Managing Systemic Risks in Organizations

The gross turnover of the top 100 multinationals is higher than the gross domestic product of a few countries. As was obvious from the financial crises, organizations employing a few hundred thousand employees can rock global financial stability. Since then, there has been a lot of discussion around systemic risks. However, I wonder about the actual momentum in addressing systemic risks.

As per my understanding, an inaccurate perception has formed that governments, and not organizations, have the major responsibility to address systemic risks. The picture below depicts the increasing level of risks for human civilization or society as a whole and the increasing level of risks within an organization. Though we do not see linear relationships, they are interconnected. While an organization is a subset of the civilization, the large size of organizations has also made them a significant component in creating systemic risks.

 

[Figure: Systemic risks]

 

Another fallacy is that organizations need to track systemic risks at the global level alone. From the financial crises, it was obvious that the retail housing loan departments of US banks shook the real estate industry. Various CDOs of banks’ investment divisions were the cause of the collapse of major banks. Hence, something as small as the functioning of a department, process or product can destabilize the industry and economy when incorrect practices are followed in multiple organizations.

Moreover, senior management of organizations that have implemented Enterprise Risk Management (ERM) believe that systemic risks are automatically addressed. None of the ERMs is going beyond strategic risks. The focus is mostly on operational and tactical risk coverage. Unless the risk management department has taken concrete measures to identify systemic risks, in all probability they are unmitigated.

Lastly, for most of the systemic risks, the organization by itself can only partly mitigate the risks. Except for taking insurance, they cannot develop and implement full-fledged solutions to treat the risks. Though the impact of systemic risks is huge, the lack of understanding, information and solutions makes organizations negligent about identifying and addressing these risks. Hence, the question is – what should organizations do to manage systemic risks?

1. Global Systemic Risk Monitoring Group

Within the risk management department there should be dedicated resources tracking systemic risks from process to country level and reporting to the global group. In the interconnected world, the risks in one country impact other countries. For instance, consider the attack on the Malaysian airplane by rebels in Ukraine. A geo-political risk of one country has brought an organization of another country down. Hence, the risks now have to be viewed from a global perspective. To do this, organizations must incorporate the group within the organization structure, deploy funds and resources, and use technology to connect and track risks at a global level.

2. Connecting With National Risk Boards

The 2014 World Bank Risk Report suggests formation of National Risk Boards (Same name, could they have got inspired by this blog :)). This will be a huge plus, since risk identification and mitigation will be done at a national level. For instance, if a large country like India were connected at district, state, and national level through risk boards, the level of risk management would improve significantly.

Moreover, this will facilitate addressing inter-state risks and cross-border risks. For example, cyber security threat mitigation requires coordination within the country and a significant amount of international collaboration. The national risk boards of countries become the focal point for international cooperation and collaboration for risk mitigation. Developing relationships with the board members and participating in the initiatives will help organizations in dealing with systemic risks.

3. Connecting With Industry Risk Boards

The systemic risk group needs to connect with the industry risk boards and regulators to capture the industry level risks. For instance, the Bank of England conducts a half-yearly survey to determine systemic risks in the UK financial sector and the confidence of the organizations in dealing with them.

If organizations facilitate the formation and management of industry risk boards, they can cooperate with the competitors to mitigate industry level risks. Relationships with international industry boards would be a huge plus in acquiring knowledge and formulating plans.

4. Assessing Preparation at National Level

The World Bank report states that investment in risk mitigation and prevention is low, and most of the expenditure is done during and after a disaster to recover and continue operations. Therefore, the challenge is that risk identification may not result in developing and implementing risk mitigation plans. For example, various cities in India regularly suffer from floods during monsoons. Although the government knows the problem and solutions, it has not done much to resolve the issue. There are ongoing battles between city, state, and national level for risk prioritization.

That is, the same risk may have different impact and loss level due to national level preparation. Organizations need to assess the level of preparation of government and local communities to determine the impact and develop risk mitigation plans accordingly.

5. Assessing Impact at Social Level

Previously, organizations were insulated from the society to some extent. The social networks have changed the scenario, and any incident can become an explosive issue. Hence, impact has to be calculated at social level rather than at an incident level. For instance, recently a six-year-old girl in Bangalore was gang-raped in school by her teachers. Last weekend, parents in Bangalore organized marches to demonstrate their anger against the school’s lackadaisical attitude towards children’s security. Police have lodged complaints against the school and politicians are talking about closing the school.

Presently, rape, women, and child security are sensitive topics in India. India is the fourth most unsafe country in the world for women. Hence, a single incident can close down an organization. Therefore, risk managers need to identify sensitive issues related to systemic risks and extrapolate the impact at city, state, country, and global level to determine the impact of various risks.

Closing Thoughts

The impact of systemic risks is sometimes greater than the losses from earthquakes, tsunamis and nuclear disasters, hence they cannot be ignored. A higher level of focus is required within organizations, industry, community, and nations to build processes, institutions, and infrastructure to identify and mitigate systemic risks. Timely investment in this area can save billions of dollars. Hence, risk managers need to put their thinking caps on, develop concept notes, and influence senior managers to deploy funds in managing systemic risks.

