A Risk view from the Inside:
A Perspective
Amrut Joshi
The global economic environment through the last decade has been tumultuous not only for corporates but for
countries and societies as well. These adverse events have brought into focus the causes of such failures and,
importantly, the thinking around the means and methods through which such calamities can be avoided.
Naturally, this has brought focus on Operational Risk as a solution, but it has also raised the question in many
minds of why these adverse events occurred if risk management was already in place. While there is
agreement that Risk Management is necessary, the questions being asked are: are the current risk
management practices good enough? Are risk management teams able to provide value and assist
business? Can they really help stop Senior Management in the organisation from taking the wrong steps?
As a profession, there have been a number of efforts to live up to the challenge. In this respect, various studies
have shown that risks are about human decisions. Hence, to manage risks, whether through risk awareness or
other means, one needs to influence business decisions and ensure organisations steer in the right direction and
avoid failures. No amount of policing or oversight will be good enough to oversee every decision within an
organisation, but one can train and influence people to arrive at well-thought-through, appropriate decisions and
thus reduce the chances of failures.
This paper introduces the idea of learning from other professions, especially Economics, and the concept of
“Behavioural Risk Management”. In the second part, the paper captures the experience of a Risk-Control
Professional embedded within the business function as part of the 3 lines of defence model.
Executive Summary
The last decade has been a time of significant disruptions in the business landscape. The Enron failure brought
about significant changes in the US in the areas of Governance, Auditor responsibilities and company disclosures,
through the Sarbanes-Oxley regulation. The focus was on having process level controls, though it also covered
aspects of “Tone at the top” and governance structures.
This could not prevent the Lehman crisis, which not only impacted the USA but more or less created a tsunami of
social and financial issues across the world, especially in the developed world. Ironically, the financial measures
taken by US and European Governments to remediate the situation have intertwined Australia and Asia, who were
relatively unscathed. Any unwinding of these measures/stimulus is expected to impact the Asia-Pac region as
well.
The current business landscape is characterised by:
• Slower economic activity – lower opportunities for growth assets
• Ever increasing expectations from investors-analysts
• Increased pressure on costs as a means to generate profits to compensate for slowing revenue streams
• Increased regulations & oversight over financial institutions
• Social pressures on financial institutions
Context: Industry Landscape
The business failures and challenges described earlier have ignited focus on what Risk does and what value it
provides to the organisation. Rightly or wrongly, it has raised the question in many a mind of whether
proper application of Risk Management could have prevented unfavourable business outcomes or reduced the
surprise element in these events.
The Risk Management profession in general, and especially in the space of Insurance and Actuarial, has been
quite interested in this topic and has commissioned quite a few studies and analyses. The findings from
these have been interesting and highlight some of the things that the profession should improve.
Research funded by the Chartered Institute of Management Accountants (CIMA) in association with the
Association of Insurance and Risk Managers had the following findings:
• Risk Management is no longer solely a financial discipline, nor is it simply a concern for the internal control
function
• Where organisations retain a discrete risk management cadre – often specialists at monitoring and evaluating a
range of risks – their success is dependent on embedding risk awareness in the wider culture of the enterprise
• Risk Management is most successful when it is explicitly linked to operational performance
• Clear leadership, specific goals, excellent influencing skills and open-mindedness to potential threats and
opportunities are essential for effective risk management
• Bureaucratic processes and systems can hamper good risk management – either as a result of a “box ticking
mentality” or because managers and staff believe they do not need to consider risk themselves
Context: Risk Management
Another report by the Cass Business School on behalf of Airmic, called “Roads to Ruin”, analyses a number
of recent business failures and highlights lessons learnt. The report investigated the origins and impact of over
twenty major corporate crises of the last decade. The crises examined involved substantial, well-known
organisations such as Coca-Cola, Firestone, Shell, BP, Airbus, Société Générale, Cadbury Schweppes, Northern
Rock, AIG, Independent Insurance, Enron, Arthur Andersen, Railtrack, the UK Passport Agency and also some
smaller firms. Several did not survive and most of the rest suffered severe damage. The report analysed
failures in 7 categories. 9 of the 18 cases studied had human behaviour as the cause of failures.
All the analysis and attention on Risk Management has been a double-edged sword. It is good because it has
brought risk management to the top of the discussion for Boards and Senior Management. In this sense the
failures can be seen as a blessing which no risk awareness program could have ever dreamt of achieving.
However, it is also a reality that it has forced increased Regulation and Government oversight, thus increasing
the cost of doing business. The pendulum has swung from a more self-regulated approach to more prescriptive
regulatory requirements. The trust of Governments and People in Corporates, especially financial
institutions, has reduced. If Risk Management as a profession is not able to wake up to the call, then the natural
reaction from business and regulators will be to go for other solutions. It needs to change, so that it is not in the
situation where it is the last to be consulted and the first to be blamed.
Context: Risk Management
Some of the opinions voiced are:
“Only a small percentage of risk managers are functioning as what he calls true risk managers: being involved in
decision making, planning and elevating the goals of the company.”
“While companies are recognising that there is a value and an importance of risk management, many traditional
risk managers do not have a very clear business mentality.”
“If the Risk function is to have a future (more than from a Compliance perspective), it needs to be seen as a
partner in delivering the management’s decision dashboard.”
“Risk managers are getting paid for activity. Activity is not results. When you get results and you play a role in
the company making or saving money, you are taken more seriously.”
What makes things different for Operational Risk?
The cousins of Operational Risk, Credit Risk and Market Risk, have been fortunate enough to have better
developed theory and practice, as well as a more defined role and KPIs within the corporate world. At the same
time, Credit and Market Risk are narrower and more specialised professions than Operational Risk. The scope of
Operational Risk is much broader and covers a larger spread of business. It applies to every aspect of business
and is everywhere in it. This also makes it more difficult to comprehend and clearly define than Credit or Market
Risk.
Opinions on Risk Management
Operational Risk Managers need to adapt to the new environment and demands on the profession, grab the
opportunity to get some face time with C-level management and actively be part of bringing value to the
organisation.
