ERM and Mission Critical Risks
The courts are creating new views of risk and risk management. Boards and ERM leaders should pay attention. Our white paper on mission critical risks explains it a bit more.
Business Models
Business Model Generation (Osterwalder & Pigneur)
Value Proposition Design
Disruption
No Ordinary Disruption (Dobbs et al.)
Big Bang Disruption (Downes & Nunes)
Your Strategy Needs a Strategy (Reeves et al.)
Create Marketplace Disruption (Hartung)
Superforecasting (Tetlock and Gardner)
Strategy (more general)
Blue Ocean Strategy (Kim & Mauborgne)
The Lean Startup (Ries)
Playing to Win (Lafley and Martin)
Brand Resilience (Copulsky)
Discovery Driven Growth (McGrath and MacMillan)
Upside (Slywotzky)
Innovator’s Toolkit (HBS)
Geography of Genius (Weiner)
Strategy Beyond the Hockey Stick (Bradley et al.)
Strategic Execution
Achieving the Execution Edge (Bart & Schreiber)
Strategic Project Management Made Simple (Schmidt)
When Strategy Execution Marries Risk Management (Ow)
Seven Strategy Questions (Simons)
Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)
Attached is the white paper based on our ERM Summit on this topic.
It seems like that might be true in banking. Here’s an excerpt but you can read more in the document.
3) Ms. _________, as the Community Bank’s Group Risk Officer, failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to exercise credible challenge to the Community Bank’s head (_______) regarding risk management controls relating to sales practices, failed to timely and independently evaluate the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of ________ Bank, N.A.
4) Mr. _________, as the ____ Executive Audit Director assigned to the Community Bank, failed to timely identify the root cause of team member sales practices misconduct in the Community Bank, failed to provide credible challenge when evaluating the effectiveness of Community Bank’s risk management controls, and failed to identify, address, and escalate risk management control failures that threatened the safety, soundness, and reputation of the Bank. ...
From today’s WSJ:
Coming after a year of events that weakened China’s status as a stable manufacturing center, the upheaval means Apple no longer feels comfortable having so much of its business tied up in one place, according to analysts and people in the Apple supply chain.
“In the past, people didn’t pay attention to concentration risks,” said Alan Yeung, a former U.S. executive for Foxconn. “Free trade was the norm and things were very predictable. Now we’ve entered a new world.”
At our Oct 2022 ERM Summit we asked a group of risk leaders about the importance of geopolitical and macro risks. Their responses are summarized below (chart: “Top risks”).
About 70% agreed that geopolitical and macro risks are a top risk and almost 70% agreed that these risks will have a major impact. What is surprising is that only slightly over 50% had a practice to identify these risks in a timely fashion.
My Risk Acumen takeaway is that ERM leaders should consider or reconsider their approach to identifying these risks in a timely fashion.
Assess emerging risks
"The board should carry out a robust assessment of the company's emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated. ... Principal risks should include, but are not necessarily limited to, those that could result in events or circumstances that might threaten the company's business model, future performance, solvency or liquidity and reputation. In deciding which risks are principal risks, companies should consider the potential impact and probability of the related events or circumstances, and the timescale over which they may occur" (UK Corporate Governance Code 2018).
ERM reaction: First, strengthen your emerging risks process. Second, include business model risk analysis in the process. This reaction captures the growing pressure on boards over emerging risks and business models. Recent work at the Center for Excellence in ERM at St. John's University's Tobin College of Business reveals that U.S. high-performing companies (as compared to those that are not high performers) are more likely to have an emerging risk process.
Board member reaction: There is no reason not to insist that companies push the dial higher than just doing risk identification, risk assessments, and risk ranking. Insist on an analysis of how the emerging and disruptive risks impact the business model. The future of the business could be at stake.
Enterprise risk management is a great, great process. I could not say more about it.
Mario Pilozzi, Wal-Mart Canada Chief Operating Officer.
Enterprise risk management is an iterative and disciplined process that can take many forms but often follows the flow identified in Figure 2. The key steps in the process include setting objectives, identifying risks, assessing risks, acting upon these assessments, and monitoring. An unfeigned approach to managing risk first requires the identification of the objectives. The objectives can be the company’s strategic objectives if enterprise risk management is being applied to the company as a whole. Alternatively, the objectives can be a department’s objectives or a new project’s objectives (where enterprise risk management is being applied to either of these individually). For example, FirstEnergy Corporation used enterprise risk management to identify and manage risks around a new e-business initiative, as well as to identify and manage risks of the entire organization.
Management that approaches each day or project not knowing what objectives they are trying to achieve can usually only offer a shallow repartee when asked by board members, “How is the company performing?” or “Are we meeting our goals?” One of the early lessons companies glean from enterprise risk management is that many layers of the company (including senior management, operating managers and regular employees) do not know or understand the objectives of the organization and how the objectives relate to their daily job and tasks. Enterprise risk management forces companies to identify and focus on the organization’s objectives. Risks are defined broadly to include any event or action that will prevent the organization from achieving its objectives. Enterprise risk management reinforces priorities to everyone involved, and ultimately to the risks surrounding those priorities. Knowing the priorities and the risks is essential to creating value for the stakeholders and to managing the company successfully.
From our first book on ERM (Making Enterprise Wide Risk Management Pay Off).
