How do you build and improve resilience in your organisation? In this recording, David Tattam talks about how understanding the dynamics and balancing the voices of risk and reward can help you achieve sustainable rewards.
This session was recorded at the 2018 RMIA Annual Conference and was part of the Organisational Resilience stream. You can download the slides from the presentation at the end of this article.
Okay, good morning to you all. This morning, I want to talk about relationships, particularly marriages, good relationships. Because obviously, appreciate that this stream is about sustainability. When I was thinking about sustainability, I often think about sustainability, not just obviously work life, but also personal life. I have a confession to make, because incidents do make you stronger. I am on my second marriage and final, and it got me thinking about sustainability.
We all dream and hope that when we walk down the aisle that we are there at 95 years old on our rocking chair with Horlicks and slippers with our partner. But often as we know, that isn't what ends up. I started to think why. I'll start to flip that over then to an organisation of the relationship that we should have between the partners of risk and reward. That's what this session is really all about. It really stems from the fact that with so much going on in risk management, particularly financial services at the moment. And the Royal Commission, which we talk about a little bit tomorrow, also the APRA report on the CBA.
A lot of that was talking about the voices that were not being heard equally. In a marriage, there is a voice of both partners. This is all about the balance between the voices of the partners in the marriage to make it successful. I'm going to start off on a really good note, which is two glasses of champagne, which you might resonate to much better, and celebrating a happy marriage between risk and reward. What does that look like? Now, in terms of it, I want to talk about four things:
- The first one is to meet the partners.
- Secondly, relationship dynamics between the partners in the relationship.
- Number three, managing the marriage, because it needs work, let's be honest. Managing a relationship between the partners.
- Finally, reporting on the health of the marriage.
Now, the first one then is to think about meeting the partners. I want to have a look at the reward partner and a look at the risk partner. Now, probably a couple years ago, I couldn't put the next slide up. But I'm very proud to say that I can because we always think about who these partners in the relationship are. We know that it could be or it could be or it could be. Now for no other reason than tradition and making the two look different, I'm going to choose the one in the middle, and the risk and reward partnership.
Let's see if we can meet the partners in the marriage and understand them a bit better. Now, the only reason I have labeled the female as risk is because the Australian slang that we use when you tell someone when they're just about to do something, watch out for, and they go, "She'll be right." She'll be right is actually risk. She'll be right means, don't worry with all that risk stuff. I want to go and get reward. As a result, I've labeled the female for risk. That's the only reason. That obviously makes the other person reward.
Let's think about what risk and reward are about. Let's learn a bit more about them. Firstly, risk. Risk is the effect of uncertainty on objectives. Reward is the degree to which we meet our objectives. Now, that includes both financial and non-financial objectives. If we think about it, straightaway, we have a connection and a strong bond between these partners. Because one is reward, the degree to which we meet our objectives, and the other one is the effect that uncertainty can have on objectives.
It always amazes me the number of times we work particularly with new clients, and the word risk is key because we deal with risk managers, and very rarely do they mention reward. It's all about risk. It's all about putting more controls over that risk to try and minimise it down to nothing or try to eliminate it. As we're going to see in a minute that's not such a great thing in a marriage when you eliminate a partner, it doesn't usually work quite well.
When we now have looked at our partners, let's move on a little bit to think about the depth of that partner. Now, reward is the degree to which we meet our objectives both financial and non-financial. Now, importantly, and this obviously is prominent in the Royal Commission is that the objective should cover the objectives of all stakeholders. All stakeholders, not just the shareholder as APRA refers to in the CBA report, the voice of finance. It should cover the customer, the member if you are a mutual, the employee, the suppliers, the regulator's, the society and very importantly the leaves on the trees and the water and the environment.
Let's move over to risk now. Risk is the effect of uncertainty on objectives. Again, as the objectives for reward cover all of the stakeholders, so should the risks cover all stakeholders. What risks do we have that affect the shareholder? Yes, we do that quite well. What about the customer? Again, the member, or the employee in all of the shareholders, all of the stakeholders we spoke about earlier.