Business disasters such as Enron and Lehman cannot be attributed to an inability to maintain proper Risk
Registers, incident logging or risk testing. Today’s business is far too complex and dynamic to rely on the standard
procedures and tools to capture and manage the risks to business. The key reason for business failures, or for
risks in business, is the decisions. This is also the motto for Operational Risk Management in ANZ Bank: It is
about the Decisions we make and Actions we take.
Decisions are made by humans. Not all decisions are mechanical, otherwise they would have been automated.
We live in an environment where the Customer is human, the demand for products and services is still driven by
human wants, needs and behaviours, and organisations are still a structure of humans with their follies and
traits.
The need of modern risk management is to move from the process to the objective: to focus on the actual
decisions that are the root cause of any risks. To enable insights into decisions, one needs to understand the
behaviours that drive these decisions.
Operational Risk Management has to understand how decisions are made (Practical Drivers), so that it can
understand how these could go wrong and influence them positively in achieving corporate objectives.
It is about the Decisions we make and Actions we take
In Economics, the fundamental assumption is that Man is a rational animal and all decisions are rational; people
are perfectly rational, patient, computationally proficient little economic robots. This assumption has been
debated, and it is now understood to be far from true. The profession has come up with a body of
knowledge called Behavioural Economics to strengthen our understanding of how humans (people) behave in an
economic sense. Behavioural economics is, in a way, at the intersection of economics and psychology.
Behavioural economists develop models which account for the facts that people procrastinate, are impatient,
aren’t always good decision-makers when decisions are hard (and sometimes even avoid making decisions
altogether), go out of their way to avoid what feels like a loss, care about things like fairness in addition to
economic gain, are subject to psychological biases which make them interpret information in biased ways, and so
on.
While we have heard of the term Behavioural Economics, it may be necessary to apply the same behavioural
element to Risk Management. After all, the aim is to influence decision making within organisations, and decisions
are taken by human beings. The need is to understand the motivators (positive and negative) of human decisions
and influence or channel them in the right direction.
In order to be future looking, Operational Risk should not only use good analytics based on past data but
also apply the concepts of behavioural economics to help us better appreciate risks and future events and embed
risk thinking in human decision making. This may be the way to a more sustainable Business Risk Management and
towards a practice which is agile and more in step with the speed of business decisions.
Behavioural Risk Management
In order for Risk Leaders to play a more forceful and credible role within the organisation, they would
need to utilise and display more of the following skills, behaviours and competencies:
• Listening but be able to filter the noise
• Influencing
• Manage conflict
• Test assumptions and investigate
• Innovate
• Seek and introduce change
• Deal with ambiguity
• Communication
• To be structured yet think out of the box
• Business acumen
• Stakeholder management
• Adaptability
Success also depends upon:
1. Attracting the right people to be embedded as Risk Champions – Assurance leads
2. Getting the right attitude and understanding from Business Leaders to whom the Assurance lead
reports
3. Ability and attitude of Assurance Managers to move away from being Consultant to Active
Implementation
4. Ability of the Assurance Managers to imbibe and be conversant with business operations – credibility
5. Ability of Risk Leaders to attract the right talent and business experience, who can provide credible
oversight over business decisions. Ideally, risk teams should have members who have spent some time
in business and who can empathise with and understand in practical terms the challenges that Leaders and
Managers face in coming to business decisions.
While new regulations will necessitate higher risk oversight, risk management will need to have the skillset,
credibility and knowledge to oversee business effectively. Secondly, for business, doing it right the
first time will be the best bet. Hence risk management will be best served if risk managers play a stronger
influencing role than just serving in the “policeman” role. It also may not be practical for Risk teams to have
complete oversight of all the key decisions.
The People Element within the Team
My Experience in the First Line Of Defence Through Embedded Risk Function (Assurance) as a means of influencing Decision Making
It’s about the decisions we make
& the actions we take.
While Risk & Compliance have been natural comfort areas of work for Assurance, the challenge has been for
Leaders to adapt and bring in the business goals component of the puzzle. The very reason for creating the
Assurance function and embedding it or bringing it closer has been to stay close to business, to understand the
risk dynamics at close quarters and to be close to the place where actions and risks arise. This allows for leading
by example and providing pragmatic advice to influence business thinking. At a higher level of maturity, all
business managers will behave like Assurance Managers and Assurance Managers will have morphed into
Business Managers with risk expertise.
Risk Management, as aptly stated by ANZ Group Risk, is about: “It’s about the decisions we make & the
actions we take.” The key operative word is decisions. Assurance is in respect of decisions made, and
hence any Assurance structure and the team's strengths are dependent upon the nature of decisions taken and the
number, quality and speed of such decisions.
As organisation maturity evolves, the Assurance function will change in synchronisation. Assurance teams will be
based according to the place where decisions are made. In a sense, if an organisation hubs/offshores its
operations, operational risks and controls will be more within the ambit of offshore/hub assurance teams. Assurance
and Risk Management will follow the structure and hierarchy of organisation decision making. A related element
is the skill set required of various Assurance teams. Assurance needs to have the skills and credibility to participate
in business management. Credibility = Trust + Confidence in Delivery. In this sense the Risk Professionals will not
only be dealing with Governance within the organisation but also be the Trustees of Quality: quality in decisions
and quality in delivery.
Introduction
[Diagram labels: Risk; Compliance; Business Goals; Achieve Goal!]
Past: Disconnected
[Diagram labels: Internal Audit; Risk; Business; “Business owns Risk”]
• Business, Risk and Internal Audit are part of the Internal Control structure but disconnected
• Business focuses on business objective delivery but awareness & application of risk thinking & controls is minimal and considered to be someone else's responsibility (Ownership)
• Risk activities are performed as they are mandated, value to business is not appreciated – performed in word but not in spirit.
• Internal Audit reports with micro level findings are considered to be the means for business management to know risks within business
• Risk management personnel have less awareness of the challenges of business management, and risk requirements may be considered onerous and impractical.
Current: Connected
[Diagram labels: Internal Audit; Risk; Assurance; Business; “Business owns Risk”]
• Risk Professionals & Business Managers with active risk based decision making are embedded within the Business layer
