Helping to Frame the Board’s Risk Conversation - A Profession in Transformation by AIRMIC John Hurrell and Julia Graham This session presented on October 04, 2016 during the FERMA European Risk Seminar in Malta, set out some of the issues involved for risk managers making this professional journey and offer practical ideas and suggestions on how risk managers can seize these professional opportunities. Reinforcing FERMA’s vision of “a world where risk management is embedded in the business model and culture of organisations”, this session will focus on how risk management can be embedded in the business model of the organisation and the importance of risk culture and the profiling of risk culture as part of this process. The session introduced models, tools and techniques designed for the risk manager developed in partnership with colleagues from other professions and in consultation with those who have a seat at the boardroom table.

1. 2 October 2016 – Malta
Helping to Frame the Board’s Risk Conversation
A Profession in Transformation
John Hurrell and Julia Graham

2. 2
www.airmic.com
The Association for
those responsible for
risk management and
/ or insurance in their
organisations
1200 members in 450
companies generally
with turnover in excess
of £1bn
Extensive research
programme into risk
related issues

3. The Way Ahead

4. Leadership needs to
think the unthinkable
 Ineffective
 Complacent
 Striving
 Strong culture of trust and respect
 Board and management challenge each other
 Chairs run meetings well
 Feedback
 Conduct regular evaluations
 Chairs ask for input after each meeting
 Risk managers need to be equipped and positioned to support the Board

5. Member Survey 2016 findings
 For the first time the top two risks associated with cyber
 Lower levels of confidence for less ‘traditional’ risks
 Risk management not fully integrated with wider business units
 Risk education not fully integrated within the organisation
 Budget constraints
 Risk culture not embedded within organisation
 Risk management not integrated with strategy
 Risk management team better access to the Board
The focus on risk has never been greater
Airmic member views

6.  Most risk failures are directly or indirectly a consequence of
inappropriate behaviours.
 Effective risk governance is achieved through the promotion of
effective cultures and behaviours.
 Good behaviour and culture are key factors in the successful
delivery of the purpose and objectives of an organisation and the
creation of value.
Culture and Behaviour – Airmic research findings

7. Why did companies fail?
 Lack of board skill and NED control
 Board risk blindness
 Leadership failures
 Poor communications
 Organisational and risk complexity
 Inappropriate incentives
 Risk management ‘Glass Ceiling’
‘Roads to Ruin’

8. ‘Roads to Resilience’
1. Exceptional Risk
Radar
2. Flexible and diverse
resources and
assets
3. Strong relationships
and networks
4. Rapid response
capability
5. Constant review and
adaptation
Why do companies succeed?

9. Exceptional Risk Radar
 Everyone is responsible
 Constant vigilance
 Complacency engineered out
 Constant questioning and challenge
 Communication critical

10. Flexible and Diverse Resources and Assets
 Actively managed dependencies
 Active networks with ability to switch
rapidly
 Availability of crisis management
expertise

11. Strong Relationships and Networks
 Shared common purpose
 No blame culture – (“fix the problem”)
 Flatter Structures
 Engaged leaders

12. Rapid Response Capability
 Quick and appropriate action
 Defined processes and teams
 Ability to identify appropriate resources
quickly
 Rehearsing and practising

13. Constant Review and Adaptation
 Investigation through scenario
analysis
 Learning as a core value
 Near misses must be
communicated
 Active and transparent responses

14. Risk Responsive Roads to Resilience
Roads to Ruin Risk Compliant
Respond,
Recover, Review
Prevent,
Protect &
Prepare

15. • It’s all about behaviour and risk culture ….
Why do so many companies appear unprepared and
unresponsive when the crisis hits?

16. Risk Governance perceptions
– Before the crisis

17. The reality - After the crisis

18. Black Swans
 Black Swans represent 'unknown unknowns'
 As such, how can you plan for them?
 But our research shows that you do not need to
 It's not Black Swans which are the biggest threat!

19.  Grey Rhinos represent ‘known unknowns'
 You can you plan for them
 Highly probable, high impact neglected threats
 Warnings and visible evidence but leaders fail to address obvious dangers
 Acting in time can make a situation better or keep a crisis from deteriorating
 But it’s not Black Swans or Grey Rhinos that are the biggest threat, it’s ............

20. It's Black Elephants!
 It’s the Black Elephant
 The Black Elephant was always in the (board) room
 But nobody saw it!
 Or if they did, they chose to ignore it
 But this Black Elephant has been visible to many within organisations
 And obvious to all once the crisis had hit!

21.  Most risk failures are
directly or indirectly
as a consequence of
inappropriate
behaviours
 Effective risk
governance is
achieved through
the promotion of
effective cultures
and behaviours
Culture is in the spotlight
 The UK Corporate Governance
Code 2014 sets out explicit
responsibilities for risk
management and internal
controls
 Guidance includes specific
reference to risk culture and
assurance – to ensure that an
appropriate culture is
embedded throughout the
organisation, including
embedding risk considerations
into reward systems

22. Drivers of risk culture

23. Managing risk culture is a cyclical process

24. When organisations get into trouble, fixing the culture is usually the
‘cure’
… but culture isn’t something you fix
Cultural change is what you get after you’ve learned lessons and
implemented them
Culture is not the culprit – it’s about people
Source: Lausanne University 2016

25. Beware of Board risk blindness and complacency
 Research indicates that there can be a gap
between perception and reality
 Boards report high confidence levels on a
range of subjects
 Yet rarely discuss some of them in depth ...

26.  Integrated process across all departments, functions and levels
 Integrated with the business model, strategic decision making and planning
 Appropriate performance reward structures in place
 Monitoring process including annual effectiveness review in place
 Educated and informed people across the organisation
 Educated and informed stakeholders
 Peer to peer team working
 Proactive and insightful professionals
 Future gazing skills
 Educated and informed risk leaders
Roadmap to the new risk leadership

27. Key findings
 Digital – a great change driver
 Data – the great differentiator
 Innovators and futurists –
forward looking
 Expanding the range of
expertise – imperative
 Professionalism – key to
cementing hard-earned
influences imperative
 Make friends in the right places – business and
governance
 Do not seek to become an expert in everything –
look internally and externally for the best advice
 Become a storyteller – encourage risk thinking
 Communicate with knowledge and confidence – this
will help to drive influence at all levels
 Understand the power of data analytics – and how
this can be integrated into existing risk management
practices
 Develop techniques like horizon scanning and
scenario analysis
 Use a common language for business and data –
avoid jargon
The role of the risk manager
is transforming
Priorities for the next generation of risk managers
The Changing Role of the Risk Manager: ACE 2015

29. Thank you
for your attention
WWW.FERMA.EU