Managing Systemic Risks in Organizations

The gross turnover of top 100 multinationals is higher than the gross domestic product of a few countries. As it was obvious from the financial crises, organizations employing a few hundred thousand employees can rock the global financial stability. From then on, a lot of discussion is occurring around systemic risks. However, I wonder about the actual momentum in addressing systemic risks.

As per my understanding, an inaccurate perception has formed that governments have the major responsibility to address systemic risks and not the organizations. The picture below depicts the increasing level of risks for human civilization or society as a whole and the increasing level of risks within an organization. Though we do not see linear relationships, they are interconnected. While an organization is a subset of the civilization, their large sizes have also made it a significant component of creating systemic risks.

 

Systemic risks

 

Another fallacy is that organization’s need to track systemic risks at the global level alone. From the financial crises, it was obvious that the Retail Housing Loan departments of US Banks shook the real estate industry. Various CDOs of banks investment divisions were the cause of collapse of major banks. Hence, something as small as the functioning of a department, process or product can destabilize the industry and economy when incorrect practices are followed in multiple organizations.

Moreover, senior management of organizations that have implemented Enterprise Risk Management (ERM) believe that systemic risks are automatically addressed. None of the ERMs is going beyond strategic risks. The focus is mostly on operational and tactical risk coverage. Unless the risk management department has taken concrete measures to identify systemic risks, in all probability they are unmitigated.

Lastly, for most of the systemic risks, the organization by itself can only partly mitigate the risks. Except for taking insurance, they cannot develop and implement full-fledged solutions to treat the risks. Though the impact of systemic risks is huge, the lack of understanding, information and solutions, make organizations negligent about identifying and addressing these risks. Hence, the question is – what should organizations do to manage systemic risks?

1. Global Systemic Risk Monitoring Group

Within the risk management department there should be dedicated resources tracking systemic risks from process to country level and reporting to the global group. In the interconnected world, the risks in one country impact other countries. For instance, consider the attack on Malaysian airplane by rebels in Ukraine. A geo-political risk of one country has brought an organization of another country down. Hence, now the risks have to be viewed from a global perspective. To do this organizations must incorporate the group within the organization structure, deploy funds and resources, use technology to connect and track risks at a global level.

2.  Connecting With National Risk Boards

The 2014 World Bank Risk Report suggests formation of National Risk Boards (Same name, could they have got inspired by this blog :)). This will be a huge plus, since risk identification and mitigation will be done at a national level. For instance, if a large country like India were connected at district, state, and national level through risk boards, the level of risk management would improve significantly.

Moreover, this will facilitate in addressing inter-state risks and cross border risks. For example, cyber security threats mitigation requires coordination within the country and significant amount of international collaboration. The national risk boards of countries become the focal point for international cooperation and collaboration for risk mitigation. Developing relationships with the board members and participating in the initiatives will help organizations in dealing with systemic risks.

3.  Connecting With Industry Risk Boards

The systemic risk group needs to connect with the industry risk boards and regulators to capture the industry level risks. For instance, Back of England conducts a half-yearly survey to determine systemic risks in UK financial sector and the confidence of the organizations in dealing with it.

If organizations facilitate in formation and management of industry risk boards, they can cooperate with the competitors to mitigate industry level risks. Relationships with international industry boards would be a huge plus in acquiring knowledge and formulating plans.

4.  Assessing Preparation at National Level

The World Bank report states that investment in risk mitigation and prevention is low, and most of the expenditure is done during and after a disaster to recover and continue operations. Therefore, the challenge is that risk identification may not result in developing and implementing risk mitigation plans. For example, various cities in India regularly suffer from floods during monsoons. ALthough the government knows the problem and solutions, it has not done much to resolve the issue. There are ongoing battles between city, state, and national level for risk prioritization.

That is, the same risk may have different impact and loss level due to national level preparation. Organizations need to assess the level of preparation of government and local communities to determine the impact and develop risk mitigation plans accordingly.

5.  Assessing Impact at Social Level

Previously, organizations were insulated from the society to some extent. The social networks have changed the scenario, and any incident can become an explosive issue. Hence, impact has to be calculated at social level rather than at an incident level. For instance, recently a six-year-old girl in Bangalore was gang-raped in school by her teachers. Last weekend, parents in Bangalore organized marches to demonstrate their anger against the schools lackadaisical attitude towards children security. Police has lodged complaints against the school and politicians are talking about closing the school.

Presently, rape, women, and child security are sensitive topics in India. India is fourth unsafe country in the world for women. Hence, a single incident can close down an organization. Therefore, risk managers need to identify sensitive issues related to systemic risks and extrapolate the impact at city, state, country, and global level to determine impact of various risks.

Closing Thoughts

Systemic risks impact is sometimes more than losses of earthquakes, tsunamis and nuclear disasters, hence they cannot be ignored. Higher level of focus is required within organizations, industry, community, and nations to build processes, institutions, and infrastructure to identify and mitigate systemic risks. Timely investment in this area can save billions of dollars. Hence, risk managers need to put their thinking caps on, develop concept notes, and influence senior managers to deploy funds in managing systemic risks.