• Business focuses on business objective delivery, general risk awareness is improved but risk thinking & controls is considered to be of the Assurance team within business (Ownership)
• Risk activities are performed more because of mandate by Assurance, fear of compliance or Head of business and some amount of indirect perception of value to business.
• Internal Audit reports & errors are considered to be the means for business management to know risks within business. They are also treated as KPIs for Assurance.
• Assurance needs to play a Change Manager role (influencer) & increase involvement in business management and feedback to the Risk layer on practicalities of mandated risk requirements.
Desired State (“The End Goal”): Embedded
[Diagram labels: Internal Audit; Risk; Business; “Business owns Risk”]
• Risk based thinking is part of natural business decision making – Quality of decision making ensures better risk management.
• Business focuses on business objective delivery but with a risk bent to any decisions. Leaders/Business Managers understand that most risk events stem from their behavior and decisions
• Risk management culture is embedded in business because of the belief that risk based decision making leads to value to business.
• Internal Audit and Risk reports are treated as risk indicators on the health of business & action is taken on underlying factors rather than on the “audit issues”. KPIs are based on demonstration of risk culture rather than on indicators only.
• Assurance role gets converted to a Business Manager role with SME knowledge on Risk & Controls.
My Views on the evolution of 3 Lines of Defence: Thinking Risk in Decision Making – The Journey to be taken
• The key aspect of the 3 lines of defence model with “embedded” Risk Professionals within business is BEING ON
THE INSIDE.
• The advantage of this approach is that by actually being embedded within business, Assurance champions are
able to better understand risks because they are now very close to the action. They breathe and feel the
business; this is useful because it avoids the distinct Us and Them feeling.
• There is a bond of common purpose and goals (Trust), which allows a much more open discussion on Objectives,
Inhibitors and actions, which are all important components of understanding and arriving at risks-threats and
actions to manage those – More transparency and Visibility
• The goal is to bring risk management closer from abstract theory to more practical application. Business
Managers see value through it; the key value add from the first line is the ability to support a commercial
trade-off with KRAs aligned to business outcomes as well as risk outcomes.
• The critical aspect here is that unless we have the Assurance team incredibly close to the business we will never
be able to keep on top of changes in technology and business.
• However, this embedded 3 lines of defence model is not a silver bullet and in fact, compared to other models,
is much more difficult to implement. It requires heavy support from other elements within the organisation,
such as Ethics, Code of Conduct, strong Tone at the top and wholehearted support from Business Leaders.
• The model also needs a stronger second line, which can provide independent oversight and challenge to
decisions arrived at by business, which now has better risk knowledge.
• The Second Line challenge has to improve from a process level focus to a discussion that utilises strong
business understanding and application of risk to business reality.
Philosophy of Embedded Risk Managers- Assurance
Being Accepted – Credibility – Working the Matrix
The embedded risk model within ANZ provided an excellent opportunity to learn from the Inside how
business perceives Risk, what their challenges are in trying to follow Risk requirements and how things can be
done differently to enable achievement of Risk objectives.
• One of the biggest challenges in the initial days was gaining acceptance from business. The reason was that,
though Assurance was reporting to the Head of Business, the role was not very clearly understood by the Business
Heads. Assurance staff were considered to be proxy Risk & Compliance personnel.
• Initially the expectation from Business Managers was to involve Assurance only with traditional areas of
Operational Risk Management relating to Risk Register maintenance, anything to do with Control or processes,
and Audit-Compliance. This in effect was “outsourcing” of risk & compliance requirements from the Business Team
to Assurance. “Business Owns Risk” was interpreted to mean that Assurance Personnel within business own the
risk!
• Business leaders were aware of the statement “business owns risks” but were really lost in terms of what it
means to their business and what they need to do.
• The expectation was that Assurance would not have the skill or the drive to get actively involved in day to day
business strategy, issues and initiatives.
• Balancing the needs within the Matrix Management structure: matrix between Global and Regional; matrix
between Business and Operations; and matrix between Country and Regional management.
• Defining the scope of Business Assurance as compared to the scope for Operational Risk, which is more process
based.
Challenges
The uncertainty around what Assurance was, was itself an opportunity to exploit. In addition, the loss of
independence was something that looked bad at first glance but also allowed for removing the boundaries on how
far Assurance can contribute to the solution.
The following helped to overcome the challenges:
• Getting actively involved in strategy setting for the business (Knowing the Business)
• Proactively getting to know every aspect of business and the work done, challenges and perception of
Assurance from every Manager and Team Leader (Knowing the Business)
• Proactively getting involved in issues and being part of the solution (Come with Ideas)
• Solving issues by leveraging superior connectivity (connections within the Assurance community, Risk, Audit
and Country) and the advantage of seeing things across the Region (leverage on strengths)
• Sharing good practices learnt across the Region and promoting recognition of the team/person (Come with
Ideas)
• Designing and implementing an Audit Engagement Framework, helping prepare for the audit (Leverage on
Strengths and reduce pain points)
• Taking the lead in simplification and automation of mandatory risk and compliance activities (Automation)
• Use of negative reinforcement through communication of Regulatory, Compliance and Risk requirements and
the consequences of non-adherence, but also highlighting the least painful ways to satisfy those requirements
that are also professionally right
What were the things that helped in facing the Challenge
• Leading by example; taking ownership of certain business aspects and delivering them successfully by displaying
broader Management skills (Confidence in Execution - Credibility)
• Using additional responsibility to advantage to establish credibility, by learning and solving problems
and through that showing by example how to take the right decisions. (Lead by example)
• Strong relationships built through credibility with Audit and Risk, which allowed for a synergetic approach to
achieving control objectives. This was seen as beneficial and positive by business.
• Ability to build strong relationships across countries and teams within the matrix.
• Strong Senior Management face time and the ability to use this to highlight business issues and push
solutions.
What were the things that helped in facing the Challenge
References:
Roads to Ruin: A study of major risk events: their origins, impact and implications (Report); Commentary on the Report by Professor Alan Punter
Managing the people side of risk, by McKinsey
Banks need to question their ‘three lines of defense’, by Howard Davies
Is Risk Management Obsolete? and Risk Management Makeover, by Laurie Widmer

