls Corporate Ethics Enron? Or the Big Banks? Performance Culture Dead Zones Performance Zone More Managed Risk Avoiding Pitfalls Corporate Ethics UK plc? Performance Culture Dead Zones Performance Zone More Managed Risk Avoiding Pitfalls Corporate Ethics The objective Performance Culture Dead Zones Performance Zone More Managed Risk Avoiding Pitfalls Corporate Ethics And you…? Performance Culture Dead Zones Performance Zone More Managed Risk Avoiding Pitfalls Corporate Ethics So what? We need to avoid these without squashing your whole purpose and spirit Performance Culture More Managed Risk Avoiding Pitfalls Your’ culture has to be supportive of RM. We cannot cut across the corporate culture or go against the grain Do you have a can do/will do culture: this needs to be supported by appropriate, but not stifling, RM Corporate Ethics We want to create the mechanisms by which these risks can be taken to your advantage So what does this mean in practice? B t0 Time t1 A B t0 Time Time t1 t1 C Time B Time t1 C Performance t0 D A t0 Appetite Tolerance Performance Where you might get to if everything goes wrong t0 Performance Performance Performance A D t1 Risk Universe Current direction of travel for performance Where you might get to if everything goes right Get it right => Shareholder value growth Start here... Get it wrong => Shareholder value destruction Excellent competency in risk management The bottom line for risk management? •Managing more risk taking •Avoiding pitfalls •Excellent performance culture •Great corporate ethics and behaviours 4 Measurement SH/H Val External 5 Assurance Internal Risk Based Alignment Sources Governance model Key Data Control Maturity 3 Risk and Control Risk Taking 1 Business Context 2 Risk Capability Capacity Segments Geography Risks Strategy Six components Risk Appetite 6 Board Reporting Risk Data Board and Senior Management Vision Risk Assurance Risk Appetite Strategy Operating Model Controls DATA Process Policy Risk Capability A function of 1. Capacity (how much you can carry?); and 2. Maturity (how much can your people cope?) IRM Risk Culture Framework Risk Culture Organisational Culture Behaviours Personal Ethics Personal Predisposition to Risk IRM’s risk culture framework looks at component parts making up an organisation’s risk culture • How will I react? • How will I respond in recognition of other competing needs? • What will I do? • What will we do? • Our overall risk culture Risk Skills Decisions Risk Resources Reward Governance Informed Risk Decisions Transparency Tone at the Top Accountability Dealing with Bad News Risk Leadership Risk culture aspects model Risk Culture Competency Leadership in complex systems Tasks & ideas Be Courageous Be Curious Be Clear Relationships & behaviours Embrace uncertainty Adopt open enquiring mindset Distribute leadership & decisions Draw on widely diverse perspectives Establish compelling vision Go out of your way to make connections Invest in promoting values Conversations in risk management EE Partners CEO Back Office You Suppliers IP owner Clients Management campaign Take Stock Target Operating Model Gap Analysis Rules of engagement Action Shortfalls from Desired outcomes Governance Information sharing Risk Management TOM Route map to achievement Address information asymmetries Next steps Implement Check Implement Check Implement Check Assurance Confirmation Harvest benefits Share lessons Desired Outcomes Participants Purpose Roles Values Rewards Culture Appetite An approach to starting 1. Articulate strategy in terms of value drivers 2. Identify relevance and urgency of objectives, plans and projects 3. Identify both what needs to go right and what might go wrong 4. Develop responses 5. Document, keep fresh and share with staff (ie make it cultural) Value drivers Hard financial drivers Profitable turnover growth Soft drivers Human capital EBITDA Intellectual property Cash tax Innovation Interest Partnerships Capital expenditure Joint ventures Changes in working capital Reputation Competitive advantage period Some questions for the board • How complex is our business operating model? • What additional risks does complexity pose? • Do we understand the risk tolerance associated with the complexity? • How do we manage these risks? • How do we get helpful risk information? • How do we get sufficient assurance on our risk management investment? I passionately believe that we can make uncertain futures much more manageable... This means that we must work with our organisations to re-imagine how they manage themselves, to make sure that they know where they are on important matters and to be confident that they know how to address uncertain futures. We use our knowledge, skills and experience, combined with proven tools, techniques and approaches, which we leave behind for them to carry on using long after we have finished, to transform their business. As a consequence they will face the future with more familiarity, they will feel more confident about their current position and they will be organised to go forward into these uncertain futures. The bottom line Risk Management should be the disruptive intelligence that pierces perfect-place arrogance Next steps • Consultation document now available • Final version to be published September 2014 • Three volumes of guidance: 1. Executive summary/overview/questions for the board 2. Concepts, governance and assurance 3. Practical tools, techniques and case studies Questions Email: [email protected] Tel: +44(0)7807 780284 Institute of Risk Management 6 Lloyd’s Avenue London EC3N 3AX United Kingdom www.theirm.org