The Misconstrued Likelihood

Source: Lancashire Resiliency Forum


 

Have you ever thought of stopping the use of “likelihood” in preparing a risk matrix? The shocked reaction is – “how can we calculate risk without likelihood?” But seriously, how competent are we in calculating the probability of each risk? As risk managers, don’t we just check the box based on our judgment? The thought process is – earthquake – rare, hurricane – rare, data theft – occasional, and we don’t need data to make these judgments.

 1. Inaccurate Calculation

My claim is that all this is hyperbole and we draw inferences from inaccurate information. To substantiate my argument, here are two statements from the EY 13 Global Fraud Survey 2014 and the Kroll Global Fraud Survey 2013/2014.

EY 13 Global Fraud Survey 2014 quote:

“More than 1 in 10 executives surveyed reported their company as having experienced a significant fraud in the past two years. In fact, the level of fraud reported by respondents has remained largely unchanged over the past six years: from 13% in 2008 to 12% in 2014.”

 Kroll Global Fraud Survey 2013/2014 quote:

 “The incidence of fraud has increased. Overall, 70% of companies reported suffering from at least one type of fraud in the last year, up from 61% in the previous poll”

The EY report does not define “significant fraud”. The Kroll report does state that “the economic cost of these crimes mounted, increasing from an average of 0.9% of revenue to 1.4%, with one in 10 businesses reporting a cost of more than 4% of revenue.”

 Now assume you do not have historical data on incidence of fraud in your organization and have to infer the likelihood of fraud from the above-mentioned statements.

 

Please share the logic you used to determine the likelihood in the comments section.

 2. Unidentified Representative Bias

Implicit in our judgment is representative bias, which only a discerning eye can decipher. For instance, read the following lines from the EY 13 Global Fraud Survey 2014.

“The survey results show a correlation between executive roles and willingness to justify certain activity when under pressure to meet financial targets:

► CFOs are more likely than other executives to justify changes to assumptions relating to valuations and reserves in order to meet financial targets.

► General counsel are more likely than other executives to justify backdating contracts in order to meet financial targets.

► Sales and marketing executives are more likely than other executives to justify introducing flexible return policies in order to meet financial targets.”

How is this news worth reporting? Aren’t risk managers aware that employees are more likely to conduct frauds within their area of job responsibility and authority?

It would be interesting to know the probability of other departments (excluding sales and marketing personnel) introducing fraudulent flexible return policies. Without that information, while conducting a fraud investigation we are likely to assume the fraud in the sales department was conducted by sales personnel, whereas it is possible that personnel from another department had done it.

Now if you want further proof of the representative heuristic, here is a classic example of a study conducted on women’s propensity to conduct fraud by Steffensmeier. He concluded:

“There is reason to believe that over time increasing the number of female CEOs would reduce corporate corruption because women tend to promote a more ethical business climate rather than one that promotes personal and corporate profits at all costs, no matter what the potential societal costs or harms might be.”

Then he further states that the lower rate of fraud might be because men do not conspire with women to conduct frauds and women may not have access to the higher echelons of management to do big frauds.

However, it still does not explain how he has made the above statements. According to child psychology reports, both girls and boys in childhood have nearly equal tendency towards anti-social behavior though it reflects in different ways. For example, boys bully directly, girls bully indirectly.

So, are we saying nature and nurture have less impact on girls than boys because they are somehow hardwired to be more ethical? Alternatively, do you think that social conceptions are at play here because women are the weaker sex and therefore nicer? Wouldn’t it be interesting to study the tendency to commit fraud by giving equal opportunity to both genders to steal without fear of punishment and then find who is more likely to do so? It might show that women commit less fraud not because they are more ethical, but more fearful.

Closing Thoughts

Risk managers must ask themselves – “What is the worst that can happen if they do not check any box of likelihood? Is it possible to create a bucket list of known risks, with undetermined likelihood and impact?” Adopt an alternative method or procedure, since inaccurate calculations mislead the management and lead to the implementation of wrong risk mitigation plans.

If we do not know something, why pretend to have a magic wand and claim knowledge? What is the harm in admitting that we do not have all the answers?

 

References:

  1. EY 13 Global Fraud Survey 2014
  2. Kroll Global Fraud Survey 2013/2014
  3. Women still less likely to commit corporate fraud

 

 

 

 

Junk The Risk Assessments

Sorry folks for taking such a long break from blogging. I was busy talking to a few angels who had entered my life all of a sudden. Now you are thinking that maybe I injured my head during the last five months. An adult talking about angels, absolutely insane! As kids we are happy to believe in Santa Claus. As we grow, the social norms expect us to be more cynical, and we have to say – “We don’t believe in angels”. The question is – “have you seen any with your naked eye?” Of course not, but how does that prove that they don’t exist? In life, we have not seen many things, but we believe they exist.

So now, you are wondering what I am getting at.

As a risk manager, has a business head ever told you – “You don’t have any idea of the business, this risk assessment is trash”? You wished to tell him that you did a proper job but he is absolutely refusing to listen.

When business managers submitted self-risk assessments, were you rubbing your eyes in disbelief? You could not figure out how they have rated the risks so high or so low, completely contrary to your expectations.