Chartered Accountant’s Role in an Enterprise Risk ManagementCA. (Dr.) Rajkumar Adukia
 
Running Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docxRunning Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docxjeanettehully
 
Running Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docxRunning Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docxtodd271
 

Similar to Thoughts on Direction of Ops Risk Management -V4 0 (20)

OverseeRiskAsNewerMoreComplex
OverseeRiskAsNewerMoreComplexOverseeRiskAsNewerMoreComplex
OverseeRiskAsNewerMoreComplex
 
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
 
WTW-EU-16-PUB-1735 Risk Culture Perspectives_V02
WTW-EU-16-PUB-1735 Risk Culture Perspectives_V02WTW-EU-16-PUB-1735 Risk Culture Perspectives_V02
WTW-EU-16-PUB-1735 Risk Culture Perspectives_V02
 
STRATEGIC PLANNINGManaging Risks A NewFrameworkby Rob.docx
STRATEGIC PLANNINGManaging Risks A NewFrameworkby Rob.docxSTRATEGIC PLANNINGManaging Risks A NewFrameworkby Rob.docx
STRATEGIC PLANNINGManaging Risks A NewFrameworkby Rob.docx
 
A Board Perspective on Enterprise Risk Management
A Board Perspective on Enterprise Risk ManagementA Board Perspective on Enterprise Risk Management
A Board Perspective on Enterprise Risk Management
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
My ERM Chapter (9) in "Operational Risk 2.0", (Riskbooks, 2007) introducing B...
My ERM Chapter (9) in "Operational Risk 2.0", (Riskbooks, 2007) introducing B...My ERM Chapter (9) in "Operational Risk 2.0", (Riskbooks, 2007) introducing B...
My ERM Chapter (9) in "Operational Risk 2.0", (Riskbooks, 2007) introducing B...
 
Risk management assignment exploring the relationship between threat, strateg...
Risk management assignment exploring the relationship between threat, strateg...Risk management assignment exploring the relationship between threat, strateg...
Risk management assignment exploring the relationship between threat, strateg...
 