Now we're starting to get a linkage because the link is the anchor through the stakeholders, and we've got them there typically seven or eight or nine stakeholders that we all have. And obviously, the balance between those is something about your strategy. What's more important, the shareholder or the member or the environment?
Now, let's go and have a look at the couple's child. Because children can tell us a lot about risk, and that's what I want to do now. I want to introduce you to Jenny. There's Jenny. She's seven years old, and she's attempting to achieve an objective. With anybody that's a parent or otherwise might appreciate she's facing some risk. But let's have a little chat with her about what she is trying to do from beginning to end and number one is what is Jenny's or what are Jenny's objectives?
The most obvious one for a child is number one, to have fun. But she's a great kid, she also wants to be safe, and she's a fantastic kid because she wants to comply with the park rules. Now, as with our own objectives and our organisations, we'll prioritise these objectives. I'm sure the child will prioritise number one above number two above number three. It's very important we as organisations also prioritise our objectives and are very explicit with what those prioritisations are. We'll cover this later. But when I see an organisation that tells me that they are there for the care and the value add to the customer, and they promote that on all their materials. And then they go in-house and they talk to the brokers and go, "Mate, just sell, sell." We've got something being said externally and internally. We're actually re-prioritising for the voice of shareholder over the voice of customer. It might sound familiar in financial services.
Once we have our objectives, risk doesn't come from the objectives, it comes from what we need to do to achieve the objectives. The second step to feed us into risk is what are the critical things that Jenny needs to successfully achieve in order to meet her objectives?
Now that puts you there are three things. She needs to get up to the top of the rock safely, play on top of the rock safely, get back to ground level safely. And if she can achieve those three steps, she's achieved her objectives.
Once we have identified those critical steps, we can now identify things that could stop her achieving those critical steps. We happen to call those risk.
As a parent, falling is probably the most obvious one. Now, falling is a risk event. A risk event for us is the point at which you lose control. If I am walking along and I start toppling off, that's the point of lost control, and that is my risk event, falling risk. I'm going to stand a little bit back from here.
Now, this stage we don't know why Jenny might fall. So, I'm going to come up with five reasons she might fall. We obviously call those the root causes.
She's just a seven year old human error. It rained last night, liquid has it slippery ground. Moss on the rock to make it slippery, and so on. That's our root causes. As a result, we've gone all the way back from objectives through critical process through risk events to root causes. And then we think about how do we control that risk?
I've given you six potential controls that we could use. From inspections to clean up, non-slip shoes, first aid.
Now, I want to put this all together in a picture, and some of you that know Protecht, you know we love bow ties. So, bow tie analysis is the way that we can pull that all together, our favourite approach. It goes something like this if you're not familiar with bow ties.
In the middle of the bow tie, we put the point at which you lose control, which is the risk events, and that's falling. We then move either left or right. I'm going to go left first, to go back to the root cause. We are to do that by asking, but why? We keep on asking but why until the answer is, it just is or it's outside of our influence. Let's go.
She's just a kid. Why is she just a kid? Well, she's just a kid. So, human error in this instance, is one of our causes, because it just is. Liquid has it on the ground. But why? It rained last night. Is the level of rainfall within Jenny's influence? No, it is not. So, it's one of her root causes. It's an external root cause. I'm not going to say and explain each one of these, I'll leave the rest to your own thinking.
That gives us our root causes. We've now expanded that left hand side to go back to the source, the root cause of the risk. We then go the other way by asking, but what next? We don't stop until one or more of our objectives has been impacted. You can see on the right hand side, those three boxes equate to the objectives that Jenny had in the first place. Now, obviously, in risk management, we call the first one root causes, the bits in the middle risk events, and the right hand side risk impacts. An impact should always equal your objectives. I'm still amazed at the times we go to new clients and we look at their impact. Register impact, list of items and they don't correspond with objectives. There is no linkage between risk and reward, which makes no sense whatsoever.
