
How do you build and improve resilience in your organisation? In this recording, David Tattam talks about how understanding the dynamics and balancing the voices of risk and reward can help you achieve sustainable rewards.

This session was recorded at the 2018 RMIA Annual Conference and was part of the Organisational Resilience stream. You can download the slides from the presentation at the end of this article.


Video Transcription:

Good morning to you all. This morning, I want to talk about relationships, particularly good marriages and good relationships. This stream is about sustainability. I was thinking about sustainability, not just in business and work life, but also personal life. I have a confession to make, because incidents do make you stronger. I am on my second (and final!) marriage, and it got me thinking about sustainability.

We all dream and hope that when we walk down the aisle that we are there at 95 years old on our rocking chair with our partner. But often as we know, that isn't what ends up. I started to think why. I'll start to flip that over then to an organisation to the relationship that we should have between the partners of risk and reward. That's what this session is really all about. It really stems from the fact of so much going on in risk management, particularly in financial services at the moment, with the Royal Commission, and the APRA report on the CBA.

The APRA report talks a lot about the voices that were not being heard equally. In a marriage, there is the voice of both partners. The balance between the voices of the partners to make it successful. I'm going to start off on a really good note, which is two glasses of champagne to celebrate a happy marriage between risk and reward. What does that look like? I will talk about four things:

  1. The first one is to meet the partners.
  2. Secondly, relationship dynamics between the partners in the relationship.
  3. Thirdly, managing the marriage, because a good marriage requires work.
  4. Finally, reporting on the health of the marriage.

Meet the Partners: Risk and Reward

Firstly let's meet the partners, the reward partner and the risk partner. It is now great to be able to say that now in Australia I could have chosen same sex marriage. However, for no other reason than tradition and making the two partners look different, I'm going to use the traditional marriage to show the risk and reward relationship.


Let's meet the partners in the marriage and understand them a bit better. Now, the only reason I have labeled the female as "risk" is because the Australian slang we use when you tell someone when they're just about to do something risky and to watch out, they go, "She'll be right." "She" is therefore risk. She'll be right means, don't worry with all that risk stuff. I want to go and get reward. As a result, I've labeled the female "risk". That obviously makes the other person reward.

Let's think about what risk and reward are about. Let's learn a bit more about them. Firstly, risk. Risk is the effect of uncertainty on objectives. Reward is the degree to which we meet our objectives. Now, that includes both financial and non-financial objectives. If we think about it, straightaway, we have a connection and a strong bond between these partners. Because one is reward, the degree to which we meet our objectives, and the other one is the effect that uncertainty can have on objectives.

It always amazes me the number of times risk managers do not mention reward. It's all about risk. It's all about putting more controls over that risk to try and minimise it down to nothing or try to eliminate it. As we're going to see in a minute that's not such a great thing in a marriage when you eliminate a partner, it doesn't usually work that well.

Let's think more about the depth of each partner. Now, reward is the degree to which we meet our objectives both financial and non-financial. Importantly, and this is clearly prominent in the Royal Commission, the objective should cover the objectives of all stakeholders, not just the shareholder, as APRA refers to in the CBA report, the voice of finance. It should cover the customer, the member if you are a mutual, the employee, the suppliers, the regulators, society and very importantly, the environment.

Let's move over to the risk partner. Risk is the effect of uncertainty on objectives. Again, as the objectives for reward cover all of the stakeholders, so risk should cover all stakeholders. What risks do we have that affect the shareholder? Yes, we do that quite well, but what about the customer or the other stakeholders we spoke about earlier?

There are typically eight or nine stakeholders that we all have. The balance between those should be driven by your strategy. The question is, what's more important, the shareholder or the member or the environment?

Let's now go and have a look at the couple's child, because children can tell us a lot about risk. I want to introduce you to Jenny. She's seven years old, and she's attempting to achieve an objective. We might appreciate that she's facing some risk. But let's have a little chat with her about what she is trying to do from beginning to end. Number one is what are Jenny's objectives?


