Strategy For Funding Risk Management Departments

Organizations want risk managers to focus on reducing costs of doing business, especially the regulatory costs. However, when risk managers ask for resources and budgets for running the department, they have to compromise. Lack of budget is generally the main cause for not implementing enterprise risk management, doing strategic risk management, building a risk management culture and providing consulting.

Generally, the budgeting process starts in the last quarter of the year. When the budget committee is approving other revenue earning departments budgets, risk management department heads present a cost budget. This does not go down well with the budget approval committee. They cut ten to thirty per cent of the budget despite risk managers giving valid justifications.

After budget approval, risk managers spend the year trying to squeeze in as much as they can. Sometimes it results in limited coverage and high stress levels for risk managers. With the increasing focus on risk management, the heads of risk management departments need to form a strategy to obtain the required funding. Look at the tips below to navigate the tricky budget approval process.

1. Start at beginning of current year

Start preparing for next year at the beginning of the current year. Identify the long-term and short-term projects. Commence influencing the key stakeholders of the long-term projects from the first quarter of the current year. If risk managers are the last one to submit their budget, they are unlikely to get heard.

2. Analyse the reasons for past failures

Assess the reasons for non-approval of the budget in previous years. Was it because the management thinks risk management is unimportant, is concerned about costs or it harms the interests of the key political players in the organization. After determining the reason, formulate strategies to change the mind-set for next year’s project approval.

3. Build relationships with key political players

Chances are that risk managers focus on the budget committee members for approval. Instead, identify the key power holders within the organization. Identify their relationships with the budget committee members. Before influencing the budget committee members, build relationships with key power holders. Get their support for the risk management function by understanding their drivers and motives.

4. Participate in business strategy formation

Involve yourself with the business strategy group. Identify various risks of the changes in business strategy and recommend the mitigation costs for the same. Attempt to incorporate the risk management budget in the strategy implementation costs. Align risk management budget with corporate goals and strategy.

5. Calculate the Return on Investment (ROI) for various projects.

Robert Biskup wrote an excellent article on Corporate Compliance Insights – “Making the Bottom Line Case for Compliance: The ROI of a Robust Compliance Department”. The nine points give superb ways of calculating ROI. Use the methods to negotiate with the business teams as the department can give a clear demonstration of cost savings or profit earnings. Do ROI calculations for previous years’ projects to demonstrate the value that risk management departments brought to the table.

6. Make business teams bear the cost of the project

For the projects, identify the stakeholders in the business teams. Categorize the projects as critical, necessary and optional from risk management perspective. Sometimes, risk managers spend time doing optional projects at the expense of critical projects, as they cannot refuse powerful business heads. In such cases, present the advantages of getting the assignment done. If possible, check whether business team will merge the cost of desirable projects in its budget next year rather than have it in risk management budget.

7. Build flexibility in budgets

The budgets go haywire when unexpected risks arise or regulations change. Suddenly risk management departments are in fire fighting mode and regular work is ignored. That is bad for business, since other critical risks remain un-monitored. Hence, estimate different cost budgets with probability of various risks and disasters occurring. Present these as contingency budgets to the management and take advance approval for the same. Risk mitigation efforts are delayed when risk managers take approval after a disaster has occurred. Revise the budgets quarterly as the business budget changes.

Closing thoughts

 Generally, risk managers have a financial background so they are outstanding at preparing the budgets. However, problem occurs when they do not have the negotiation skills and political strategy in place. Last quarter efforts do not work because everyone is on the same bandwagon. Gain a head start by starting in the first quarter itself. Be the first one to get the required approvals, so that the function gets what it wants.

Related article: Political Strategy for Risk Management

 

Political Strategy For Risk Management

A recent report published on Harvard Law School blog stated that in 81.2% of manufacturing and 73.6% of the non-financial sector companies have not appointed Chief Risk Officers (CRO). Interestingly, 83.3% of the financial services organizations have appointed a CRO with direct reporting to the CEO. This indicates, that unless mandatory, the risk managers do not have high visibility. Though their role is important in all sectors, they are unable to leverage themselves among the senior management. This issue is not new, and most complain at not getting a seat at the table.

 1.     Develop Political Skills

We need to look this issue from another lens. We need to develop a political strategy for the risk management department. Reason being, technical expertise on a subject takes one up only to the senior middle-management level. At senior management level organization politics dominates decision-making. Hence, risk managers need to develop political skills and astuteness to survive and thrive at that level.

