Thoughts on the Direction of Ops Risk Management - V4.0
A Risk View from the Inside: A Perspective
Amrut Joshi
Executive Summary
The global economic environment through the last decade has been tumultuous not only for corporates but for countries and societies as well. These adverse events have brought into focus the causes of such failures and, importantly, the thinking around the means and methods through which such calamities can be avoided. Naturally, this has brought focus on Operational Risk as a solution, but it has also raised the question in many minds: why did these adverse events occur if risk management was already in place? While there is agreement that Risk Management is necessary, the questions being asked are whether current risk management practices are good enough, whether risk management teams are able to provide value and assist the business, and whether they can really stop Senior Management in the organisation from taking the wrong steps.
As a profession, there have been a number of efforts to live up to the challenge. Various studies have shown that risks are about human decisions. Hence, to manage risks, whether through risk awareness or other means, one needs to influence business decisions and ensure organisations steer in the right direction and avoid failures. No amount of policing or oversight will be enough to oversee every decision within an organisation, but one can train and influence people to arrive at well-thought-through decisions and thus reduce the chances of failure.
This paper introduces the idea of learning from other professions, especially Economics, and introduces the concept of "Behavioural Risk Management". In its second part the paper captures the experience of a Risk-Control Professional while embedded within the business function as part of the 3 lines of defence model.
Context: Industry Landscape
The last decade has been a time of significant disruption in the business landscape. The Enron failure brought about significant changes in the US in the areas of governance, auditor responsibilities and company disclosures through the Sarbanes-Oxley regulation. The focus was on process-level controls, though it also covered aspects of "tone at the top" and governance structures.
This could not prevent the Lehman crisis, which not only impacted the USA but more or less created a tsunami of social and financial issues across the world, especially in the developed world. Ironically, the financial measures taken by US and European governments to remediate the situation have intertwined Australia and Asia, which were relatively unscathed. Any unwinding of these measures/stimulus is expected to impact the Asia-Pac region as well.
The current business landscape is characterised by:
• Slower economic activity - fewer opportunities for growth assets
• Ever increasing expectations from investors and analysts
• Increased pressure on cost as a means to generate profits to compensate for slowing revenue streams
• Increased regulation and oversight of financial institutions
• Social pressures on financial institutions
Context: Risk Management
The business failures and challenges described earlier have ignited focus on what Risk does and what value it provides to the organisation. Rightly or wrongly, it has raised the question in many minds of whether proper application of Risk Management could have prevented unfavourable business outcomes or reduced the element of surprise in these events.
The Risk Management profession in general, and especially the Insurance and Actuarial space, has been quite interested in this topic and has commissioned quite a few studies and analyses. The findings have been interesting and highlight some of the things that should be improved as a profession.
Research funded by the Chartered Institute of Management Accountants (CIMA) in association with the Association of Insurance and Risk Managers (Airmic) had the following findings:
• Risk Management is no longer solely a financial discipline, nor is it simply a concern for the internal control function
• Where organisations retain a discrete risk management cadre, often specialists at monitoring and evaluating a range of risks, their success is dependent on embedding risk awareness in the wider culture of the enterprise
• Risk Management is most successful when it is explicitly linked to operational performance
• Clear leadership, specific goals, excellent influencing skills and open-mindedness to potential threats and opportunities are essential for effective risk management
• Bureaucratic processes and systems can hamper good risk management, either as a result of a "box ticking mentality" or because managers and staff believe they do not need to consider risk themselves
Context: Risk Management (continued)
Another report, "Roads to Ruin", by the Cass Business School on behalf of Airmic analyses a number of recent business failures and highlights lessons learnt. The report investigated the origins and impact of over twenty major corporate crises of the last decade. The crises examined involved substantial, well-known organisations such as Coca-Cola, Firestone, Shell, BP, Airbus, Société Générale, Cadbury Schweppes, Northern Rock, AIG, Independent Insurance, Enron, Arthur Andersen, Railtrack and the UK Passport Agency, and also some smaller firms. Several did not survive and most of the rest suffered severe damage. The report analysed failures in 7 categories; 9 of the 18 case studies had human behaviour as the cause of failure.
All the analysis and attention on Risk Management has been a double-edged sword. It is good because it has brought risk management to the top of the agenda for Boards and Senior Management. In this sense the failures can be seen as a blessing which no risk awareness programme could ever have dreamt of achieving.
