Episode 102 is a Bonus episode that covers the foundational aspects of risk management. This will be useful during future episodes of WHAT THE R*SK!
We cover:
- What risk IS and what risk IS NOT, as well as clarifying common misconceptions of risk.
- Nine characteristics of a strong risk culture, along with red flags to watch out for.
- How to measure risk and the application of risk measurement.
This Episode 102 is a supplement to the podcast series and is intended to help build your understanding of the risk framework.
Some of our listeners may already have that knowledge, but others may not.
Episode 102 is very heavy on information nuggets and should be used as an ongoing reference.
As a further supplement to this Bonus episode, we created an e-book to go along with this episode for Blind Spot Insiders. It has additional detail, graphics, and worksheets for you to use in identification of risk.
Go to www.riskblindspots.com to become a Blind Spot Insider and download the e-book Foundations of Risk Management.
This podcast is about you and your education about risk management.
With nearly 30 years working within the financial services industry at organizations ranging from large banks to FinTech start-ups, I have had the opportunity to hold executive leadership roles across the three lines of risk defense:
- Customer-facing business line management
- Corporate Compliance and Risk
- Independent Review
These experiences as a senior risk and compliance professional have enabled me to apply both breadth and depth of expertise to foster a holistic approach to enterprise risk management that I am looking to share with you.
Transcript
Larry Gordon: [00:00:00] Welcome to episode 102. First season. Second episode. This episode will cover the foundational aspects of risk management. This will be useful during future episodes of What The Risk. We're going to cover what risk is and what risk is not, which also clarifies common misconceptions. We'll cover nine characteristics of a strong risk culture, along with red flags to watch out for. We'll talk about how to measure risk and the application of risk measurement. This episode 102 is a supplement to the podcast series. By its nature, it may be very heavy on information nuggets. Episode 102 is intended to help build your understanding of the risk framework. Some of our listeners may already have that knowledge, but others may not. I encourage you to use this episode as an ongoing reference and as a bonus. I've created an e-book to go along with this episode. It has additional detail, graphics and worksheets for you to use. Go to riskblindspots.com. That's plural because we all have them riskblindspots.com to become a blind spot insider and download the e-book Foundations of Risk Management. There are many perceptions about risk management. So let's start with perception matters. Risk management functions are often associated with the role of Dr. No. That's the evil character that works against the sales force. This perception is perpetuated from people remembering when someone in a risk department somewhere or a legal department told them no and blocked them from making a sale. When an organization has a strong risk management culture, the relationship between sales and risk should not be an obstacle.
Larry Gordon: [00:01:42] It should be seen as empowerment that enables businesses to thrive and generate sales with safe, risk based parameters and guardrails. Think about risk management as a prescriptive way, not to be part of the headline news in reality TV or as a business school case study for a failed company. Now let's talk about what risk is and what risk is not. Risk is not the job of only one person. Everyone in a company needs to understand that they have a responsibility to identify risk and they should work with others to appropriately address it. Risk is not a check the box exercise. Neither is monitoring dashboards. Spending time to evaluate and assess risk is important. Risk is not static. It's dynamic and evolving. It can be based on market conditions, internal or external events. Avoiding the risk management process is not a viable risk management plan. The ostrich method of burying your head to avoid risk does not work. Risk management is not a one size fits all. The most effective way to measure or monitor risk will depend on the specific content and nature of risks that are involved. We're going to cover this more in the How to Measure Risk segment. Risk tolerance is company specific and will drive your risk based decision making process. When we say risk tolerance, it means the types of risk and the magnitude of risk that is considered acceptable to your company or your organization.
Larry Gordon: [00:03:29] Management is not sexy. If done correctly, you may not be able to quantify the benefits of the savings. However, when a bad event happens and you've not done your risk management correctly, the potential consequences can be operationally, financially or reputationally significant. At that point, you're going to know exactly how much your risk management could have saved you. There is a difference between risk management and risk avoidance. Consider this life example. Your child wants to go to a friend's house on the other side of the neighborhood, but they want to do it by themselves for the first time. While you're proud of their desire to be independent, this is a transition point just as much for you as it is for your child. Your choices are to not let them go, which is risk avoidance. Give them a ride to the friend's house yourself, which is risk avoidance, except for your car trip, or to teach the child how to safely cross streets. Follow the planned path and steer clear of stranger danger. The latter is a risk management strategy. Note this example does not include and is agnostic to your intentions to enhance the process with the GPS device. But a GPS tracker would be a risk event detection tool rather than a prevention tool. So we're going to set that aside for now. From a more technical perspective, risk management is an approach that involves identifying, addressing and mitigating risks along with continuous monitoring. It also aims to minimize the impact of potential risks while allowing for reasonable risk taking.