However, the challenge is that though risk management job requires high political skills, very few work at developing them. According to an organizational study, ~ 65-80% employees avoid politics, ~15-25% indulge in negative politics and ~5-10% participate in positive politics.  Risk managers need to develop skills in positive politics to influence senior management.

The positive politics players have win-win, ethical, organization focus, enlightened self-interest, collaborative and best interests of the business mindset. Indulging in negative politics will be harmful as the group has  win-lose, non-ethical, upward focus, self-interest, competitive and personal gain mind-set. Viewing politics as dirty and avoiding it, isn’t an option. Politics prevails in organization DNA and one has to choose how to play it.

 2.     Implement a Political Strategy

Another aspect to look into is that risk managers have to influence the organization to build a risk culture. The concerns of the junior managers differ from those of middle managers and senior managers. Moreover, different business units have clashing interests and priorities. Stumbling from one person to the other and trying to influence them on a random basis will not benefit the organization or the department. Therefore, to influence each sub-group positively, risk management departments need a political strategy.

After developing the political strategy, risk managers need to implement and run with it consistently over time to reap success. It will involve getting supporters, appointing campaign managers, forming coalitions and doing some secret handshakes. Risk managers of course have to walk a fine line of maintaining independence and objectivity while implementing the political strategy.

 Closing Thoughts

Success in organizations depends on how well a person manages their own expectations by understanding the political game. Corporate world is a jungle. One cannot expect that people will make rational and logical decisions in the best interest of the organization. Risk managers will remain on the side lines unless they learn to trapeze the political web. The good news is one can learn political skills.

References:

  1. Risks in the Boardroom – Harvard Law School
  2. Investigations in Organizational Politics

Risk Managers – Tone Down That Report!

This week three renowned figures – Angelina Jolie, Larry Page and Christine Quinn – disclosed their medical problems to the world. They discussed battle with breast cancer, paralysis of vocal cords, and struggles with bulimia and alcoholism. Jolie, a woman famous for her beauty bared her mastectomy details. They talked about fear of death and handicap, and frailty of human character. They risked high-profile careers by being candid. One word describes their actions – Courage.

However, the corporate world wants to hide behind lies and window dress their weaknesses. The corporate leaders sometimes threaten risk managers and auditors to tone down their reports. The messengers of bad news get shot. Risk managers face bullying, retaliation and threat to their jobs for showing courage to speak the truth. If they refuse to bow down to pressure, the business teams label them as politically dumb or difficult to deal with. Question is – should risk managers tone down their reports to please the business teams?

I want to discuss a couple of scenarios here and you decide the course of action.

Scenario 1- Don’t report correct facts to avoid giving bad news

Let us say, you are a CXO of an organization. You have a heart problem and visit a doctor who is a good friend of yours.

The doctor realizes your heart condition is bad. You require a heart surgery for four bypasses. The doctor doesn’t want to deliver the bad news to you, because he doesn’t wish to hurt your feelings.

The doctor tells you  – “You just have too much stress. You need a vacation to relax and have some fun.” He prescribes you some vitamins and discharges you.

You follow your doctor’s advice, take a vacation. You swim and jog for a couple of days and have a heart attack. You arrive at the hospital with a survival chance of 5%.

Did the doctor do the right thing by not telling you the truth?

Scenario 2 : Don’t report correctly to protect a friend

A civil engineer responsible for doing quality and inspection checks of a bridge notices that sub-standard quality of material is used. There is a high risk of bridge collapsing. However, he issues a clean report to his seniors because the engineer-in-charge of the bridge is a friend of his.

An organisation’s senior managers drive daily across the bridge to reach their office. One day all of them are on the bridge and it collapses. All die.

Would the families of the senior managers be happy with the quality control engineer’s for not disclosing the risks?

My guess is most of the corporate readers would have answered no. You would have preferred the truth when it is a question of your own life being at risk.

Corporate Scenario

So why don’t corporate citizens hesitate when they put other people’s life at risk. See the Bangladesh factory fire, Japan’s nuclear disaster or US banks home foreclosure and mortgage mess. Employees, customers and public lives or life savings were put at risk.