Is it possible that the risk assessments are frequently wrong and serve very little purpose except for completing the paperwork? The idea of discarding risk assessments is scary as operational risk managers rely heavily on the risk assessment matrix to assess the probability of occurrence of a risk and its impact. We advise business managers to complete self-risk assessments for their units. Organizations consider the top twenty risks critical and depute resources to address them.

Despite the risk assessments, unknown risks keep popping up. Risks rated low flare up into big issues. High impact low probability risks cause a whole lot more damage than estimated.

Research on cognitive biases shows that subjective risk assessments done without data are prone to errors. Human beings have numerous biases in their thinking, due to which they tend to make incorrect decisions. Below is the list of biases I shall discuss in the next few posts:

1) Representative Heuristic
2) Availability
3) Hindsight Bias
4) Black Swans
5) Conjunction Fallacy
6) Confirmation Bias
7) Anchoring, adjustment and contamination
8) Affect Heuristic
9) Scope Neglect
10) Calibration and Overconfidence
11) Bystander Apathy

You might be wondering whether the biases and heuristics really have any impact or is it just another aspect of psychology we can ignore. Let me ask you a question here:

 

Malcolm Gladwell did an analysis in his book David versus Goliath and stated that in 63% of the cases the smaller country defending its territories won the war. The powerful invader had to backtrack and generally lost the war despite its military strength. The small defending countries win because they use unconventional strategies for warfare, garner public support, and have higher commitment as they have more at stake if they lose. Then what percentage of the risk assessments of a war are incorrect? The loss of life and property are in vain.

Wait for the next few posts, as they might make you rethink the conventional wisdom of risk assessment done by organizations.

References:

  1. Cognitive Biases Potentially Affecting Judgment of Global Risks – Eliezer Yudkowsky, Machine Intelligence Research Institute
  2. Probabilistic Reasoning by Amos Tversky and Daniel Kahneman

Strategy For Funding Risk Management Departments

Organizations want risk managers to focus on reducing costs of doing business, especially the regulatory costs. However, when risk managers ask for resources and budgets for running the department, they have to compromise. Lack of budget is generally the main cause for not implementing enterprise risk management, doing strategic risk management, building a risk management culture and providing consulting.

Generally, the budgeting process starts in the last quarter of the year. When the budget committee is approving the budgets of other revenue-earning departments, risk management department heads present a cost budget. This does not go down well with the budget approval committee. They cut ten to thirty per cent of the budget despite risk managers giving valid justifications.

After budget approval, risk managers spend the year trying to squeeze in as much as they can. Sometimes it results in limited coverage and high stress levels for risk managers. With the increasing focus on risk management, the heads of risk management departments need to form a strategy to obtain the required funding. Look at the tips below to navigate the tricky budget approval process.

1. Start at beginning of current year

Start preparing for next year at the beginning of the current year. Identify the long-term and short-term projects. Commence influencing the key stakeholders of the long-term projects from the first quarter of the current year. If risk managers are the last ones to submit their budget, they are unlikely to get heard.

2. Analyse the reasons for past failures

Assess the reasons for non-approval of the budget in previous years. Was it because the management thinks risk management is unimportant, is concerned about costs, or because it harms the interests of the key political players in the organization? After determining the reason, formulate strategies to change the mind-set for next year’s project approval.

3. Build relationships with key political players

Chances are that risk managers focus on the budget committee members for approval. Instead, identify the key power holders within the organization. Identify their relationships with the budget committee members. Before influencing the budget committee members, build relationships with key power holders. Get their support for the risk management function by understanding their drivers and motives.

4. Participate in business strategy formation

Involve yourself with the business strategy group. Identify various risks of the changes in business strategy and recommend the mitigation costs for the same. Attempt to incorporate the risk management budget in the strategy implementation costs. Align risk management budget with corporate goals and strategy.

5. Calculate the Return on Investment (ROI) for various projects.

Robert Biskup wrote an excellent article on Corporate Compliance Insights – “Making the Bottom Line Case for Compliance: The ROI of a Robust Compliance Department”. The nine points give superb ways of calculating ROI. Use the methods to negotiate with the business teams as the department can give a clear demonstration of cost savings or profit earnings. Do ROI calculations for previous years’ projects to demonstrate the value that risk management departments brought to the table.

6. Make business teams bear the cost of the project

For the projects, identify the stakeholders in the business teams. Categorize the projects as critical, necessary and optional from a risk management perspective. Sometimes, risk managers spend time doing optional projects at the expense of critical projects, as they cannot refuse powerful business heads. In such cases, present the advantages of getting the assignment done. If possible, check whether the business team will merge the cost of desirable projects in its budget next year rather than have it in the risk management budget.

7. Build flexibility in budgets

The budgets go haywire when unexpected risks arise or regulations change. Suddenly risk management departments are in firefighting mode and regular work is ignored. That is bad for business, since other critical risks remain unmonitored. Hence, estimate different cost budgets with the probability of various risks and disasters occurring. Present these as contingency budgets to the management and take advance approval for the same. Risk mitigation efforts are delayed when risk managers take approval after a disaster has occurred. Revise the budgets quarterly as the business budget changes.