One of the first takeaways is to ensure that your impact types in risk management exactly equal the objectives out of the strategic and the business plans.
Once we've got that, we can put the outline around it and that obviously gives us the bow tie. We can then start adding our controls on at the appropriate spot. Inspections and clean up for liquid hazard and moss hazard. Training for the child, non-slip shoes, cushion, safety hat and first aid.
What we've done here is gone through that picture of risk from left to right, and put various controls in place. Now, the controls on the left are preventive controls. The controls in the middle are detective controls, and the controls on the right are reactive or corrective controls. Once we look at that, we have the picture of marriage. Because on the board there, we have both partners. Because on the left hand side everything around falling is risk, and there we have the bride. And everything on the right hand side because it impacts is equal to objectives, which is reward, and there is the groom.
One of the key things here is that in risk management, we should never ever talk about risk without talking about its partner. It's rude. If we talk about risk, we need to be talking about reward or the objectives because if you're not, you're not connecting the partnership together. Now, the two ways to do that, or the first way to do that, sorry, is make sure that in every discussion of sentence, you use the word risk. You also mentioned reward. We train a lot of frontline managers, not risk managers, and they complain about risk managers talking about risk and having to control everything and spend lots of money on controls and causing the business a lot of overheads and so on. I say to them, the answer or the question you should ask is, why do you want me to add that control in? If they say, "Oh, it's because it's risky." Then you ask the second question, what objectives of my business does this risk effect? A risk manager who doesn't think risk reward will go, "Well, it's just risk. You've got to control it." Well non-acceptable. You've got to be able to link it and explain how in any way it affects the objectives of the organisation risk reward.
That is a most common diagram that we use to explain the marriage, risk and reward, and it should sit on one sheet. Which means we are looking at both partners at the same time.
Now we understand what the partners in the relationship are, let's have a look at the relationship dynamics. How do they relate together? How does the marriage work? How do risk and reward interact? And secondly, are they enemies or best friends? Well, let's be honest with sustainability, enemies are not going to last long. If they are friends, then we're going to have a sustainable relationship, a sustainable marriage.
So, let's think about now, the dynamics. Let's go back to the definition of risk out of the ISO 31000 standard, and it says risk is the effect of uncertainty on objectives. Risk is the effect of the bride on the groom, the connection. Now, if risk is the effect of uncertainty on objectives, managing risk must be managing the effect of uncertainty on objectives.
I would put to you, sorry for all of you in the room, risk management as a discipline is ridiculous. I don't know why we call ourselves risk managers because it's not what we really do. What we really do is this:
Because we are managing the effect of uncertainty on objectives. What we're really doing is managing objectives.
I wish our industry was actually called outcome managers. This creates magic. Why? You go up to your frontline management team or CEO, or whatever and say, "Good morning, I'd like to have a chat with you." And they go, "Who are you?" "I'm David from risk management." They look at their diary, and miraculously, there's no room for six to eight weeks. I'll come back to you in 10 weeks. "Good morning. It's Dave here. Where are you from?" "I'm from outcome management." At the risk of sounding like a consultant, and they say, "What are you doing?" I say, "I'm here to help you nail your objectives." I bet they're going to say, cappuccino or latte or better, I get a seat at the table on day one.
The first thing to remember that we're not risk managers were our objectives managers, and each of you that is a risk manager, I want you to add a translator chip into your brain right now and give one to every employee in your organisation. And it works like this, slot it in right now and it goes and every time you hear the word risk management, you say to yourselves, outcome management. Your face will go from a grimace to a smile, because you're now talking about the relationship between risk and reward, not risk in its own right.
Let's have a look at outcome management as an example. This is a lovely main road in Nairobi, in Kenya.
