In an extensive interview, Tim Leech and Peter Bonisch share personal insights into some of the major issues and challenges facing those involved in risk and assurance today.
Paul Moxey – ACCA’s head of corporate governance and risk management – talks to Tim Leech of Risk Oversight Inc and Peter Bonisch of Paradigm Risk, two of the leading thinkers on risk and assurance.
Tim Leech is recognised globally as a thought leader, innovator, and provocateur in the risk and assurance fields. He has provided training and consulting services and technology to public and private sector organisations in Canada, the US, UK, Europe, South America, Africa, the Middle East and Asia.
In March 2012 he authored and published a controversial white paper, The High Cost of ERM Herd Mentality, and most recently, in December 2012, two new articles: Board Oversight of Management’s Risk Appetite and Tolerance, published in the Conference Board Director Notes series in the US, and The High Cost of Herd Mentality, published by the LSE Center for Analysis of Risk and Regulation (CARR). These papers challenge traditional approaches to risk and assurance management practised by tens of thousands of companies and hundreds of thousands of auditors and risk specialists around the world. His thesis is that traditional ERM and audit assurance approaches are sub-optimal at best, potentially fatal at worst.
(Tim also recently spoke at an ACCA event, where he focused on enterprise risk management. Find out what he had to say.)
Peter Bonisch is one of the UK’s leading advisers on risk governance in financial services and corporate sectors. He works with boards of directors and senior executives on improving their governance and management processes around risk and uncertainty and assurance, and on enhancing and protecting corporate reputation and value.
Peter is a former national director of assurance services for Ernst & Young in New Zealand, where he was also president of the Institute of Internal Auditors. He has worked internationally with leading clients on risk management and lectures in the UK on corporate governance. From 2008 to 2009 he was a partner in one of the UK’s leading corporate governance advisory firms, and he was managing director of a London-based risk and assurance consultancy from 2002 to 2005. He is a regular contributor to debates on governance, risk and control in the UK and Europe.
Paul: Tim, has there been any discernible change in management’s risk appetite and tolerance in recent years?
Tim: My perception is that there has been and it’s driven largely by the regulatory vigour of regulators pursuing instances where they perceive there were major governance lapses. Following the 2008 crises the conclusion was that deficient risk oversight and risk management were key elements. As a result both the UK and the US brought in new disclosure rules. In the UK, the FSA has gotten religion in terms of looking at that area so I think it’s the regulatory rigour that has resulted in management having no choice but to address more structure and formality in the way they identify and come to grips with risk appetite and tolerance.
Peter: I’d echo the comments about the financial sector – I think a lot of institutions at the moment are regulatory-driven in their conservatism. Outside that I’m sure that there’s a spread of response. There are firms that have been well positioned to increase their risk because they’ve understood properly what their appetite is and what their tolerances are and they have the flexibility to move within those and pick up advantages where other firms have been more reluctant.
Paul: So you’re saying that it is driven by regulatory requirements. Do you think the regulators understand what they mean by risk appetite and tolerance? And do you think the companies themselves and their boards understand those terms or is there some confusion?
Tim: I think it’s at a formative stage – people are grappling with what they mean. A tangible example would be if we had asked any of the major UK banks that are at the heart of the LIBOR scandal what their tolerance was for being involved in fraudulent manipulation of indexes used around the world, and if you’d asked the board how do you feel about that – I think they would have struggled greatly.
Right now a lot of the appetite tolerance statements are heavily quantitative. They deal with things like portfolio diversification and things that have been around for a long time. What I’m not seeing in the appetites and tolerance statements are things that would really address many of the major scandals that have happened. Currently one of the UK banks has been accused of fraudulent lending practices or misleading marketing practices – I’ve seen very few statements that address what their tolerance is for lying to prospective clients. There is an element of reality that I’m not seeing in these appetite statements on critical issues that I still think need to be addressed.
Peter: The qualitative aspect is interesting. I think quantitatively a lot of firms put a lot of work into defining what their appetites should be, but I agree with Tim – there’s a real question as to whether or not they can translate those effectively through their firm anyway. On the qualitative side, on the compliance side and the criminality side, I think a lot of firms have no real idea how to translate the aspirations of their board into control systems that are effective throughout the firm.
