Jean Pousson reminds executives about their duties and responsibilities.
The recent “episode” of Bernard Madoff's alleged $50 billion “Ponzi” scheme is yet another reminder to businesses that years of hard work and profitability can be wiped out by fraudulent activities not picked up by diligent risk assessment procedures. While more facts have to emerge about the extent of this supposed fraud, what is already becoming clear is that warning signs had been there, and had been flagged up, but no one seemed to act. The most obvious was his auditors, who were literally a one-man-and-his-dog outfit, responsible for auditing funds under management of some $50bn!
Many of us will remember how, in 1995, one derivatives trader, Nick Leeson, brought down an entire bank, i.e. Barings Bank!
Add to this all the current woes of the banking sector, where it has become abundantly clear that the full risks of products being sold and kept on the balance sheet were not fully understood. Huge write-offs ensued, which necessitated recapitalisations and government assistance.
Risk assessment will never be foolproof, but the odds of something going very wrong can be minimised. The Turnbull Report in the UK, which applies to Listed Companies only, and which is part of The Corporate Governance Code, provides guidance for directors in the field of risk management. This is well worth a look!
Some thoughts on the subject:
-Processes and monitoring activities are insufficient (by themselves) if the culture and values of the organisation do not support them. Integrity and honesty regularly appear on organisations’ values, but how often have these been decomposed? In other words, have they been fully discussed for people to really understand how this translates into day-to-day operational behaviour? In one organisation, integrity received 85 different definitions and interpretations!
-New business models bring about new dimensions and types of risks that executives often have not thought through properly, if at all! Industry dynamics change all the time and organisations should regularly review how the potential risks may have changed.
-Tools like external/environmental analysis (Pestle) and industry analysis (5 forces) all help, but they must be undertaken regularly, and not always by the same cohorts! Personnel at all levels, no matter how junior, should be involved. Risk identification is not the sole preserve of the Board.
-Monetise the risk, i.e. what is the financial impact if this event were to happen? Could the business withstand that financial shock, especially from a cash flow perspective?
-Having said that, not all risks can be quantified. A far more qualitative approach needs to supplement the technical analysis. For example, risk is often only discussed in terms of calamities and financial mayhem. But what about strategic risks? Risk assessment discussions often highlight business opportunities. Oracle and Microsoft both grew out of distressed economic climates.
-Worst case scenario means just that. Far too often when organisations consider “worst case” scenarios, the assumptions are still quite optimistic, because the real worst case is a bad place to visit and we don’t want to go there. Try running away days/workshops where the theme of the day is only bad news. The outcome will surprise you.
-And finally, never forget the ABC of risk assessment:
Assume nothing, Believe nobody, Check everything!