The most obvious one for a child is number one, to have fun. But she's a great kid, she also wants to be safe, and she's a fantastic kid because she wants to comply with the park rules. Now, as with our own objectives and our organisations, we'll prioritise these objectives. I'm sure the child will prioritise number one above number two above number three. It's very important we as organisations also prioritise our objectives and are very explicit with what those prioritisations are. We'll cover this later. But when I see an organisation that tells me that they are there for the care and the value add to the customer, and they promote that on all their materials and then they go in-house and encourage salespeople to "sell, sell." We've got something being said externally and internally it's in conflict. We're actually reprioritising for the voice of shareholder over the voice of customer. It might sound familiar in financial services.

Once we have our objectives, risk doesn't come from the objectives, it comes from what we need to do to achieve the objectives. The second step to feed us into risk is what are the critical things that Jenny needs to successfully achieve in order to meet her objectives? 


She needs to get up to the top of the rock safely, play on top of the rock safely, get back to ground level safely. And if she can achieve those three steps, she's achieved her objectives.

Once we have identified those critical steps, we can now identify things that could stop her achieving those critical steps. We happen to call those risk.


As a parent, falling is probably the most obvious one. Now, falling is a risk event. A risk event for us is the point at which you lose control. If I am walking along and I start toppling over, that's the point of lost control, and that is my risk event, falling risk.

Now, this stage we don't know why Jenny might fall. So, I'm going to come up with five reasons she might fall. We call those the root causes.


She's just a seven-year-old, so human error. It rained last night, liquid has made slippery ground. Moss on the rock to make it slippery, and so on. That's our root causes. As a result, we've gone all the way back from objectives through critical process through risk events to root causes. And then we think about how do we control that risk?


I've given you six potential controls that we could use. From inspections to clean up, non-slip shoes, first aid.

Now, I want to put this all together in a picture, and some of you that know Protecht, you know we love bow ties. So, bow tie analysis is the way that we can pull that all together, our favourite approach. It goes something like this if you're not familiar with bow ties.


In the middle of the bow tie, we put the point at which you lose control, which is the risk event, and that's falling. We then move either left or right. I'm going to go left first, to go back to the root cause. We are to do that by asking, but why? We keep on asking but why until the answer is, it just is or it's outside of our influence. Let's go.

She's just a kid. Why is she just a kid? Well, she's just a kid. So, human error in this instance, is one of our causes, because it just is. Liquid hazard is on the ground. But why? It rained last night. Is the level of rainfall within Jenny's influence? No, it is not. So, it's one of her root causes. It's an external root cause. I'm not going to say and explain each one of these, I'll leave the rest to your own thinking.

That gives us our root causes. We've now expanded that left hand side to go back to the source, the root cause of the risk. We then go the other way by asking, but what next? We don't stop until one or more of our objectives has been impacted. You can see on the right hand side, those three boxes equate to the objectives that Jenny had in the first place. Now, obviously, in risk management, we call the first one root causes, the bits in the middle risk events, and the right hand side risk impacts. An impact should always equal your objectives. I'm still amazed at the times we go to new clients and we look at their impact types and they don't correspond with objectives. There is no linkage between risk and reward. 

One of the first takeaways is to ensure that your impact types in risk management exactly equal the objectives out of the strategic and the business plans.


Once we've got that, we can put the outline around it and that gives us the bow tie. We can then start adding our controls on at the appropriate spot. Inspections and clean up for liquid hazard and moss hazard. Training for the child, non-slip shoes, cushion, safety hat and first aid.

What we've done here is gone through that picture of risk from left to right, and put various controls in place. Now, the controls on the left are preventive controls. The controls in the middle are detective controls, and the controls on the right are reactive or corrective controls. Once we look at that, we have the picture of marriage, because we have both partners. Because on the left hand side everything around "falling" is risk, we have the bride. On the far right we have impacts which equal our objectives, which is reward. Here is the groom.