However, it is also a reality that it has forced increased regulation and government oversight, thus increasing the cost of doing business. The pendulum has swung from a more self-regulated approach to more prescriptive regulatory requirements. The trust of governments and people in corporates, especially financial institutions, has reduced. If Risk Management as a profession is not able to wake up to the call, the natural reaction from business and regulators will be to go for other solutions. It needs to change, so that it is not in the situation of being the last to be consulted and the first to be blamed.
Opinions on Risk Management
Some of the opinions voiced are:
"Only a few percent of risk managers are functioning as what he calls true risk managers - being involved in decision making, planning and elevating the goals of the company."
"While companies are recognising that there is value and importance in risk management, many traditional risk managers do not have a very clear business mentality."
"If the Risk function is to have a future (more than from a Compliance perspective), it needs to be seen as a partner in delivering the management's decision dashboard."
"Risk managers are getting paid for activity. Activity is not results. When you get results and you play a role in the company making or saving money, you are taken more seriously."
What makes things different for Operational Risk?
The cousins of Operational Risk, Credit Risk and Market Risk, have been fortunate enough to have better developed theory and practice, as well as a more defined role and KPIs within the corporate world. At the same time, Credit and Market Risk are narrower and more specialised professions than Operational Risk. The scope of Operational Risk is much broader and covers a larger spread of the business; it applies to every aspect of the business and is everywhere in it. This also makes it difficult to comprehend and to define as clearly as Credit or Market Risk.
It is about the Decisions we make and Actions we take
Operational Risk Managers need to adapt to the new environment and demands on the profession, grab the opportunity to get some face time with C-level management, and actively be part of bringing value to the organisation.
Business disasters such as Enron and Lehman cannot be attributed to an inability to maintain proper risk registers, incident logs or risk testing. Today's business is far too complex and dynamic to rely on standard procedures and tools to capture and manage the risks to the business. The key reason for business failures, and for risks in business, is the decisions made. This is also the motto for Operational Risk Management in ANZ Bank: it is about the decisions we make and the actions we take.
Decisions are made by humans. Not all decisions are mechanical; otherwise they would have been automated. We live in an environment where the customer is human, the demand for products and services is still driven by human wants, needs and behaviours, and organisations are still structures of humans with their follies and traits.
Modern risk management needs to move from the process to the objective, and to focus on the actual decisions that are the root cause of any risk. To gain insight into decisions, one needs to understand the behaviours that drive them.
Operational Risk Management has to understand how decisions are made (the practical drivers), so that it can understand how these could go wrong and influence them positively in achieving corporate objectives.
Behavioural Risk Management
In Economics, the fundamental assumption is that Man is a rational animal and all decisions are rational: people are perfectly rational, patient, computationally proficient little economic robots. This assumption has been debated and is now understood to be far from true. The profession has come up with a body of knowledge called Behavioural Economics to strengthen our understanding of how humans (people) behave in an economic sense. Behavioural economics is, in a way, at the intersection of economics and psychology. Behavioural economists develop models which account for the facts that people procrastinate, are impatient, aren't always good decision-makers when decisions are hard (and sometimes even avoid making decisions altogether), go out of their way to avoid what feels like a loss, care about things like fairness in addition to economic gain, are subject to psychological biases which make them interpret information in biased ways, and so on.
While we have heard of the term Behavioural Economics, it may be necessary to apply the same behavioural element to Risk Management. After all, the aim is to influence decision making within organisations, and decisions are taken by human beings. The need is to understand the motivators (positive and negative) of human decisions and to influence or channel them in the right direction.
In order to be forward looking, Operational Risk should not only use good analytics based on past data but also apply the concepts of behavioural economics to help us better appreciate risks and future events and to embed risk thinking in human decision making. This may be the way to a more sustainable Business Risk Management and towards a practice which is agile and more in step with the speed of business decisions.
The People Element within the Team
In order for Risk Leaders to play a more forceful and credible role within the organisation, they would need to utilise and display more of the following skills, behaviours and competencies:
• Listening, but being able to filter the noise
• Influencing
• Managing conflict
• Testing assumptions and investigating
• Innovating
• Seeking and introducing change
• Dealing with ambiguity
• Communication
• Being structured yet thinking out of the box
• Business acumen
• Stakeholder management
• Adaptability
Success also depends upon:
1. Attracting the right people to be embedded as Risk Champions / Assurance leads
2. Getting the right attitude and understanding from the Business Leaders to whom the Assurance leads report
3. The ability and attitude of Assurance Managers to move away from being consultants to active implementation
4. The ability of Assurance Managers to imbibe and be conversant with business operations (credibility)
5. The ability of Risk Leaders to attract the right talent and business experience, people who can provide credible oversight of business decisions. Ideally, risk teams should have members who have spent some time in the business and who can empathise with and understand in practical terms the challenges that Leaders and Managers face in coming to business decisions.
