How do you build and improve resilience in your organisation? In this recording, David Tattam talks about how understanding the dynamics and balancing the voices of risk and reward can help you achieve sustainable rewards.
This session was recorded at the 2018 RMIA Annual Conference and was part of the Organisational Resilience stream. You can download the slides from the presentation at the end of this article.
Good morning to you all. This morning, I want to talk about relationships, particularly good marriages and good relationships. This stream is about sustainability. I was thinking about sustainability, not just in business and work life, but also personal life. I have a confession to make, because incidents do make you stronger. I am on my second and final! marriage, and it got me thinking about sustainability.
We all dream and hope that when we walk down the aisle that we are there at 95 years old on our rocking chair with our partner. But often as we know, that isn't what ends up. I started to think why. I'll start to flip that over then to an organisation to the relationship that we should have between the partners of risk and reward. That's what this session is really all about. It really stems from the fact of so much going on in risk management, particularly in financial services at the moment, with the Royal Commission, and the APRA report on the CBA.
The APRA report talks a lot about the voices that were not being heard equally. In a marriage, there is the voice of both partners. The balance between the voices of the partners to make it successful. I'm going to start off on a really good note, which is two glasses of champagne to celebrate a happy marriage between risk and reward. What does that look like? I will talk about four things:
- The first one is to meet the partners.
- Secondly, relationship dynamics between the partners in the relationship.
- Thirdly, managing the marriage, because a good marriage requires work.
- Finally, reporting on the health of the marriage.
Meet the Partners: Risk and Reward
Firstly let's meet the partners, the reward partner and the risk partner. It is now great to be able to say that now in Australia I could have chosen same sex marriage. However, for no other reason than tradition and making the two partners look different, I'm going to use the traditional marriage to show the risk and reward relationship.
Let's meet the partners in the marriage and understand them a bit better. Now, the only reason I have labeled the female as "risk" is because the Australian slang we use when you tell someone when they're just about to do something risky and to, watch out, they go, "She'll be right." "She" is therefore risk. She'll be right means, don't worry with all that risk stuff. I want to go and get reward. As a result, I've labeled the female "risk". That obviously makes the other person reward.
Let's think about what risk and reward are about. Let's learn a bit more about them. Firstly, risk. Risk is the effect of uncertainty on objectives. Reward is the degree to which we meet our objectives. Now, that includes both financial and non-financial objectives. If we think about it, straightaway, we have a connection and a strong bond between these partners. Because one is reward, the degree to which we meet our objectives, and the other one is the effect that uncertainty can have on objectives.
It always amazes me the number of times risk managers do not mention reward. It's all about risk. It's all about putting more controls over that risk to try and minimise it down to nothing or try to eliminate it. As we're going to see in a minute that's not such a great thing in a marriage when you eliminate a partner, it doesn't usually work that well.
Let's think more about the depth of each partner. Now, reward is the degree to which we meet our objectives both financial and non-financial. Importantly, and this is clearly prominent in the Royal Commission, the objective should cover the objectives of all stakeholders, not just the shareholder, as APRA refers to in the CBA report, the voice of finance. It should cover the customer, the member if you are a mutual, the employee, the suppliers, the regulator's, society and very importantly, the environment.
Let's move over to the risk partner. Risk is the effect of uncertainty on objectives. Again, as the objectives for reward cover all of the stakeholders, so risk should cover all stakeholders. What risks do we have that affect the shareholder? Yes, we do that quite well, but what about the customer or the other stakeholders we spoke about earlier.
There are typically eight or nine stakeholders that we all have. The balance between those should be driven by your strategy. The question is, what's more important, the shareholder or the member or the environment?
Let's now go and have a look at the couple's child, because children can tell us a lot about risk. I want to introduce you to Jenny. She's seven years old, and she's attempting to achieve an objective. We might appreciate that she's facing some risk. But let's have a little chat with her about what she is trying to do from beginning to end. Number one is what are Jenny's objectives?