One of the key things here is that in risk management, we should never ever talk about risk without talking about its partner. If we talk about risk, we need to be talking about reward or the objectives because if you're not, you're not connecting the partnership together. Now, the first way to do that, is make sure that in every discussion you use the word risk, you must also mention reward. We train a lot of front-line managers, and they complain about risk managers talking about risk and having to control everything and spend lots of money on controls and causing the business a lot of overheads and so on. I say to them, the answer or the question you should ask is, why do you want me to add that control in? If they say, "Oh, it's because it's risky." Then you ask the second question, What objectives of my business does this risk affect? A risk manager who doesn't think risk reward will go, "Well, it's just risk. You've got to control it." Well not acceptable. You've got to be able to link it and explain how the control affects the objectives of the organisation's risk reward.

That is a most common diagram that we use to explain the marriage, risk and reward, and it should sit on one sheet. Which means we are looking at both partners at the same time.

Relationship Dynamics of Risk and Reward

Now we understand what the partners in the relationship are, let's have a look at the relationship dynamics. How do the partners relate together? How does the marriage work? How do risk and reward interact? Are they enemies or best friends? Well, let's be honest with sustainability, enemies are not going to last long. If they are friends, then we're going to have a sustainable relationship, a sustainable marriage.

So, let's think about the dynamics. Let's go back to the definition of risk from the ISO 31000 standard. It says risk is the effect of uncertainty on objectives. Now, if risk is the effect of uncertainty on objectives, managing risk must be managing the effect of uncertainty on objectives.

I would put to you, sorry for all of you in the room, risk management as a discipline makes no sense. I don't know why we call ourselves risk managers because it's not what we really do. What we really do is this:


Because we are managing the effect of uncertainty on objectives. What we're really doing is managing objectives.

I wish our industry was actually called outcome management. This creates magic. Why? You go up to your front-line management team or CEO, or whatever and say, "Good morning, I'd like to have a chat with you." And they go, "Who are you?" "I'm David from risk management." They look at their diary, and miraculously, there's no room for six to eight weeks. I'll come back to you in 10 weeks. "Good morning. It's Dave here. Where are you from?" "I'm from outcome management." At the risk of sounding like a consultant, they say, "What do you do?" I say, "I'm here to help you nail your objectives." I bet they're going to give me a seat at the table on day one.

The first thing to remember is that we're not risk managers we're outcome managers, and each of you that is a risk manager, I want you to add a translator chip into your brain right now and give one to every employee in your organisation. And it works like this, every time you hear the word risk management, you say to yourselves, outcome management. Your face will go from a grimace to a smile, because you're now talking about the relationship between risk and reward, not risk in its own right.

Let's have a look at outcome management as an example. This is a lovely main road in Nairobi, in Kenya.


Our objective in the example is to get to the end of the road safely. The potholes, obviously represent risk because they create uncertainty as to the achievement of my objective of getting to the end of the road safely.

So, let's consider how we might try and achieve our objective. Number one drive flat out. Drag race up to the end, hopefully jump over the potholes. Now, this is about the "she'll be right" brigade. Because they are only focused on getting to the end of the road they want to ignore the potholes (risk). What could be the result of this? The first time they go, they might luckily make it, second time might luckily make it and so on. On the (say) eighth time, however, that's what happens (car crashes in pothole). We call this boom, bust management. Boom, boom, boom, boom, life is good for a while. Then something (risk) comes along, and we're bust. We're very good at that in business, particularly financial services. It usually takes seven years for the bust to come along, but it does.

This kind of relationship is where the "male" or reward is the biggest, and the "female" or risk is tiny, because we're not listening to the voice of risk. That will be Boom, boom, boom, bust. Because after a while, the risk partner who's being ignored, gets kind of annoyed and frustrated and bursts out with "Remember me?" "Who are you?" "I'm your partner in your marriage." "Oh, sorry, I forgot about you." And then we have the global financial crisis. And then we worry about the risk partner lots and ignore the reward partner. I'll come to that later. That is not a happy marriage.


Number two, we look at the holes and they scare us. We are so paranoid about falling in a hole, we give up. I'm not even going to attempt it. This is called avoidance or elimination. In this instance, obviously zero success. We just give up, we go home, so we're never going to achieve anything.