Sap 2009 06 02 Risk Management
Sap 2009 06 02 Risk ManagementSap 2009 06 02 Risk Management
Sap 2009 06 02 Risk Management
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
Risk management
Risk managementRisk management
Risk management
 
The incorporation of sustainability risks into the risk culture | Albert Vila...
The incorporation of sustainability risks into the risk culture | Albert Vila...The incorporation of sustainability risks into the risk culture | Albert Vila...
The incorporation of sustainability risks into the risk culture | Albert Vila...
 
2015 global capital markets risk management study
2015 global capital markets risk management study2015 global capital markets risk management study
2015 global capital markets risk management study
 
ASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESS
ASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESSASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESS
ASSESSING THE RELATIONSHIP EFFECTIVE RISK ANALYSIS HAVE ON BUSINESS SUCCESS
 
Building an invisible framework for risk management
Building an invisible framework for risk managementBuilding an invisible framework for risk management
Building an invisible framework for risk management
 
BDO Global Risk Landscape
BDO Global Risk LandscapeBDO Global Risk Landscape
BDO Global Risk Landscape
 
Chartered Accountant’s Role in an Enterprise Risk Management
Chartered Accountant’s Role in an Enterprise Risk ManagementChartered Accountant’s Role in an Enterprise Risk Management
Chartered Accountant’s Role in an Enterprise Risk Management
 
Risk govjuly2012
Risk govjuly2012Risk govjuly2012
Risk govjuly2012
 
Running Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docxRunning Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docx
 
Running Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docxRunning Head ERM 1ERM 10Research Paper Draf.docx
Running Head ERM 1ERM 10Research Paper Draf.docx
 

