What you need to know to stay current in risk management

It’s Thursday August 9th and our latest edition of the Feagin Company Weekly Risk Report: What you need to know to stay current in risk management.

Governance – Risk Management not working? Maybe this is why…

WHOA! WOW! WHEW! LinkedIn risk groups and various risk management blogs have been blowing up this week with philosophical debates and “hurt feelings reports” about everything from heat-maps, Monte Carlo analysis, risk matrices, etc…and the pundits weren’t playing nice! I’ve been around for a while now and in all my years, I’ve never once observed a Director, Officer, or other leader make a risk based decision using these “tools” of fierce debate. Most often it came down to “gut feeling,” “common sense,” internal and external opinions, and simple business case analysis…key word “simple” and get on with it…logistics. Practioners may win and loose philosophical debates but who cares? Companies win and loose by the numbers. Focused leaders don’t care about risk management philosophy, they care about results. Institutional investors…they don’t care if your heat-map is purple, sparkly, or glow-in-the-dark…they want the right risks managed and they want results; it’s about the bottom line. I’ll stick with experience and continue to stay out of the debate arena.

“The tactics…no, amateurs discuss tactics, Alekseyev thought wryly. Professional soldiers study logistics.” Red Storm Rising; Tom Clancy p. 435

Risk Identification – Herd mentality?

I’m focusing on risk identification this week and here’s why: I see too many organization’s following a “herd mentality,” call it group think, whatever and missing opportunities to identify and manage “clear and present dangers” to their specific organization. Here’s an example, take a look at some of the major risk surveys and you will find their annual results go something like this…”we surveyed 1,000 senior executives for their opinions about the top risks they are facing and our top 20 results were…” and they all say the same things. My experience:  by the time this data is published, it’s at least 6-months old which is ancient nowadays and it was someone else’s opinion; not insightful for the future. Boards and C-levels want forward thinking and insights into tomorrow’s risks. Get creative, seek different perspectives, and watch out for bias. Be careful about using these surveys to define your risk list.

Oh Captain my Captain! – Change your perspective

One area that continues to concern me when I review risk lists is the lack of critical thinking, internal and external. In the movie “Dead Poet’s Society,” there is a scene where English teacher John Keating, played by the late Robin Williams, stands atop his desk. Students aghast, Mr. Keating says, “I stand upon my desk to remind myself that we must constantly look at things in a different way.” He then tells his students to come and stand on his desk…hesitant at first, they oblige and experience a new perspective that leads to forever change. Mr. Keating encourages them to look at things differently, find their own voice, and take risks. Stand on the desk and gain new perspectives. What do you see? What are you missing? Take risks, but be informed. When you stand on your desk, you are not looking at the herd, you are looking over the herd and out to new horizons. That’s what leaders do.

Common Identification Methods

Brainstorming – it’s often not done well…but can be effective; quarterly to semi-annual is a good frequency, avoid gaming and pre-determined outcomes (bias). Use an outside facilitator if you need to.
Identification Surveys – Executives hate these things…”what are your top 3 risks?,” “what keeps you awake at night?” <yawn> and unfortunately, the person compiling the survey usually disregards the outliers from final analysis…not smart. Use with caution.
Interviews – Usually 30-45 minutes of expansion on “what keeps you awake at night” and typically missing intelligent questions around board and investor priorities, market trends and predictions, strategy, succession plans, and more. Waste of time if not done right but helps the risk manager get “sticky” with the C-suite, or not.

External Risk Identification – Not so common

Risk Managers need to consider “facilitating” discussions and critical thinking around geopolitical events, meta-data, and external indicators like the ones listed below, among other things. I get it; it’s hard, but with a little practice, it gets easier and is more informative.
Commodity Indexes – Should you be buying tomorrow’s steel or aluminum today? Maybe it’s fuel, but commodities, risky as they may be, do provide early warnings to future trends. Read the “tea leaves.”
Industry Trends – where’s the market going and is there a place for you at the table? Hey Retail, you need to look at Primark. They aren’t following the herd; they’re cutting a new path and killing it!
Market Demands – What is the market demanding? Now that’s a question you should ask the C-suite when conducting an interview…and let’s hope they are not skewed by bias, overconfidence, or philosophy.
Consumer Confidence – It’s a statistical measure and like most, garbage in is garbage out, but this one is pretty solid. You should be reviewing indicators for all countries where you are doing significant business or have major vendors. Visit one of my favorite websites: Trading Economics 
Real Estate Indices – I like to watch and analyze the real estate trends…they can provide leading indicators on consumer behavior and where businesses need to be alert.
Currency Volatility – Hey, if you are trading globally and not considering a currency hedge, you could loose your shirt! This is where I use quantification experts…no, the risk manager is typically not a quant expert; there are exceptions.