Then in this instance, we've got a tiny "male" or reward and a really big "female" or risk because we're focusing too much on risk in this scenario.


Number three, we look at the potholes, they scare us, but we really want to get to the end of that road. So, what do we do? We buy some really big wheels and tires. It slows the car down dramatically and costs a fortune. It takes two hours to get to the end of the road, and by the time we're there, we're bankrupt. This is the same problem as the earlier example, but for a different reason. This is where the "male" or reward is very small. We're not worrying about reward. Cost doesn't matter and risk management / control is huge.

Same as the one before, but through too many controls bogging the business down. What's the solution?


I would suggest that we smartly maneuver around each pothole as you come up to it; quick left, quick right, 25 kilometers an hour, slow down, brake, left, right, and we weave our way up through the road. Now, as we're doing that, we are now focusing on both reward and risk equally. We have a balanced and happy marriage.

I will put to you that there is where we will get success. Success is sustainable reward. It's not boom, boom, boom, boom, boom, boom, bust, it's boom, boom, boom, which is reasonable profits but not crazy. But we can keep on repeating that year after year and will end up with our partner at 95 years old still holding hands because we got a balance between the two. Now, that to me is success. That's what sustainability is all about.

My number one objective in risk management is sustainable reward. That's it. That's what we do, sustainable reward.


To sum that up then, if we look at the partnership, reward is the main focus, risk is secondary, she'll be right, boom, bust. Rewards, secondary focus, everything's too risky around here, our main focus is risk. No boom whatsoever, therefore a long term bust. 50%, 50% equals long term sustainability. That is the dynamics between the partnership.

Let's now think about the relationship and how the dynamics work. Firstly, generally, as long as you're taking reasonably smart risk, the greater the risk, the greater the average expected reward. However, the greater the risk, the greater the potential variation around that expected outcome.


Now, many many years ago I did a degree in business finance and I remember doing a class on economics, which introduced me to the concept of this. Some of you might remember this from your uni days, the capital asset pricing model or CAPM.


This is a map of the partner, male return or reward up the left. We have now risk, the other partner on the horizontal axis, and we map the two as how they relate. They relate like this. Let's have a look at expected reward or expected relationship. 

On the left hand side, that's the level of return we're going to get for taking no risk. We call it the risk free return. If you're thinking about it financially, let's say investing in a three year government bond, very low risk, only sovereign risk, but obviously a very low reward. As you move to the right and take more risk and make the risk partner bigger, on average, expected return for the other partner goes up. Now, obviously without any other additional information, it would make sense to always have massive risk and massive reward. But it's missing something, and that's variation.

So, let's now add variation on, variation. The more risk we take, there is a bigger chance of not meeting that outcome in a negative sense. Over here, very low variation, the outcome's fairly certain. Equally though, as long as the risk has an upside, we call it opportunity risk, it could also be that, where we take a risk and the actual outcome is better than what we expect. This is really important in risk management in that we've got to appreciate that some risks have an upside and a downside where some risks have downside only. Downside only we call threat risks. Once they have an upside, the upside we call opportunity risk, and the downside, threat risk. Obviously, we need to be smart about this because the opportunity risk can actually add to our outcomes, the green side. Threat risk can hurt us.

Maximise the upside, minimise the downside. One of the things that we're going to talk about in a minute is how far up this side can we go? How big can we get the risk partner to be? Well, that's determined by risk appetite. In this instance, it tells me the marriage can never go further right than that blue line. That's our risk appetite. Now, I'm going to talk about risk appetite in a second. The key is, the higher the risk, the greater the expected reward. However, the greater the variation around that expected outcome.

Managing the Marriage Between Risk and Reward

Now, we understand the relationship dynamics. When I talk now about the managing the marriage, the keys to a happy, sustainable marriage, making great relationship decisions. Because a lot of what we do in risk management should be focused on helping our people make better decisions. In a marriage, good decisions will equal sustainable marriage. Finally, incentives for success. Let's have a look.