Wouldn’t a few honest risk management reports helped in fixing the problem in time to prevent the disasters?

The corporate world maintains double standards on reporting risks. They want full disclosure of the risks to them but not to others. Before setting these expectations, corporate citizens should answer these questions:

1) Isn’t it a risk manager’s job to identify the health problems of the organization, prescribe a cure, suggest amputation where required and nurse the organization back to health?

2) Is it right to compromise professional ethics and code of conduct to keep a few people happy?

3) Aren’t risk managers responsible for calculating the direct and indirect cost to others for non-disclosure of risks?

4) Shouldn’t risk managers hold their ground and stick to their independent advise as you will benefit from it in the long-run?

Closing Thoughts

Moral courage is one of the most difficult qualities to acquire. Larry Page, as CEO of Google fulfilled his responsibility to the investors by publicly disclosing his medical problems. Now the investors can make an informed decision. One has to admire Page for taking such a difficult call. It takes guts. Disclosing personal weakness makes one feel vulnerable, exposed and fallible. He has shown the path for corporate leaders to follow.

Justin Bieber’s Lesson For Risk Managers

Surfing through Twitter one gets deep insight of human behavior. I am sharing a couple of tweets that got me thinking on our (risk managers) approach. The hat tip goes to Justin Bieber and Mark Robinson for the post.

 1. Get a tribe

 Justin Bieber tweeted the message below and it got 119,562 retweets and 62,959 favorites at the last count.

“Live life full”

— Justin Bieber (@justinbieber) May 10, 2013

Now you might say, what is so original in this message. Nothing remarkable, except that Bieber has 39,087,920 followers.

The message for risk managers is that if we want business team to listen to us, then we need to get a tribe of followers. Sitting in a corner or a cabin, writing reports isn’t going to help us. We need to be on the floor  interacting with the business teams daily.

2. Connect with a popular leader

Then Mark Robinson tweeted this message:

“Justin Bieber got 100,000 retweets for tweeting “Live life full”. That’s just 3 random words. I’m going to try now.

Nipple squirrel ham”

— Mark Robinson (@robboma3) May 11, 2013

The message was retweeted 26,972 times and favorited 4379 times. Mark has 23,694 followers. While Bieber’s message was tweeted by just 0.3% of his followers, Mark’s message was tweeted more than the number of his followers. Isn’t that fascinating.

This is a trick which risk managers need to learn. Even the most mundane message of a popular leader will be followed more ardently than their sanest advise. People don’t follow bosses, they follow leaders whom they like. Hence, risk managers need to identify the popular figures in office, ask them to give their message or link up their own version to the popular person’s message. Risk management advise is going to spread faster then, rather than with all the technical stuff.

I am dedicating Justin’s song to all of you. We need to believe it too – “I got that power”.

Role of Positivity in Risk Management Communication

locking horns

Can something as simple as appreciation make business teams more willing to accept a risk manager’s viewpoint?

———————————————————————————————–

The Conflict

Proverbially risk managers are locking horns with business managers. Of course business managers out number risk managers, hence more often than not risk managers are licking wounds and complaining that business managers don’t listen to them. Business managers claim that they are running the show, so an interfering risk manager who is perpetually criticizing their hard work  should be shown the door.

Then risk manages lament that it is their job to high light risks which means negatives, so why go after them for being messengers of bad news. The conflict brews and sometimes reaches boiling point. No one wishes to see eye to eye because they wish to get eye for an eye. End result, the business suffers in this battle.

What is the cause of the stormy relationship? Criticism and negative feedback! No one likes it, so why blame the business managers.

What if risk managers change the approach? With the criticism they give a lot of positive reinforcement? Will the behavior of business managers change?

Research on Role of Positivity in Performance

Marcial Losada and Emily Heaphy conducted a research titled – “The Role of Positivity and Connectivity in the Performance of Business Teams – A Nonlinear Dynamics Model”. They studied the dynamics of team interaction in relation to approving and disapproving verbal feedback statements. Researchers coded the verbal communication among team members along three bipolar dimensions, positivity/negativity, inquiry/advocacy, and other/self. Sixty teams developing annual business strategy were analysed.

The results of the study have extremely important implications  from business performance aspect and for risk managers. The table below defines the ratios of various dimensions.

team ratio1

The positivity/ negativity ratios indicate that high performing teams give 5.6 positive comments to 1 negative comment. In contrast the low performing team give three negative comments to one positive comment. The medium performing teams give approximately two positive comments to one negative comment.