While new regulations will necessitate higher risk oversight, risk management will need the skillset, credibility and knowledge to oversee the business effectively. Secondly, for the business, doing it right the first time will be the best bet. Hence risk management will be best served if risk managers play a stronger influencing role rather than just serving in the "policeman" role. It also may not be practical for Risk teams to have complete oversight of all the key decisions.
My Experience in the First Line of Defence Through an Embedded Risk Function (Assurance) as a Means of Influencing Decision Making
It's about the decisions we make & the actions we take.
Introduction
While Risk & Compliance have been natural comfort areas of work for Assurance, the challenge has been for Leaders to adapt and bring in the business goals component of the puzzle. The very reason for creating the Assurance function and embedding it within, or bringing it closer to, the business has been to understand the risk dynamics at close quarters: to be close to the place where actions are taken and risks arise. This allows for leading by example and providing pragmatic advice to influence business thinking. At a higher level of maturity all business managers will behave like Assurance Managers, and Assurance Managers will have morphed into Business Managers with risk expertise.
Risk Management, as aptly stated by ANZ Group Risk, is about: "It's about the decisions we make & the actions we take." The key operative word is decisions. Assurance is in respect of decisions made, and hence any Assurance structure and team's strengths depend upon the nature of the decisions taken and the number, quality and speed of such decisions.
As organisational maturity evolves, the Assurance function will change in synchronisation. Assurance teams will be based where decisions are made. In a sense, if an organisation hubs or offshores its operations, operational risks and controls will be more the ambit of offshore/hub assurance teams. Assurance and Risk Management will follow the structure and hierarchy of organisational decision making. A related element is the skill set required of the various Assurance teams. Assurance needs the skills and credibility to participate in business management. Credibility = Trust + Confidence in Delivery. In this sense Risk Professionals will not only be dealing with Governance within the organisation but also be the Trustees of Quality: quality in decisions and quality in delivery.
[Figure: Risk, Compliance and Business Goals converging on "Achieve Goal!"]
My Views on the Evolution of the 3 Lines of Defence: Thinking Risk in Decision Making - The Journey to be Taken
Past: Disconnected
[Diagram: Internal Audit, Risk and Business as separate boxes; "Business owns Risk"]
• Business, Risk and Internal Audit are part of the Internal Control structure but disconnected
• Business focuses on business objective delivery, but awareness and application of risk thinking and controls is minimal and considered to be someone else's responsibility (Ownership)
• Risk activities are performed because they are mandated; value to business is not appreciated - performed in word but not in spirit.
• Internal Audit reports with micro-level findings are considered to be the means for business management to know the risks within the business
• Risk management personnel have less awareness of the challenges of business management, and risk requirements may be considered onerous and impractical.
Current: Connected
[Diagram: Internal Audit, Risk, Assurance and Business; "Business owns Risk"]
• Risk Professionals and Business Managers with active risk-based decision making are embedded within the Business layer
• Business focuses on business objective delivery; general risk awareness is improved, but risk thinking and controls are considered to belong to the Assurance team within the business (Ownership)
• Risk activities are performed more because of the mandate from Assurance, fear of Compliance or the Head of Business, and some indirect perception of value to business.
• Internal Audit reports and errors are considered to be the means for business management to know the risks within the business. They are also treated as KPIs for Assurance.
• Assurance needs to play a Change Manager / influencer role, increase involvement in business management, and feed back to the Risk layer on the practicalities of mandated risk requirements.
Desired State ("The End Goal"): Embedded
[Diagram: Internal Audit, Risk and Business; "Business owns Risk"]
• Risk-based thinking is part of natural business decision making - quality of decision making ensures better risk management.
• Business focuses on business objective delivery but with a risk bent to any decision. Leaders/Business Managers understand that most risk events stem from their behaviour and decisions
• Risk management culture is embedded in the business because of the belief that risk-based decision making leads to value for the business.
• Internal Audit and Risk reports are treated as risk indicators of the health of the business, and action is taken on underlying factors rather than on the "audit issues". KPIs are based on demonstration of risk culture rather than on indicators only.
• The Assurance role gets converted to a Business Manager role with SME knowledge of Risk & Controls.
Philosophy of Embedded Risk Managers - Assurance
• The key aspect of the 3 lines of defence model, with "embedded" Risk Professionals within the business, is BEING ON THE INSIDE.