Larry Gordon: [00:05:11] Now, risk avoidance, on the other hand, focuses on eliminating or steering clear of risks entirely. It involves continuously deciding to not engage in activities or situations that carry significant risk. Strategies for risk avoidance include elimination, abstaining or substituting risky elements. If you're the parent in the above analogy, you want to be thoughtful and evaluative without overlaying unnecessary or unrelated bias in your risk approach. As a business leader, a banker or an investor, it's your nature to seek a higher return for your investment or your resources by actually taking risks. So it's important that you think about the activities of risk management rather than perceive a risk program as just risk avoidance. Risk management is not limited to utilizing dashboards. And let me give you an analogy. Driving a business is like driving a car. Don't get me wrong, it's natural to focus on the activities that give you more tangible rewards, such as speed and sales in cars and in business. There are a core set of metrics that should absolutely be monitored on a dashboard. Dashboards should tell you what is currently happening or has already happened. In business, dashboards are built based on the size and complexity of the operation. Now, here's the big however. If you're only looking at the dashboard when driving, it's a disaster waiting to happen. It's a matter of when, not if you will hit the friction point. Business leaders like good drivers should spend most of their time looking out of the windshield, the windows and mirrors.
Larry Gordon: [00:06:57] This is where the obstacles are. In other words, manage the risks. The ability to identify friction points, anticipate events and make adjustments will always lead to better outcomes. When driving a car, the greatest potential impact can come from missing what's hidden in your blind spots just over the driver's shoulders. You may not look in your blind spots all the time, but we do need to know that we have the right visibility when that time comes. When there are new technologies in the cars that expose the risk of blind spots, we utilize them. Blind spot detectors are now in side mirrors, cross alerts, lane departures and surround cameras. Similarly, like technology that helps the driver, this podcast is designed to help a business leader expose the company's blind spots. What does a strong risk management culture look like? Mature risk management programs have certain characteristics. It starts with promoting a holistic approach to risk. It's supported by effective policies and procedures and is embedded in the organization's values, vision and mission. We're going to go through the nine characteristics of strong risk cultures. We're also going to talk about red flags. And you're going to hear us talk about these routinely. Keep in mind that these are just examples of red flags. There are many more. Okay. Number one: tone at the top. A culture of risk management starts with the tone from the top. This means that senior leaders of the organization demonstrate a strong commitment to risk management and set an example for others to follow.
Larry Gordon: [00:08:34] The red flag from tone at the top is when you ask somebody at the company who owns risk. If leadership tells you they have one person that's solely responsible for risk management, it's not in their DNA. It's not part of the culture of the organization. They have not valued the person or the process. And if that one person they point to is not an executive officer, it may be viewed organizationally as just a check the box exercise. Number two clarity of roles and responsibilities throughout the company. There should be a clear understanding of roles and responsibilities related to risk management. It should be known throughout the business that is including the board of directors, senior management, risk management, staff and business line staff. Now there's two red flags for this one. Number one red flag. There's no risk management experience at the board of directors level or the board doesn't have a standing agenda item for risk topics. This means that risks are probably not being escalated where they need to be. Red flag number two. When you talk with employees about specific risks that they have in their role and it results in a deer in headlights response, this means that that person doesn't understand the impact of their job and how it could impact risk within their organization. Number three. Effective communication. Effective communication is demonstrated by good policies, procedures and requirements, including regular training and awareness programs.