The most obvious one for a child is number one, to have fun. But she's a great kid, she also wants to be safe, and she's a fantastic kid because she wants to comply with the park rules. Now, as with our own objectives and our organisations, we'll prioritise these objectives. I'm sure the child will prioritise number one above number two above number three. It's very important we as organisations also prioritise our objectives and are very explicit with what those prioritisations are. We'll cover this later. But when I see an organisation that tells me that they are there for the care and the value add to the customer, and they promote that on all their materials and then they go in-house and encourage sale people to "sell, sell." We've got something being said externally and internally its in conflict. We're actually reprioritising for the voice of shareholder over the voice of customer. It might sound familiar in financial services.
Once we have our objectives, risk doesn't come from the objectives, it comes from what we need to do to achieve the objectives. The second step to feed us into risk is what are the critical things that Jenny needs to successfully achieve in order to meet her objectives?
She needs to get up to the top of the rock safely, play on top of the rock safely, get back to ground level safely. And if she can achieve those three steps, she's achieved her objectives.
Once we have identified those critical steps, we can now identify things that could stop her achieving those critical steps. We happen to call those risk.
As a parent, falling is probably the most obvious one. Now, falling is a risk event. A risk event for us is the point at which you lose control. If I am walking along and I start toppling over, that's the point of lost control, and that is my risk event, falling risk.
Now, this stage we don't know why Jenny might fall. So, I'm going to come up with five reasons she might fall. We call those the root causes.
She's just a seven year, so human error. It rained last night, liquid has made slippery ground. Moss on the rock to make it slippery, and so on. That's our root causes. As a result, we've gone all the way back from objectives through critical process through risk events to root causes. And then we think about how do we control that risk?
I've given you six potential controls that we could use. From inspections to clean up, non-slip shoes, first aid.
Now, I want to put this all together in a picture, and some of you that know Protecht, you know we love bow ties. So, bow tie analysis is the way that we can pull that all together, our favourite approach. It goes something like this if you're not familiar with bow ties.
In the middle of the bow tie, we put the point at which you lose control, which is the risk event, and that's falling. We then move either left or right. I'm going to go left first, to go back to the root cause. We are to do that by asking, but why? We keep on asking but why until the answer is, it just is or it's outside of our influence. Let's go.
She's just a kid. Why is she just a kid? Well, she's just a kid. So, human error in this instance, is one of our causes, because it just is. Liquid hazard is on the ground. But why? It rained last night. Is the level of rainfall within Jenny's influence? No, it is not. So, it's one of her root causes. It's an external root cause. I'm not going to say and explain each one of these, I'll leave the rest to your own thinking.
That gives us our root causes. We've now expanded that left hand side to go back to the source, the root cause of the risk. We then go the other way by asking, but what next? We don't stop until one or more of our objectives has been impacted. You can see on the right hand side, those three boxes equate to the objectives that Jenny had in the first place. Now, obviously, in risk management, we call the first one root causes, the bits in the middle risk events, and the right hand side risk impacts. An impact should always equal your objectives. I'm still amazed at the times we go to new clients and we look at their impact types and they don't correspond with objectives. There is no linkage between risk and reward.
One of the first takeaways is to ensure that your impact types
in risk management exactly equal the objectives out of the strategic and the business plans.
Once we've got that, we can put the outline around it and that gives us the bow tie. We can then start adding our controls on at the appropriate spot. Inspections and clean up for liquid hazard and moss hazard. Training for the child, non-slip shoes, cushion, safety hat and first aid.
What we've done here is gone through that picture of risk from left to right, and put various controls in place. Now, the controls on the left are preventive controls. The controls in the middle are detective controls, and the controls on the right are reactive or corrective controls. Once we look at that, we have the picture of marriage, because we have both partners. Because on the left hand side everything around "falling" is risk, we have the bride. On the far right we have impacts which equal our objectives, which is reward. Here is the groom.