Similarly, under inquiry/advocacy ratios, the high performance teams are more balanced in their approach towards inquiry and advocacy. The team members question in an exploratory way. On the other hand, low performance teams are highly unbalanced and members advocate their own viewpoint. The medium performance teams are little bit tilted in favor of advocacy.

Again, high performance maintained a balance in discussing internal and external aspects. Whereas, low performance teams focus on internal inquiry. The medium performance are slightly more focused on internal than external aspects.

Thus, the high performance team have higher levels of connectivity, which results in better performance.

Overall, high performing teams show buoyancy throughout the meeting. They appreciate, compliment and encourage their team members. This expands the emotional space for team to function. In contrast, in low performance teams sarcasm and cynicism rules which restricts the emotional space. There is lack of mutual support, enthusiasm and a high degree of distrust.  The medium performance team don’t show distrust or cynicism but neither are they openly supportive and enthusiastic about their team members.

team dynamics

Implications for Risk Managers

The results are very important from a risk manager’s perspective. As the author states – “to do powerful inquiry, we need to put ourselves sympathetically in the place of the person to whom we are asking the question. There has to be as much interest in the question we are asking as in the answer we are receiving. If not, inquiry can be motivated by a desire to show off or to embarrass the other person, in which case it will not create a nexus with that team member.”

Hence, from the time we approach the business team, we need to ensure that we are inquiring about the business. We should not be advocating any quick recommendations based on high-level interactions.

Another point to note is that the questions should cover both the internal and external environment of the business. This would motivate the business team into a more open discussion.

The most important point is about positive feedback. In our verbal communication and written reports we focus on highlighting the negatives.

The research showed that positive comments (that is a terrific idea) create emotional space within the listener, hence the listener is more willing to take the feedback. The emotional space created by positive comments in high performing teams is twice the size of medium performing teams and three times that of low performing teams.

Negative reporting restricts the emotional space of the business team. To build a positive environment for acceptance of our views, recommendations and report, we need to give 6 positive comments for each negative comment.

The researchers have given equations to assess the emotional space based on various dimensions. It might be a good idea to calculate the same before issuing a report.

Closing thoughts

One of the incorrect assumptions that risk managers make is that there is a linear relationship between the observations and recommendations in the report. However, the study showed the impact of non-linear relationships on functioning of teams. Hence, the fault may lie in the straight forward cause and effect attitude taken by risk managers to get buy-in from business managers.

We generally discuss that in reports we should highlight the positives first to balance out the negatives. This research clearly points out the importance of doing so and the reasons why we are failing. We have to change our approach to be effective. We need to be part of the business team, develop a positive feedback system before giving any negative observations

References:

The Role of Positivity and Connectivity in the Performance of Business Teams: A Nonlinear Dynamics Model - Marcial Losada and Emily Heaphy

Risk Management Version 3.0

RM tiger

The business world is changing so rapidly that companies are either not willing to publish growth predictions or they are getting it wrong. In this new world trends can’t be analysed from historical data. The best business analytic teams fail because the new business models have totally different risks. Moreover, now the risks are interconnected and can’t be addressed separately. An operations risk may have a huge impact on financial risks.  The old compasses are useless and most are walking on uncharted territory.

This is the ideal time for risk managers to shed their old avatars and  become new super heroes of business. First they have to get out of their comfort zone of addressing internal risks that are preventable. The compliance and control based approach leaves over 60% of the risks un-addressed. If we consider that Risk Management version 1.0, we need to rapidly move to Risk Management version 3.0.

So what does version 3.0 look like?

1. Focus on Strategic Risk Management

I consider Enterprise Risk Management frameworks approach as Risk Management version 2.0. Though they covered strategic risks the focus was on finance, processes and technology. Hence, in reality it has become a bottom-up approach though the initial purpose was to make it top down. Risk managers are still not involved at strategic level and it is the Chief Strategy Officers who are analyzing strategic risks.

My guess estimate is that we depute less than 10% of resources to strategic risk management. We need to put in processes and resources where approximately 25% of efforts are focused on strategic risk management. Strategy failure probability has increased in present business environment.  For managing strategic risks reduce  probability of occurrence of assumed risks and effectively manage them if they occur.