Larry Gordon: [00:10:09] It's all about the transparency and being aware of what everyone is supposed to be doing. The big red flag for effective communication is policies that appear to be cut and pasted from an online source without being customized. Now, off the shelf policies can be a good starting point, but that's exactly what they are, a starting point. They must be adapted for each organization. Simplistic procedures allow for inconsistency in the desired results. Before we move on from effective communication, I specifically want to talk about policy and procedure documents. Think of policies as the What documents: they are the overall direction, principles and expectations for that organization. Our company will comply with this regulation. The procedure documents should be thought about as a How document. They are detailed instructions to ensure activities are done in a consistent, repeatable and reproducible manner. This is how we will specifically process each customer's order so we will comply with the regulation. A great example about the importance of well documented procedures can be found on The Great British Baking Show, known as The Great British Bake Off in the UK. If you've never seen the show, each episode has a segment called The Technical Challenge. The technical challenge gives bakers a recipe for a specific baked item such as a cake, bread, pastry or dessert. The recipe is often incomplete or lacking specific instructions. This forces the baker to rely on their baking knowledge, skills and intuition to fill in the gaps.
Larry Gordon: [00:11:54] This tests their ability to follow instructions, adapt to unfamiliar recipes and showcase their technical proficiency. In the meantime, the hosts were filmed away from the contestants, showing the audience what the final product is supposed to look like, what it's supposed to taste like, and any skills that are going to be of particular challenge. Each contestant is given the raw ingredients to be successful. But incomplete instructions typically prevent the contestants from getting it perfect. The judging table at the end is always very interesting. There's a wide range of variance across the contestants in the final products they deliver. Now think about your business. You want to set the teams up for success, but by providing specific, step-by-step details, pictures, etc., so each time the procedures are completed, they are perfect. Too often procedures are less than complete, like in the baking technical challenge. Do you want your customers to experience a wide variance of outcomes when you deliver your work product? Do you want them to think about your business in that way? Not knowing exactly what they're going to get. In the world of Six Sigma, variance is the enemy. Clear procedures are key and critical. Data driven decision making is the fourth item. Risk management decisions are based on accurate and timely data that is analyzed and interpreted effectively. The red flag here is: are there too many SWAG decisions being made in your company? A SWAG decision is someone's wild ass guess.
Larry Gordon: [00:13:32] The strategic and organizational decisions made without facts or verifiable information means that there's little basis for the decisions being made in your organization. Number five, continuous improvement. A strong risk management culture is one that constantly looks to evolve and improve its risk management practices through ongoing monitoring, evaluation and feedback. The red flag here is if you hear comments like our program was put into place a while back and it's been working just fine, or if it ain't broke, don't fix it. This indicates the management is not adjusting to changing risks. Number six. Risk awareness. All employees should be aware of the risks associated with their role. Each should be empowered to raise concerns when necessary. The red flag. This is like nails on a chalkboard to me. When someone says they do not escalate issues because management knows what they want done. This indicates a strong communication barrier likely with multiple root causes. If an employee is uncomfortable escalating a risk, that's a leadership issue. If a leader is aware of a risk, there should be open conversations and discussions to educate the employees. Number seven. Accountability. Individuals and teams need to be held accountable for managing risks within their areas of responsibility, and there need to be consequences for failing to do so. So here are a few red flags. When there is no process in place to test or monitor activities. When there is no process to allocate costs associated with losses and when there is no forum to learn from mistakes.
Larry Gordon: [00:15:25] This is actually a valuable learning opportunity lost, so you can learn from any mistakes and thus not repeat them. Now, I've been in an executive conversation before where the risk officer took the position that assigning a cost allocation for a particular failure would set a precedent for all future cost allocations. This was a false premise and absolutely not the case. Each event, each loss must be judged independently to figure out what the root cause is and then the cost allocated to the responsible cost center. This is about lessons learned and how to avoid the next time. Number eight. Flexibility. Strong risk management cultures are flexible. They allow teams to respond quickly and effectively to changing market conditions, regulatory environments or emerging risks. Red flags for flexibility: companies have no plan or infrastructure to evaluate external or internal changes or the ability to appropriately respond. Said another way, this red flag is like looking up from a car's dashboard while driving, seeing an object in the road and not being able to make adjustments to avoid it. You need a process in place to adjust to external factors. Number nine. Customer focus. Without customer focus, your business goes away. Risk management cultures embrace and account for customer needs and interests. There needs to be a risk based approach with the company's mission and strategic objectives. Here we have two red flags on different ends of the scale. Having a mantra of "the customer's always right and we must make the sale" is one red flag.