Innovative Approaches to Fraud Risk Management

The Javelin Strategy & Research Identity Theft Report 2013 states that 5.16% of US customers suffered from identity theft amounting to US$20.9 billion. Moreover, Tablet users had the highest probability of fraud at 9.6%. Victims of data breach had a 22.5% likelihood to becoming fraud victims. Hence, it is clear that while organizations are deploying more processes, technology and resources to prevent fraud, the fraudsters are having a ball. One thing fraudsters do, is to think outside the box. So we have to take a leaf out of their book and be innovative in our approach to prevent and detect fraud. Below are some ideas on the same. Share with me your thoughts on what you think about them.

 1)    Voice Print Analysis

Presently, in most of the banks, a call center agent asks a set of questions to verify the identity of customer for telephone banking. Internal employees, external fraudsters and organized crime groups can easily steal information about date of birth, place of birth, address, secret questions, and card number.

Now voice-printing software is available for authentication of voice. The system automatically verifies the caller voice with the customer’s sample voice to identify fraudulent callers and protect the account.

Secondly, maintain voice records of earlier fraudsters. When system detects a fraudulent caller, it automatically checks against the previous fraudulent call records. Hence, the system will flag if a fraudster has previously conducted a telephone banking fraud. With this, it will be easy to nab the fraudster, if the police had caught him/her in a previous case.

A new voice identity technology is available  that captures the tone of the voice and the type of communication. The software can monitor quality of calls and customer satisfaction from call center agents’ conversations with customers. This will cut manual quality control checks significantly and result in savings in quality control department costs.

2)    Track through Photographs and Location Mapping

Besides having voice-printing software, use a system similar to WhatsApp to identify of customers. WhatsApp sends text messages, images, video recordings, audio recordings, and the location. If banks invest in a similar application and allow customers to download the application on their mobile phones and tablets, the number of telephone and internet frauds will reduce.

If a fraudulent caller is flagged, then the call center agent can request the customer to send a selfie or video. If it is the wrong person, usually the caller will cut the conversation and drop the attempt to commit a fraud.

If the caller is able to circumvent this control, the application will also track the location. Applications track the frequent places a customer visits or calls from. If the caller is from an unusual place, then s/he can be tracked immediately. For example, if a British customer is tracked to a place in India, the call centre agent can ask the caller to verify their location.

3. Track Spending Behavior

Sometimes high value fraudulent payments are processed resulting in huge losses. A study done by Vivek K. Singh*, Laura Freeman*, Bruno Lepri, Alex (Sandy) Pentland for “Classifying Spending Behaviour using Socio-Mobile Data” determined the spending behavior of customers from the social interaction patterns on mobile phones. For example, it showed that more social couple and couples with diverse business interests tend to spend more.

Using big data, insights on spending behavior of customers can be analysed based on personality traits. Tracking social patterns and payment patterns can flag out anomalies when the payment is not in line with the spending pattern. Moreover, a location map can identify the location of beneficiaries of previous payments . Hence, fraudulent payments can be identified at the time of processing itself.

Another advantage from this technology can be for processing retail loan applications. If prospective customers are willing to give the data of mobile phone transactions, then at the time of processing the application itself, the bank can identify which customers are likely to overspend and default in future. The bank can ask for additional securities and guarantees.

Moreover, if the application is installed in the loan customer’s mobile after loan disbursement, the moment s/he is about to overspend which might result in default of EMI, the bank can send the customer an alert to pay the EMI first.

 4. Fraud Risk Conversations

According to psychological studies on emotional intelligence, Negative Emotional Attractor’s activate defense systems and build resistance to change. On the other hand, Positive Emotional Attractors (PEA) activates parasympathetic nervous system and makes a person more conducive to listen and change behavior. An effective team has a 3:1 ratio of PEA:NEA. Another study shows that improving peer-to-peer conversation increases productivity of the team by 30 to 40%.

However, risk management reports are mainly critical hence activate NEA. Moreover, the communication, training material, and code of conduct are all geared towards creating fear and guilt. Hence, it is not surprising that attempts to educate business teams on fraud risks fail.

Fraud risk managers can build a positive interaction model using technology platform. A study conducted by Erez Shmueli_, Vivek Kumar Singh_, Bruno Lepri and Alex ”Sandy” Pentland on “Sensing, Understanding, and Shaping Social Behavior” enables tracking of human behavior through big data analytics. The analytic helps in understanding the behavior, the tone of the conversation and the trust relationships between people.

Using this technology, an organization can use a social networking platform to communicate fraud risks through blogs, videos, and stories. The write-ups and stories should be from the business teams. From the comments section, the application can identify the key influencers and trust holders to bring about change. Thus, change the conversation to change the behavior.

 Closing Thoughts

 The days of holding a gun to rob a bank are nearly over. Fraudsters use social engineering to obtain sensitive information to conduct account takeover frauds remotely. Hence, organizations need to use socio-physics, social networks, and technology to beat the fraudsters in their own game. Being a leader in adopting the latest technology to prevent and detect frauds has an additional advantage, the fraudsters have not discovered the antidote to it. Hence, fraud risk managers have the right weapons to fight. The right tools can make a hell of a difference.