Paul: I wonder if we should separate financial services from everywhere else? My impression is that financial services are quite familiar with the term risk appetite or tolerance and they think of it in terms of a quantitative measure, whereas outside financial services I think that most organisations are only beginning to get their head around the terms but when they do think about it, they think about it in fairly general and vague terms. You both have a great deal of experience in this and – bearing in mind that we want to be talking to people both from financial services and outside and the answers may be different for the two different sectors – what should boards be doing?
Tim: In some respects they’re different but in many respects they’re the same. In addition to scores of financial institutions I’ve worked all over the world with oil companies, manufacturing companies – a full range. I’ve had discussions with clients that make public statements in annual reports that they have no tolerance for accidents, and yet every year there are a number of people dying and there are hundreds of thousands of hours linked to lost-time accidents. It’s just that people have not provided realistic statements about tolerance – whether we’re talking about the willingness to pollute the Gulf of Mexico, or whether it’s accidents, or whether it’s the number of products they’re prepared to let out of the door with defects – we’re not going to gain anything if organisations are going to put forward risk appetite/tolerance statements that are more wish lists than they are any semblance of reality.
I’m afraid this condition isn’t restricted to the financial sector – it applies to many companies. The approach we recommend requires explicit acceptance of what are often quite risky-looking residual risk status situations. In the absence of the company being willing to add more risk treatments, by definition that risk acceptance position represents their risk appetite. Many companies seem to have a hard time facing this as a reality of what ‘risk appetite’ really means.
Paul: Do they think of risk and risk appetite in isolation or do they think of risk in relation to the business objectives that they are trying to work towards or the pursuit of reward (because risk and reward should be balanced)? What I’ve seen in terms of risk appetite statements and tolerance statements appears to have been written as if in a vacuum without much reference to what the organisation is actually about.
Peter: I think the point Tim made is that revealed risk preferences are enormously important. Firms can make aspirational statements till they’re blue in the face, but how they actually behave ultimately reveals their preferences for risk, and until firms sit back and look at the number of their peers that fail or that get into problems in whatever sector – oil & gas is a prominent one but it’s equally applicable across the spread of industries – then they’re going to be making statements that don’t accord with the reality of their operations.
Paul: When you say revealed, where are you revealing it – is it in an annual report or something that you reveal to them?
Peter: No – it is in the way they behave. To use Tim’s example, it’s in the number of accidents that occur.
Paul: In the UK now, companies are supposed to report on their appetite for risk and tolerance, although not in those terms necessarily, and I have looked at the statements that companies have made and they don’t reveal very much at all – partly because I think companies have not got round to reporting on this matter yet. However, what should boards be doing in accordance with your advice or best practice as you’ve seen it?
Tim: What we recommend is to install and implement a methodology that focuses on important ‘value creation objectives’ and also ‘potentially value eroding objectives’. An example of a potentially value eroding objective would be that if you don’t achieve the objective of producing reliable financial statements and you’re caught, it can have a very negative effect on your share price.
You don’t generate revenues by being good at accounting, but you can create negative value, and the same applies to complying with environmental laws – you don’t increase your profits by complying with environmental laws – in fact quite often it’s the opposite – but if you have the misfortune of a serious environmental incident such as BP, it's coming close, even with a behemoth like BP, to levelling them.
You need a methodology that analyses your ‘current residual risk status’ linked to value creation and potential value eroding objectives. With this type of approach you get a realistic look at where you are accepting a higher level of risk that you could practically manage down with more risk treatments if you elected to. And when you choose not to manage down/mitigate a risk and you’re prepared to leave the retained risk position as it is, which sometimes can be a significant level of retained risk, that by definition is telling you what the firm’s and the board’s risk appetite is.
Now very few boards have received information that shows them where the highest levels of retained risk are. Take a simple example like the financial statements – very few boards are told that lines 5, 9 and 15 are the ones with the highest levels of uncertainty and the auditor is really not sure either – are you good with that?
Paul: In your article Board Oversight of Management’s Risk Appetite and Tolerance, you’re somewhat critical of risk registers and I think one of the things you’re saying is that you cannot predict all risks – you talk about uncertainty as well. Should one be thinking more of uncertainty management rather than risk management?
Peter: I’m not sure that that’s logically possible, but I do think that you need to recognise that we use the term ‘risk’ for many different things – risk in the traditional quantifiable sense of probability, uncertainty, ambiguity, complexity – and even complexity you can unpack, so a firm needs to deal with all these things; thinking in traditional terms of how you control the risks that you know about and understand well is just one aspect of what a firm needs to do to manage risk.