Larry Gordon: [00:17:17] Here's a quick story. I witnessed a company willing to make a sale because they needed the transaction for cash flow. They did not recognize that actually making the sale could have bankrupted the company. They did not consider the regulations that they were about to violate. That's a severe blind spot. Potentially two root causes came about. Number one, they do not have the right risk management tools in place, or the employees, if they were aware of the regulatory issue, were fearful of backlash for objecting to management. Is the customer usually right? Absolutely. But it is important to know the rules of the road. The second red flag is on the other extreme, having customer requirements that are so rigid from a risk perspective that customers find it hard to do business with the company. Now, if you're in the regulated environment, this may not apply. Otherwise there should be training and appropriate empowerment of your frontline team to make decisions about acceptable risks. When companies try to build a risk culture, transparency of the whole process is important so everyone knows the rules of the road as it applies to your company, as it applies to the individuals in it. Once the risk is identified, it needs to be measured. Now, here's a caution flag. When you set your risk thresholds, you should do it when you're not in a crisis. You have to put thought and logic into the levels. If you are ever in a position where people want to change the meaning of your dashboard or change the meaning of your dashboard indicators because they're not convenient.
Larry Gordon: [00:19:06] It will distort reality and amplify your risk. Now, we used a car analogy earlier. Here's a second transportation analogy. I have friends that are pilots. One of them told me that every time he goes to the airport to fly, he looks for every reason not to fly that day. Now, this sounds counterintuitive, but listen in. He told me that during the preflight check, if things are not exactly how we expect them to be, he doesn't fly. Any variances to his checks on the ground could lead to a problem in the air. And the landing may be much more impactful than it should be. Another pilot friend of mine explained that in situations without visibility, a pilot has to rely upon their instruments. You cannot be second guessing your instruments and making repeated judgment calls. This would only compound your risk and you may not be able to recover once you regain visibility. The moral of these stories is: establish your risk parameters when you can thoughtfully set them. Trying to determine what your risk tolerance is and should be during an event will likely lead to a bad outcome. Back to risk measurement. There is no one size fits all answer to measuring risk. Measurements of risk will depend on the specific context and the nature of the risk involved. However, I will talk briefly about seven common ways to measure risk.
Larry Gordon: [00:20:37] Number one, probability and impact. Assessing the likelihood and potential impact of a risk occurring and assigning a numerical value to each will help quantify the overall level of risk. Now we're going to talk more about this shortly as it is something that needs to be understood. Number two. Historical data analysis. You definitely want to look at historical data related to similar risks or events that can help identify patterns and inform the risk assessment. Now, when we say inform the risk assessment, we're talking about understanding risks and documenting them. From there, we can prioritize the risks that need to be addressed. Number three is scenario analysis. Work through hypothetical scenarios and evaluate the impacts. This will help identify potential risks and inform potential risk mitigation strategies. One way to do this is through tabletop exercises. However, the representatives from various parts of the company get together, walk through various scenarios and talk about the action steps that will be needed if an event happens. Each of you will be having different input and then you'll have multiple cases on top of that. What does HR have to do? What does IT have to do? How do we work with customer support? Stress testing is number four: simulate extreme market conditions to assess the impact on your operations and try to identify any vulnerabilities. One example is what happens to your business if gas prices double or triple? It's not just about what your company spends at the pump that matters.
Larry Gordon: [00:22:19] What happens in the cost of the supply chain? Will your cost be going up? How much do buying patterns change your business, customers or consumers? And think of all those different impacts and what that means to your business. Number five, expert judgment. Seek input from subject matter experts or experienced professionals on how to measure certain risks. They can provide valuable insight into risks and risk management strategies. Number six is risk appetite. You want to establish what a clear risk appetite and tolerance means to your organization. Setting the levels helps guide your risk management decisions, such as prioritizing resources and efforts. Think about it. If your organization can tolerate one or more events that would cost $1,000 each, what if they were $100,000 each? Can your company withstand an event where half the workforce is unable to get their job done? Your systems go down. They can't get into the office and you have no way for them to work remotely. What about adding a day to your customer delivery schedules, your service level agreements? Do you have a normal 24-hour delivery, so that adding a day is really doubling your delivery time? Do you have a 60-day lead time, so one day may not be impactful to a customer? So think about all of these pieces of your risk appetite. These are thresholds that should be determined for each business. Risk indicators is number seven: establish key risk indicators, or KRIs. These help monitor and track risk levels over time and inform management decisions.
