Risk is stepping into the limelight

Risk management is moving into the limelight, not just because the world is a complex, fast-moving and risky place in which to operate, but also because, as organisations innovate ever-more efficient processes, develop new and improved offerings, enter into strategic alliances, reach out to customers in new and innovative ways, and widen their reach into the global marketplace, their risk exposure increases. And organisations must do these things or face stagnation and death as they’re left further and further behind by their competitors.

Another factor pushing risk management into the forefront of an organisation’s operations is that the longer an organisation pays attention to risk management, the more it matures, in risk management terms. When an organisation first dips its toes into risk management, it is largely limited to compliance and protection. Operational risks are at the top of the risk manager’s ‘to do’ list. But once these risks become ‘business as usual’ (BAU) risks and are satisfactorily managed and monitored by ‘owners’, the risk manager’s list of current, active and therefore frequently reviewed risks, shrinks. Current risks might drop from well over 100 to around 20, for example, and these would only need annual or bi-annual audits, with quarterly audits for severe risks, to make sure all is well. You are now a ‘mature’ organisation, in risk management terms.

So what to do with all your spare time? The answer to this is what moves you into the limelight. With your BAU risks sorted, you move into the strategic space. You’re scanning the horizon, looking for opportunities. And for every opportunity you spy, there is a risk of some sort. You have moved into helping your organisation find and take risks that can add value to its operations and and offerings.

Risk culture is increasingly important. Every employee and contractor needs to be a mini risk manager for the organisation they’re working for. Risk managers need to monitor and guide the building of a strong risk culture, offer interesting and informative risk management training and work with senior management and the board to establish clear guidelines on who can take what risks, and why, without reference to senior management.

So there is a lot to do after you’ve reduced your organisation’s active current operational risks. You’re broadening, and probably increasing, the number of your organisation’s strategic opportunities and risks. Back to a bursting ‘to do’ list.

Are you ready to step into the limelight?

How to make your office safer

It’s easy to gloss over health and safety risks in the pleasant surroundings of a nice, clean, tidy, well lit, air conditioned office. Yet they’re there. Faulty wiring and untidy electric cords and cables, poor posture at the desk or computer, too much sitting, workplace violence, poorly ventilated equipment rooms, slippery floors around the water cooler or in the kitchen area, chemicals stored insecurely or unsafely in the toilet area, unstable shelving, overloaded filing cabinets and drawers left open obstructing passageways, poorly sterilised or unsterilised telephone handsets and ear pads… It’s scary when you think about it, especially when you’re the leader-manager responsible for a group of people working among all those hazards.

In New Zealand, offices have emergency kits in case of earthquakes and every employee has a small emergency kit in a desk drawer (or at least they’re supposed to and do when the team leader develops a strong safety culture). What about in your office? You may not be in an earthquake zone, but what about a power failure or blackout, a storm, or a siege by an unstable person, as occurred in Martin Place on 15th December 2014, or any number of other emergency situations? Here are some items to think about including in a duffle bag or backpack for your emergency kit (which of course, you will keep handy in case of need):

  • battery operated radio
  • first aid kit
  • lighting (flashlight, glow sticks)
  • list of emergency numbers and other important information
  • water and non-perishable food

What emergency protocols does your work team have in place when employees are unable to attend work due to, say, a ‘flu epidemic, a transport crisis, or a lockdown of the area your office is located in?  When did you last review them together? Have you had a dry run to make sure you’ve covered everything?

Is your fire extinguisher in good working order and readily accessible? When did you last hold a fire drill and conduct a hazard audit? When did you last analyse your accident and incident statistics? When did you last review the health and safety and other risks in your workplace and check that mitigation measures are effective and up-to-date? Have you diarised to take these actions regularly?

Do you have a list of items that require periodic inspections with columns showing serial number, location, date of last inspection, result, inspection notes, and date of next inspection? Include office equipment as well as first aid kits and fire extinguishers on your list.

How do you prevent the spread of infections among your work team? Does your cleaner sterilise door handles, drawer pulls, lift buttons–anything that receives multiple uses by multiple hands? Do you provide antibacterial wipes so employees can keep their workstations hygienic? Is everyone aware of the importance of hand washing, and not just after using the toilet or before and after eating? Have you discussed how to wash hands properly? (Hands spread 80% of common infectious diseases.) Check out this OH&S blog for more information on ensuring proper hand hygiene.

How strong is your workplace and work team’s safety culture? (The answer is, probably only as strong as your own attitude towards safety.)

Four skills you need to make a difference

I’ve been updating the risk management chapter and there’s so much information, I can’t fit it all in! But this information is too good to not  put somewhere, so here it is!