Tim: I think you raise a good point. At the root of Peter’s response is the reality that there isn’t a generally accepted agreement on what the word ‘risk’ means yet – certainly ISO 31000:2009 has taken a stab at it and has debated it for many years, and they actually modified the original version that came out of Australia/New Zealand 4360:2004 with a twist – the COSO ERM 2004 initiative basically rejected many of the philosophies of 4360 and is inconsistent with ISO 31000, so when we talk about it, it’s difficult because it’s definitional.
Paul: Tim – I’m a simple fellow. When I want to look for a definition, I turn to a dictionary – not to ISO 31000 or anywhere else – and dictionaries, pretty much every one of them, give a very similar definition of risk and it can be a noun or it can be a verb but generally it’s something you don’t want and it’s a very simple definition and not the definition that the risk management profession tends to use now – which is why I’m thinking perhaps ‘uncertainty’ is a term that we should be moving towards?
Peter: There’s a very important point in there – the fundamental point is that firms need to take risk to make money, and firms generally need to take more risk to make more money and they need to take opportunities, but I agree with Tim and the point of your question – you don’t need to distort language to understand that you need to take risk to make profit and that opportunity is an essential part of risk-taking. I cannot get beyond the idea that people associate risk with what can go wrong and they should, but we need to remember first that all firms need to take risk to make profit and secondly, firms need to understand where they’re good at taking risk and where they’re not good at taking risk and I think driving into that is what understanding better appetite and tolerance are about.
Tim: Well, I like your notion of uncertainty and we’ve adopted it. We try and cut through all of the theoretical debates that are going on, which are important to have, but when we work with work-teams at the coal face we go with the model that says you tell me what the end result is you want to achieve then let’s look at ‘threats to achievements/risks’ because we find that it helps people grapple with it.
So we go with the risks/threats to achievement and we say look, these are real or potential situations that could impact on the achievement of these objectives. People can come up with risks/threats to achievement and you can and should use other tools to identify risks/threats to achievement – that’s how we try and operationalise the notion of uncertainty.
If something better comes along that the average person can understand, I’ll be happy to embrace it but for now our approach to risk management is a merger, if you will, of the ISO definition of ‘risk’ with the words ‘threats to achievement’. ‘Threats to achievement’ are my words – I choose to use them so that people always understand that what we’re talking about has to impact on a valid implicit or explicit objective or by definition we shouldn’t entertain it.
Peter: There’s a key point in what Tim just said – explicit or implicit objectives. You cannot specify all your objectives just as you cannot specify all your risks.
Paul: It seems to me that if you come out of a specific objective you can probably identify a few specific risks but the risks are probably the more important ones. The root causes of these risks are kind of bubbling along and it’s difficult to express those other than in rather vague terms. You can express a tolerance for a risk that you have articulated such as a fire happening, but the tolerance for something like an unfortunate culture that facilitates and enables fixing of LIBOR rates or mis-selling of interest swaps to small businesses – that sort of thing you can’t really articulate. They’re very low level.
Peter: We need to be careful that we don’t end up with a camel when we want a horse. Why do firms fail? Predominantly because of strategic error. Some fail because of operational problems. A far smaller proportion, according to research, fail for compliance reasons. The risks that we need to fix primarily are the way in which firms approach their strategy and the uncertainties in the execution of that strategy. Unless that’s our starting point, we’re looking in the wrong end of the telescope.
Tim: I agree with Peter. One of the things that I’ve done in the latest iteration of the risk management tools that we recommend is recommend the use of an ‘objective register’ with the caveat that I don’t propose to clients that they populate it with thousands of objectives. I recommend that they populate it with their key value creation objectives as a starting point in addition to the potentially value-eroding objectives.
There are multiple surveys that have been done with companies that have claimed to have been implementing and using ERM sometimes for as much as ten years. When you analyse the risks that these processes kick out for boards you often find that none of the risks relates to the important objectives that are going to drive shareholder value. They relate to the other things that Peter referred to, risks that are not unimportant – and they do kill firms but they kill a smaller number of firms than the ones that don’t clearly map out objectives and strategic direction.
So when we look at companies like Research in Motion and Dell, those are not cases where they polluted the Gulf of Mexico or they were involved in LIBOR scandals but they struggled with identifying where they needed to go next to continue growth and value creation and preservation – that’s the strategic part and my contention is because of risk registers where you ask people what do you see as the big risks to the company, or to some process, or to a department – people without clarity on key outcome objectives are unfocused. They don’t have any core starting point that everybody uses when they’re talking about what they think are the ‘key or significant risks’.