2. Focus on Human Behavioral Risks

Industrial age focused on mechanization and streamlining of processes. Products were produced on the assumption that human behavior can be straight jacketed. In the age of technology and social media, this assumption has proved false.  Social media and data analysis allows behavioral analysis of each individual.

Secondly, the bigger challenge the world is facing is of changing demographics. In the last few decades, the average age has changed from 60 years to 75-80 years. The older generation lives longer and works longer. The Gen Y is entering the workforce with different expectations. Women have not only broken ground in the corporate world, but have become main decision makers for household purchases. Emerging market customers and employees have different behavior patterns.  The leadership skill sets have changed drastically. Participative and consultative cultures are more successful now.

Therefore, whether an organization wishes to fight  war of talent or entice customers, understanding human behavior has become crucial. Each segment of employee, customer and other stakeholders present different risks which an organization needs to manage successfully. Without addressing these risks at strategic and operational level, an organization is unlikely to succeed.  Risk managers traditionally haven’t focused on people, leadership or culture risks. In this century they need to.

3. Integrate Risk Management Knowledge & Resources

The traditional approach of having different experts of financial, operational and other risks in separate departments and addressing each risk in a linear manner is redundant. Moreover, now businesses are significantly exposed to external risks, which was not the case before. The Vodafone and Nokia tax cases are prime examples of risks occurring due to change in government stance.

Risk Management version 3.0 requires integrated risk management where risk managers with diverse skills can assess inter-related risks – internal and external. Secondly, risk managers have to be available within the business and as a separate department. The risk managers operating as part of the business unit need to identify the business risks and update the risk management department. The department needs to devise holistic solutions.

The risk management tools, technology, processes and resources all need to restructured to operate in an integrated manner at all levels.

Closing Thoughts

I suspect, group think is prevailing among risk managers. No one wishes to be a bull in a china shop and say – “hey this isn’t working.” It is ironic that risk managers are not doing adequate risk management of their own role and function. Old habits die hard and getting out of the comfort zone is scary, but I think we need to do it. Else, business failures are going to increase at a high rate. In the current economic environment, we can’t afford those losses. Think about it and share your views.

Wishing all my readers a very Happy Holi.

Auditors Criticise Without Value Addition

This is my 251 post and it feels good to have written so many. So I thought of dealing with a difficult and sensitive topic for auditors. The corporate world views auditors with jaundiced eyes and auditorville has a bad reputation. Scott Adams in his book “Thriving on Stupidity in the 21st Century” humorously described auditors in the following paragraph:

“Auditors get more respect and more bribes than accountants. That is because auditors are relatively more dangerous. Auditors are generally plucked from the ranks of accountants who had very bad childhood experiences. The accountants who don’t go on to become serial killers have a good chance of becoming successful auditors.”

The reputation comes from doing post mortems, writing long reports on deficiencies and criticizing the work of business teams. No one likes a critic and especially not those who do not do any value addition. So where are we going wrong?

1.  Criticizing Makes an Auditor Successful

The common perception is that more faults an auditor finds in an audit, the better is the quality of the audit. This is driven by the fact that some audit departments have a key performance indicator on number of observations. If there are no observations or weaknesses, the audit quality was not good. Let me mention an old story here.

A couple was riding a donkey to reach their village.

Two passer-by’s saw them and said – “Poor donkey, has to take the load of two humans.”

The husband heard the comment and got of the donkey. Further, two passer-bys saw them and said-“See, the wife is sitting comfortably on the donkey and the poor husband is walking on the road.” The wife got off the donkey and made her husband sit on it.

After a few kilometers  two spectators said – “See what the world is coming to, no chivalry. Man is riding the donkey and the poor woman is walking.” Now both husband and wife started walking along with the donkey.

Then another set of bystanders said – “See the idiots, both are walking and no one is riding the donkey”

The purpose of audit is to provide assurance on the process, not find faults with it. For instance, last year you conducted an audit of purchasing process and made ten observations. Will the audit of the same process be successful if you made 11 observations or nil observations? If auditee implemented previous year recommendations, then they should not re-appear. If without a change in process, you found new weaknesses, then it means the previous year audit was not done properly. Hence, criticism doesn’t make an audit a success or a failure. The quality of observations holds meaning.