Closing thoughts

Generally, risk managers have a financial background so they are outstanding at preparing the budgets. However, problems occur when they do not have the negotiation skills and political strategy in place. Last quarter efforts do not work because everyone is on the same bandwagon. Gain a head start by starting in the first quarter itself. Be the first one to get the required approvals, so that the function gets what it wants.

Related article: Political Strategy for Risk Management

 

Political Strategy For Risk Management

A recent report published on the Harvard Law School blog stated that 81.2% of manufacturing and 73.6% of the non-financial sector companies have not appointed Chief Risk Officers (CRO). Interestingly, 83.3% of the financial services organizations have appointed a CRO with direct reporting to the CEO. This indicates that unless it is mandatory, the risk managers do not have high visibility. Though their role is important in all sectors, they are unable to leverage themselves among the senior management. This issue is not new, and most complain about not getting a seat at the table.

1. Develop Political Skills

We need to look at this issue through another lens. We need to develop a political strategy for the risk management department. The reason is that technical expertise on a subject takes one up only to the senior middle-management level. At senior management level, organization politics dominates decision-making. Hence, risk managers need to develop political skills and astuteness to survive and thrive at that level.

However, the challenge is that though the risk management job requires high political skills, very few work at developing them. According to an organizational study, ~65-80% of employees avoid politics, ~15-25% indulge in negative politics and ~5-10% participate in positive politics. Risk managers need to develop skills in positive politics to influence senior management.

The positive politics players have a mindset that is win-win, ethical, organization focused, collaborative, and driven by enlightened self-interest and the best interests of the business. Indulging in negative politics will be harmful, as that group has a win-lose, non-ethical, upward focus, self-interest, competitive and personal gain mindset. Viewing politics as dirty and avoiding it isn’t an option. Politics prevails in organization DNA and one has to choose how to play it.

2. Implement a Political Strategy

Another aspect to look into is that risk managers have to influence the organization to build a risk culture. The concerns of the junior managers differ from those of middle managers and senior managers. Moreover, different business units have clashing interests and priorities. Stumbling from one person to the other and trying to influence them on a random basis will not benefit the organization or the department. Therefore, to influence each sub-group positively, risk management departments need a political strategy.

After developing the political strategy, risk managers need to implement and run with it consistently over time to reap success. It will involve getting supporters, appointing campaign managers, forming coalitions and doing some secret handshakes. Risk managers of course have to walk a fine line of maintaining independence and objectivity while implementing the political strategy.

 Closing Thoughts

Success in organizations depends on how well a person manages their own expectations by understanding the political game. The corporate world is a jungle. One cannot expect that people will make rational and logical decisions in the best interest of the organization. Risk managers will remain on the sidelines unless they learn to trapeze the political web. The good news is one can learn political skills.

References:

  1. Risks in the Boardroom – Harvard Law School
  2. Investigations in Organizational Politics

Risk Managers – Tone Down That Report!

This week three renowned figures – Angelina Jolie, Larry Page and Christine Quinn – disclosed their medical problems to the world. They discussed their battles with breast cancer, paralysis of vocal cords, and struggles with bulimia and alcoholism. Jolie, a woman famous for her beauty, bared her mastectomy details. They talked about fear of death and handicap, and frailty of human character. They risked high-profile careers by being candid. One word describes their actions – Courage.

However, the corporate world wants to hide behind lies and window dress their weaknesses. The corporate leaders sometimes threaten risk managers and auditors to tone down their reports. The messengers of bad news get shot. Risk managers face bullying, retaliation and threat to their jobs for showing courage to speak the truth. If they refuse to bow down to pressure, the business teams label them as politically dumb or difficult to deal with. Question is – should risk managers tone down their reports to please the business teams?

I want to discuss a couple of scenarios here and you decide the course of action.

Scenario 1: Don’t report correct facts to avoid giving bad news

Let us say, you are a CXO of an organization. You have a heart problem and visit a doctor who is a good friend of yours.

The doctor realizes your heart condition is bad. You require a heart surgery for four bypasses. The doctor doesn’t want to deliver the bad news to you, because he doesn’t wish to hurt your feelings.

The doctor tells you – “You just have too much stress. You need a vacation to relax and have some fun.” He prescribes you some vitamins and discharges you.

You follow your doctor’s advice and take a vacation. You swim and jog for a couple of days and have a heart attack. You arrive at the hospital with a survival chance of 5%.

Did the doctor do the right thing by not telling you the truth?

Scenario 2: Don’t report correctly to protect a friend

A civil engineer responsible for doing quality and inspection checks of a bridge notices that sub-standard quality material is used. There is a high risk of the bridge collapsing. However, he issues a clean report to his seniors because the engineer-in-charge of the bridge is a friend of his.

An organisation’s senior managers drive daily across the bridge to reach their office. One day all of them are on the bridge and it collapses. All die.

Would the families of the senior managers be happy with the quality control engineer for not disclosing the risks?

My guess is most of the corporate readers would have answered no. You would have preferred the truth when it is a question of your own life being at risk.

Corporate Scenario

So why don’t corporate citizens hesitate when they put other people’s lives at risk? See the Bangladesh factory fire, Japan’s nuclear disaster or the US banks’ home foreclosure and mortgage mess. The lives or life savings of employees, customers and the public were put at risk.