The keys to success:

  1. Number one, understand each partner really well. Get to know your partner extremely well before you go and walk down the aisle. Get to know reward really well and get to know risk really well.

  2. Understand the needs of each partner. What are the needs of reward? Where does that come from? Strategic plans and business plans. Understand the needs of risk. What are the risk targets? What are we aiming for? What's the right balance?

  3. Understand the boundaries around the relationship, particularly around risk appetite.

  4. Ensure both partners have equal say in the relationship. I would argue a relationship where one partner dominates the other is not going to end in a happy. It's going to have a limited life. Equally, a business that downgrades risk to the detriment of reward, we know what that looks like. A decision is made, it's all based on reward, and when it's made, someone says, "Can you tell risk? Apparently, they have to do some tick off or something." That's disgraceful. Risk should be at the table at the same time reward is at the table so their voices are heard equally.

  5. Ensure the performance of the marriage is measured based on the optimal outcome for both partners, not just one. We have so many incentive schemes based purely on reward. Yes, sales volumes and goodness knows what. We see that in financial services a lot, and that ends in tears.

  6. Ensure that those that make decisions that affect the partnership are incentivised for both risk and reward performance. So, the incentive scheme is there to make sure the balance between the partners is managed appropriately.

Let's go to two of those. Let's understand then the reward part really well. For that, we need a really good strategic plan, which is, where do we want to be in three years' time, and the right business plan of how are we going to get there? I'm still amazed at the number of times we go out to clients and we start doing risk work with them. I always asked for a series of information from the customer or the client. The top of the list is the strategic plan and business plans.


So many times I get a call back saying, we want to know why you want the strategic plan. Here is an organisation that doesn't in any way link risk with reward. Or secondly, they say, "Well, I actually our strategic plan and business plan isn't very good. We don't have very measurable targets. So, we often back-fill." You can't do any decent risk management unless you have a very strong strategic and business plan with measurable KPI targets.

Second part then is risk appetite.


What is the maximum amount of risk that we are allowed to take? This puts a size around the risk partner. We think about what risk appetite is, the maximum amount of risk that we are willing to take in pursuit of our objectives. So, how big, and I don't mean physical, how big can the risk partner be? Because that is going to determine the maximum size of the reward partner, because they are linked.

Now, in this instance, we call the risk appetite, freedom within boundaries. I want to give you a little illustration of this. We're going to use this illustration to really have a look at the relationship between risk and reward for decision making. Let's start off then with risk appetite, an illustration. Imagine that you and your partner have two children, Jenny, we've already met Jenny and Johnny.


This weekend you want to go to the local park. And your objective with your partner is to have wine and cheese and chat about the film you saw last night on a picnic rug in the middle of the park. 

Johnny and Jenny, they have got different objectives. They are off, they want to go play. They want adventure and fun. You say, "Wait a second. Before you go, don't go too far away." Why? Because over there, there's really high trees, there's a rock ledge over there, there's a main road over this side and a river over here. And we know that the further they go away from the picnic rug, the greater the risk. It's a risk proxy or risk indicator. In addition. We can't supervise them as well, so our controls are weaker the further they go away.

So, Johnny says, "How far is that dad or mom?" Now, you're not allowed to mark the park. The line's invisible. Poor old Johnny doesn't know quite where that is, and you have to explain it. So, you say to Johnny, "It's a pretty big area." In our view of the world, big is risk appetite. Appetite is the size of risk manifested in a qualitative measure. It's fantastic for mum and dad (the board) to discuss the relative risk appetites we have.

Now, mum and dad might say, "Well, playing risk medium, sugar risk, zero." It's good to articulate the relativities between your different risk types. However, Johnny doesn't know what "big" is. So, it's not very good to operationalise into the business so that your business decision makers can make decisions.

What do we need? We need a measurable metric that supports the appetite. I'd suggest the best one we might have is meters from the picnic rug. We now say "up to 22 meters away". That is a "tolerance" supported with a measurable indicator. We are assuming Johnny and Jenny know what a meter is. We need to educate them in what that indicator means. But we'll assume they do. Once we've got that, they now know that they are free to play within that circle, but they're not allowed to go outside, and they are free to do what they like in that circle to have fun.