Question legacy business models
"Allegiance to legacy business models with reluctance to question their future viability" is a red flag, according to board guidance (Adaptive Governance: Board Oversight of Disruptive Risks, NACD, 2018).
ERM reaction: Include business model risk analysis in your risk assessment.
Board member reaction: Don't accept a risk map with a list of top risks. Ask if tools have been applied to examine the risks around the business model — in essence, the heart and soul of the business. Without a grasp of this, you are overseeing the wrong risk. Peter Drucker, a management consultant, educator, and author, wrote in "Theory of the Business" in the Harvard Business Review in 1994 that every three years we should challenge every product, service, policy, etc. — basically, every assumption about the business.
https://www.apqc.org/resource-library/resource-listing/evolving-practices-enterprise-risk-management-1
Our April 22, 2021 Center for Excellence in ERM Summit topic has been set. This April our Summit will cover ESG and ERM alignment.
In my opinion, it is to read what they read. Until we understand how the C-suite and the board think, we will always be on a steep uphill climb. One reading list:
· Business Models
o Business Model Generation (Osterwalder & Pigneur)
o Value Proposition Design
· Disruption
o No Ordinary Disruption (Dobbs et al.)
o Big Bang Disruption (Downes & Nunes)
o Your Strategy Needs a Strategy (Reeves et al.)
o Create Marketplace Disruption (Hartung)
o Superforecasting (Tetlock and Gardner)
o Blue Ocean Strategy (Kim & Mauborgne)
· Strategy (more general)
o The Lean Startup (Ries)
o Playing to Win (Lafley and Martin)
o Brand Resilience (Copulsky)
o Discovery Driven Growth (McGrath and MacMillan)
o Upside (Slywotzky)
o Innovator’s Toolkit (HBS)
o Geography of Genius (Weiner)
o Strategy Beyond the Hockey Stick (Bradley et al.)
· Strategic Execution
o Achieving the Execution Edge (Bart & Schreiber)
o Strategic Project Management Made Simple (Schmidt)
o When Strategy Execution Marries Risk Management (Ow)
o Seven Strategy Questions (Simons)
o Strategy that Works – How Winning Companies Close the Strategy-to-Execution Gap (Leinwand & Mainardi)
From today’s WSJ:
“In discussing an emergency safety bulletin the FAA issued after the Lion Air crash, the suit said that Mr. Muilenburg was more concerned with potential cash-flow disruptions than safety matters. “We need to be careful” that the FAA’s interest in the contents of flight manuals, he wrote to Greg Smith, the company’s chief financial officer, “doesn’t turn into a compliance item that restricts near-term deliveries.”
The risk-management update to the board after the first crash didn’t include oversight of airplane safety, according to the suit, nor did safety issues surface as part of a December 2018 meeting of the board’s audit committee.”
The headline of the WSJ story was “Boeing Board Failed to Challenge CEO, Lawsuit Says.”
Organizations may need to not only assess their ERM process but also revisit how they setup and practice board risk oversight.
Disclose a Change in Business Strategy
Of note is this sentence in the new SEC rule (effective Nov 9, 2020): “However, we are adopting as a disclosure topic material changes to a registrant’s previously disclosed business strategy.”
My 1.5 cents? I’d read that section every year. Changes in business strategy change the strategic risks.
Here’s an overview:
•Require summary risk factor disclosure of no more than two pages if the risk factor section exceeds 15 pages
•Refine the principles-based approach of Item 105 by requiring disclosure of “material” risk factors (From “most significant” to “material”). This will result in risk factor disclosure that is more tailored to the particular facts and circumstances of each registrant which should reduce the disclosure of generic risk factors
•Require risk factors to be organized under relevant headings in addition to the subcaptions currently required, with any risk factors that may generally apply to an investment in securities disclosed at the end of the risk factor section under a separate caption (i.e., a “general risk factors” section)
I know this is banking but I thought you might find Citi’s $400m fine and consent order and the regulator comments interesting:
The Comptroller finds, and the Bank neither admits nor denies, the following:
(1) For several years, the Bank has failed to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile.
(2) The OCC has identified the following deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches,” or unsafe or unsound practices with respect to the Bank’s enterprise-wide risk management and compliance risk management program:
(a) failure to establish effective front-line units and independent risk management as required by 12 C.F.R. Part 30, Appendix D;
(b) failure to establish an effective risk governance framework as required by 12 C.F.R. Part 30, Appendix D;
(c) failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and
(d) failure of compensation and performance management programs to incentivize effective risk management.
This is not all bad news. Many will find these new business models, value propositions, and opportunities.
Consider what new blue oceans (yes, it’s a good read), customers, and customer dimensions might exist in this world. Think about it. Spend time imagining the new possibilities and opportunities.
Tip: when allocating time, let’s say an hour, the best ideas come at the end. Rarely do they show up in the first 10 minutes. Be patient.
You are likely biased. There is a large body of research on this. Create a new division to disrupt yourselves. Put people on it who are not tied or incentivized to the old model. Clayton Christensen, Steve Jobs, and others have proposed this. Why? Because it was and still is a great idea.
You can talk all day about a variety of drivers, risks, and uncertainties, but one thing I’ve learned from a few smart colleagues, my son, and brilliant CEOs is the ability to see through the fog to identify the #1 big deal you must get right. Major on the minors. Hedgehog. Focus. Get in the moment. Whatever you want to call it, you’ve got to know the existential risk.