Paul: Do you see value in scenario analysis?
Tim: Well, it’s a viable technique to identify risks. Scenario analysis can be used particularly well if you have one or more specific objectives. We teach our trainers and analysts to imagine scenarios and then say what would the risks be that would come with it and what would the likely impact be on the achievement of the objective. You can get very sophisticated in applying that tool, or you can do it just very simply and generate some pretty impressive results.
Paul: What should internal audit be doing in relation to boards’ oversight of risk appetite and tolerance?
Tim: I give Richard Chambers, CEO and President of the IIA Inc, a lot of credit. I think there’s been an enormous number of changes in IIA IPPF standards which if you’re impatient you might say are not enough and are not fast enough, but if you look at the speed of change in the internal audit world, they’re actually happening relatively fast in terms of the standards. Unfortunately practices are changing considerably slower.
The words in the IIA standards are now at least trying to funnel internal auditors into more focus on strategic objectives which it never did before. The importance of auditors evaluating the effectiveness of a company’s risk process is now a ‘must do’ in the IIA standards as opposed to a ‘should do’. I think where the IIA is still struggling is that it is still very willing to support internal audit regimes where the auditors complete audits and form a subjective opinion on whether they think controls are effective.
I take exception to the notion of ‘effective controls’ as determined by auditors. There’s no such thing as effective controls – there are only different levels of retained risk which are more or less acceptable to management. Until the profession starts to transition away from subjective auditor opinions on control effectiveness and focuses on ensuring the organisation’s board is aware of the current retained/residual risk status, I think the profession will continue to struggle and contribute far less than it could.
Paul: Let me re-phrase the question slightly – you’ve answered the question on what the internal audit profession should be doing, but think of an internal auditor ahead of his or her time: what could that internal auditor be doing – perhaps going above and beyond what the standards are expecting of them at the moment?
Peter: I think exactly as Tim has outlined – focus on residual risk because we let internal auditors off the hook hugely and by Tim’s definition, I’m impatient. Until we are driving internal auditors to deliver some sort of standardised (within their own organisation) periodic opinion on where the organisation has moved over time in terms of residual risk, however defined, then we’re not asking enough of them.
Tim: On the bright side, Peter, the IIA standards that became effective January 2013 at least said if the chief audit executive is aware of a situation that they think is outside of tolerance, they should mention it. Unfortunately the standards don’t go as far as saying auditors should actively work to ensure the board is aware of the consolidated entity level residual risk status situations outside of management’s risk appetite/tolerance.
Peter: But it’s been 15 years since you and I both started having the argument with IIA to get them to this point.
Tim: As my mother used to say, patience is a virtue.
Paul: What more can the bold internal auditor be doing to get involved in looking at strategic risk and the effectiveness of the board to manage that?
Peter: It’s not up to an internal auditor to second-guess strategy but what is crucially important is that they ensure – or that they seek to ensure – that uncertainty has been considered effectively and properly in the process of formulation of strategy and indeed in its execution.
Tim: Adding on to Peter’s comment – he knows very well that I’ve been on a campaign for over 20 years now. When COSO took the decision in 1991 that setting and communicating objectives was not, in COSO’s opinion, part of an integrated control framework I believe it set the profession back 20 years.
Paul: One final suggestion which I think is a provocative one – ‘define your outcomes and measures and you’ve defined your risk appetite and tolerance’.
Peter: Well only in so far as you have assumed that there is a constant level of uncertainty or a constant level of understood risk but that’s simply not the case. Risks emerge over the course of execution of the business plan and have to be dealt with.
Tim: Not only do risks emerge but the quality of the knowledge about the risks alters as things go on, and one of the things that formal risk management does (if done well) is enhance that knowledge – so if you can imagine a camera that is out of focus, what good risk management will do is actually bring the true picture of what you’re facing in trying to achieve your objectives into more clarity. You can then decide whether to take evasive action or live with the risk of a major negative consequence. The clarity of the image of the risks that create uncertainty about whether you achieve what you want is key to understanding what an organisation’s real risk appetite/tolerance really is.
Paul, Tim and Peter were speaking prior to an ACCA event on 'Board Oversight of Management’s Risk Appetite and Tolerance: A New Global Imperative'. A write up of that event can be found elsewhere in this e-bulletin.