We used to have an office over there, but because of the road like that, or partly that's the scenario. Our objective in my example is to get to the end of the road safely. The potholes, obviously represent risk because they create uncertainty as to the achievement of my objective of getting to the end of the road safely.
So, let's have an approach at management wise how we might try and achieve our objective. Number one, just floor it, flat out. Drag race up to the end, hopefully jump over the potholes. Now, this is about she'll be right brigade. Because they want to get to the end of the road. When you mention the potholes, she'll be right. What could be the result of this? The first time they go, they might luckily make it, second time might luckily make it, seventh time. On the eighth time, however, that's what happens. We call this boom, bust management. Boom, boom, boom, boom, all the time, life is good. Something comes along, bust. We're very good at that in business, particularly financial services. It usually takes seven years for the bus to come along, but it does.
This kind of relationship is where the mile or reward is the biggest, and the female risk is tiny, because we're not listening to the voice of risk. That will be Boom, boom, boom, bust. Because after a while, the risk partner who's being ignored, gets kind of annoyed and frustrated and burst out of the closet and go, "Remember me?" "Who are you?" "I'm your partner in your marriage." "Oh, sorry, I forgot about you." And then we have the global financial crisis. And then we worry about the risk partner lots and ignore the reward partner. I'll come to that later. That is not a happy marriage.
Number two, we look at the holes and they scare the hell out of us. We are so paranoid about falling in a hole, we are so scared, we give up. I'm not even going to attempt it. This is called avoidance or elimination. In this instance, obviously zero success. We just give up, we go home, so we're never going to achieve anything.
Then in this instance, we've got a tiny male reward and a really big female risk because we're focusing too much on risk in this scenario.
Number three, we look at the potholes, they scare the hell out of us. But we really want to get to the end of that road. So, what do we do? We buy some really big wheels and tires. It slows the car down dramatically and costs an absolute fortune. It takes two hours to get to the end of the road, and by the time we're there, we're bankrupt. This is the same problem as the first one, but for a different reason. This is where the male is very small. We're not worrying about reward. Cost doesn't matter and risk is huge.
Same as the one before, but through too many controls bogging the business down. What's the solution?
I would suggest that smartly maneuvering around each pothole as you come up to it; quick left, quick right, 25 kilometers an hour, slow down, break, left, right, and we weave our way up through the road. Now, as we're doing that, we are now focusing on the reward yes, and we are focusing on risk, but we're not overdoing it.
I will put to you that there is where we will get success. Success is sustainable reward. It's not boom, boom, boom, boom, boom, boom, bust, its boom, boom, boom, which is reasonable profits but not crazy. But we can keep on repeating that year after year and will end up with our partner at 95 years old still holding hands because we got a balance between the two. Now, that to me is success. That's what sustainability is all about.
My number one objective in risk management is sustainable reward. That's it. That's what we do, is sustainable reward.
To sum that up then, if we look at the partnership, reward is the main focus, risk is secondary, she'll be right, boom, bust. Rewards, secondary focus, everything's too risky around here, our main focus is risk. No boom whatsoever, therefore a long term bust. 50%, 50% equals long term sustainability. That is the dynamics between the partnership.
Let's now think about the relationship and how the dynamics work. Firstly, generally, as long as you're taking reasonably smart risk, the greater the risk, the greater the average expected reward. However, the greater the risk, the greater the potential variation around that expected outcome.
Now, many many years ago I did a degree in business finance and so on. I remember doing a class on economics, which introduced me to the concept of this. Some of you might remember this from your uni days, the capital asset pricing model or CAPM. Probably gives you nervous twitches, thinking about that. Here it goes.
This is a map of the partner, male return or reward up the left. We have now risk, the other partner on the horizontal axis, and we map the two as how they relate. They relate like this. Let's have a look at expected reward or expected relationship. It looks like that.
