IncQ Consulting recently held our leadership conference on the beautiful island of Phuket, Thailand. Apart from wanting to make you jealous, I would like to share with you two slides from the presentation given to the IncQ Consulting Practice Leaders on Governance, Risk, and Compliance, and then comment on them in relation to the recent Walmart incident.
The first slide shows the historical drivers for significant market capitalization decline, categorized broadly into strategic, operational, legal and compliance, and financial risks.
The second slide represents some results of a survey conducted by KPMG.
A caveat on the market capitalization decline drivers: To keep the chart readable, a fundamental piece of data is missing – the interrelationship between the risk drivers and the risks. In the interest of trying to keep this blog short, I’ve drawn up some examples of how risk drivers and risks may be interrelated and therefore increase the likelihood of other drivers and risks. It can lead to what is called the Domino Effect and, if uncontrolled, will often lead to multiple catastrophic failures for the organization.
For simplicity, I’ve left out multiple impacts in different impact categories that are exacerbated by multiple risks, but let’s just say that I’m painting a very rosy picture of the domino-effect here.
Take the recent Walmart incident as an example of a simple domino effect.
A breakdown or absence of certain key internal controls led to bribery (and also a breach of compliance), which led to reputational fallout, which led to share price drops of around 12 percent on Monday and a further 4 percent on Tuesday. It also resulted in fallout for the main Walmart parent company, which trades separately from Walmart Mexico, with drops of 5 percent on Monday and 3 percent on Tuesday.
Linking this back to the KPMG survey results, we see the unsurprising top three drivers for GRC convergence: business complexity, reducing risk exposure and improving performance.
The interesting figure that I will focus on for this blog is the 4th driver. It is the first driver that the CEO has actually singled out as an explicit risk type, i.e. the most important risk to be managed by GRC convergence is reputational risk. This is risk-intuitive thinking. Reputational fallout tends to sit at the end of the domino effect and often affects share price. Therefore, if we converge our Governance, Risk and Compliance frameworks and processes, and take a holistic, integrated and coordinated approach to managing risks and domino effects, then we will avoid reputational fallouts such as the recent Walmart incident. That is because analysing reputational risk will show multiple other risks pointing to it, each with multiple drivers, allowing us to focus our key controls more accurately. Some of these controls won’t even relate directly to reputational risk. We manage reputational risk indirectly, by controlling the related risks that feed it.
Conversely, you simply can’t manage reputational risk in a silo. There’s no “preventative control” for reputational risk, only the efforts required to recover from reputational fallout.
Managing interrelationships between drivers and risks seems a little more difficult than managing risks in isolation, but there are two strong reasons to manage interrelationships between drivers and risks:
- Companies don’t usually collapse or have significant market capital decline due to a single risk. Only when multiple risks hit all at once and the organization is not prepared for them do we see collapses of this nature. Multiple risks hit all at once mostly because of the domino effect rather than just bad luck. The domino effect therefore is the biggest risk (impact) a company can face.
- It is impossible to make a judgement call on the appropriate level of control on any risks if we don’t understand the interdependencies and interrelationships with other drivers and risks.
As an example, a risk manager identifies a risk with a moderate likelihood and moderate impact. Moderate control prioritization is made accordingly, based on the management of this risk in a silo. A converged GRC process however would have identified the fact that this risk may significantly increase the likelihood of multiple, related, catastrophic risks. The prioritization on this control should actually be very high. Moderate control and monitoring of this risk is unduly exposing your organization to multiple catastrophic risks.
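The scenario just described, worked through as an added example (not the author's method or any vendor's product): a small Python dependency graph in which each risk has a stand-alone likelihood and impact, and each edge carries the probability that one risk triggers the next. All risk names and figures are constructed, with the chain loosely modelled on the post's Walmart sequence.

```python
# Added example, not the author's or IncQ's tooling: a toy dependency graph of risks.
# Edge A -> B with weight p means "if A materialises, B follows with probability p".
from dataclasses import dataclass, field

@dataclass
class Risk:
    likelihood: float      # P(occurs on its own), 0..1 (constructed)
    impact: float          # loss if it occurs, constructed $m figures
    triggers: dict = field(default_factory=dict)  # downstream -> P(downstream | this)

# Constructed chain modelled on the post's Walmart sequence, plus one stand-alone risk.
RISKS = {
    "control_gap":  Risk(0.30,   1, {"bribery": 0.5}),
    "bribery":      Risk(0.05,  20, {"reputation": 0.8}),
    "reputation":   Risk(0.02,  50, {"share_price": 0.9}),
    "share_price":  Risk(0.05, 400),
    "plant_outage": Risk(0.20,  30),
}

def isolated_score(risks, name):
    """Spreadsheet view: likelihood x impact of this one line, nothing else."""
    return risks[name].likelihood * risks[name].impact

def cascade_impact(risks, name, seen=frozenset()):
    """Expected loss given `name` has occurred, including all it can trigger."""
    if name in seen:       # stop if the graph loops back on itself
        return 0.0
    return risks[name].impact + sum(p * cascade_impact(risks, child, seen | {name})
                                    for child, p in risks[name].triggers.items())

def cascading_score(risks, name):
    """Converged view: likelihood of the risk times the loss of the whole domino run."""
    return risks[name].likelihood * cascade_impact(risks, name)

def rank(risks, scorer):
    return sorted(risks, key=lambda n: scorer(risks, n), reverse=True)

def upstream_of(risks, target):
    """Every risk that can, directly or through others, end up triggering `target`."""
    found, frontier = set(), {target}
    while frontier:
        frontier = {n for n, r in risks.items() if frontier & set(r.triggers)} - found
        found |= frontier
    return found

if __name__ == "__main__":
    for label, scorer in (("isolated", isolated_score), ("cascading", cascading_score)):
        print(label, [(n, round(scorer(RISKS, n), 1)) for n in rank(RISKS, scorer)])
    print("points at reputational risk:", sorted(upstream_of(RISKS, "reputation")))
```

Run stand-alone, the control gap ranks last on the isolated view and first on the cascading view, and the reputational risk query lists the risks that feed it rather than a control on reputation itself.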
Mapping out the interrelationships between risks and drivers by GRC Convergence.
How not to do it.
You don’t do it by listing your risks on a spreadsheet. That would be the most granular silo there can possibly be (silo by risk). I’ve yet to see anyone compile an accurate or even meaningful picture of their risks using a spreadsheet, and I’ve seen some amazingly complex spreadsheets. I’ve had the following discussion with many Risk Managers telling me that their spreadsheet is sufficient technology for their $100m+ organization:
“If this driver happens, what will the impact most likely be?” asks Justin, pointing to line 250 on the spreadsheet as an example.
The Risk Manager proceeds to read out the risk description of line 250.
“So, the other 500 risks on your spreadsheet are all completely unaffected by this?” asks Justin.
Of course, they know that the answer to my last question is “no” or “I don’t know”. The reality is that the impact is more complicated than what they told me, and its magnitude may be significantly higher than what they rated, because multiple risk impacts are now happening at once. It’s much too difficult to comprehend this using a list of risks on a spreadsheet, but we must understand it if we are to protect our organization from the biggest, most catastrophic domino effects.
How to do it.
It’s actually very simple if you use decent Risk Management technology. You need good people, good process, and good technology, in balance. I’ve seen the best people, with the best risk management frameworks and processes, using Excel lists, and it’s significantly holding them and their organization back. It’s like turning up to a Formula One race in a horse and cart. Even with the best race driver in the world, it’s still not the best holistic solution to meet objectives!
Risk Management technology should be able to answer the following five questions within a few seconds:
- Can we easily see and analyse interrelated drivers and risks?
- Can we calculate the expected impact of all of the interrelated risks for any specified risk driver?
- Can we see where the real weaknesses are and appropriately prioritise controls on the risks that may not be damaging in isolation, but can trigger other catastrophic risks?
- What are our real top 10 risks and their drivers, and how are we monitoring them (including their interrelated risks)?
- Where should the CEO be placing focus to protect the organisation?
The more relevant the question is to the organization, the less accurate the answer will be when using a spreadsheet. Spreadsheets are only OK at answering questions that aren’t really all that helpful to the CEO. A CEO is not interested in a spreadsheet of 500 or 1000 risks: the CEO typically works at magnitudes far greater than any one of these risks alone, and it’s just too much for him or her to become familiar with and do something about.
The CEO is interested, however, in ensuring the biggest risk to the organization is appropriately managed. The only way to do this is to properly identify interrelationships and the domino effect.
But Risk Management technology is expensive!
Only if you ignore the cost of not having Risk Management technology.
I would like you to do the following (assuming you’re not up to your eyeballs trying to continuously update spreadsheets with risks):
- Look at your risk management technology and ask yourself those questions that I posted above. Can you easily answer them? Any decent risk management technology should have each of those questions answered by a simple report or dashboard.
- If you’re using Excel spreadsheet lists, try to map the relationships between the risks and drivers and each other.
- If you manage to do this, then contact me ASAP as you’ve just done something that I’ve never seen before and I would be thrilled to see it!
- If you can’t do this, then contact me to talk seriously about some technology that will support you. If not me, contact some other trusted risk management advisor (I assume you don’t have one if you’re still using spreadsheets).
There is so much decent Risk Management technology available at the moment for different industries, different organizational sizes and different price-points, you would be doing yourself and your organization a huge disservice if you weren’t to seriously consider talking to someone about it.