Wouldn’t a few honest risk management reports have helped in fixing the problem in time to prevent the disasters?

The corporate world maintains double standards on reporting risks. They want full disclosure of the risks to them but not to others. Before setting these expectations, corporate citizens should answer these questions:

1) Isn’t it a risk manager’s job to identify the health problems of the organization, prescribe a cure, suggest amputation where required and nurse the organization back to health?

2) Is it right to compromise professional ethics and code of conduct to keep a few people happy?

3) Aren’t risk managers responsible for calculating the direct and indirect cost to others for non-disclosure of risks?

4) Shouldn’t risk managers hold their ground and stick to their independent advice as you will benefit from it in the long run?

Closing Thoughts

Moral courage is one of the most difficult qualities to acquire. Larry Page, as CEO of Google, fulfilled his responsibility to the investors by publicly disclosing his medical problems. Now the investors can make an informed decision. One has to admire Page for taking such a difficult call. It takes guts. Disclosing personal weakness makes one feel vulnerable, exposed and fallible. He has shown the path for corporate leaders to follow.

Justin Bieber’s Lesson For Risk Managers

Surfing through Twitter one gets deep insight into human behavior. I am sharing a couple of tweets that got me thinking on our (risk managers) approach. The hat tip goes to Justin Bieber and Mark Robinson for the post.

 1. Get a tribe

 Justin Bieber tweeted the message below and it got 119,562 retweets and 62,959 favorites at the last count.

“Live life full”

— Justin Bieber (@justinbieber) May 10, 2013

Now you might say, what is so original in this message? Nothing remarkable, except that Bieber has 39,087,920 followers.

The message for risk managers is that if we want the business team to listen to us, then we need to get a tribe of followers. Sitting in a corner or a cabin, writing reports isn’t going to help us. We need to be on the floor interacting with the business teams daily.

2. Connect with a popular leader

Then Mark Robinson tweeted this message:

“Justin Bieber got 100,000 retweets for tweeting “Live life full”. That’s just 3 random words. I’m going to try now.

Nipple squirrel ham”

— Mark Robinson (@robboma3) May 11, 2013

The message was retweeted 26,972 times and favorited 4379 times. Mark has 23,694 followers. While Bieber’s message was tweeted by just 0.3% of his followers, Mark’s message was tweeted more than the number of his followers. Isn’t that fascinating?

This is a trick which risk managers need to learn. Even the most mundane message of a popular leader will be followed more ardently than their sanest advice. People don’t follow bosses, they follow leaders whom they like. Hence, risk managers need to identify the popular figures in office, ask them to give their message or link up their own version to the popular person’s message. Risk management advice is going to spread faster then, rather than with all the technical stuff.

I am dedicating Justin’s song to all of you. We need to believe it too – “I got that power”.

Human Rights Risk Management Process

Bangladesh Building Collapse

The fire in a nine-story factory building in Bangladesh killed 400 people. More than 600 people remain unaccounted for. It housed five garment factories that supplied to international brands – J.C. Penney, The Children’s Place, Dress Barn, Primark, Wal-Mart etc. The workers were asked to come to work even when cracks appeared in the building the previous day.

Bangladesh is the second largest exporter of clothes and the workers get the lowest compensations, just around USD 37-40 per month. The question arises: why are the multinational organizations not following the UN Guiding Principles for Human Rights protection? The reason is simple; they want to show higher and higher profits to the investors.

In Delhi, in Munirka one will find numerous small factories full of workers making export garments. A friend of mine also ran one. I had bought a few shirts from her at cost price ranging from Rs 300-500 (USD 6-10). In one international visit, I found the same shirts selling in range of USD 15-30. The fivefold increase in price was because of the brand tag attached to the shirt.

The multinational buyers push the prices down and some supplier gives a rock bottom price. The others are forced to match that price to get the business. The end result is that basic facilities are not provided to the workers and they work at really low wages. Unknown workers are paying with their lives in developing countries to satisfy the growth targets set by CEOs to earn their bonuses and keep investors happy. It is the dark side of capitalism which organizations want to hide.

In most companies, human rights risk management is not a focus area. The 2013 Global Risk Management Survey conducted by RIMS identified seven risks related to human resources among the top fifty risks. Though worker injury and harassment were included, there was no specific emphasis on human rights risk management.

The risk management team can conduct a human rights risk management assessment annually or bi-annually. It requires attention not only from a human resources perspective but also from operational, financial, legal and reputational risk perspectives. Any breach can result in huge losses.

Here are some of the steps mentioned in the UN Guiding Principles on Human Rights and the guide “Investing the Right Way” issued by Institute of Human Rights and Business.

1. Review the Human Rights Policy Statement

Human rights risk management is emerging as an important issue, especially with multinationals entering emerging markets and developing countries. They are expected to protect and respect the rights of workers, communities and society. Investors can play a crucial role by influencing companies to promote human rights relating to gender equality, child labor, rights of indigenous people, land acquisition, mineral processing etc.