References:

  1.  Javelin Strategy & Research Identity Theft Report 2013
  2. Classifying Spending Behavior using Socio-Mobile Data - Vivek K. Singh*, Laura Freeman*, Bruno Lepri, Alex (Sandy) Pentland
  3.  Sensing, Understanding, and Shaping Social Behaviour – Erez Shmueli_, Vivek Kumar Singh_, Bruno Lepri and Alex ”Sandy” Pentland

 

 

The Misconstrued Likelihood

Source: Lancashire Resiliency Forum

Source: Lancashire Resiliency Forum

 

Have you ever thought of stopping the use of “likelihood” in preparing a risk matrix? The shocked reaction is – “how can we calculate risk without likelihood?” But seriously, how competent are we in calculating the probability of each risk. As risk managers, don’t we just check the box based on our judgment? The thought process is – earthquake – rare, hurricane – rare, data theft – occasional, and we don’t need data to make these judgments.

 1. Inaccurate Calculation

My claim is that all this is hyperbole and we draw inferences from inaccurate information. To substantiate my argument, here are two statements of the EY 13 Global Fraud Survey 2014 and Kroll Global Fraud Survey 2013/2014.

EY 13 Global Fraud Survey 2014 quote:–

“More than 1 in 10 executives surveyed reported their company as having experienced a significant fraud in the past two years. In fact, the level of fraud reported by respondents has remained largely unchanged over the past six years: from 13% in 2008 to 12% in 2014.”

 Kroll Global Fraud Survey 2013/2014 quote:

 “The incidence of fraud has increased. Overall, 70% of companies reported suffering from at least one type of fraud in the last year, up from 61% in the previous poll”

The EY report does not define “significant fraud” .Kroll report does state that “the economic cost of these crimes mounted, increasing from an average of 0.9% of revenue to 1.4%, with one in 10 businesses reporting a cost of more than 4% of revenue.”

 Now assume you do not have historical data on incidence of fraud in your organization and have to infer the likelihood of fraud from the above-mentioned statements.

 

Please share the logic you used to determine the likelihood in the comments section.

 2. Unidentified Representative Bias

Implicit in our judgment is representative bias, which only a discerning eye can decipher. For instance, read the following lines from the EY 13 Global Fraud Survey 2014.

“The survey results show a correlation between executive roles and willingness to justify certain activity when under pressure to meet financial targets:

CFOs are more likely than other executives to justify changes to assumptions relating to valuations and reserves in order to meet financial targets.

General counsel are more likely than other executives to justify backdating contracts in order to meet financial targets.

► Sales and marketing executives are more likely than other executives to justify introducing flexible return policies in order to meet financial targets.”

How is this news worth reporting? Aren’t risk managers aware that employees are more likely to conduct frauds within their area of job responsibility and authority?

It would be interesting to know the probability of other departments (excluding sales and marketing personal) introducing fraudulent flexible return policies. Without that information, while conducting a fraud investigation we are likely to assume the fraud in sales department was conducted by sales personnel, whereas it is possible that another department personnel had done it.

Now if you want further proof of representative heuristic, here is a classic example of a study conducted on women’s propensity to conduct fraud by Steffensmeler. He concluded:

“There is reason to believe that over time increasing the number of female CEOs would reduce corporate corruption because women tend to promote a more ethical business climate rather than one that promotes personal and corporate profits at all costs, no matter what the potential societal costs or harms might be.”

Then he further states that lower rate of fraud might be because men do not conspire with women to conduct frauds and women may not have access to higher echelons of management to do big frauds.

However, it still does not explain how he has made the above statements. According to child psychology reports, both girls and boys in childhood have nearly equal tendency towards anti-social behavior though it reflects in different ways. For example, boys bully directly, girls bully indirectly.

So, are we saying nature and nurture have less impact on girls than boys because they are somehow hardwired to be more ethical? Alternatively, do you think that social conceptions are at play here because women are the weaker sex and therefore nicer. Wouldn’t it be interesting to study the tendency to commit fraud by giving equal opportunity to both genders to steal without fear of punishment and then find who is more likely to do so? It might show that women commit less fraud not because they are more ethical, but more fearful.

Closing Thoughts

Risk managers must ask themselves – “What is the worst that can happen if they do not check any box of likelihood? It is possible to create a bucket list of known risks, with undetermined likelihood and impact?” Adopt an alternative method or procedure, since inaccurate calculations lead to misguiding the management and implementation of wrong risk mitigation plans.

If we do not know something, why pretend to have a magic wand and claim knowledge. What is the harm in admitting that we do not have all the answers?

 

References:

  1.  EY 13 Global Fraud Survey 2014
  2. Kroll Global Fraud Survey 2013/2014
  3. Women still less likely to commit corporate fraud 

 

 

 

 

The Unreliable Expert Advisers

Let me start by asking you a question – How many times have you written the word “expert” in your resume. Were you, like me, obsessed about becoming a subject matter expert or a thought leader? Are you an ardent devotee of people who profess expertise and give expert opinion in the media?

1.  Experts Know Better

If the answer to the above questions is yes, then let me ask you another question. If a political scientist and an astrologer are giving predictions of the political scenario in India 20 years from now, whose judgment will you rely on?

Philip Tetlock studied 300 experts over a 20-year period and concluded that experts were just slightly better off than the novices were. The expert group consisted of economists, political scientists, academicians, journalists and Phd. Another study showed that a rat was able to predict the location of food in a cage better than Yale students were.

Started believing in astrologers yet?

