Risk Management Insights

I want to join the BLOG

David Tattam, Director Research and Training

Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).
Find me on:

Recent Posts

04/06/2018 / ERM, Risk Manager, KRIs, Press/Media

What we can all learn from the APRA prudential inquiry report into the CBA

Taking Risk Management to the next level 

The APRA report of the prudential inquiry in the Commonwealth Bank of Australia (CBA) was issued on 1 May 2018 https://www.apra.gov.au/media-centre/media-releases/apra-releases-cba-prudential-inquiry-final-report-accepts-eu. On the following day, I was flying from Sydney to Perth and downloaded the report to "skim" read the key points on the flight.

I began reading on take-off and on landing 4 hours later, had completed the full 111 pages. I could not put it down.

Rather than a negative feeling of what we are doing wrong, I saw instead a rich source of information that we can use to take risk management to the next level.

On page 5, the report states:

"The Report that follows may read as a long catalogue of shortcomings. That would be too narrow a read. The Panel acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia. The Report is a roadmap for this journey."

It is also clear that many other financial institutions accept that they could change the name "CBA" on this report to their own and it would be equally as valid. At Protecht, we see this as a must-read for anyone serious about taking their risk management to the next level. It is, as APRA states, "a valuable roadmap".

The following is a summary of the main lessons we can learn from the report, and also the main themes that run through the report. 

Read More

01/06/2018 / ERM, Risk and Reward, KRIs

Balancing the Voices of Reward and Risk

The financial services industry is under the microscope in Australia with the Royal Commission in full swing, and the recent APRA (Australian Prudential Regulatory Authority) report into the CBA (Commonwealth Bank of Australia).

Many sobering findings have been aired, but looking at this positively, the findings provide an excellent blueprint for the development of stronger risk management and business practices going forward. The APRA report is really a roadmap for any organisation wishing to raise its risk management to the next level.

Read More

18/04/2018 / Risk Culture, Risk Management, Risk and Reward

Risk Management to Management? Is “Decision Support” the future?

Three key treasures of good risk management

The future of “Risk Management” would look brighter if we removed the word “Risk”. It is just “Management”. If “Risk” is “the effect of uncertainty on objectives”, Risk Management must be “managing the effect of uncertainty on objectives”. This is “Outcome Management”.  

Business Management involves making decisions aimed at achieving business objectives. Outcome management is therefore just management.

The future success of risk management relies on making it an integral part of management. This will only happen if risk management provides the right incentives. Humans and hence organisations run by humans, respond to incentives. Read related article: '10 keys to Risk Management Success'.

Psychologists have discovered that when a person is handed an unexpectedly hot cup of coffee, they typically drop the cup if they perceive it to be inexpensive but manage to hang on if they believe the cup is valuable.

Read More

27/03/2018 / Enterprise Risk Management, Risk Management, Risk Management Training

Enterprise Risk Management made Personal

PRM and ERM – use it in your Personal life

PRM? As we haven’t got enough acronyms in risk management already, I thought another one was required– right?  So, what is PRM? I just made it up – Personal Risk Management! 

They say charity starts at home – so why don’t we look at ERM, sorry PRM, in our personal lives? We can learn a lot from what we do well in our own lives and apply the same principles to our work lives and, bingo, we have good ERM working in our business!

One of the objectives of most people in their personal lives, I hope, is: To live a long and healthy life.

Read More

23/02/2018 / Bow Tie Analysis, Risk Management, ERM, KRIs

Effective Risk Management Tool: Bow Tie Analysis

Protecht loves Bow Ties, both formal and informal!  Bow Tie analysis has been around for longer than you might think. 

While some industries including oil, gas and mining have been using the bow tie consistently for years, at a broader level it appears that other industries, such as financial services, are also now realising the value of this simple yet effective risk management technique.

What does the bow tie do? 

Bow tie analysis provides a tool to identify and map out the different components of risk including root cause, risk events, risk impacts and controls. 

Read More

08/12/2017 / Operational Risk, Key Risk Indicators, Risk Manager, KRIs

How do Key Risk Indicators work?


In February this year, I ran a blog highlighting the power of the human brain and its senses in acting as a personal key risk indicator (KRI) system for personal early warning risk awareness as we journey through this inherently risky world.

This blog looks at the potentially awesome power that a well-designed and well applied
KRI system can have in the business world.

KRIs have multiple purposes. The main one is to act as an early warning system to prompt initial investigation and response so as to deal with a risk early in its life. It helps a firefighting risk manager to become a proactive risk preventer. At a wider level, KRIs allow us to “measure” risk and incorporate risk into risk-based performance measurement, risk-based decision making and risk-based incentive schemes.

So how do KRIs work?

KRIs operate on the fact that as risk develops through its life, from root cause(s), through event(s) to final impact(s), red flags, symptoms and other evidence may be given off.  KRIs tap into this information and turn it into intelligence to then be investigated and acted upon to deal with the risk most appropriately.

Read More

20/11/2017 / Compliance Management, Risk Culture, Risk Management

Compliance Risk Management Real Example

Gorillas and Bears – Comply or Die!

The story of Harambe, the Cincinnati Zoo’s much-loved Gorilla, went global in its interest. A defenceless animal was shot and killed to save a child who had fallen into its enclosure, not to mention the trauma suffered by the child. Investigations have since found that the barrier separating the public from the gorilla was not in compliance with primate-housing standards and requirements.

This simple story serves as a reminder as to the real reason for the compliance requirements and obligations we face, that is, protection of the various stakeholders of our businesses.

Read More

21/07/2017 / Enterprise Risk Management, Risk Culture, Risk Management, Risk Controls

Prevention is better than cure - and other risk management cliches

There are many well used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:

Every cloud has a silver lining:  If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.

What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.

And my favourite…

Prevention is better than cure: It is better to practice proactive, preventive risk management rather than reactive firefighting risk management. 

Read More

25/04/2017 / Risk Management, Performance Management, Risk and Reward

Opportunity risk management

Writing blogs in risk management is risky. It has a potential upside and a downside.  On the upside, the hope is that the blog adds to the development of risk management thinking and at the least promotes discussion on ideas that could lead to improvements in this great discipline. On the downside, it opens oneself up to criticism, usually relating to the view that we are overcomplicating things and/or not being technically correct. 

I for one, think the risk is worth taking as I believe the upside outweighs the downside and by and large positive and/or constructive feedback outweighs any negative and or destructive comments.

Read More

21/04/2017 / Enterprise Risk Management, Inherent & Residual Risk

Inherent Risk: Friend or Foe?

What does Inherent Risk mean?
There are few common definitions in risk but "Inherent Risk" is commonly defined as "the risk without considering internal controls" or alternatively "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk on the other hand is commonly defined as "the level of risk remaining after the relevant controls have been applied".

Read More