Hence, companies need to publish a Human Rights Policy Statement on their websites. The UN Guiding Principle 16 states –

 “As the basis for embedding their responsibility to respect human rights, business enterprises should express their commitment to meet this responsibility through a statement of policy that:

(a) Is approved at the most senior level of the business enterprise;

(b) Is informed by relevant internal and/or external expertise;

(c) Stipulates the enterprise’s human rights expectations of personnel, business partners and other parties directly linked to its operations, products or services;

(d) Is publicly available and communicated internally and externally to all personnel, business partners and other relevant parties;

(e) Is reflected in operational policies and procedures necessary to embed it throughout the business enterprise.”

As a first step, risk managers need to check whether the organization has a human rights policy statement and whether the above-mentioned steps have been adhered to.

2. Human Rights Impact Assessment

The second aspect of UN Guiding Principles is for companies to establish human rights due diligence processes. Guiding Principle 17 states:

 “In order to identify, prevent, mitigate and account for how they address their adverse human rights impacts, business enterprises should carry out human rights due diligence. The process should include assessing actual and potential human rights impacts, integrating and acting upon the findings, tracking responses, and communicating how impacts are addressed. Human rights due diligence:

(a) Should cover adverse human rights impacts that the business enterprise may cause or contribute to through its own activities, or which may be directly linked to its operations, products or services by its business relationships;

(b) Will vary in complexity with the size of the business enterprise, the risk of severe human rights impacts, and the nature and context of its operations;

(c) Should be ongoing, recognizing that the human rights risks may change over time as the business enterprise’s operations and operating context evolve.”

Human rights risk management is complex and challenging. If ignored, human rights risks can increase political risks and damage the organization’s relationship with the government. For example, Tata Motors wished to establish a Nano manufacturing plant in Singur, West Bengal. The government allocated agricultural land using the 1894 land acquisition rule, meant for public improvement projects, to take over 997 acres of farmland. The farmers protested with the help of activists and the then opposition leader Mamata Banerjee. Tata Motors moved out of West Bengal and established the factory in Gujarat. Multinationals looking for large tracts of land to establish factories are facing similar challenges in India.

Another aspect to look into is that scrap, waste disposal, sewage, environmental pollution etc. from factories can impact the food, water and health of local communities.

A decision needs to be taken on whether investments should be made in countries or states with a poor human rights record. In India, the Naxalite area is extremely conflict prone and business operations can have a severe human rights impact.

Risk managers should evaluate the strategy and operations of the company against human rights, environmental, social and governance factors. The companies can face operational risks (project delays or cancellation), legal and regulatory risks (lawsuits and fines) and reputational risks (negative press coverage and brand damage). The impact assessment should be done from the perspective of investors, customers, employees, society and suppliers. Identify business owners for the risks and devise appropriate risk mitigation plans to address the adverse impact.

3. Grievance Mechanisms

The UN Guiding Principles state that victims of corporate-related human rights abuse should have access to judicial or non-judicial remedies. Companies should provide some remedies themselves and cooperate in the remediation process.

UN Guiding Principle 29 states –

“To make it possible for grievances to be addressed early and remediated directly, business enterprises should establish or participate in effective operational-level grievance mechanisms for individuals and communities who may be adversely impacted.”

However, this isn’t followed by the companies in true spirit. “A Vigeo analysis of human rights records of 1500 companies listed in North America, Europe and Asia revealed that, in the previous three years, almost one in five had faced at least one allegation that it had abused or failed to respect human rights.”

Ideally the investors in the company should ensure that grievance mechanisms exist and address human rights issues. The transparency and disclosure of the same in annual reports would highlight the financial, legal and reputational risks. However, the investors don’t seem to be bothered by it.

See the case of Apple. It reported Gross Profit Margin – 42.5%, Net Profit Margin – 26.7%, Revenue Per Employee – $ 2,149,835 and Net Revenue Per Employee – $ 573,255. It has 43,000 employees in the US and 20,000 outside the US. However, Apple contractors hire an additional 700,000 people to engineer, build and assemble iPads, iPhones and Apple’s other products.

An Apple supplier in Taiwan, Foxconn, was recently in the news for its workers attempting suicide. As per reports, “Workers are required to stand at fast-moving assembly lines for eight hours without a break and without talking. Workers, sharing sleeping accommodations with nine other workmates, often do not know each other’s names. They do not have much time to get to know each other. The basic starting pay of 900 RMB ($130) a month – barely enough to live on – can be augmented to a more respectable 2,000 RMB ($295) only by working 30 hours overtime a week.”

See the difference between what the company earns per employee and the payment made to the supplier’s employees. Apple shows profits at the expense of the lives of Taiwanese workers. The workers don’t have much of a grievance mechanism in China, as the government stated that the suicides are within the normal suicide rate. Can Apple investors sacrifice some profit margin for the safety and security of the contractual workers?

Another old example is the class action suit, running since 2001, against Wal-Mart Stores that involved 1.5 million current and former Wal-Mart female employees. It is the largest workplace bias case in US history.

4. Human Rights Reporting

The biggest challenge is that most human rights abuses are not reported. The victims of human rights exploitation hold little power in comparison to the exploiters. They can hardly take on the might of powerful businesses when they are struggling to get basic food and shelter. Secondly, in developing and emerging countries, corruption levels are generally high. Hence, media, law enforcement agencies etc. are bribed by the power players to silence the victims. However, with the internet and social media, things are gradually changing. People have a voice and collectively they can fight.