2.  Experts Perform Better

The counter argument is Malcolm Gladwell’s study, that to become an expert 10,000 hours of practice is required while continuously enhancing the skills to become an expert. Against this backdrop, one would assume that expertise matters and experts would perform better.

Below is a question, choose one of the options.

 

A study conducted by Eric Schwitzgebel showed that old and rare ethics books in the library were missing at twice the rate of other subject’s old books. That meant ethics philosophers were more likely to steal books than other lecturers were. Their expert knowledge on ethics did not prevent them from doing something completely unethical when it was in their self-interest.

Hence, all the knowledge and teaching of ethics would go waste if it were not incorporated in the behavior and personal value system. Does it not raise the question in your mind as to what is the point of teaching ethics in the organization? Maybe it is worth conducting an organization survey to measure the results.

 3.   Risks Can Be Accurately Predicted

After the financial crises, the bamboozled regulators were grappling to figure out why the idyllic scenario collapsed. All the posturing and ping-pong battles by the self-proclaimed risk management experts could not explain how they were caught napping.

The reason is simple. Risk managers and business managers can only predict risks based on their experience and information. For instance, in David versus Goliath battle, Goliath was well prepared. He was strong; he had a shield and a headgear to protect him. However, he was not aware that a slingshot could kill him. Hence, he did not mitigate that risk.

The risk managers and business managers do not have complete information about the present and the future business environment. Business managers normally take decisions when 70% of the information is available. Complete information is not available and the future is unknown. Hence, the next big disaster is always waiting at the next blind turn.

4.  High Performers Take Lessor Risks

Another assumption is that under-performing managers who are at the risk of missing their targets take higher risks than high-performing managers do. A study conducted by Ping Hu on mutual fund managers showed that both low and high performing managers are likely to take higher risks. The high performing managers do not face any employment risks, are comfortable in their positions; hence, take more risks. The under-performing managers take risks to achieve their goals. Hence, risk taking of managers is a U-shaped curve and highly dependent on the employment risks of the manager.

Therefore, the question arises what is the benefit of all the training given to managers. It allows managers to do proper risk mitigation and enables them to take higher risks.

Closing Thoughts

The above-mentioned studies shatter the fallacies and assumptions of confidently relying of expertise. An expert’s opinion may not be worth the paper it is written. So what is the advantage of having trusted advisers within the company?

The key is not to rely on insiders only. Have a panel of outside experts to give impartial view. Moreover, the experts shouldn’t be attached to their own opinion or view. The higher the levels of constructive confrontation within the organization, the better are the chances of doing effective risk management. Additionally, incorporate risk management processes within the business processes, and integrate them in employee behavior, practices, and reward system.

References:

  1. Philip Tetlock’s book, “Expert Political Judgment: How Good Is It? How Can We Know?”
  2. Do Ethicists Steal More Books? - Eric Schwitzgebel, Department of Philosophy, University of California at Riverside
  3. Fund Flows, Performance, Managerial Career Concerns, and Risk Taking - Ping Hu Risk Analytics, Corporate Finance, Wells Fargo, Charlotte, North Carolina

 

 

 

 

Junk The Risk Assessments

Sorry folks for taking such a long break from blogging.  I was busy talking to a few angels who had entered my life all of a sudden. Now you are thinking that maybe I injured my head during the last five months. An adult talking about angels, absolutely insane! As kids we are happy to believe in Santa Claus. As we grow the social norms expect us to be more cynical, and we have to say – “We don’t believe in angels”. The question is –“have you seen any with your naked eye?” Off course not, but how does that prove that they don’t exist. In life, we have not seen many things, but we believe they exist.

So now, you are wondering what I am getting at.

As a risk manager has a business head ever told you – “You don’t have any idea of the business, this risk assessment is trash.” You wished to tell him that you did a proper job but he is absolutely is absolutely refusing to listen.

When business managers  submitted self-risk assessments, were you rubbing your eyes in disbelief? You could not figure out how they have rated the risks so high or so low, completely contrary to your expectations.

Is it possible that the risk assessments are frequently wrong and serve very little purpose except for completing the paper work? The idea of discarding risk assessments is scary as operational risk managers rely heavily on risk assessments matrix to assess the probability of occurrence of risk and the impact of the same. We advise business managers to complete self-risk assessments for their units. Organizations consider top twenty risks critical and depute resources to address the same.

Despite the risk assessments, unknown risks keep popping up. Risks rated low flare up into big issues. High impact low probability risks cause a whole lot of more damage than estimated.

Research on cognitive biases shows that subjective risk assessment done without data are prone to errors. Human beings have numerous biases in their thinking, due to which they tend to make incorrect decisions. Below is the list of biases I shall discuss in the next few posts:

1)      Representative Heuristic

2)      Availability

3)      Hindsight Bias

4)      Black Swans

5)      Conjunction Fallacy

6)      Confirmation Bias

7)      Anchoring, adjustment and contamination

8)      Affect Heuristic

9)      Scope Neglect

10)   Calibration and Overconfidence

11)   Bystander Apathy

You might be wondering whether the biases and heuristics really have any impact or is it just another aspect of psychology we can ignore. Let me ask you a question here:

 

Malcolm Gladwell did an analysis in his book David versus Goliath and stated that in 63% of the cases the smaller country defending its territories won the war. The powerful invader had to backtrack and generally lost the war despite its military strength. The small defending countries win because they use unconventional strategies for warfare, garner public support, and have higher commitment as they have more at stake if they lose. Then what percentage of the risk assessments of a war are incorrect? The loss of life and property are in vain.