Now, ordinarily, in risk management, we generally like colours. What we generally do is we have an inner sanctum called the green zone. Which means within appetite, no action required. Between the green and the boundary, we usually have amber, which means within appetite, raised attention. Outside is pretty obvious, which is outside of appetite, action required. That then gives us that classic RAG, red, amber, green. Some of you might have red, amber, green, pink, blue or whatever, it doesn't matter. I've just got three, it seems to be the most basic.

Now, in addition, we've got capacity. Capacity is the point at which you take risks that could threaten your survival. That's when Johnny and Jenny walk across the main road over here or go into the river. We have now, capacity, maximum risk we are able to take. Come back in, we have appetite. Come back in, we then have a trigger, which gives us a green, amber, red. That then gives us a maximum amount over the size of the risk partner.

That is critically important because the bigger the risk partner, on average, the greater the reward partner. But equally, the greater the potential variation. So, you want the kids to have fun, but you don't want to risk their personal health to a degree, which is obviously potentially going to be long term injury. That then leads us to relationship decision making.


The first major objective of risk management is sustainable reward. How do we get that at a micro level through better decision making, risk reward decision making. When you make a risk reward decision in a relationship, in your business, step number one is to ask the question, "Can I"? The "Can I?" test. This is testing whether the level of risk in the decision is within your risk appetite. If the answer is no, you can't. If it is yes, you can.

Now, there's a second risk appetite called society's risk appetite, which is given to us by compliance, compliance obligations. Is it within the law? Yes or no? Is it within your risk appetite? Yes or no? If either of those answers is outside, the answer is we can't do it. If it's within, it means we might do it, but not necessarily we will, we might. We then move on to the second question. If it is within appetite, we move on to the "Should I" test. The "Should I?" is where we balance the reward with the risk. What is the optimal relationship between the reward and risk once we've determined the maximum size of risk?

Let's go back to the picnic rug and apply the Should I test.


In order to do this, we need one more zone, and that zone is in the middle called the blue zone. Some of our clients have it, not all. It's a one meter boundary around the picnic rug. You're going to see how we use that in a second. Once we've got that, you then need a really good risk system. This risk system is an app on your iPhone which measures the location of the kids, with respect to the picnic rug by geo locating the kids with a chip somewhere. We can measure how far away they are from the picnic rug.


Risk Appetite: The Red Zone

So, let's have a look. Okay, beep, beep, beep, 23 meters, which means they're in the red zone. You're having a lovely chat with your partner. If it goes into red, you need to interrupt your partner and say, "Excuse me." And go running off. Grab Johnny, Jenny by the ear, pull them back in, "What the hell are you doing out there?" Because red is outside of appetite. Don't tell me you're having a great time. It's irrelevant because you are outside of appetite.

Unfortunately, a lot of people in risk management start accepting red as the norm. That's unacceptable, totally unacceptable.


Risk Appetite: The Amber Zone

The next then is 21 meters. 21 meters is just on the amber zone. A lot of people think amber is not good. I disagree. It depends on the other partner in the relationship. A lot of people go if it's an amber, get it back to green, not necessarily. Let's see what I'm going to do if it's in amber. I'm chatting with my partner. I wait for a pause to ask a question of the kids. Because it's within appetite but raised attention.

I call over to Johnny and Jenny, and ask, "What are you doing over there?" The first thing they say is, "We're playing on our iPads." What am I going to say if they're playing on their iPads? I'm going to say, "Come back into the picnic rug." Why? Because I know they can get the same reward playing with their iPad sitting on the picnic rug with a lot less risk. So, that is not a good relationship dynamic. I'd go, "Come on, get yourself back here." Or they say, "Oh, Dad, we found a fantastic cave. Bats are in here, Bear Grylls is with us down here. We're having so much fun." What I'm going to say now, I'm going to say, "Good on you guys. Awesome, tell us all about it when you get back," because they've justified that their reward is worth it for using that level of risk. There's the relationship.