On the left hand side, that's the level of return we're going to get for taking no risk. We call it the risk free return. If you're thinking about it financially, let's say investing in a three year government bond, very low risk, only sovereign risk, but obviously a very low reward. As you move to the right and take more risk and make the risk partner bigger, on average, expected return for the other partner goes up. Now, obviously without any other additional information, it would make sense to always have massive risk and massive reward. But it's missing something, and that's variation.
So, let's now add variation on, variation. The more risk we take, there is a bigger chance of not meeting that outcome in a negative sense, in a huge way, massive losses. Over here, very low variation, the outcome's fairly certain. Equally though, as long as the risk has an upside, we call it opportunity risk, it could also be that. Where we take a risk and the actual outcome is better than what we expect. This is really important in risk management is that we've got to appreciate that some risks have an upside and a downside where some risks have downside only. Downside only we call threat risks. Once they have an upside, the upside we call opportunity risk, and the downside, threat risk. Obviously, we need to be smart about this because the opportunity risk can actually add to our outcomes, the green side. Threat risk can hurt us.
Maximise the upside, minimise the downside. One of the things that we're going to talk about in a minute is how far up this side can we go? How big can we get the risk partner to be? Well, that's determined by risk appetite. In this instance, it tells me the marriage can never go further right than that blue line. That's our risk appetite. Now, I'm going to talk about risk appetite in a second. The key is, the higher the risk, the greater the expected reward. However, the greater the variation around that expected outcome.
Now, we understand the relationship dynamics. When I talk now about the managing the marriage, the keys to a happy, sustainable marriage, making great relationship decisions. Because a lot of what we do in risk management should be focused on helping our people make better decisions. In a marriage, good decisions will equal sustainable marriage. Finally, incentives for success. Let's have a look.
The keys to success:
- Number one, understand each partner really well. Get to know your partner extremely well before you go and walk down the aisle, know each other. Get to know reward really well and get to know risk really well.
- Understand the needs of each partner. What is the needs of reward? Where does that come from? Strategic plans and business plans. Understand the needs of risk. What are the risk targets? What are we aiming for? What's the right balance.
- Understand the boundaries around the relationship, particularly around risk appetite.
- Ensure both partners have equal say in the relationship. I would argue a relationship while one part that dominates the other is not going to end in a happy position. It's going to have a limited life. Equally, a business that downgrades risk to the detriment of reward, we know what that looks like. A decision is made, it's all based on reward, and when it's made, someone says, "Can you tell risk? Apparently, they have to do some tick off or something." That's disgraceful. Risk should be at the table at the same time reward is at the table so their voices are heard equally.
- Ensure the performance of the marriage is measured based on the optimal outcome for both partners, not just one. We have so many incentive schemes based purely on reward. Yes, sales volumes and goodness knows what. We see that in financial services a lot, and that ends in tears.
- Ensure that those that make decisions that affect the partnership are incentivised for both risk and reward performance. So, the incentive scheme is there to make sure the balance between the partners are managed appropriately.
Let's go to two of those. Let's understand then the reward part really well. For that, we need a really good strategic plan, which is, where do we want to be in three years' time, and the right business plan of how are we going to get there? I'm still amazed at the number of times we go out to clients and we start doing risk work with them. I always asked for a series of information from the customer or the client. The top of the list is the strategic plan and business plans.
So many times I get a call back saying, we want to know why you want these, and I just shake my head and go, what on earth is happening? There is an organisation that doesn't in any way link risk with reward. Or secondly, they say, "Well, I actually am a strategic plan and business plan isn't very good. We don't have very measurable targets. So, we often backfill." We don't really do strategic planning as a firm, but we do because we get dragged back into doing it. Because you can't do any decent risk management unless you have a very strong strategic and business plan with measurable KPI targets.
Second part then is risk appetite.
What is the maximum amount of risk that we are allowed to take? This puts a size around the risk partner. We think about what risk appetite is, the maximum amount of risk that we are willing to take in pursuit of our objectives. So, how big, and I don't mean physical, but how big can the reward with risk partner be? Because that is going to determine the maximum size of the reward partner, because they are linked.