Thoughts on Direction of Ops Risk Management -V4 0

  • 1. A Risk view from the Inside: A Perspective. Amrut Joshi
  • 2. Executive Summary
    The global economic environment through the last decade has been tumultuous not only for corporates but for countries and societies as well. These adverse events have brought into focus the causes of such failures and, importantly, the thinking around the means and methods through which such calamities can be avoided. Naturally, this has brought focus on Operational Risk as a solution, but it has also raised the question in many minds of why these adverse events occurred if risk management was already in place. While there is agreement that Risk Management is necessary, the questions being asked are whether current risk management practices are good enough, whether risk management teams are able to provide value and assist business, and whether they can really help stop Senior Management in the organisation from taking the wrong steps.
    As a profession, there have been a number of efforts to live up to the challenge. In this respect, various studies have shown that risks are about human decisions. Hence, to manage risks, whether through risk awareness or other means, one needs to influence business decisions and ensure organisations steer in the right direction and avoid failures. No amount of policing or oversight will be good enough to oversee every decision within an organisation, but one can train and influence people to arrive at well-thought-through, appropriate decisions and thus reduce the chances of failure.
    This paper introduces the idea of learning from other professions, especially Economics, and introduces the concept of “Behavioural Risk Management”. The second part of the paper captures the experience of a Risk-Control Professional embedded within the business function as part of the 3 lines of defence model.
  • 3. Context: Industry Landscape
    The last decade has been a time of significant disruption in the business landscape. The Enron failure brought about significant changes in the US in the areas of Governance, Auditor responsibilities and company disclosures, through the Sarbanes Oxley regulation. The focus was on having process level controls, though it also covered aspects of “Tone at the top” and governance structures. This could not prevent the Lehman crisis, which not only impacted the USA but more or less created a tsunami of social and financial issues across the World, especially in the developed world. Ironically, the financial measures taken by the US and European Governments to remediate the situation have intertwined Australia and Asia, which were relatively unscathed. Any unwinding of these measures/stimulus is expected to impact the Asia-Pac region as well.
    The current business landscape is characterised by:
    • Slower economic activity – lower opportunities for growth assets
    • Ever increasing expectations from investors-analysts
    • Increased pressure on costs as a means to generate profits to compensate for slowing revenue streams
    • Increased regulations & oversight over financial institutions
    • Social pressures on financial institutions
  • 4. Context: Risk Management
    The business failures and challenges described earlier have ignited focus on what Risk does and what value it provides to the organisation. Rightly or wrongly, they have raised the question in many a mind of whether proper application of Risk Management could have prevented unfavourable business outcomes or reduced the surprise element in these events.
    The Risk Management profession in general, and especially the Insurance and Actuarial space, has been quite interested in this topic and has commissioned quite a few studies and analyses. The findings have been interesting and highlight some of the things the profession should improve.
    Research funded by the Chartered Institute of Management Accountants (CIMA) in association with the Association of Insurance and Risk Managers had the following findings:
    • Risk Management is no longer solely a financial discipline, nor is it simply a concern for the internal control function
    • Where organisations retain a discrete risk management cadre – often specialists at monitoring and evaluating a range of risks – their success is dependent on embedding risk awareness in the wider culture of the enterprise
    • Risk Management is most successful when it is explicitly linked to operational performance
    • Clear leadership, specific goals, excellent influencing skills and open-mindedness to potential threats and opportunities are essential for effective risk management
    • Bureaucratic processes and systems can hamper good risk management – either as a result of a “box ticking mentality” or because managers and staff believe they do not need to consider risk themselves
  • 5. Context: Risk Management
    Another report, “Roads to Ruin”, by the Cass Business School on behalf of Airmic, analyses a number of recent business failures and highlights lessons learnt. The report investigated the origins and impact of over twenty major corporate crises of the last decade. The crises examined involved substantial, well-known organisations such as Coca-Cola, Firestone, Shell, BP, Airbus, Société Générale, Cadbury Schweppes, Northern Rock, AIG, Independent Insurance, Enron, Arthur Andersen, Railtrack, the UK Passport Agency and also some smaller firms. Several did not survive and most of the rest suffered severe damage. The report analysed failures in 7 categories. 9 of the 18 cases studied had human behaviour as the cause of failure.
    All the analysis and attention on Risk Management has been a double-edged sword. It is good because it has brought risk management to the top of the discussion for Boards and Senior Management. In this sense the failures can be seen as a blessing which no risk awareness program could ever have dreamt of achieving. However, it is also a reality that it has forced increased Regulation and Government oversight, thus increasing the cost of doing business. The pendulum has swung from a more self-regulated approach to more prescriptive regulatory requirements. The trust of Governments and People in Corporates, especially financial institutions, has reduced.
    If Risk Management as a profession is not able to wake up to the call, then the natural reaction from business and regulators will be to go for other solutions. It needs to change, so that it is not in the situation where it is the last to be consulted and the first to be blamed.
  • 6. Opinions on Risk Management
    Some of the opinions voiced are:
    “Only a few percentage of risk managers are functioning as what he calls true risk managers – being involved in decision making, planning and elevating the goals of the company.”
    “While companies are recognising that there is a value and an importance of risk management, many traditional risk managers do not have a very clear business mentality.”
    “If the Risk function is to have a future (more than from a Compliance perspective), it needs to be seen as a partner in delivering the management’s decision dashboard.”
    “Risk managers are getting paid for activity. Activity is not results. When you get results and you play a role in the company making or saving money, you are taken more seriously.”
    What makes things different for Operational Risk? The cousins of Operational Risk, Credit Risk and Market Risk, have been fortunate to have better-developed theory and practice, as well as a more defined role and KPIs within the corporate world. At the same time, Credit and Market Risk are narrower and more specialised professions than Operational Risk. The scope of Operational Risk is much broader and covers a larger spread of business. It applies to every aspect of business and is everywhere in it. This also makes it more difficult to comprehend and to define as clearly as Credit or Market Risk.
  • 7. It is about the Decisions we make and Actions we take
    Operational Risk Managers need to adapt to the new environment and the demands on the profession, grab the opportunity to get some face time with C level management, and actively be part of bringing value to the organisation.