Larry Gordon: [00:24:11] KRIs should be thought about as early warning signals of potential risks that materialize into significant issues or threats. Tracking KRIs over time will help you identify trends. Overall, the best way to measure risk really is dependent on the specific context and goals of your risk assessment. And remember, no one way is the right way. A combination of different methods to measure risk can be most effective. At the top of the show, I mentioned there's an e-book to go with this episode. It has additional details, graphics and worksheets for you to use. During this application of risk section, we will start transitioning to the book. So go to riskblindspots.com. That's plural, because we all have them: riskblindspots.com to become a blind spot insider and download the book application of risk measurement. We talked about culture and measurement and the different methods that are used. Now it's important to work through some of the terminology that we'll be using throughout the podcast. So let's revisit the risk measurement from the perspective of probability and impact. Probability and impact tie back to the concept of inherent risk and residual risk. And so let's continue using the analogy of driving a car. Inherent risk is like the danger of driving a car without anything there to help safeguard you. Without safeguards, including car safety features, it encompasses risks such as accidents, road conditions, weather hazards and other drivers' behavior. These risks exist regardless and without any safety precautions that you take and are inherent to the activity of driving.
Larry Gordon: [00:26:03] Control effectiveness refers to how well risk mitigation and controls actually work. What I mean by that is you can have great controls, but if they're not implemented and they're not effective, they don't do any good. So you have to ask yourself about your controls. Do they reduce the residual risk? Do your procedures or systems prevent, minimize or mitigate the probability of an event even happening? Or do they minimize the impact if it does happen? In the car analogy, controls would be wearing a seatbelt, following traffic safety rules and maintaining the vehicle safety such as brakes, steering signals and airbags. In the book, I include a representative residual risk chart. It shows inherent risk and control effectiveness, which is used to determine the level of residual risk. Now, residual risk represents the remaining level of risk or the dangers that persist after your safety precautions are put into place. You may reduce the level of risk, but your controls do not serve to completely eliminate the risk. We talked about inherent risks. Getting that right is very important because everything flows from there. There are two key components, probability and impact, that together determine the level of risk. Probability refers to the likelihood or chance of a particular risk event occurring. It is usually expressed as a percentage or frequency: one time per week, one time per year, one time per decade. It depends on your situation. Probability can be assessed using various techniques that we talked about.
Larry Gordon: [00:27:47] The higher the probability of a risk event occurring, the higher the overall level of risk. Impact refers to the potential consequences or severity of an event if it were to occur. Companies can be impacted in multiple ways from a single event. It can be financial, reputational, operational or other relevant dimensions. The impact of an event can be put into quantitative terms or qualitative terms. Quantitative terms are dollar value of losses. Number of customers affected. Qualitative terms really focus on the potential damage to reputation, disruption to operations. The higher the potential impact of an event, the higher the overall level of risk. By considering both probability and impact, business leaders can prioritize risks and allocate resources. We've covered a great deal today. This is where I want you to transition to the book that goes along with episode 102. The book goes into more details about probability and impact. It shows calculation examples and makes the concepts much more tangible. I encourage you to go to download the book, go through the process and use the worksheets to help you identify and size the risks in your business. Topics you're going to find in the book include moving beyond t shirt sizing to determine the magnitude of risk, creating three by three and five by five risk grids and the worksheets to frame the probability and impact levels. And after you spend time with the book and thinking through your company's risk framework, each episode should give you new ideas and risk topics to apply.
Larry Gordon: [00:29:38] Episode 102 wrap up. If you're learning about risk management, Episode 102 provided you with quite a few information nuggets to think about. I encourage you to listen to this episode periodically and each time you do, you'll be able to apply new experiences as you become more comfortable with the risk management concepts. I will tell you exactly what I tell my teams when we take on new and challenging tasks. We may swallow a little water, but if we stick together, nobody's going to drown. These concepts will start to fall into place when you hear the guest interviews, their experiences and their advice. Let's recap episode 102 about the foundational aspects of risk management. You learned more about what risk is and what risk is not, and we removed some of your misconceptions. You learned nine characteristics of strong risk culture and you should be able to spot red flags. We covered ways to measure risk and the application of risk measurement as it fits into the inherent risk, control effectiveness and residual risk categories. I encourage you to download the e-book that goes along with episode 102. Work through it at your pace. You should not have to do it alone. Remember, risk management is not a one person responsibility. Work with your teams to help identify all the risks in your business. And if you're a blind spot insider, you're welcome to submit questions and comments about this episode.