One of the key things here is that in risk management, we should never ever talk about risk without talking about its partner. If we talk about risk, we need to be talking about reward or the objectives because if you're not, you're not connecting the partnership together. Now, the first way to do that, is make sure that in every discussion you use the word risk, you must also mention reward. We train a lot of front-line managers, and they complain about risk managers talking about risk and having to control everything and spend lots of money on controls and causing the business a lot of overheads and so on. I say to them, the answer or the question you should ask is, why do you want me to add that control in? If they say, "Oh, it's because it's risky." Then you ask the second question, What objectives of my business does this risk effect? A risk manager who doesn't think risk reward will go, "Well, it's just risk. You've got to control it." Well not acceptable. You've got to be able to link it and explain how the control affects the objectives of the organisation's risk reward.
That is a most common diagram that we use to explain the marriage, risk and reward, and it should sit on one sheet. Which means we are looking at both partners at the same time.
Relationship Dynamics of Risk and Reward
Now we understand what the partners in the relationship are, let's have a look at the relationship dynamics. How do the partners relate together? How does the marriage work? How do risk and reward interact? Are they enemies or best friends? Well, let's be honest with sustainability, enemies are not going to last long. If they are friends, then we're going to have a sustainable relationship, a sustainable marriage.
So, let's think about the dynamics. Let's go back to the definition of risk from the ISO 31000 standard. It says risk is the effect of uncertainty on objectives. Now, if risk is the effect of uncertainty on objectives, managing risk must be managing the effect of uncertainty on objectives.
I would put to you, sorry for all of you in the room, risk management as a discipline makes no sense. I don't know why we call ourselves risk managers because it's not what we really do. What we really do is this:
Because we are managing the effect of uncertainty on objectives. What we're really doing is managing objectives.
I wish our industry was actually called outcome management. This creates magic. Why? You go up to your front-line management team or CEO, or whatever and say, "Good morning, I'd like to have a chat with you." And they go, "Who are you?" "I'm David from risk management." They look at their diary, and miraculously, there's no room for six to eight weeks. I'll come back to you in 10 weeks. "Good morning. It's Dave here. Where are you from?" "I'm from outcome management." At the risk of sounding like a consultant, they say, "What do you do?" I say, "I'm here to help you nail your objectives." I bet they're going to give me a seat at the table on day one.
The first thing to remember is that we're not risk managers we're outcome managers, and each of you that is a risk manager, I want you to add a translator chip into your brain right now and give one to every employee in your organisation. And it works like this, every time you hear the word risk management, you say to yourselves, outcome management. Your face will go from a grimace to a smile, because you're now talking about the relationship between risk and reward, not risk in its own right.
Let's have a look at outcome management as an example. This is a lovely main road in Nairobi, in Kenya.
Our objective in the example is to get to the end of the road safely. The potholes, obviously represent risk because they create uncertainty as to the achievement of my objective of getting to the end of the road safely.
So, let's consider how we might try and achieve our objective. Number one drive flat out. Drag race up to the end, hopefully jump over the potholes. Now, this is about the "she'll be right" brigade. Because they are only focused on getting to the end of the road they want to ignore the potholes (risk). What could be the result of this? The first time they go, they might luckily make it, second time might luckily make it and so on. On the (say) eighth time, however, that's what happens (car crashes in pothole). We call this boom, bust management. Boom, boom, boom, boom, life is good for a while. Then something (risk) comes along, and we're bust. We're very good at that in business, particularly financial services. It usually takes seven years for the bust to come along, but it does.
This kind of relationship is where the "male" or reward is the biggest, and the "female" or risk is tiny, because we're not listening to the voice of risk. That will be Boom, boom, boom, bust. Because after a while, the risk partner who's being ignored, gets kind of annoyed and frustrated and bursts out with "Remember me?" "Who are you?" "I'm your partner in your marriage." "Oh, sorry, I forgot about you." And then we have the global financial crisis. And then we worry about the risk partner lots and ignore the reward partner. I'll come to that later. That is not a happy marriage.