2. My Way or Highway

The other presumption is that audit can be done without much of business knowledge. Just high-level understanding is required. This is really an incorrect view. I recall in my training period I was assigned an internal audit client that flew helicopters. When I was doing bank vouching, I had said to my colleague doing cash vouching  -“Wish we were auditing a car maker, at least I know the cost of a car tyre.” I was checking the appropriateness of expenses including repair and maintenance of helicopters when I hadn’t seen a helicopter from a five feet distance, let alone sit in one. Your guess is as good as mine on the quality of observations and value addition provided.

The big problem comes, when after doing an audit without business knowledge we refuse to listen to the business teams that the observations are irrelevant or incorrect. We don’t appreciate the different perspective of business teams and high-handedly push down our recommendations. Times of India mentioned a nice joke on this last Sunday.

Why did the chicken cross the road?

Plato: For the greater good.

Aristotle: To actualize its potential.

Darwin: It was the next logical step after coming down from the tree.

Neitzsche: Because if you gaze too long across the road, the road gazes back at you.

Buddha: If you ask this question, you deny your own chicken-nature.

Closing Thoughts

In the 21st century, auditors can’t hold a stick to beat the business teams all the time. The role has changed. With it the skill set and approach needs to be changed. If auditors are not able to give a better solution or process change, they should consider whether their criticism makes sense or not. Maybe, business needs to live with the control weaknesses, take the risks because the costs of plugging them are very high. The observation and recommendation should provide value addition, either in the form of assurance or improvement. Else, a lot of expenses are made to cater to auditors’ egoistical viewpoints rather than seeing business viability.

All criticism and feedback on the blog is welcome. Please share your views. A big thank you to my readers for reading my 250 posts.

Risk Managers Leadership Challenge

British Petroleum was recently fined US $ 4.5 billion for the Deep-water Horizon disaster in April 2010. The highest ever fine till date. The verdict implicated two employees for negligence. Similar news is coming of regulators charging huge fines to banks for their wrong doings. Regulators and law enforcement agencies change in approach sends a clear message – regulators won’t tolerate lax attitude towards risk management. Organizations will have to pay through their nose if caught contravening laws and regulations. Therefore, risk managers have to pull up their socks and gear themselves for tougher times.

It is apparent that risk management approaches and practices that worked until 2011, will not work by 2015. Frequently, risk managers focused on self-preservation by blaming the top management for lack of support. They continued the silo approach and turf wars with other risk management departments at the expense of the organization. They escaped majority of the blame for the debacles, as business was responsible for the risk management decisions. Risk managers role was recommendatory and supportive in nature; hence, the ball was never in their court.

1.     New demands from business heads

In my view, business heads will not allow this type of smooth sailing to risk managers now. They will hold risk managers accountable and responsible for the level of risk within the organization and for failure to prevent risk management disasters. In the current environment, risk managers need to focus on the following.

a)     Build risk awareness across the organization and spread the message to every employee of the organization.

b)     Maintain a risk register that captures internal and external risks at strategic, tactical and operational level.

c)      Ensure decisions are taken after giving due regard to risk versus reward parameters. Organization risks remain within the risk appetite.

d)     Guarantee complete compliance to all legal and regulatory requirements at a global level.

e)     Make risk management departments efficient and effective by managing costs and working with limited resources.

2.     Change in leadership style

Hence, it is crucial for risk managers to change their leadership style and take a deep look on the management practices they have followed until date. I know you would think that isn’t a big issue. I also thought on the same lines before I read Lisa Wiseman’s views on multiplier effect of leadership. She is the author of the book – Multipliers: How the Best Leaders Make Everyone Smarter. I must say it is a revelation. She has divided leaders in two major categories – diminishers and multipliers. Multipliers use and amplify intelligence of others that results in a 2X effect. Unfortunately, diminishers use less than half the intelligence of those around them. Diminishers have the attitude that they are the smartest in the room, and hence do not leverage on the intelligence of others. On the other hand, multipliers create an environment where best thinkers grow. See the chart below to understand the ten sub categories.