Annette Mikes, Matthew Hall and Yuval Millo wrote an article called How experts gain influence in the July-August 2013 Harvard Business Review that I filed to use to update the risk management chapter. But as I said, alas, no room. The article explains how functional experts like health and safety managers, risk managers, sustainability managers, training managers and other functional specialists can gain the time and attention they need from senior managers. Based on their research they identified four competencies to build:

  1. Trailblazing: Don’t just sit there–go out and find ways to add value with your expertise. Talk to people across the organisation, at all levels, and find out what’s going on in your specialism and how you can help. Look for opportunities to make a difference to the organisation strategically or operationally.
  2. Toolmaking: Develop tools, dashboard indicators, report templates and so on to help you spread the word about the benefits of paying attention to your area and to show how the organisation is progressing in it. Make them attractive, easily understandable and easily scanned.
  3. Teamwork: When networking across the organisation to keep your specialist area front of mind, listen and learn–What are people interested in? What bothers them? What do they want and need from you? Incorporate their ideas into your activities and plans. Get their feedback on your tools and reports so you can make them more user-friendly and understandable.
  4. Translation: Help people understand the complexities of your specialism. Fancy words and statistics leave people cold. Translate them to everyday language. Tell stories to make your points clear.

When you’re passionate about your area of expertise, when you really believe the contribution it makes to building a better organisation, and when you have the energy and drive to blaze trails, make tools, work with others and translate your know-how into their words and worlds, you can make a difference. And that’s what it’s all about.

Cyber crime risks increasing

Australia’s 2012 Cyber Crime and Security Report, commissioned by the national computer emergency response team, CERT Australia, and conducted by the University of Canberra, was released in February 2013. More than 20% of the 255 organisations surveyed reported a ‘cyber incident’, including denial-of-service attacks, financial fraud, loss of proprietary information and theft of critical data. Attacks involved the use of malicious software such as “ransomware” and “scareware”, and trojans — despite 90%  of respondents using anti-virus software, spam filters and firewalls, and 65% having IT security staff with tertiary qualifications. Interestingly, the report also said those who reported no cyber incidents were likely to have failed to detect them.

Alana Maurushat, academic co-director of the Cyberspace Law and Policy Centre at the University of New South Wales, says that computers are the weapon of choice when it comes to industrial espionage. She also recommends a ‘healthy disrespect’ for statistics about cyber crime and identity theft, saying they are both under-reported.

The World Economic Forum puts the risk of a cyber crime causing a major global breakdown of critical infrastructure costing more than US$250 billion at about 10%. The European Commission estimates the damage from cyber crime for business worldwide at around US$1 trillion a year. The Australian Crime Commission’s most recent figures, for 2008, estimates the cost of e-protection for Australian companies at A$1.95 billion.

Cyber attacks are not random but coordinated and targeted for financial gain; and they’re growing. Ken Gamble of the cyber-detective firm Internet Fraud Watchdog, believes Australia has a high incidence of cyber crime compared to other countries, but less protection. Thailand (population 70,000), for example, has about 200 police detectives in cyber crime units and is hiring about 800 more over the next five years, while NSW (population 7,000), with the most cyber detectives of the Australian states and territories, has about 12 detectives working in cyber crime.

Perhaps the soon-to-be-created cyber security centre, bringing together experts from CERT Australia, the Defence Signals Directorate, the Defence Intelligence Organisation, the Australian Security Intelligence Organisation, the Federal Police and the Crime Commission to work with business, announced by then-Prime Minister Gillard last January, can help increase Australia’s cyber safety.

Meanwhile what is your organisation doing to protect its cyber risk?

Discussion questions

Have you carried out a proper cyber risk analysis for your organisation? Do you have robust measures to protect your organisation’s intellectual property? Do you routinely remind staff to stay vigilant so they don’t become careless or complacent regarding security matters?

How to use models

Models are representations of the real world. They help you better understand the real world by breaking it into pieces, making them good when you need to assess a risk or make a decision. But as Kevin Madigan points out, in an article on Property Casualty 360, a National Underwiriter’s website, no model can cater for every contingency and some models are better than others at helping us assess information about a risk or decision. The main thing is not to use models unquestioningly, for two reasons:

  1. Models are based on underlying assumptions.
  2. Models work on probabilities.

That means you need to understand both the assumptions models make and how they calculate probabilities.

First, ask yourself what your model’s underlying assumptions are and how correct and relevant are they to your organisation or decision. What contingencies are built into and left out of the model? Are the missing pieces important and if so, how can you incorporate them into your decision-making or risk management?

Next, find out how the model calculates probabilities. There are two ways: ‘classical’ probabilities and ‘subjective’ probabilities. You can be reasonably confident in classical probabilities because they are based on observation and experimentation; for example, flipping a coin or testing a drug on a target group and a control group. (Why not call them objective probabilities? Good question; too logical maybe.)

But you can’t experiment or observe elements of decisions about unusual events or problems or of catastrophic risks. That’s when subjective probabilities are used. Either you or the model need to estimate probabilities, perhaps based on observations about the past, informed assumptions about the future, and your ‘best guess’. That’s a long way away from classical probabilities.