    Business disasters such as Enron and Lehman cannot be attributed to an inability to maintain proper Risk Registers, Incident logging or risk testing. Today’s business is far too complex and dynamic to rely on standard procedures and tools to capture and manage the risks to business.
    The key reason for business failures, or for risks in business, is the decisions that are made. This is also the motto for Operational Risk Management in ANZ Bank: It is about the Decisions we make and Actions we take.
    Decisions are made by humans. Not all decisions are mechanical, otherwise they would have been automated. We live in an environment where the Customer is human, the demand for products and services is still driven by human wants, needs and behaviours, and organisations are still structures of humans with their follies and traits.
    The need of modern risk management is to move from the process to the objective: to focus on the actual decisions that are the root cause of any risks. To gain insight into decisions, one needs to understand the behaviours that drive them. Operational Risk Management has to understand how decisions are made (Practical Drivers), so that it can understand how they could go wrong and influence them positively towards achieving corporate objectives.
  • 8. Behavioural Risk Management
    In Economics, the fundamental assumption is that Man is a rational animal and all decisions are rational; people are perfectly rational, patient, computationally proficient little economic robots. This assumption has been debated, and it is now understood to be far from true. The profession has come up with a body of knowledge called Behavioural Economics to strengthen our understanding of how humans (people) behave in an economic sense.
    Behavioural economics is, in a way, at the intersection of economics and psychology. Behavioural economists develop models which account for the facts that people procrastinate, are impatient, aren’t always good decision-makers when decisions are hard (and sometimes even avoid making decisions altogether), go out of their way to avoid what feels like a loss, care about things like fairness in addition to economic gain, are subject to psychological biases which make them interpret information in biased ways, and so on.
    While we have heard of the term Behavioural Economics, it may be necessary to apply the same behavioural element to Risk Management. After all, the aim is to influence decision making within organisations, and decisions are taken by human beings. The need is to understand the motivators (positive and negative) of human decisions and influence or channel them in the right direction.
    In order to be future looking, Operational Risk should not only use good analytics based on past data but also apply the concepts of behavioural economics to help us better appreciate risks and future events and embed risk thinking in human decision making. This may be the way to a more sustainable Business Risk Management and towards a practice which is agile and more in step with the speed of business decisions.
  • 9. The People Element within the Team
    In order for Risk Leaders to play a more forceful and credible role within the organisation, they would need to utilise and display more of the following skills, behaviours and competencies:
    • Listening but being able to filter the noise
    • Influencing
    • Managing conflict
    • Testing assumptions and investigating
    • Innovating
    • Seeking and introducing change
    • Dealing with ambiguity
    • Communication
    • Being structured yet thinking out of the box
    • Business acumen
    • Stakeholder management
    • Adaptability
    Success also depends upon:
    1. Attracting the right people to be embedded as Risk Champions – Assurance leads
    2. Getting the right attitude and understanding from the Business Leaders to whom the Assurance leads report
    3. Ability and attitude of Assurance Managers to move away from being Consultants to Active Implementation
    4. Ability of the Assurance Managers to imbibe and be conversant with business operations – credibility
    5. Ability of Risk Leaders to attract the right talent and business experience, who can provide credible oversight over business decisions. Ideally, risk teams should have members who have spent some time in business and who can empathise with and understand in practical terms the challenges that Leaders and Managers face in coming to business decisions.
    While new regulations will necessitate higher risk oversight, risk management will need the skillset, credibility and knowledge to oversee business effectively. Secondly, for business, doing it right the first time will be the best bet. Hence risk management will be best served if risk managers play a stronger influencing role than just serving in the “policeman” role. It also may not be practical for Risk teams to have complete oversight of all the key decisions.
  • 10. My Experience in the First Line of Defence Through Embedded Risk Function (Assurance) as a means of influencing Decision Making
    It’s about the decisions we make & the actions we take.
  • 11. Introduction
    While Risk & Compliance have been natural comfort areas of work for Assurance, the challenge has been for Leaders to adapt and bring in the business goals component of the puzzle. The very reason for creating the Assurance function and embedding it or bringing it closer has been to stay close to business and understand the risk dynamics at close quarters – to be close to the place where actions and risks arise. This allows for leading by example and providing pragmatic advice to influence business thinking. At a higher level of maturity, all business managers will behave like Assurance Managers, and Assurance Managers will have morphed into Business Managers with risk expertise.
    Risk Management, as aptly stated by ANZ Group Risk, is about: “It’s about the decisions we make & the actions we take.” The key operative word is decisions. Assurance is in respect of decisions made, and hence any Assurance structure and team’s strengths are dependent upon the nature of the decisions taken and the number, quality and speed of such decisions.
    As organisation maturity evolves, the Assurance function will change in synchronisation. Assurance teams will be based according to the place where decisions are made. In a sense, if an organisation hubs/offshores its operations, operational risks and controls will fall more within the ambit of offshore/hub assurance teams. Assurance and Risk Management will follow the structure and hierarchy of organisation decision making.
    A related element is the skill set required of various Assurance teams. Assurance needs to have the skills and credibility to participate in business management. Credibility = Trust + Confidence in Delivery. In this sense, Risk Professionals will not only be dealing with Governance within the organisation but will also be the Trustees of Quality: quality in decisions and quality in delivery.
    [Figure: “Achieve Goal!” – Risk, Compliance, Business Goals]
  • 12. My Views on the evolution of 3 Lines of Defence: Thinking Risk in Decision Making – The Journey to be taken
    Past: Disconnected
    [Diagram layers: Internal Audit; Risk; Business (“Business owns Risk”)]
    • Business, Risk and Internal Audit are part of the Internal Control structure but disconnected
    • Business focuses on business objective delivery, but awareness & application of risk thinking & controls is minimal and considered to be someone else’s responsibility (Ownership)
    • Risk activities are performed as they are mandated; value to business is not appreciated – performed in word but not in spirit
    • Internal Audit reports with micro level findings are considered to be the means for business management to know risks within business
    • Risk management personnel have less awareness of the challenges of business management, and risk requirements may be considered onerous and impractical
    Current: Embedded
    [Diagram layers: Internal Audit; Risk; Assurance and Business (“Business owns Risk”)]