Number two, we look at the holes and they scare us. We are so paranoid about falling in a hole, we give up. I'm not even going to attempt it. This is called avoidance or elimination. In this instance, obviously zero success. We just give up, we go home, so we're never going to achieve anything.
Then in this instance, we've got a tiny "male" or reward and a really big "female" or risk because we're focusing too much on risk in this scenario.
Number three, we look at the potholes, they scare us, but we really want to get to the end of that road. So, what do we do? We buy some really big wheels and tires. It slows the car down dramatically and costs a fortune. It takes two hours to get to the end of the road, and by the time we're there, we're bankrupt. This is the same problem as the earlier example, but for a different reason. This is where the "male" or reward is very small. We're not worrying about reward. Cost doesn't matter and risk management / control is huge.
Same as the one before, but through too many controls bogging the business down. What's the solution?
I would suggest that we smartly maneuver around each pothole as you come up to it; quick left, quick right, 25 kilometers an hour, slow down, break, left, right, and we weave our way up through the road. Now, as we're doing that, we are now focusing on both reward and risk equally. We have a balanced and happy marriage.
I will put to you that there is where we will get success. Success is sustainable reward. It's not boom, boom, boom, boom, boom, boom, bust, its boom, boom, boom, which is reasonable profits but not crazy. But we can keep on repeating that year after year and will end up with our partner at 95 years old still holding hands because we got a balance between the two. Now, that to me is success. That's what sustainability is all about.
My number one objective in risk management is sustainable reward. That's it. That's what we do, sustainable reward.
To sum that up then, if we look at the partnership, reward is the main focus, risk is secondary, she'll be right, boom, bust. Rewards, secondary focus, everything's too risky around here, our main focus is risk. No boom whatsoever, therefore a long term bust. 50%, 50% equals long term sustainability. That is the dynamics between the partnership.
Let's now think about the relationship and how the dynamics work. Firstly, generally, as long as you're taking reasonably smart risk, the greater the risk, the greater the average expected reward. However, the greater the risk, the greater the potential variation around that expected outcome.
Now, many many years ago I did a degree in business finance and I remember doing a class on economics, which introduced me to the concept of this. Some of you might remember this from your uni days, the capital asset pricing model or CAPM. .
This is a map of the partner, male return or reward up the left. We have now risk, the other partner on the horizontal axis, and we map the two as how they relate. They relate like this. Let's have a look at expected reward or expected relationship.
On the left hand side, that's the level of return we're going to get for taking no risk. We call it the risk free return. If you're thinking about it financially, let's say investing in a three year government bond, very low risk, only sovereign risk, but obviously a very low reward. As you move to the right and take more risk and make the risk partner bigger, on average, expected return for the other partner goes up. Now, obviously without any other additional information, it would make sense to always have massive risk and massive reward. But it's missing something, and that's variation.
So, let's now add variation on, variation. The more risk we take, there is a bigger chance of not meeting that outcome in a negative sense. Over here, very low variation, the outcome's fairly certain. Equally though, as long as the risk has an upside, we call it opportunity risk, it could also be that, where we take a risk and the actual outcome is better than what we expect. This is really important in risk management in that we've got to appreciate that some risks have an upside and a downside where some risks have downside only. Downside only we call threat risks. Once they have an upside, the upside we call opportunity risk, and the downside, threat risk. Obviously, we need to be smart about this because the opportunity risk can actually add to our outcomes, the green side. Threat risk can hurt us.
Maximise the upside, minimise the downside. One of the things that we're going to talk about in a minute is how far up this side can we go? How big can we get the risk partner to be? Well, that's determined by risk appetite. In this instance, it tells me the marriage can never go further right than that blue line. That's our risk appetite. Now, I'm going to talk about risk appetite in a second. The key is, the higher the risk, the greater the expected reward. However, the greater the variation around that expected outcome.