• The advantage of this approach is that, by actually being embedded within the business, Assurance champions are able to understand risks better because they are now very close to the action. They breathe and feel the business, which is useful because it avoids the distinct Us and Them feeling.
• There is a bond of common purpose and goals, i.e. trust, which allows a much more open discussion of objectives, inhibitors and actions, all of which are important components of understanding and arriving at risks/threats and the actions to manage them: more transparency and visibility.
• The goal is to bring risk management closer, from abstract theory to practical application. Business Managers see value through it; the key value-add from the first line is the ability to support a commercial trade-off with KRAs aligned to business outcomes as well as risk outcomes.
• The critical aspect here is that unless the Assurance team is incredibly close to the business, we will never be able to keep on top of changes in technology and business.
• However, this embedded 3 lines of defence model is not a silver bullet and in fact, compared to other models, is much more difficult to implement. It requires heavy support from other elements within the organisation, such as Ethics, Code of Conduct, a strong tone at the top and wholehearted support from Business Leaders.
• The model also needs a stronger second line, who can provide independent oversight of and challenge to decisions arrived at by a business which now has better risk knowledge.
• The second line challenge has to improve from a process-level focus to a discussion that utilises strong business understanding and application of risk to business reality.
Challenges
Being Accepted - Credibility - Working the Matrix
The embedded risk model within ANZ provided an excellent opportunity to learn from the inside how the business perceives Risk, what its challenges are in trying to follow Risk requirements, and how things can be done differently to enable achievement of Risk objectives.
• One of the biggest challenges in the initial days was gaining acceptance from the business. The reason was that, though Assurance reported to the Head of Business, the role was not clearly understood by the Business Heads. Assurance staff were considered to be proxy Risk & Compliance personnel.
• Initially the expectation from Business Managers was to involve Assurance only in the traditional areas of Operational Risk Management: risk register maintenance, anything to do with controls or processes, and Audit/Compliance. This in effect was "outsourcing" of risk and compliance requirements from the Business team to Assurance. "Business owns Risk" was interpreted to mean that the Assurance personnel within the business own the risk!
• Business leaders were aware of the statement "business owns risk" but were really lost as to what it means for their business and what they need to do.
• The expectation was that Assurance would not have the skill or the drive to get actively involved in day-to-day business strategy, issues and initiatives.
• Balancing the needs within the matrix management structure: the matrix between Global and Regional, the matrix between Business and Operations, and the matrix between Country and Regional management.
• Defining the scope of Business Assurance as compared to the scope of Operational Risk, which is more process based.
What were the things that helped in facing the Challenge
The uncertainty around what Assurance was turned out to be an opportunity to exploit. In addition, the loss of independence was something that looked bad at first glance but also removed the boundaries on how far Assurance could contribute to the solution.
The following helped to overcome the challenges:
• Getting actively involved in strategy setting for the business (Knowing the Business)
• Proactively getting to know every aspect of the business and the work done, the challenges, and the perception of Assurance from every Manager and Team Leader (Knowing the Business)
• Proactively getting involved in issues and being part of the solution (Come with Ideas)
• Solving issues by leveraging superior connectivity (connections within the Assurance community, Risk, Audit and Country) and the advantage of seeing things across the Region (Leverage on Strengths)
• Sharing good practices learnt across the Region and promoting recognition of the team/person (Come with Ideas)
• Designing and implementing an Audit Engagement Framework and helping prepare for the audit (Leverage on Strengths and reduce pain points)
• Taking the lead in simplification and automation of mandatory risk and compliance activities (Automation)
• Use of negative reinforcement through communication of Regulatory, Compliance and Risk requirements and the consequences of non-adherence, while also highlighting the least painful ways to satisfy them which are also professionally right
What were the things that helped in facing the Challenge (continued)
• Leading by example: taking ownership of certain business aspects and delivering them successfully by displaying broader management skills (Confidence in Execution - Credibility)
• Using additional responsibility to establish credibility, by learning and solving problems and through this showing by example how to take the right decisions (Lead by example)
• Strong relationships built through credibility with Audit and Risk, which allowed for a synergistic approach to achieving control objectives. This was seen as beneficial and positive by the business.
• The ability to build strong relationships across countries and teams within the matrix.
• Strong Senior Management face time and the ability to use this to highlight business issues and push solutions.
References:
Roads to Ruin: A study of major risk events: their origins, impact and implications (Cass Business School for Airmic); commentary on the report by Professor Alan Punter
Managing the people side of risk, McKinsey
Banks need to question their 'three lines of defense', Howard Davies
Laurie Widmer: Is Risk Management Obsolete? & Risk Management Makeover