So use models to help you make decisions and calculate risks but use them all with care, a questioning mind, and common sense:

  • Don’t take any model at face value.
  • Don’t interpret any model, especially those using subjective probabilities, as factual.

The statistician George EO Box put it well:

‘All models are wrong but some are useful.’

P.S. When you’re working with models, here’s a phrase guaranteed to impress: Don’t get caught up in delusional exactitude. In other words, be wary of models that claim to have a high degree of precision.

Discussion questions

What models do you use in your work? How accurately do they break information into pieces and represent the real world? What are their underlying assumptions and how relevant are they to the situation you’re applying them to? What type of probabilities do they use? In what ways might the models you use be wrong?

Leading from under the Sword of Damocles

Managers at every level regularly face difficult situations, but perhaps none more difficult than leading employees who know or fear they are going to lose their jobs. The announced closure of Holden’s manufacturing operations in 2017 brings this home in spades. Team leaders of the 13,200 employees likely to face the prospect of finding new ways to earn an income as a direct and indirect result of the closure are faced with helping their staff perform to the best of their ability until the axe falls.

The continuing restructuring of the Australian economy to keep the country prosperous, reducing jobs in the manufacturing sector and increasing jobs in the service and knowledge sectors, is likely to be cold comfort to the employees with the prospect of their own eventual job loss and the job losses of their friends, neighbours and colleagues hanging over their heads. Let’s face it, it’s hard to take a holistic view when when you and your loved ones are standing under the Sword of Damocles.

Discussion questions

What steps would you take if you were leading a team who know or fear their jobs are going to disappear in the next two years? What messages would be important to communicate to them? What would you do to keep up current levels of output, quality and customer service? What risks to output, quality and customer service would you identify and want to remain alert to?

The price of risk

This morning’s Akenhurst Newsletter by Alastair Dryburgh had some interesting comments about risk and reputation damage, which of course, can be much higher to an organisation than the dollars needed to rectify a realised risk.

Dryburgh points out that when we think about risk, we tend to combine it with reward, but that’s only part of the picture. He offers some models you can use to make sure you aren’t avoiding good risks and not realising that you’re taking some bad ones.

  • The Horseburger Risk, named after the recent horsemeat in beefburger scandals in Europe: This is a risk that, when you’re lucky, produces a small benefit and even produces a small benefit when you’re mildly unlucky. But when you’re really unlucky, you’ve got a catastrophe on your hands. This type of risk could also be called the BP Deepwater Horizon Refinery Scandal or the Apple iPhone 4 Scandal (see the Theory to Practice Box ‘The Well from Hell and Bad Apples on page 520 of the text). The danger of The Horseburger Risk is that we can see the regular, small benefit of taking it, but are blind to the catastrophe waiting to happen.
  • The Convex Risk is one where you gain a lot when you’re lucky but lose less than the equivalent amount when you’re unlucky. This taps into the brain heuristic that programs us to avoid risks more than to go for gain. Alastair’s example is offering you $150 if he tosses a coin and it comes down heads, but if it comes down tails, you give him $100. Few people take that one because the psychological pain of losing $100 outweighs the pleasure of winning $150, but if you made a logic-based decision, you’d say yes to this bet every single day and be better off to the tune of $90,000 in ten years time. (See pages 520 – 523 of the text for more on brain heuristics.)
  • The 50 Shades of Grey Risk, named after the self-published book of the same name. It could also be called the Harry Potter, Lady Gaga or Rolling Stones Risk: When you are unlucky, you have a small cost (no sales); when you’re moderately lucky, you still have a small cost (small sales); but when you’re very lucky, you have a huge and lucrative win and become fabulously rich; this doesn’t happen often.
  • The Sausage Machine Risk is a predictable risk, just like a sausage machine: put the meat in, turn the handle, sausages come out. The more meat, the more sausages. This is a good risk when it produces a big enough payoff.

Dryburgh advises putting this to practice this way:

  • Look at what you’re doing and eliminate the horseburger risks; every time you do something to reduce costs or improve efficiency, work out where the potential catastrophic risk lies and manage it properly.
  • Overcome your psychological bias against convex risks; work out the odds and take more of convex risks when the odds are in your favour.
  • Experiment with potential 50 Shades of Grey risks when you have time (but know the odds are against you).
  • Build a sausage machine that produces a good payoff.

Discussion questions

Just the other day, we learned that Flight Centre has been found guilty of price fixing, despite its strong anti-bribery and corruption policy. On the day of the Federal Court’s guilty finding, Flight Centre’s shares dropped six per cent. What other reputational damage might Flight Centre expect? What advice would you offer Flight Centre branch managers in responding to staff and customer concerns?

What type of risk would Dryburgh call Flight Centre’s attempted price fixing? Would you have taken it?