3.     Risk managers diminish business teams

I understand that our first reaction is to believe that we are a multiplier leader. However, you will change your opinion on reading the details in the paper or on taking the accidental diminisher quiz (links below). Majority of us are somewhere between the spectrum on multiplier to diminisher. Here are some of the instances where risk managers show diminishing behavior:

a)     As risk managers sometimes we have focused on building large departments to show importance rather than deliver value.  We do so at the expense of other risk management departments who might be requiring the resources desperately.

b)     We use our positions politically to create a fearful environment among business teams. They believe all shortcomings and failures will be reported to senior managers and their jobs will be at risk.

c)      We use our limited knowledge of business operations to give advice to business teams without considering their viewpoints and thoughts on the same.

d)     We roll out risk management plans and initiatives without having any discussions with the business teams and people at lower levels that have to execute the plans.

e)     We believe without our personal involvement business teams cannot manage risks. Instead of training and educating business teams, we get involved in every small aspect.

Closing thoughts

Though, if you read the top five things risk managers have to do at the top of the page, we need to cultivate multiplier behavior patterns. Nothing can be better than using twice the brainpower of a resource at the cost of one. Moreover, the multiplier effect will facilitate using the knowledge residing with business teams. It is only when business teams start thinking about risk management on their own that organizations will avoid disasters.

In the present environment, risk managers have to meet new demands with insufficient resources and knowledge. Do you think becoming a multiplier will address some of the problems? According to you what alternative approaches should be followed?

References

  1. Multipliers: How the Best Leaders Make Everyone Smarter Management Forum Series presentation by Liz Wiseman Synopsis by Rod Cox
  2. Accidental diminisher quiz

Winner of the Competition of Bullshit Quotient Book

Thank you all for participating in the poll and the competition held in the post “A Book Review – Bullshit Quotient“. Over a 100 people voted and mostly in favor of the views expressed by the author Ranjeev Dubey. Ranjeev has personally gone through the comments and chosen a winner. He has also expressed this thoughts on the various comments. Read below, as I am sharing an unedited version of his opinion.

My thought as I read through the thoughtful comments posted by your followers was mainly at the high level of comprehension here. Why we nevertheless allow this endless repetition of culpable double speak is a moot question. Why this clear understanding of the reality on the ground does not translate into a program of change is another moot question. I can draw your attention to the following nuggets that I particularly liked:

“The business of the company is to deliver value to the stakeholders/shareholders. Everything else is incidental. All the stuff about delivering value to customers is BULLSHIT. - M Seshagiri Rao:

“Small practices often have no audit trail. Accountability is ensuring that you understand and carry out the actions of the law, with ethical and moral actions. So, the laws are there, [but] the government is in the hands of those who thrive on power, regardless of having the right to vote, that doesn’t even matter…”- Joanne McNamara:

“As a cynical private investigator I have found that the bigger the lie, regardless of the circumstances, simply means that there are more person involved.”- Jeff Moy

“To add to the misery, a nation in need of an inspiring dream, is fed the empty corporate drivel”. - Amey Kawale

But at the end, the prize goes to the one who goes beyond the points made, to the next level so to speak. And for me, the winner is:

“Commercial organization sometimes fail to realize (or take the ostrich approach to the fact) that they don’t exist in a vacuum, but within an ecosystem where the (mostly competing) interests of companies, customers, employees, regulators, environment and the larger society are required to be optimized. This was the stated (though in a different way) objective of the concept of Trusteeship, which sadly has gone out of the window gradually after Indian independence.” – Deb.

Thank you all, and especially, thank you Debashis

Rajeev Dubey “

The winner of the competition is Debashis Gupta. Congratulations!

Debashis please email your address to me and we will send you the prize.

Coal Gate Scam – Should Auditors Comment on Policy Decisions?

The Coal Gate Scam report has squarely put the loss of Rs. 1.86 lakh crores (USD 35. 097 billion) at the Prime Ministers door. Comptroller and Auditor General (CAG) report states that Prime Minister Manmohan Singh agreed to introduce competitive bidding for allocation of coal blocks way back in October 2004. However, his office indulged in delay tactics of approving the revised policy. This resulted in allocation of coal blocks according to the old policy introduced in 1993. Failure to use competitive bidding resulted in a loss of Rs. 1.86 lakh crores (USD 35.097 billion).

This raises interesting questions from the corporate sector perspective. Should auditors see the validity and applicability of policies? Alternatively, should they restrict their role to the compliance of existing policies?  What happens when a policy or standard operating procedure of an organization is redundant however is still being followed? If competitors are using better processes, technology and policies than the organization, what role should auditors play in it?