Wait for the next few posts, as they might make you rethink on the conventional wisdom of risk assessment done by organizations.  

References: 1. Cognitive Biases Potentially Affecting Judgment of Global Risks – Eliezer Yudkowsky, Machine Intelligence Research Institute

2.  Probabilistic Reasoning by Amos Tversky and Daniel Kahneman

Routine Activity Theory Implications on Increasing Crime Rate in Indian Society

Cohen and Folsen’s Routine Activity Theory of Crime, appeals to me at an intellectual level to understand the increasing rate of crime in Indian society. However, it contradicts my personal philosophy about human beings. The theory presumes that every human being basically has a criminal tendency and is capable of crime. I believe that human beings are inherently good and each human being irrespective of the crimes they have committed is capable of good deeds. Hence, I will try to discuss the theory without bias and balance the two opposing views. If I sound partial towards my philosophy, then forgive me from the goodness of your heart.

1.      Introduction

The theory was based on analysis of US crime data of 1947-1974. During this period the average income of families increased, number of people below poverty line decreased, education levels improved, and unemployment levels decreased. However, the rate of violent crime in urban areas   increased – rape (174%), assault (164%), robbery (263%) and homicide (188%).

The Indian urban society is showing similar trends since liberalization in 1990s. While growth, income, economy, facilities, education etc. has significantly improved in urban areas, the rate of crime has increased exponentially. Before, in 1960s and 1970s, others would ostracize a middle class person if he were publicly involved in criminal activity. Now, nearly every second person is involved in a corrupt and unethical activity openly. Though we blame it on deteriorating social values, this theory helps us understand why we compromise the values and participate in a crime.

2.      Concept

The theory states that “structural changes in routine activity patterns can influence crime rates by affecting the convergence in space and time of three minimal elements of direct contact predatory violations: (1) motivated offenders, (2) suitable targets, and (3) the absence of capable guardians against a violation”. Lack of any one of these reduces crime. However, the level of control exercised by the guardians has a direct impact on crime. Even if motivated offenders and suitable targets remain the same, if control reduces, crime increases. The theory states that income of the offender does not have any impact on his desire to commit crime and contradicts the popular notion that people with less income have a higher propensity to commit crime.

Source: Wikepedia

Now this can be understood in Indian context. The number of people living away from their traditional homeland has increased as more people are living in nuclear families or as singles in different cities. The change in social behavior has changed the routine activity of people as social controls of family and community have decreased. These aspects reduce the worry of motivated offenders on how their community will judge them if they participate in unethical behavior. Secondly, the same aspect makes suitable targets more vulnerable to crime as protective layers have reduced. Hence, due to this changing social structure, motivated offenders and suitable targets have both increased. With it, the corruption in law enforcement agencies has reduced control. The sum total of it all has increased the crime rates in Indian urban areas.

3.      Effect

Then the theory states that motivated offenders cooperate to strengthen their efficiency in criminal activities. On the other hand, the potential victims join hands to gain collective strength to protect themselves from the attack. The challenge becomes bigger for potential victims when high-net worth individuals undertake criminal activities. The potential victims risk of victimization increases.

From the Indian context, the driver for change in social values has been the thirst for money and power. The higher level of ambition for being powerful and materialistically successful has motivated people to break the traditional social norms and move towards corruption and crime. Previously, the lack of a good criminal justice system was compensated by strict controls from family and community. Now all the three guardians have decreased control and the value of rewards gained from criminal activity is high. The other factor to consider is that voluntary help groups and social support groups are less in India; hence, the potential victims do not get the desired protection. As Cohen said – “it is ironic that the very factors which increase an opportunity to enjoy the benefits of life may also increase the opportunities for predatory violations”. Crime has become the by-product of freedom and prosperity as it has enmeshed itself in routine activities of daily life in Indian urban society.

Closing Thoughts

My personal belief is that for every action, especially criminal or unethical activity, a person needs to ask whether they need to involve themselves in it. When one accepts rewards for the wrong reasons, one cannot avoid punishment for the wrong reasons also. Hence, why go for the wrong rewards in the first place; and if one has received them, why not return them? When one is in a financially strong position and survival does not depend on income from criminal activity, why not refuse to undertake that activity. No one can involve another in a criminal activity if the participants do not wish for any monetary benefits. Hence, to enjoy the benefits of life, say no to crime and unethical activities.

References:

Routine activity theory - Crime Prevention Division – By Cohen and Folsen

 

Impact of Power Styles on Organization Risks

Power, we all want it. If we don’t have it, we associate with the powerful in the hope some of it rubs down to us. Being in the upper echelons of corporate world or the political corridors of the country’s parliamentary houses ensures that you are exempt from the rules applicable to the common person.

However, the way a person gets power and uses it reflects the person’s character, and its influence on others. In the corporate world, the power styles used by senior managers directly influence the risk levels of the organization. Unsurprisingly,  power and politics are undiscussable topics in the corporate world; hence, when risk managers do risk assessments, they ignore the two.