UN Guiding Principle 21 lays out the requirement for companies to communicate human rights impact externally. It states –

 “In order to account for how they address their human rights impacts, business enterprises should be prepared to communicate this externally, particularly when concerns are raised by or on behalf of affected stakeholders. Business enterprises whose operations or operating contexts pose risks of severe human rights impacts should report formally on how they address them. In all instances, communications should:

(a) Be of a form and frequency that reflect an enterprise’s human rights impacts and that are accessible to its intended audiences;

(b) Provide information that is sufficient to evaluate the adequacy of an enterprise’s response to the particular human rights impact involved;

(c) In turn not pose risks to affected stakeholders, personnel or to legitimate requirements of commercial confidentiality.”

As per the UN principles, the reports must cover appropriate qualitative and quantitative indicators, and feedback from internal and external sources including affected stakeholders.

Risk managers can evaluate the reports and the reporting process to ensure that all risks are properly addressed. They should evaluate whether cautionary steps are taken and nothing is being done to exacerbate the situation. They should highlight severe or irreversible risks to the management to ensure appropriate decisions are taken.

Closing Thoughts

 Inequalities in income are the main cause of human rights abuse. The rich want to get richer at the expense of blood and sweat of the poor, and sometimes life. The diamond manufacturers and sellers took the right step to publish that they do not source blood diamonds. Since 2003, the Kimberley Process Certification Scheme (KPCS), supported by national and international legislation, has sought to certify the legitimate origin of uncut diamonds. Trade organizations – International Diamond Manufacturers Association (IDMA) and the World Federation of Diamond Bourses (WFDB) – representing virtually all significant processors and traders – have established a regimen of self-regulation.

Other industries, be it technology, electronics or textile manufacturers, need to come out with similar steps to stop human rights abuse. The risk managers have a vital role to play in it. If we do not do anything, we are cheating this and the next generation of their right to live happily.

References:

  1. Investing the Right Way – A Guide for Investors on Business and Human Rights – Institute of Human Rights and Business
  2. Singur farmland – Tata Motors conflict
  3. Apple financial ratios
  4. Foxconn Case Study
  5. Diamond industry sales clauses
  6. 2013 RIMS Global Risk Management Survey

 

Role of Positivity in Risk Management Communication


Can something as simple as appreciation make business teams more willing to accept a risk manager’s viewpoint?

———————————————————————————————–

The Conflict

Proverbially, risk managers are locking horns with business managers. Of course, business managers outnumber risk managers, hence more often than not risk managers are licking their wounds and complaining that business managers don’t listen to them. Business managers claim that they are running the show, so an interfering risk manager who is perpetually criticizing their hard work should be shown the door.

Then risk managers lament that it is their job to highlight risks, which means negatives, so why go after them for being messengers of bad news? The conflict brews and sometimes reaches boiling point. No one wishes to see eye to eye because they wish to get an eye for an eye. The end result is that the business suffers in this battle.

What is the cause of the stormy relationship? Criticism and negative feedback! No one likes it, so why blame the business managers?

What if risk managers change the approach? What if, along with the criticism, they give a lot of positive reinforcement? Will the behavior of business managers change?

Research on Role of Positivity in Performance

Marcial Losada and Emily Heaphy conducted research titled “The Role of Positivity and Connectivity in the Performance of Business Teams – A Nonlinear Dynamics Model”. They studied the dynamics of team interaction in relation to approving and disapproving verbal feedback statements. Researchers coded the verbal communication among team members along three bipolar dimensions: positivity/negativity, inquiry/advocacy, and other/self. Sixty teams developing annual business strategy were analysed.

The results of the study have extremely important implications for business performance and for risk managers. The table below defines the ratios of various dimensions.

[Image: table of team ratios]

The positivity/negativity ratios indicate that high performing teams give 5.6 positive comments to 1 negative comment. In contrast, the low performing teams give three negative comments to one positive comment. The medium performing teams give approximately two positive comments to one negative comment.

Similarly, under inquiry/advocacy ratios, the high performance teams are more balanced in their approach towards inquiry and advocacy. The team members question in an exploratory way. On the other hand, low performance teams are highly unbalanced and members advocate their own viewpoint. The medium performance teams are a little bit tilted in favor of advocacy.

Again, high performance teams maintained a balance in discussing internal and external aspects, whereas low performance teams focus on internal inquiry. The medium performance teams are slightly more focused on internal than external aspects.

Thus, the high performance teams have higher levels of connectivity, which results in better performance.

Overall, high performing teams show buoyancy throughout the meeting. They appreciate, compliment and encourage their team members. This expands the emotional space for the team to function. In contrast, in low performance teams sarcasm and cynicism rule, which restricts the emotional space. There is a lack of mutual support and enthusiasm, and a high degree of distrust. The medium performance teams don’t show distrust or cynicism, but neither are they openly supportive and enthusiastic about their team members.

[Image: team dynamics]

Implications for Risk Managers

The results are very important from a risk manager’s perspective. As the authors state – “to do powerful inquiry, we need to put ourselves sympathetically in the place of the person to whom we are asking the question. There has to be as much interest in the question we are asking as in the answer we are receiving. If not, inquiry can be motivated by a desire to show off or to embarrass the other person, in which case it will not create a nexus with that team member.”