Risk Appetite: The Green Zone

Next, 14 meters, they're in the green zone. What am I going to do now? We're talking about a great part of the field, I'm not going to interrupt my partner. I'm going to wait because green is okay, and I'm going to wait for a nice break when they're done. I just turn around, "Johnny, Johnny what are you doing?" "Playing with our iPads." "All right guys, look, I know you are. But honestly, come back to the picnic rug." I'm pretty relaxed because it's green. But it's not optimal, because I can get a lower risk for the same reward.

Or they might sit and go, "Oh, we're playing tag, we're having okay fun." I go, "Okay, cool." Because I've now met risk reward. Although they go, "Oh, we're bored. We want to go home." What am I going to do then? I'll say, "Get out to the cave." Go and take more risk because the reward is not enough. And then the favourite spot for me is 0.5 meters on the picnic rug, complaining and moaning. "We've had enough, we want to go home." What are you going to say to the kids? The first one I'd say is, "Why are you complaining?" "Oh, we just had enough." What are you going to say as a parent? I know what I'm going to say. "Go away. We brought you here to the park to have fun and you're moping around the picnic rug." Take more risk.

A risk manager should sometimes encourage the business to take more risk.


And I know it goes against a lot of philosophies. We are risk managers, we are not risk minimisers. If we're not getting enough reward we should be pushing the business. In financial services we talk about the three lines of defense. I don't like the word defense, it should be called the three lines of defense and attack. Because attack is when we're taking too little risk. Or they go, "Oh, Dad, I've broken my leg." If they've done that, they've justified why they are taking little risk and it would be remiss of me to say go away. I'd be going, "There, there, there." Fix it up and it's okay to be in that zone if you have a reason.

That is then bringing in the can I, should I test together. You can see the importance of the relationship dynamics once you are within the area of freedom. So, let's finish up then talking about reporting on the performance of the marriage.

Reporting on Marriage Performance

How well is the marriage going? Let's have a look. Let's have a look at how the male partner's going. 


A few little measures, we might call them performance indicators, and we might scale them green, amber, red. Green's great, red's not so good.

All right. That's a little snapshot of how reward is going. What about risk? How is she going? Add a few risk indicators on and see how they're going. We've done it individually now. But the key is going to be to bring it together because we should be looking at the balance of how they're feeling, not one over the other.

But that then brings me to a section of the APRA report on the CBA. One of my favourite parts of it is all about the voices. It gives us some key lessons around the voices.


It says particularly, that the objectives of different stakeholders must be balanced. The voice of finance and the voice of customer must be heard equally. The short term, long term objectives must be balanced. The voice of risk must be balanced with the voice of reward. Sound familiar? Bonuses linked directly to sales volume relating to how the groom is feeling alone is unacceptable. Because you're only looking at one side of the equation. Bonuses should be linked to a balance of metrics covering all relevant stakeholders, and both risk and reward, which is the state of the combined partnership.

So, balancing the voices of risk and reward, what might it look like?


Well, here's the voice of the groom. Here's the voice of the bride. Now, it's slightly more complex than that. There's not only two people in this relationship. I won't go any further with this analogy, but there's lots. Because each of the stakeholders has a partnership, the voice of customer, the voice of shareholder, the voice of employee, the voice of supplier. What we have, therefore, is a matrix. We have risk and reward but by stakeholder. If we look at that, and we measure all of that, and we put the two together, it might be something like this.

Without knowing the metrics that's gone behind that, how do we feel about this organisation? Well, I would figure the shareholders are pretty happy. Reward's good, green and amber risk, pretty good. The customer, oh dear. We can't really care about the customer do we? Both red and both reward and risk, the voice of customer is not being listened to. The employees are happy. Great reward, very little risk for the employees. Sounds like a very selfish organisation to me. Shareholder and employee are key. Regulator, not really happy. Society don't seem to care too much about that. But that is an example then of a little snapshot of the marriage. What might it look like? Here's an example.