I personally recommend risk managers to understand the individual power styles of the senior managers and overall organization power style. To appreciate the connection between power and risk, let us first look at the power styles and their impact on the organization.

Power Sttyles

Depending on the situation, a leader needs to use various power styles. However, if a leader uses coercive style even when it is not required, then something is wrong. Leaders frequently use power styles of reward and punishment for fulfilling illegitimate requirements. Hence, the probability of followers being involved in unethical activities requiring compromise of personal values is higher. On the other hand, the expert style ensures that followers make informed judgments as the leader attempts to enhance their ethical values and knowledge level. The reward is not in the form of a bribe and is implicit; the leader is dedicated to improving the organization.

Another aspect that requires understanding is the need for creating perception of power. When a leader is undertaking illegitimate activities (watch any Hindi movie to see the underworld Don) he needs to create a strong perception of power by using threat and punishment. Else, his coercive tactics will be ineffective, as people will not cooperate. Therefore, he makes some sacrificial goats to demonstrate that he is above the law and normal rules don’t apply to him. Another tactic is to break the social norms, and not behave rationally and predictably. Both these methods focus on creating fear to ensure compliance. Without the perception of power and fear, the leader becomes vulnerable to revolt from the common person. The only way for him to retain his power is by increasing the number of sacrificial goats, threats, and punishments.

1.   Impact on Legal and Reputation Risks

A coercive leader is usually riding a tiger. The organization risks continue multiplying as more and more people become aware of the unethical practices. An elastic can be stretched up to a limit. Eventually, the concocted environment cocoon will burst and all hell will break loose. The leader cannot trust anyone after a point. Hence, his fear increases in direct proportion to his vulnerability. The leader takes more and more risks to protect his personal fiefdom. The organizations reputation risks and legal risks increase proportionately.

2.   Impact on Human Resource Risks

Overtime, the leader’s charisma wears off. As the layers peel off, disillusion sets in. Employees realize that the leader doesn’t behave with integrity and honesty. Even the loyalists recognize that whenever it suits the leader’s personal agenda, they can face the bullet without any fault of their own. This creates disquiet among employees, and employee disengagement increases. The human resource risks increase manifold with disengaged employees.

3.   Impact on Operational and Financial Risks

The disengagement starts effecting productivity and performance as everyone grasps that meritocracy has no links with rewards. This in turn impacts the bottom line as leader fails to deliver on targets. Failure to show profitability and results makes the leader’s position precarious. The leader starts feeling pressure from the top. As he is unable to improve productivity, he attempts to manipulate results and financial statements. In nutshell, leader’s power style influences operational risks and financial risks of the organization.

Closing Thoughts

No one can deny that success in life depends quite significantly on a person’s power and influence. The general opinion is that means to the end do not matter when we strive for power. On the contrary, how we get power and maintain power, is crucial for longevity in the powerful position. For a coercive leader, the end is tragic, as the hunter becomes the hunted. Moreover, if a leader gets power by paying bribes or giving rewards, his power ends when he stops doing so. His loyalists disappear with speed. Abusing power is no longer safe in the present world, as it increases the personal risks of the leader and the organization risks. Therefore, risk managers need to ensure for continued prosperity of the organization, that leaders get power by the rights means and use it for the right purposes.

India’s Failures In Disaster Management

Floods in North India have left over 70,000 people stranded and 550 dead. Loss to property will run in billions. The on-going rescue efforts are yielding results but very slowly.  The uncoordinated recovery response and efforts indicate lack of disaster management capabilities of the state.

India as a country does not have a properly implemented disaster management system. The Comptroller and Auditor General of India recent report - “Performance Audit Report on Disaster Management of India” highlights glaring deficiencies. Below are some of the key observations from the report. It is sufficient to make Indian citizens sleepless at night.

1.      An Introduction

India with its geo-climatic conditions, high density of population, socio-economic disparities,  politics and troubled relationship with neighboring countries, has high risk of natural and man-made disasters. In respect to natural disasters, it is vulnerable to forest fires, floods, droughts, earthquakes, tsunamis and cyclones. Man-made disaster risks are (1)war, bombing, terrorist attacks, and riots, (2) chemical, biological, radiological, and nuclear crises, (3) hijacks, train accidents, airplane crashes and shipwrecks, etc.

Government passed the Disaster Management (DM) Act in 2005. According to the act, National Disaster Management Authority (NDMA) was formed under the Prime Minister and the National Executive Committee (NEC) developed National Policy of Disaster Management, which was approved in 2009.

2.      Failure in Formation of Disaster Recovery Plan

Until mid-2012, the National Executive Committee (NEC) had not prepared India’s National Plan for Disaster Management. Surprisingly, though India has faced a major disaster each year since development of DM Act, NEC has not met after May 2008. The Working Group it formed in 2007 never met after that.

Then the buck was passed to Ministry of Home Affairs (MHA) to prepare a National Response Plan (NRP). It directed National Institute of Disaster Management (NIDM) to prepare the NRP. NIDM submitted a draft plan in April 2012, which was circulated by MHA to other departments.

The other two components of the National Plan for Disaster Management are National Mitigation Plan and National Capacity Building Plan. While the latter is still under preparation, some departments have submitted the mitigation plans.