Now, in this instance, we call the risk appetite, freedom within boundaries, freedom within boundaries. I want to give you a little illustration of this. So at the same time, we're going to use this illustration to really have a look at the relationship between risk and reward for decision making. Let's start off then with risk appetite, an illustration. Imagine that you and your partner have two children, Jenny, we've already met Jenny and Johnny.
This weekend you want to go to the local park. And your objective with your partner is to have wine and cheese and chat about the film you saw last night on a picnic rug in the middle of the park. There it is there, the picnic rug.
Johnny and Jenny, they got a different idea. They are off, they want to go play. They want adventure and fun. They go, "We're off Dad, mom." You go, "Wait a sec. Before you go, don't go too far away." Why? Because over there, there's really high trees, there's a rock ledge over there, there's a main road over this side of river over here. And we know that the further they go away from the picnic rug, the greater the risk. It's a risk proxy or risk indicator. In addition. We can't supervise them as well, so our controls are weaker the further they go away.
So, Johnny says, "How far is that dad or mom?" Now, you're not allowed to mark the parks. The line's a little bit invisible but it's about there in your head. Poor old Johnny doesn't know quite where that is, and you have to explain it. So, you say to Johnny, "It's, a pretty big area." In our view of the world, big is risk appetite. Appetite is the size of risk manifested in a qualitative measure, qualitative. It's fantastic for mom and dad to discuss the relative risk appetites we have.
Now, mom and dad might say, "Well, playing risk medium, sugar risk, zero." I'm probably making this up. It's good to articulate the relativities between your different risk types. However, poor old Johnny doesn't know what big is. So, it's not very good to operationalise into the business so that your business decision makers can make decisions.
What do we need? We need a measurable metric that supports the appetite. I'd suggest the best one we might have is meters from the picnic rug. We now put 22 meters away. That is a tolerance supported with a measurable indicator. We are assuming Johnny and Jenny know what a meter is. We need to educate them in what that indicator means. But we'll assume they do. Once we've got that, they now know that they are free to play within that circle, but they're not allowed to go outside, and they are free to do what they like in that circle to have fun.
Now, ordinarily, in risk management, we generally like colours. What we generally do is we have an inner sanctum called the green zone. Which means with an appetite, no action required is what most of us say. Between now and the boundary, we usually have amber, which means with an appetite, raised attention. Outside is pretty obvious, which is outside of appetite, action required. That then gives us that classic RAG, red, amber, green. Some of you might have red, amber, green, pink, blue spots, whatever, it doesn't matter. I've just got three, it seems to be the most basic.
Now, in addition, we've got capacity. Capacity is the point at which you take risks that could threaten your survival. That's when Johnny and Jenny walk across the main road over here or go into the river. We have now, capacity, maximum risk we are able to take. Come back in, we have appetite. Come back in, we then have a trigger, which gives us a green, amber, red. That then gives us a maximum amount over the size of the risk partner.
That is critically important because the bigger the risk partner on average, the greater the reward. But equally, the greater the potential variation. So, you want the kids to have fun, but you don't want to risk their personal health to a degree, which is obviously potentially going to be long term injury. That then leads us to relationship decision making.
The first major objective of risk management is sustainable reward. How do we get that at a micro level through better decision making, risk reward decision making. When you make a risk reward decision in a relationship in your business, step number one is to ask the question, can I? The can I test. The can I test is the level of risk in the decision within your risk appetite. If the answer is no, you can't. If it is, you can.
Now, there's a second risk appetite called society's risk appetite, which is given to us by compliance, compliance obligations. Is it within the law? Yes or no? Is it within your risk appetite? Yes or no? If either of those answers is outside, the answer is we can't do it. If it's within, it means we might do it, but not necessarily we will, we might. We then move on to the second question. If it is with an appetite, we move on to the should I test. The should I is where we balance the reward with the risk. Hi, this looks like having a look at relationship decision. What is the optimal relationship between the reward and risk once we've determined the maximum size of risk?