Over on the left here, we have the performance of the groom. On the right we have the performance of the bride. Without looking at specific metrics, what does this tell us? Well, again, shareholder happy days. Green reward, green risk. Customer, oh dear. The employee, pretty good. Regulator, not happy. Supplier, third party, not happy.

Now, for me, if we instead reported like that, this was then the focus of the bonuses that were given to CEOs and whatever, the world would change. I would argue coming out of the CBA APRA report, and the Royal Commission is this is a bit of a practical solution to make this happen. Maybe for those of you that attend the discussion on the Royal Commission tomorrow, might expand that a little bit further.

Finally, what does the risk side look like? Because I'm not here just to talk about performance, more risk side. Well, traditionally, and I think it was earlier this morning that spoke about the different ways you can measure risk. Traditionally, we might do it by five by five matrix, very basic. We might add on to that some indicators, but to us, is that risk measure is a whole myriad of things. We call it Protecht RiskInMotion™.


RiskInMotion is bringing all the risk information together. In the first column, we've got our risk assessment from say a typical five by five matrix. In the next column, the results of our controls testing on controls over the risk, key risk indicators on that risk, audit findings, outstanding actions, past incidents and so on.

This morning we heard about continuous monitoring, picking up information from the internet of things. That's indicators, that's going in RiskInMotion. This now creates a dynamic risk profile so that we're always checking in with the risk partner and going, "How are you going? Are you okay today?" and not shutting them in the closet for seven years and ignoring them based on "she'll be right". We don't want that, we should be checking in with each partner on an ongoing basis.

We believe the risk partner isn't checked on often enough because we do risk statically and we need to move to a dynamic view.


Let's finish up then with the motivation to create a happy marriage. That moves us finally to incentive schemes and remuneration.


In the APRA report, it says bonuses linked directly to sales volume and sales targets should be removed. Hallelujah, we should not measure the performance of a relationship purely on how the husband is feeling. It's not going to work. Bonuses should be linked to a balance of metrics covering all relevant stakeholders and both risk and reward. Exactly what we just spoke about.

Finally, tips for a resilient marriage.


Risk and reward partners are equal. They have equal voices. One partner risk, supports the other partner, reward. They are not enemies.

A lot of people think that risk management stops us doing things. The "Business Prevention Unit", as it's often called. This is totally incorrect, it's completely the other way around. It's a "Business Enablement Unit".

Reward requires risks. They can't live without each other, and reward cannot be achieved without risk. Risk and reward are best friends. They're not enemies. Risk and reward must consider every stakeholder in the relationship, not just one or two, such as the shareholder.

If you achieve that, you'll have a happy marriage and sustainable reward. Now, I've spoken a bit about the APRA CBA report hundred, 111 pages, which some of you may have read. If you haven't read it, I did do a blog when it came out that I think goes to 12 pages or so. It is on our website as a blog. I'm also on LinkedIn. So, please have a look at that.

I just want to finish with this thought, and it's something I couldn't tell you up front, because no one of you would have listened to a word I had to say. And that is, over the past six years, one of my biggest training clients is the Commonwealth Bank of Australia. I do much of their internal operational risk training.

When the CBA Report came out, my wife looked at me over the breakfast table in a wonderful way. She said, "Dave, you can't be doing a very good job." My response was this, and it's a really important takeaway for you.


You can take a horse to water, you can't make it drink. You can take risk management to an organisation, you can't make them do it. I believe the risk knowledge is in the bank but maybe the voice of risk was not being listened to enough!

All the training we do, in these conferences you come to, we can show you the wonderful lake that is risk management. Beautiful water, very good for your health. But we can't grab your heads, dip them in and go, suck, you've got to want to do that yourselves.

The only way they're going to do that is if you show them the incentive of drinking from the beautiful lake that is risk management because then they'll have the incentive to do it.


Hopefully you will realise that the reward which you love so much cannot survive without risk. That way we risk managers will be brought into the decisions up front and be an equal partner in the marriage. Other than that, thank you, cheers and we'll enjoy the happy marriage tonight when we have our dinner. Thank you.