Risk List

I can’t make this up…I’ve seen some practitioners spend hours debating whether to call a list of risks the “risk sphere,” “risk universe,” “risk profile,”…whatever. Leadership doesn’t care about that. They want to make sure risks across the whole organization are being identified and managed. I just call it a “risk list.” Works for me; do what works for you…keep it simple. The priority is having the right risks on the list and then managing them. If you can’t do that, it doesn’t matter what you call it. Oh, and in most cases…the risk list becomes “the risk admiration society.” Take action.

If you are wondering, here’s a sample of risks that some surveys reported for 2018:

  • Sovereign Debt
  • Macroeconomic Risk
  • Political Shocks
  • Investor Relations
  • Identity Politics

I guess I have that sideways look a dog can give you…again. Think manageable level and application.

Common Identification Mistakes

A risk defined at such a high-level it is not manageable. Seriously, I came in behind a large company that conducted a risk identification engagement for a multi-billion dollar privately held company. My task? Make sense of the risk list. ‘Business Continuity’ was in their top 5 for prioritization management. Well, they’re located in the Pacific Northwest near volcanos, major fault lines, and the Pacific Ocean; duh. Details were missing so I dove deep and discovered they were managing this risk in amazing and creative ways…solidly compliant with best practices and ISO standards; we made some Disaster Recovery tweaks pertinent to a recent acquisition but that was it. Yes, it’s a high risk and they can’t lose focus on it; every company has this risk but make sure when you identify a risk, it’s actionable. Result: we left the risk on the list but shifted focus and energy to ‘cost of capital’ and specific ‘legislative changes’ (intentionally vague). This helped leadership to focus on the right risks while having confidence other “high impact” risks were sufficiently managed. The Board appreciated that as well.

Social Engineering

I suggest becoming aware of social engineering and fast. It has implications to you personally as well as to  your organization, competitors, and customers. I will be deep-diving into Social Engineering risks in the near future to break it down into manageable thoughts. We are also planning to release a special podcast on the subject featuring a leading expert in the field. For now, take a look at last week’s segment on Frameware and do some research. You’ll be alarmed you did.

Geo-Political – Iran

So, President Trump stuck it to Iran like he said he would but EU companies are also getting an ultimatum. Choose Iran or the United States, but you won’t trade with the US if you trade with Iran. What’s happening in Iran? The citizens are calling for “regime change” and protesting in the streets “death to the dictator!” Why does this matter to you? A dying regime often resorts to extreme measures of preservation but don’t expect the EU to lay down either. They have thousands of jobs and $-billions in contracts with Iran at stake; yes, you read that correctly. The EU will counter by trying to revise the existing 1996 blocking statute (Cuba). Also, EU Foreign Policy Chief, Federica Mogherini, is urging EU companies to defy the Trump Administration and increase trade with Iran. Keep an eye on the region: oil shocks and political fallout ahead…this will get ugly before it gets better.

The Takedown

  • Iranian president Rouhani thinks he has the upper hand in talking to President Trump…his currency shed 50%…80% if you’re watching the black market, but Rouhani stopped the bleeding with exchange revisions and added 20% back…currency manipulation…ripple effect, EU.
  • China accused of manipulating its currency in response to tariffs…haven’t they been doing that all along?
  • Salesforce names Keith Block as co-CEO…Mark Benioff is the other. Co-CEO models rarely work.
  • Elon would be great at poker, and maybe he is: He’s floating the idea of taking Tesla private and winning in the markets for now.
  • US healthcare cost predicted to soar in 2019 on the heels of President Trump chipping away Obamacare…when’s the last time costs went down? I think that’s a safe prediction. I predict they’ll go up in 2020 and 2021 and 2022 and 2023 and…
  • 3D printing of guns is sending some into hysteria. Anyone with a 3D printer and CAD (look it up if you don’t know) can design and print their own gun. Um, desktop CNC machines…anyone? You can also 3D laser scan anything and then 3D print it. You don’t need a drawing. Real threat…tax revenue? exploding guns?
  • Facebook wants access to bank data, yours to be exact…BUT WAIT! They just want to improve communication between you and the bank so don’t worry! #deleteFAKEbook #protectyourprivacy

Next Week…

  • Supply Chain risk management and why I don’t call it “supply chain” anymore
  • Effective risk governance models
  • Social Engineering
Subscribe To Our Weekly Risk Report

Subscribe To Our Weekly Risk Report

Join the list to receive our weekly communications.  We won't spam you, or share your information with others.  You can unsubscribe at any time.

You have Successfully Subscribed!

Share This