Things are equally bad at State level. Just 14 states have submitted their State Disaster Management Plan.  The lackadaisical attitude shows government’s complete disregard towards national and human safety.

3.      Performance of National Disaster Management Authority

The CAG report states that – “So far, no major project taken by NDMA has seen completion. It was noticed that NDMA selected projects without proper groundwork, and as a result either the projects were abundant midway or were incomplete after a considerable period of time.”

The projects included earthquake vulnerability risk assessment, micro zonation of major cities, landslide risk assessment, national flood risk mitigation, national school safety program, mobile radiation detection system, national disaster communication system, etc. The natures of the projects indicate their criticality and importance for disaster management. Even the hazard maps for earthquakes, landslides, cyclone, tsunami and floods are incomplete or unavailable. Without these maps, the government is not even in a position to identify the high-risk areas.

The main reasons for delays in disaster management project planning are lack of committed groups, failure in communicating and coordinating with various ministries, shortage of staff and insufficient knowledge and expertise in these fields. Though funds were approved and allocated for various phases, things just haven’t got beyond conceptualization stage.

4.      Mis-utilization of Funds

Government constituted National Disaster Response Fund and State Disaster Response Fund to deal with the disasters. The government approved Rs 33,580.93 crores for State Disaster Response Funds for a period of five years – 2010-2015. The report indicates that Ministry of Home Affairs is not receiving appropriate information from states on utilization of funds. Audit findings reveal that some states have misutilized funds for expenditures that were not sanctioned for disaster management. There was in a few cases significant delay in releasing funds. Additionally, some States didn’t invest the funds thereby incurring huge interest losses. This shows financial indiscipline in states management of funds.

Secondly, a separate National Disaster Mitigation Fund was to be constituted for reconstruction and restoration activities after the disaster. However, this has not been done till date. The States were required to form State Disaster Mitigation Fund and District Disaster Mitigation Fund. Quite a few states haven’t created the funds. Uttarakhand, the state reeling from floods, has just a State Disaster Mitigation Fund.

The situation is so bad, that the National Disaster Response Reserve of Rs 250 crores to buy relief material (blankets, tents, etc.) was not operational until audit time.

5.      Disaster Management Communication

Department of Space commenced a Disaster Management Support programme in March 2003. The main seven projects started between 2003 to 2007 are incomplete till 2012. These are namely – National Disaster Management Informatics System, National Disaster Communication Network, Doppler Weather Radars, Satellite Based Network for Disaster Communication, Disaster Management Synthetic Aperture Radar, Airborne laser Terrain Mapping and Digital camera System and National Disaster for Emergency Management. Presently, if a disaster strikes and regular communication networks go down, there are no contingency methods available for communication to a disaster-hit area.

6.      National Disaster Response Force (NDRF)

Ten Central Armed Police Forces battalions were formed of 1149 posts each. 27% of the posts were vacant in May 2012. The NDRF personnel don’t have sufficient training, facilities, equipment, and residential accommodation. With these constraints, it is difficult to imagine that they can effectively manage disasters.

Till recently, they didn’t even have deployment guidelines. In a few instances, they were deployed during elections. In one instance, they reached the disaster site without food, water, or tents for themselves. The local authorities had to give the same.

Up to June 2012, just seven states have constituted State Disaster Response Force. Even the local Regional Response Centres are ill equipped.

The impact can be seen at the local fire services level also. As per the Thirteenth Finance Commission, deficiencies in fire services are alarming. 97.54% of the country doesn’t have fire stations, 96.28% doesn’t have fire-fighting personnel, and 80.04% doesn’t have fire fighting and rescue vehicles. Shortage of trained manpower, vehicles, and equipment plague the existing fire service centers.

Locally, the states do have not mobile hospitals and trained trauma management doctors. There are no real medical facilities available for Chemical, Biological, Radiological and Nuclear disasters at national level. This is seriously a pathetic state of affairs. Government bodies are showing no concern for human life.

Closing Thoughts

After reading the report, I realized that Indians have just one option at present – pray to God that disaster doesn’t strike in their region. The governments at national, state and district levels have shown a negligent attitude towards disaster management. This is a classic case – funds are available but nothing has been done to implement the plan. Indian citizens can check with the local politicians and government bodies to assess the level of preparedness for disaster management. If required, local bodies can be formed in different constituencies and societies to act as disaster management task force. As it is a question of citizen safety, public activism will help in developing adequate disaster management capabilities.

References:

CAG Report – Performance Audit Report on Disaster Management of India

 

Strategy For Funding Risk Management Departments

Organizations want risk managers to focus on reducing costs of doing business, especially the regulatory costs. However, when risk managers ask for resources and budgets for running the department, they have to compromise. Lack of budget is generally the main cause for not implementing enterprise risk management, doing strategic risk management, building a risk management culture and providing consulting.

Generally, the budgeting process starts in the last quarter of the year. When the budget committee is approving other revenue earning departments budgets, risk management department heads present a cost budget. This does not go down well with the budget approval committee. They cut ten to thirty per cent of the budget despite risk managers giving valid justifications.

After budget approval, risk managers spend the year trying to squeeze in as much as they can. Sometimes it results in limited coverage and high stress levels for risk managers. With the increasing focus on risk management, the heads of risk management departments need to form a strategy to obtain the required funding. Look at the tips below to navigate the tricky budget approval process.

