Risk Management Insights

I want to join the BLOG

14/09/2017 / Enterprise Risk Management, Protecht News & Events, Risk Culture

Risk and Compliance Conference Season 2017

The Protecht team is looking forward to this year's conference season. Our focus will be on industry specific conferences where we will showcase how Protecht's full suite of risk management training, advisory and software services map to the needs of each industry sector.

Read More

12/09/2017 / Compliance Management, Risk Culture, ERM

Reputation Damage - Risk Event or Risk Impact?

Looking back over the last 12 months, corporate scandals continue with the finance industry seemingly always managing to make the headlines. Wells Fargo fake accounts in the US, CBA anti money laundering issues in Australia are two examples. The flow on effects from these scandals are often similar:

  1. Executives and CEO's involved are ushered out the door - key person risks arise.
  2. Fines were or will be imposed by regulatory agencies, which seem larger and more punitive in recent years.
  3. Class action lawsuits are attempted on behalf of disgruntled shareholders resulting in additional legal fees and potential settlement costs.
  4. Strategic growth objectives are derailed, as the companies involved need to batten down the hatches to recover from the scandal.
Read More

18/08/2017 / Enterprise Risk Management, Risk Culture, ERM

How to promote Risk Culture in your team

In a recent discussion with a colleague on preparing for 'black swan' events, we concluded that regardless of the size, type and structure of an organisation, it was having the right risk culture that was the key success factor in preparing for and surviving an improbable event.

Our view is that getting the right culture to support risk management across the business is the most important ingredient for success. But what actually is this thing called 'risk culture' and where can you get it? We believe that risk culture is the system of values and behaviours that are present in an organisation and guides all the decisions related to risk, made by management and employees. 

Read More

21/07/2017 / Enterprise Risk Management, Risk Culture, Risk Management, Risk Controls

Prevention is better than cure - and other risk management cliches

There are many well used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:

Every cloud has a silver lining:  If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.

What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.

And my favourite…

Prevention is better than cure: It is better to practice proactive, preventive risk management rather than reactive firefighting risk management. 

Read More

19/06/2017 / Enterprise Risk Management, Risk Controls

Risk Event Libraries. Do your own sanity check.

At Protecht, we get to see a lot of risk event libraries. There continues to be some confusion as to what is actually a risk event that is worthy of its place in a central library of risks. We often see these libraries peppered with failed controls, impacts and causes rather than the true underlying risk event.

In this blog we hope to provide some tips for you to do your own sanity check on the quality of risks in your risk registers or library. 

It helps to first think about the output – what will our reporting to stakeholders at both management and Board level look like and be used for. If risk events are too broad, aggregation of supporting data such as incidents and internal audit findings connected to such broad risks will become less useful, as will any attempt to allocate a meaningful set of controls to the risk. Too specific with lots of detail, renders summation of the top risks in charts as too unwieldy and confusion as to what is the actual risk event.

Examples would be as follows:

Criminal activitytoo broad. In this example, there are too many sub risks with different controls that need to be assessed. If all internal audit findings and incidents relating to internal fraud were wrapped up to this ‘risk event’ the first thing any Board member would ask is what type of criminal activity are we talking about? Rather than a risk event – this would be a good risk category, similar to other risk categories such as Employment Practices and Safety and Business Disruption.

Read More

06/06/2017 / Enterprise Risk Management, Risk Culture, Operational Risk, Risk Controls

Reducing human error...

What is Human Error?

Risk events often have many contributing causes, a common one being ‘human error’. But what is human error and can it be adequately mitigated? Human error can be defined as being a ‘failure of a planned action to achieve a desired outcome’.

Actions can fail to achieve the desired outcome if the action itself is inadequate for the purpose for which it was designed; or the action can be adequate but the execution of the action can be deficient – either through unintentional or intentional behaviours of people. Related article Expected and Targeted Risks.

Outcomes? 
There are therefore six possible outcomes in the combination of plan and human action:

  1. An adequate plan that is intentionally followed will likely result in the avoidance of the risk event
  2. An adequate plan that is unintentionally not followed will likely result in failure – a risk event caused by human error
  3. An adequate plan that is intentionally not followed will likely result in failure – a risk event caused by malice
  4. An inadequate plan that is intentionally followed will likely result in failure – a risk event caused by poor planning
  5. & 6. An inadequate plan that is unintentionally or intentionally not followed has a higher likelihood of failure or success of meeting the ultimate objective.

An example…
Is the case of the Piper Alpha disaster, where personnel who followed the muster procedures found that they could not access the lifeboats from the accommodation block, personnel who survived the disaster were those who (unintentionally or intentionally) chose to violate the muster rule and ‘step off’ the platform into the ocean. Therefore, an inadequate rule (plan) was violated and the ultimate objective (no fatalities) was individually achieved as these people avoided the risk event.

Read More

10/05/2017 / Security Risk Management, information security management

Cyber security – will we ever be safe?

I recently read an article in the @TheEconomist (April 8 edition) entitled The Myth of Cyber Security, a somewhat depressing article on the poor state of cyber security globally. The author discussed numerous reasons behind the current problems:

  • Software complexity and speed of development
  • Users failure to protect themselves
  • The technology industry’s inability to self regulate and accept liability for product flaws

The last point drawing comparisons to the car industry in the early 1960’s. It was not until the government forced their hand on safety did the industry’s attitude change.  The author considered that perhaps additional government intervention could be beneficial to the technology sector.  Examples included increased reporting requirements for companies that are hacked, forced default password changes and legislated timeframes for fixes to "at risk" products.

Read More

25/04/2017 / Risk Management, Performance Management, Risk and Reward

Opportunity risk management

Writing blogs in risk management is risky. It has a potential upside and a downside.  On the upside, the hope is that the blog adds to the development of risk management thinking and at the least promotes discussion on ideas that could lead to improvements in this great discipline. On the downside, it opens oneself up to criticism, usually relating to the view that we are overcomplicating things and/or not being technically correct. 

I for one, think the risk is worth taking as I believe the upside outweighs the downside and by and large positive and/or constructive feedback outweighs any negative and or destructive comments.

Read More

23/03/2017 / Risk Management Training, Inherent & Residual Risk

Risk Appetite - Inherent and Residual?

 The case for setting both an Inherent and Residual Risk Appetite

In the last two blogs, Inherent Risk - It is useful? and Expected and Targeted risks, I discussed the potential value of assessing inherent, residual, expected and targeted risks. In this article, I go one stage further and discuss the potential relevance and value of setting both an inherent and residual risk appetite. 

The instigator that prompted me to consider this topic came from a board risk appetite setting session I conducted a short time ago. It was clear that the board was not going to agree on the levels of risk appetite for certain risks as their views were quite diverse.

At one extreme, one director wanted to set high appetites, especially for strategic risk, while another more conservative director was very uncomfortable with this and wished to set much lower appetites.  Listening to the conversations it becomes clear that the discussion was at cross purposes.

Read More

16/03/2017 / Protecht News & Events, Risk Culture, Risk Management, Risk Management Training

Risk and Compliance Management Journey.

A personal story

Behind every hard-working professional there is always a personal story to tell and one of the best ways of learning is listening, talking and sharing those stories and those personal points of view. A key philosophy at Protecht is to listen and learn from professionals across all lines of business.

I was recently invited to present the Governance Institute Dux Awards for Risk and Compliance, a recognition that Protecht has been sponsoring for a number of years. The award recipients generally don't have a background in risk and compliance management, with many coming from legal or accounting professions.

Read More