1.     Delaying Policies Becomes a Political Game

According to the CAG report, the Screening Committee allocated blocks and the process lacked transparency. Allegations are that private companies with political links benefited at the expense of others. However, competitive bidding policy could have been introduced with an amendment from the administrative desk. Prime Minister’s role becomes critical as he was also fulfilling the responsibilities of Minister of Coal. CAG says he made it into a bigger issue that the policy should be changed for all minerals and not just coal; hence the process for making such large-scale policy change was different. This allowed the coal ministry to follow the 1993 process.

This happens in the corporate sector too. For instance, an employee or a small group suggest a change to an existing control process that will take just one man-month effort. Some others with vested interests do not wish for the change to occur. However, they can’t reject the suggestion for strengthening controls without looking bad. Hence, to stall the project, they add a few more suggestions which make the project larger into 24 man-months effort. Now the change can only happen once the huge budget is approved. Since, the project is not priority; it stays on the bottom of the budget approval list. Hence, status quo remains and subsequently someone exploits the control weakness to conduct a fraud.

In such a situation, as an internal auditor would you highlight the initial attempt to strengthen controls and put responsibility on the other group for delaying the change? Do we as internal auditors go back in such depth to find out what projects or policies were kept pending approval and they had such a huge negative impact?

2.     Auditor’s Role in Policy Review

The Supreme Court has upheld CAGs power to comment on policies. Justices R M Lodha and A R Dave bench said “Do not confuse the constitutional office of CAG with that of an auditor of a company or corporation.” This response was in respect to a petitioner’s contention that CAG should restrict itself to auditing expenditure and not comment on the government’s rational of policy decisions. The bench had further added – “CAG is not the traditional Munimji to prepare only balance sheets. It is constitutionally mandated to examine the efficiency, effectiveness and economy of the decisions of the government in using resources. If the CAG will not do this, then who will?

This viewpoint raises some interesting points for internal auditors in the corporate world. Should auditors be commenting on strategic or policy decisions of the company?

For instance, the company decides to use print media for advertising open job positions. However, it is much cheaper to use job portals and social media. These significantly reduce the cost of recruitment. Should an auditor restrict himself to checking that all expenditure is authentic or question the hiring policy?

Another aspect is the strategy decisions. Let us say, Company A decided not to enter into the emerging markets, whereas Company B operating in the same industry entered the emerging markets and increased the profitability tremendously. Should an auditor audit strategic decisions, and not just say that it is management responsibility. Where is the line of demarcation drawn in respect of corporate internal audit?

Institute of Internal Auditors new standard applicable from 2013 ‘Achievement of the organization’s strategic objectives’ states that – “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives”.  Hence, should we conclude that evaluating strategic decisions comes under internal audit purview?

3.     Auditor’s Role in Calculating Presumptive Loss

The CAG audit reports on 2G licenses and Coal Block allocations have raised a storm due to the calculation of presumptive loss figures. The government’s contention is that CAG should not be calculating the opportunity loss, as policy decisions are taken to benefit the public.

CAG however, contended that – “We had never commented on government policies, neither did we ever say that auction was the only route or that all natural resources should be auctioned. In both 2G spectrum licences and coal block allocations, we had only commented on the ‘effectiveness or non-implementation’ of policies. The presumptive loss or windfall gain figures are only to highlight the serious issues of an act of commission during implementation of government policies.”

In the corporate world, internal auditors make an observation and restrict their recommendations to suggest improvements. In rare cases, a cost-benefit analysis is done on the impact of the control weakness. We generally fail to draw management attention to the seriousness of the issue, as they are no numbers given. Should corporate internal auditors change their approach to audit work to give a cost-benefit analysis for their observations? Will that garner more attention from the management and initiate action?

Closing Thoughts

These are questions worth debating about and there are no easy answers. The business world internal auditors can learn quite a few lessons from the government auditors. They are doing a good job of raising contentious issues. Below is a poll to assess your views.

References:

  1. CAG not a ‘munimji’ of govt’s balance sheet: SC
  2. CoalGate: CAG does not let Manmohan, PMO off the hook
  3.  Performance Audit of Allocation of Coal Blocks and Augmentation of Coal Production (Ministry of Coal)