Hence, from the time we approach the business team, we need to ensure that we are inquiring about the business. We should not be advocating any quick recommendations based on high-level interactions.

Another point to note is that the questions should cover both the internal and external environment of the business. This would motivate the business team into a more open discussion.

The most important point is about positive feedback. In our verbal communication and written reports we focus on highlighting the negatives.

The research showed that positive comments (such as “that is a terrific idea”) create emotional space within the listener, hence the listener is more willing to take the feedback. The emotional space created by positive comments in high performing teams is twice the size of medium performing teams and three times that of low performing teams.

Negative reporting restricts the emotional space of the business team. To build a positive environment for acceptance of our views, recommendations and report, we need to give 6 positive comments for each negative comment.

The researchers have given equations to assess the emotional space based on various dimensions. It might be a good idea to calculate the same before issuing a report.

Closing thoughts

One of the incorrect assumptions that risk managers make is that there is a linear relationship between the observations and recommendations in the report. However, the study showed the impact of non-linear relationships on the functioning of teams. Hence, the fault may lie in the straightforward cause and effect attitude taken by risk managers to get buy-in from business managers.

We generally discuss that in reports we should highlight the positives first to balance out the negatives. This research clearly points out the importance of doing so and the reasons why we are failing. We have to change our approach to be effective. We need to be part of the business team and develop a positive feedback system before giving any negative observations.

References:

The Role of Positivity and Connectivity in the Performance of Business Teams: A Nonlinear Dynamics Model - Marcial Losada and Emily Heaphy

Risk Management Version 3.0


The business world is changing so rapidly that companies are either not willing to publish growth predictions or they are getting them wrong. In this new world, trends can’t be analysed from historical data. The best business analytics teams fail because the new business models have totally different risks. Moreover, the risks are now interconnected and can’t be addressed separately. An operations risk may have a huge impact on financial risks. The old compasses are useless and most are walking on uncharted territory.

This is the ideal time for risk managers to shed their old avatars and become the new super heroes of business. First, they have to get out of their comfort zone of addressing internal risks that are preventable. The compliance and control based approach leaves over 60% of the risks unaddressed. If we consider that Risk Management version 1.0, we need to rapidly move to Risk Management version 3.0.

So what does version 3.0 look like?

1. Focus on Strategic Risk Management

I consider the Enterprise Risk Management frameworks approach as Risk Management version 2.0. Though the frameworks covered strategic risks, the focus was on finance, processes and technology. Hence, in reality it has become a bottom-up approach, though the initial purpose was to make it top-down. Risk managers are still not involved at the strategic level and it is the Chief Strategy Officers who are analyzing strategic risks.

My guesstimate is that we depute less than 10% of resources to strategic risk management. We need to put in processes and resources where approximately 25% of efforts are focused on strategic risk management. The probability of strategy failure has increased in the present business environment. To manage strategic risks, reduce the probability of occurrence of assumed risks and manage them effectively if they occur.

2. Focus on Human Behavioral Risks

The industrial age focused on mechanization and streamlining of processes. Products were produced on the assumption that human behavior can be straitjacketed. In the age of technology and social media, this assumption has proved false. Social media and data analysis allow behavioral analysis of each individual.

Secondly, the bigger challenge the world is facing is that of changing demographics. In the last few decades, the average age has changed from 60 years to 75-80 years. The older generation lives longer and works longer. Gen Y is entering the workforce with different expectations. Women have not only broken ground in the corporate world, but have become the main decision makers for household purchases. Emerging market customers and employees have different behavior patterns. The leadership skill sets have changed drastically. Participative and consultative cultures are more successful now.

Therefore, whether an organization wishes to fight the war for talent or entice customers, understanding human behavior has become crucial. Each segment of employees, customers and other stakeholders presents different risks which an organization needs to manage successfully. Without addressing these risks at the strategic and operational level, an organization is unlikely to succeed. Risk managers traditionally haven’t focused on people, leadership or culture risks. In this century they need to.

3. Integrate Risk Management Knowledge & Resources

The traditional approach of having different experts on financial, operational and other risks in separate departments, addressing each risk in a linear manner, is redundant. Moreover, businesses are now significantly exposed to external risks, which was not the case before. The Vodafone and Nokia tax cases are prime examples of risks occurring due to a change in government stance.

Risk Management version 3.0 requires integrated risk management where risk managers with diverse skills can assess inter-related risks – internal and external. Secondly, risk managers have to be available both within the business and as a separate department. The risk managers operating as part of the business unit need to identify the business risks and update the risk management department. The department needs to devise holistic solutions.

The risk management tools, technology, processes and resources all need to be restructured to operate in an integrated manner at all levels.

Closing Thoughts

I suspect groupthink is prevailing among risk managers. No one wishes to be a bull in a china shop and say – “hey, this isn’t working.” It is ironic that risk managers are not doing adequate risk management of their own role and function. Old habits die hard and getting out of the comfort zone is scary, but I think we need to do it. Else, business failures are going to increase at a high rate. In the current economic environment, we can’t afford those losses. Think about it and share your views.

Wishing all my readers a very Happy Holi.