Risk registers that work at board level (This information is now out of date)
Effective and efficient strategic risk management in government.
I’m Trevor Llanwarne, Government Actuary. On my left is Colin Wilson, Deputy Government Actuary. We’re here to talk about strategic risk and modelling, based on combining our mathematical background with practical experience. We think there is a way for organisations like yours to get to a practical, simpler, better process. But it’s early days, hence this talk.
As I said, there are two elements. On strategic risk, I’d like to share some new ideas we’re piloting in various public bodies. On modelling, Colin will spend about 5 minutes sharing what’s going on with the Treasury’s review of quality assurance for the government’s 600+ critical models. Then we will get into discussion.
Starting with my slot on strategic risk. In the next 15-20 minutes I want to:
- set the scene with some problems I’m sure you’ll relate to
- run through the thinking behind the new ideas we’re trying out
- share the concepts of the practical approach adopted
To set the scene, I want to paint 4 pictures in your mind and offer a couple of pointers from FRC and NAO.
Picture 1 comes from the film ‘The Italian Job’ with Michael Caine, where the bus is perched perilously on the top of the cliff. I ask, ‘why are you worried about whether the headlights work when you’re in this position?’ Put another way, why is so much time spent on hundreds of little risks that don’t matter? When I started at GAD a few years ago, we had a risk register running to 50 pages. I looked for the top 7 risks and 3 were missing. When I mentioned this to a group of public sector risk managers I got the answer ‘you’ve got 4 out of 7; you’re lucky to have that many’. So the challenge from this picture is: how do you sort out the wood from the trees?
Second. Imagine a picture of a black swan. Does anyone know why events originally thought impossible, but which are not, are called black swans? For those who don’t know, black swans can only be found in the wild in Australia. Until Captain Cook discovered Australia, black swans were thought impossible. Here’s an example of a black swan: a solar flare that knocks out the electricity supply for 24 hours. The chances are greater than for many risks where lots of attention is given. So the second challenge is: how do you manage for black swan events?
Third, think of your risk register. In all the work I’ve done, I have found no link between the length and detail of a risk register and the likelihood of failure or of avoiding failure. So the third challenge is to ask what the purpose of a risk register is when presented to a board. Can you get one that works at board level?
Fourth. No imagination now. Here is a report produced by AIRMIC (Association of Insurance Risk Managers in Industry and Commerce), Roads To Ruin. They’ve analysed over 15 instances of total failure in the private sector (eg Enron, Northern Rock etc.). They have two conclusions that resonate with me. One is that a bad culture at the top towards risk is the common theme. Second, that there is very little academic work or methodology around the real thing that matters for boards. The fourth challenge therefore is strategic risk. How do you manage and handle strategic risk, the thing that really matters?
Next. In the pack for you to take away is a chart of FRC and NAO recommendations (both 2011) on how better to handle risk. I want to focus on two key messages from the chart for the public sector. The first is the message to ‘determine risk tolerance (rather than appetite)’. Tolerance is normally thought of as a limit on risk beyond which the organisation will not go. It is relatively simple as an idea but, even so, in the public sector it’s not easy. Most organisations do not find it easy. On the other hand, risk appetite further includes consideration of positively taking risk (eg in the private sector to earn profit) and is even more complex. I can come back to the issue in discussion if interested, but suffice for the present that, given where most organisations are, tolerance is the best first step. Don’t try to run before you can walk. The second key message from NAO/FRC is ‘quantify’. But how? Nobody really provides a good answer. Much that now follows tries to address these two key concerns in a way that makes sense.
Let me summarise therefore, before moving on, the five key challenges so far.
- How do you sort out the wood from the trees?
- How do you manage for black swan events?
- How do you devise a risk register that works at board level and delivers improved handling of risk?
- How do you manage and handle strategic risk – the thing that really matters?
- How do you better quantify against a background of a focus on risk tolerance?
OK. Now I’m an actuary and maths is my background. I also have many years of practical risk management at PWC, where I was a partner for 16 years. So what have I learnt, and how do we address these issues in the various jobs we’ve done around government? I want to offer three ideas to shine a light on how to make progress:
- Wouldn’t it be nice to predict accurately?
- Heat maps don’t work at the strategic level
- Failure of an organisation is often caused by contagion
- Wouldn’t it be nice to be able to predict accurately? If you could predict what will happen if you do nothing, then you can do whatever is necessary to stop the bad things that will arise. That would be focussed, efficient and effective. But it’s not the real world – or is it? Here’s a Nate Silver book. He was the only guy who predicted all 50 States correctly in 2012 on Obama v Romney. Four years earlier, in 2008, he got 49 out of 50 and was the top forecaster. More prosaically, he also got a lot of baseball predictions correct and shows how to play better poker. We need to take something from the sorts of things he does, I suggest. And of course it’s all statistical, which is why it appeals to me.
- Heat maps don’t really work at the strategic level. They try to get you to allocate a likelihood and impact to each risk. But for every risk there’s a whole range of impacts. Let’s take rain affecting cricket matches. The impact and likelihood of occasional drizzle is different to a thunderstorm, which differs again from a summer monsoon. So which do you choose? Anyone using a heat map in this way is taking a view on which type of rain matters, and very rarely are they transparent in doing so. We need to have a simpler analysis which can be quantified. [Note that for some presentational purposes it can be very useful to consider a concept of ‘reasonable worst case’, particularly for scientific black swans. However, this concept does not seem, to date and to my knowledge, to have been used for an individual public body’s strategic risk, and it still gives difficulty for risk management and prioritisation decisions at board level without quantification.]
- Failure is often caused by risk contagion, ie one big crisis triggering another. In the finance world, the models ignore contagion in crises, so they don’t work. In the last crisis, in 2008, sub-prime mortgage defaults caused problems with liquidity, and that caused problems with equities, which fell by one-third. Everything tends to be connected in the bad times. Another example. 50 years ago today, we were in the third week of the coldest winter in the last 100 years. Guess what: London buses went on strike for the first time in decades. We saw a similar threat with the Olympics last summer. The chances of industrial action change dramatically when some other, unconnected big event occurs. And if industrial action occurs, then management are stretched and maybe someone might make a slip in a public statement, on something quite different, impacting reputation. We need to have a mechanism to capture contagion and stop pure silo management of risk by cause.
Here’s where this leads me. Maths can help with all of this. Not that you need a mathematician to handle risk. Instead, that the maths leads to an extra process you can adopt yourselves. So what are we piloting?
We are piloting a process which, at present, sits on top of what you do and is very simple and easy.
In principle – in steps:
- Ensure it is owned by the CEO and the board. The person responsible for strategy (and the governance body responsible for strategy) must own strategic risk.
- Questionnaire for all board members plus an analysis of your website’s strategic or corporate plan to identify the few desired strategic outcomes.
- Define tolerance limit on an outcome basis.
- Define risks by outcome from the above (not cause) but then list causes and combinations.
- Draw up a one-page risk register with the likelihood of going beyond tolerance. Typically this is in bands. We often use 0-3%, 3-10% and >10%.
- Monthly one-page board reporting showing changes particularly changes in likelihood.
- Focus board discussion on getting likelihood down.
- Agree crisis management strategy before crises occur.
In practice, our involvement has typically been with the questionnaire. We take the answers, review the website and offer a strawman risk register. Then the organisation takes over. Since the work to do this is about an hour’s preparation plus a meeting, we don’t charge.
If you do this, experience suggests:
- better risk management at minimal cost, maximising the value of input from the non-executives without loss of focus; quite separately, it gives better decision-taking on key strategic matters by adding an extra question against each option under consideration: ‘what does this option do to the likelihood of going above the tolerance limit?’
- outside consultants don’t need to be involved
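To make the register concrete, here is an added worked example (not part of the talk, and not a GAD tool) that puts the contagion point, the outcome-based register with its 0-3% / 3-10% / >10% bands, and the per-option question into working code. One strategic outcome (‘days of service disruption in a year’), a tolerance limit of 10 days, three causes and their probabilities, impacts and contagion multipliers are all constructed for illustration; the band boundaries are taken as upper-bound inclusive, which is an assumption the talk does not state. The contagion model is deliberately the simplest possible: once an earlier listed cause has occurred, each later cause’s probability is scaled up by a multiplier. Because there are only a handful of causes, the probability of breaching tolerance is computed exactly by enumerating every combination rather than by simulation.

```python
from dataclasses import dataclass, replace
from itertools import product

# Constructed illustration: one strategic outcome, "days of service disruption
# in a year", with a tolerance limit of 10 days. Causes, probabilities, impacts
# and contagion multipliers are made up for the example.
TOLERANCE_DAYS = 10.0


@dataclass(frozen=True)
class Cause:
    name: str
    base_prob: float   # stand-alone probability of occurring in the year
    impact: float      # days of disruption added to the outcome if it occurs
    contagion: float   # multiplier on base_prob once an earlier cause has occurred


CAUSES = (
    Cause("severe weather", 0.15, 6.0, 1.0),
    Cause("industrial action", 0.05, 8.0, 4.0),
    Cause("slip in a public statement", 0.08, 5.0, 3.0),
)

# Likelihood bands as used in the talk; upper bound treated as inclusive (assumption).
BANDS = ((0.03, "0-3%"), (0.10, "3-10%"))


def likelihood_band(p: float) -> str:
    """Map a probability of breaching tolerance to its reporting band."""
    for upper, label in BANDS:
        if p <= upper:
            return label
    return ">10%"


def exceedance_probability(causes, tolerance, with_contagion=True):
    """Exact probability that the combined impact exceeds the tolerance limit.

    Enumerates every occur/not-occur pattern over the causes (2**n patterns).
    With contagion, a cause's probability is scaled by its multiplier when any
    cause listed before it has already occurred; without contagion the causes
    are treated as independent silos, which is what a cause-by-cause register does.
    """
    total = 0.0
    for pattern in product((False, True), repeat=len(causes)):
        prob, impact, earlier_event = 1.0, 0.0, False
        for occurred, cause in zip(pattern, causes):
            p = cause.base_prob
            if with_contagion and earlier_event:
                p = min(1.0, p * cause.contagion)
            prob *= p if occurred else 1.0 - p
            if occurred:
                impact += cause.impact
                earlier_event = True
        if impact > tolerance:
            total += prob
    return total


def register_row(outcome, causes, tolerance):
    """One line of an outcome-based register: the causes, the likelihood of
    breaching tolerance with and without contagion, and the reporting band."""
    p_silo = exceedance_probability(causes, tolerance, with_contagion=False)
    p_cont = exceedance_probability(causes, tolerance, with_contagion=True)
    return {
        "outcome": outcome,
        "tolerance": tolerance,
        "causes": [c.name for c in causes],
        "likelihood_independent": p_silo,
        "likelihood_with_contagion": p_cont,
        "band": likelihood_band(p_cont),
    }


def option_effect(causes, tolerance, cause_name, **changes):
    """Answer 'what does this option do to the likelihood of going above
    tolerance?' for an option modelled as a change to one cause's fields."""
    before = exceedance_probability(causes, tolerance)
    altered = tuple(replace(c, **changes) if c.name == cause_name else c
                    for c in causes)
    after = exceedance_probability(altered, tolerance)
    return before, after, likelihood_band(before), likelihood_band(after)


if __name__ == "__main__":
    row = register_row("days of service disruption", CAUSES, TOLERANCE_DAYS)
    for key, value in row.items():
        print(f"{key}: {value}")
    # Constructed option: resilience spending that halves the weather impact.
    print(option_effect(CAUSES, TOLERANCE_DAYS, "severe weather", impact=3.0))
```

With these constructed inputs the silo view puts the outcome in the 0-3% band (about 2.2%), while allowing for contagion moves the same outcome into the 3-10% band (about 6.9%), which is the kind of shift that would change what a board spends its time on. The option function shows the decision question in use: the weather resilience option lowers the contagion-aware likelihood from about 6.9% to about 4.0% without changing the band, so the register tells the board both the direction and the size of the effect.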
Finally, all my 5 challenges are addressed.
My handouts by the exit, for you to take away, give some detail of a risk register, some citations and, of course, the questionnaire, which, to finish, is designed using behavioural economic techniques to maximise responses.
This speech relates to the third document of the Strategic risk management publication.