    • Risk Professionals & Business Managers with active risk based decision making are embedded within the Business layer
    • Business focuses on business objective delivery; general risk awareness is improved, but risk thinking & controls are considered to belong to the Assurance team within business (Ownership)
    • Risk activities are performed more because of mandate by Assurance, fear of compliance or the Head of business, and some amount of indirect perception of value to business
    • Internal Audit reports & errors are considered to be the means for business management to know risks within business. They are also treated as KPIs for Assurance
    • Assurance needs to play a Change Manager role (influencer), increase its involvement in business management and give feedback to the Risk layer on the practicalities of mandated risk requirements
    Desired State (“The End Goal”): Connected
    [Diagram layers: Internal Audit; Risk; Business (“Business owns Risk”)]
    • Risk based thinking is part of natural business decision making – quality of decision making ensures better risk management
    • Business focuses on business objective delivery but with a risk bent to any decisions. Leaders/Business Managers understand that most risk events stem from their behaviour and decisions
    • Risk management culture is embedded in business because of the belief that risk based decision making leads to value to business
    • Internal Audit and Risk reports are treated as risk indicators on the health of business & action is taken on underlying factors rather than on the “audit issues”. KPIs are based on demonstration of risk culture rather than on indicators only
    • Assurance role gets converted to a Business Manager role with SME knowledge on Risk & Controls
  • 13. Philosophy of Embedded Risk Managers – Assurance
    • The key aspect of the 3 lines of defence model with “embedded” Risk Professionals within business is BEING ON THE INSIDE.
    • The advantage of this approach is that, by actually being embedded within business, Assurance champions are able to better understand risks because they are now very close to the action. They breathe and feel the business; this is useful because it avoids the distinct Us and Them feeling.
    • There is a bond of common purpose and goals – Trust – which allows a much more open discussion on Objectives, Inhibitors and actions, which are all important components of understanding and arriving at risks-threats and actions to manage those – More transparency and Visibility.
    • The goal is to bring risk management closer, from abstract theory to more practical application. Business Managers see value through it; the key value add from the first line is the ability to support a commercial trade-off with KRAs aligned to business outcomes as well as risk outcomes.
    • The critical aspect here is that unless we have the Assurance team incredibly close to the business, we will never be able to keep on top of changes in technology and business.
    • However, this embedded 3 lines of defence model is not a silver bullet and in fact, compared to other models, is much more difficult to implement. It requires heavy support from other elements within the organisation, such as Ethics, Code of Conduct, a Strong Tone at the top and whole-hearted support from Business Leaders.
    • The model also needs a Stronger second line, which can provide independent oversight of and challenge to decisions arrived at by a business which now has better risk knowledge.
    • The Second Line challenge has to improve from a process level focus to a discussion that utilises strong business understanding and application of risk to business reality.
  • 14. Challenges
    Being Accepted – Credibility – Working the Matrix
    The embedded risk model within ANZ provided an excellent opportunity to learn from the Inside how business perceives Risk, what its challenges are in trying to follow Risk requirements, and how things can be done differently to enable achievement of Risk objectives.
    • One of the biggest challenges in the initial days was gaining acceptance from business. The reason was that, though Assurance was reporting to the Head of Business, the role was not very clearly understood by the Business Heads. Assurance staff were considered to be proxy Risk & Compliance personnel.
    • Initially the expectation from Business Managers was to involve Assurance only in traditional areas of Operational Risk Management relating to Risk Register maintenance, anything to do with Control or processes, and Audit-Compliance. This in effect was “outsourcing” of risk & compliance requirements from the Business Team to Assurance. “Business Owns Risk” was interpreted to mean that Assurance Personnel within business own the risk!
    • Business leaders were aware of the statement “business owns risks” but were really lost in terms of what it means to their business and what they need to do.
    • The expectation was that Assurance would not have the skill or the drive to get actively involved in day to day business strategy, issues and initiatives.
    • Balancing the needs within the Matrix Management structure: the matrix between Global and Regional, the matrix between Business and Operations, and the matrix between Country and Regional management.
    • Defining the scope of Business Assurance as compared to the scope of Operational Risk, which is more process based.
  • 15. What were the things that helped in facing the Challenge
    The uncertainty around what Assurance was presented an opportunity to exploit. In addition, the loss of independence was something that looked bad at first glance but also allowed for removing the boundaries on how far Assurance can contribute to the solution. The following helped to overcome the challenges:
    • Getting actively involved in strategy setting for the business (Knowing the Business)
    • Proactively getting to know every aspect of the business and the work done, and the challenges and perception of Assurance from every Manager and Team Leader (Knowing the Business)
    • Proactively getting involved in issues and being part of the solution (Come with Ideas)
    • Solving issues by leveraging superior connectivity (connections within the Assurance community, Risk, Audit and Country) and the advantage of seeing things across the Region (Leverage on Strengths)
    • Sharing good practices learnt across the Region and promoting recognition of the team/person (Come with Ideas)
    • Designing and implementing an Audit Engagement Framework and helping prepare for the audit (Leverage on Strengths and reduce pain points)
    • Taking the lead in simplification and automation of mandatory risk and compliance activities (Automation)
    • Use of negative reinforcement through communication of Regulatory, Compliance and Risk requirements and the consequences of non-adherence, but also highlighting the least painful ways to satisfy those requirements which are also professionally right
  • 16. What were the things that helped in facing the Challenge
    • Leading by example: taking ownership of certain business aspects and delivering them successfully by displaying broader Management skills (Confidence in Execution – Credibility)
    • Using additional responsibility to advantage: establishing credibility by learning and solving problems, and through that showing by example how to take the right decisions (Lead by example)
    • A strong relationship with Audit and Risk, built through credibility, which allowed for a synergetic approach to achieving control objectives. This was seen as beneficial and positive by business.
    • Ability to build strong relationships across countries and teams within the matrix.
    • Strong Senior Management face time and the ability to use this to highlight business issues and push solutions.
    References:
    • Roads to Ruin; A study of major risk events: their origins, impact and implications Report; Commentary on the Report by Professor Alan Punter
    • Managing the people side of risk by McKinsey
    • Banks need to question their ‘three lines of defense’ by Howard Davies
    • Laurie Widmer: Is Risk Management Obsolete? & Risk Management Makeover