Managing the Marriage Between Risk and Reward
Now, we understand the relationship dynamics. When I talk now about the managing the marriage, the keys to a happy, sustainable marriage, making great relationship decisions. Because a lot of what we do in risk management should be focused on helping our people make better decisions. In a marriage, good decisions will equal sustainable marriage. Finally, incentives for success. Let's have a look.
The keys to success:
- Number one, understand each partner really well. Get to know your partner extremely well before you go and walk down the aisle. Get to know reward really well and get to know risk really well.
- Understand the needs of each partner. What is the needs of reward? Where does that come from? Strategic plans and business plans. Understand the needs of risk. What are the risk targets? What are we aiming for? What's the right balance.
- Understand the boundaries around the relationship, particularly around risk appetite.
- Ensure both partners have equal say in the relationship. I would argue a relationship where one partner dominates the other is not going to end in a happy. It's going to have a limited life. Equally, a business that downgrades risk to the detriment of reward, we know what that looks like. A decision is made, it's all based on reward, and when it's made, someone says, "Can you tell risk? Apparently, they have to do some tick off or something." That's disgraceful. Risk should be at the table at the same time reward is at the table so their voices are heard equally.
- Ensure the performance of the marriage is measured based on the optimal outcome for both partners, not just one. We have so many incentive schemes based purely on reward. Yes, sales volumes and goodness knows what. We see that in financial services a lot, and that ends in tears.
- Ensure that those that make decisions that affect the partnership are incentivised for both risk and reward performance. So, the incentive scheme is there to make sure the balance between the partners is managed appropriately.
Let's go to two of those. Let's understand then the reward part really well. For that, we need a really good strategic plan, which is, where do we want to be in three years' time, and the right business plan of how are we going to get there? I'm still amazed at the number of times we go out to clients and we start doing risk work with them. I always asked for a series of information from the customer or the client. The top of the list is the strategic plan and business plans.
So many times I get a call back saying, we want to know why you want the strategic plan. Here is an organisation that doesn't in any way link risk with reward. Or secondly, they say, "Well, I actually our strategic plan and business plan isn't very good. We don't have very measurable targets. So, we often back-fill." You can't do any decent risk management unless you have a very strong strategic and business plan with measurable KPI targets.
Second part then is risk appetite.
What is the maximum amount of risk that we are allowed to take? This puts a size around the risk partner. We think about what risk appetite is, the maximum amount of risk that we are willing to take in pursuit of our objectives. So, how big, and I don't mean physical, how big can the risk partner be? Because that is going to determine the maximum size of the reward partner, because they are linked.
Now, in this instance, we call the risk appetite, freedom within boundaries. I want to give you a little illustration of this. We're going to use this illustration to really have a look at the relationship between risk and reward for decision making. Let's start off then with risk appetite, an illustration. Imagine that you and your partner have two children, Jenny, we've already met Jenny and Johnny.
This weekend you want to go to the local park. And your objective with your partner is to have wine and cheese and chat about the film you saw last night on a picnic rug in the middle of the park.
Johnny and Jenny, they have got different objectives. They are off, they want to go play. They want adventure and fun. You say, "Wait a second. Before you go, don't go too far away." Why? Because over there, there's really high trees, there's a rock ledge over there, there's a main road over this side and a river over here. And we know that the further they go away from the picnic rug, the greater the risk. It's a risk proxy or risk indicator. In addition. We can't supervise them as well, so our controls are weaker the further they go away.
So, Johnny says, "How far is that dad or mom?" Now, you're not allowed to mark the park. The line's invisible. Poor old Johnny doesn't know quite where that is, and you have to explain it. So, you say to Johnny, "It's, a pretty big area." In our view of the world, big is risk appetite.