1. Start at beginning of current year

Start preparing for next year at the beginning of the current year. Identify the long-term and short-term projects. Commence influencing the key stakeholders of the long-term projects from the first quarter of the current year. If risk managers are the last one to submit their budget, they are unlikely to get heard.

2. Analyse the reasons for past failures

Assess the reasons for non-approval of the budget in previous years. Was it because the management thinks risk management is unimportant, is concerned about costs or it harms the interests of the key political players in the organization. After determining the reason, formulate strategies to change the mind-set for next year’s project approval.

3. Build relationships with key political players

Chances are that risk managers focus on the budget committee members for approval. Instead, identify the key power holders within the organization. Identify their relationships with the budget committee members. Before influencing the budget committee members, build relationships with key power holders. Get their support for the risk management function by understanding their drivers and motives.

4. Participate in business strategy formation

Involve yourself with the business strategy group. Identify various risks of the changes in business strategy and recommend the mitigation costs for the same. Attempt to incorporate the risk management budget in the strategy implementation costs. Align risk management budget with corporate goals and strategy.

5. Calculate the Return on Investment (ROI) for various projects.

Robert Biskup wrote an excellent article on Corporate Compliance Insights – “Making the Bottom Line Case for Compliance: The ROI of a Robust Compliance Department”. The nine points give superb ways of calculating ROI. Use the methods to negotiate with the business teams as the department can give a clear demonstration of cost savings or profit earnings. Do ROI calculations for previous years’ projects to demonstrate the value that risk management departments brought to the table.

6. Make business teams bear the cost of the project

For the projects, identify the stakeholders in the business teams. Categorize the projects as critical, necessary and optional from risk management perspective. Sometimes, risk managers spend time doing optional projects at the expense of critical projects, as they cannot refuse powerful business heads. In such cases, present the advantages of getting the assignment done. If possible, check whether business team will merge the cost of desirable projects in its budget next year rather than have it in risk management budget.

7. Build flexibility in budgets

The budgets go haywire when unexpected risks arise or regulations change. Suddenly risk management departments are in fire fighting mode and regular work is ignored. That is bad for business, since other critical risks remain un-monitored. Hence, estimate different cost budgets with probability of various risks and disasters occurring. Present these as contingency budgets to the management and take advance approval for the same. Risk mitigation efforts are delayed when risk managers take approval after a disaster has occurred. Revise the budgets quarterly as the business budget changes.

Closing thoughts

 Generally, risk managers have a financial background so they are outstanding at preparing the budgets. However, problem occurs when they do not have the negotiation skills and political strategy in place. Last quarter efforts do not work because everyone is on the same bandwagon. Gain a head start by starting in the first quarter itself. Be the first one to get the required approvals, so that the function gets what it wants.

Related article: Political Strategy for Risk Management

 

Political Strategy For Risk Management

A recent report published on Harvard Law School blog stated that in 81.2% of manufacturing and 73.6% of the non-financial sector companies have not appointed Chief Risk Officers (CRO). Interestingly, 83.3% of the financial services organizations have appointed a CRO with direct reporting to the CEO. This indicates, that unless mandatory, the risk managers do not have high visibility. Though their role is important in all sectors, they are unable to leverage themselves among the senior management. This issue is not new, and most complain at not getting a seat at the table.

 1.     Develop Political Skills

We need to look this issue from another lens. We need to develop a political strategy for the risk management department. Reason being, technical expertise on a subject takes one up only to the senior middle-management level. At senior management level organization politics dominates decision-making. Hence, risk managers need to develop political skills and astuteness to survive and thrive at that level.

However, the challenge is that though risk management job requires high political skills, very few work at developing them. According to an organizational study, ~ 65-80% employees avoid politics, ~15-25% indulge in negative politics and ~5-10% participate in positive politics.  Risk managers need to develop skills in positive politics to influence senior management.

The positive politics players have win-win, ethical, organization focus, enlightened self-interest, collaborative and best interests of the business mindset. Indulging in negative politics will be harmful as the group has  win-lose, non-ethical, upward focus, self-interest, competitive and personal gain mind-set. Viewing politics as dirty and avoiding it, isn’t an option. Politics prevails in organization DNA and one has to choose how to play it.

 2.     Implement a Political Strategy

Another aspect to look into is that risk managers have to influence the organization to build a risk culture. The concerns of the junior managers differ from those of middle managers and senior managers. Moreover, different business units have clashing interests and priorities. Stumbling from one person to the other and trying to influence them on a random basis will not benefit the organization or the department. Therefore, to influence each sub-group positively, risk management departments need a political strategy.

After developing the political strategy, risk managers need to implement and run with it consistently over time to reap success. It will involve getting supporters, appointing campaign managers, forming coalitions and doing some secret handshakes. Risk managers of course have to walk a fine line of maintaining independence and objectivity while implementing the political strategy.

 Closing Thoughts

Success in organizations depends on how well a person manages their own expectations by understanding the political game. Corporate world is a jungle. One cannot expect that people will make rational and logical decisions in the best interest of the organization. Risk managers will remain on the side lines unless they learn to trapeze the political web. The good news is one can learn political skills.

References:

  1. Risks in the Boardroom – Harvard Law School
  2. Investigations in Organizational Politics