Let's go back to the picnic rug and apply the Should I test.
In order to do this, we need one more zone, and that zone is in the middle called the blue zone. Some of our clients have it, not all. It's a one meter boundary around the picnic rug. You're going to see how we use that in a second. Once we've got that, you then need a really good risk system. This risk system is an app on your iPhone which measures the location of the kids, with respect to the picnic rug by geo locating the kids with a chip somewhere. We can measure how far away are from the picnic rug.
Risk Appetite: The Red Zone
So, let's have a read. Okay, beep, beep, beep, 23 meters, which means they're in the red zone. You're having a lovely chat with your partner. If it goes into red, you need to interrupt your partner and say, "Excuse me." And go running off. Grab Johnny, Jenny by the ear, pull them back in, "What the hell are you doing out there?" Because red is outside of appetite. Don't tell me you're having a great time. It's irrelevant because you are outside of appetite.
Unfortunately, a lot of people in risk management start accepting red as the norm. Maybe the CBA from the APRA reports highlighted that red became the norm. We often called it the SOR report, the sea of red, it becomes norm. That's unacceptable, totally unacceptable,
Risk Appetite: The Amber Zone
The next then is 21 meters. 21 meters is just on the amber zone. 21 meters, amber zone. A lot of people think amber is not good. I disagree. It depends on the other partner in the relationship. A lot of people go if it's an amber, get it back to green, not necessarily. Let's see what I'm going to do if it's in amber. I'm chatting with my partner, they're in a good bit about the film, and I say that I'm sorry to interrupt you. But can I just quickly ask a question of the kids? Because it's within appetite raised attention.
What I do now, I call over to Johnny and Jenny, I go, "What are you doing over there?" The first thing they say is, "Oh, we're playing on our iPads?" What am I going to say if they playing their iPads? I'm going to say, "For God's sake, come back into the picnic rug." Why? Because I know they can get the same reward playing with their iPad sitting on the picnic rug with a lot less risk. So, that is not a good relationship dynamic. I'd go, "Come on, get yourself back here." Or they say, "Oh, Dad, we found a fantastic cave. Bats are in here, Bear Grylls is with us down here. We're having so much fun." What I'm going to say now, I'm going to say, "Good on you guys. Awesome, tell us all about it when you get back because they've justified that their reward is worth it for using that level of risk." There's the relationship.
Risk Appetite: The Green Zone
Next, 14 meters, they're in the green zone. What am I going to do now? We're talking about a great part of the field, I'm not going to interrupt my partner. I'm going to wait because green is kind of okay, and I'm going to wait for a nice break when they're done. I just turn around, "Johnny, Johnny what are you doing?" "Playing with our iPads." "All right guys, look, I know you are. But honestly, come back to the picnic rug." I'm pretty chill because it's green. But it's not optimal, because I can get a lower risk for the same reward.
Or they might sit and go, "Oh, we're playing tag, we're having okay fun." I go, "Okay, cool." Because I've now met risk reward. Although they go, "Oh, we're bored. We want to go home?" What am I going to do then. I'll say, "God's sake, get out to the cave." Go and take more risk because the reward is not worth it. And then the favourite spot for me is 0.5 meters on the picnic rug, wingeing, moaning. We've had enough, we want to go home. What are you going to say to the kids? The first one I'd say, is why are you wingeing? "Oh, we just had enough." What are you going to say as a parent? I know what I'm going to say. "Go away. We brought you here to the park to have fun and you're moping around the picnic rug." I take more risk.
A risk manager should encourage the business to take more risk.
And I know it goes against a lot of philosophies. Rubbish, we are risk managers, we are not risk minimisers. If we're not getting enough reward we should be pushing the business. In financial services we talk about the three lines of defense. I don't like the word defense, it should be called the three lines of defense and attack. Because attack is when we're taking too little risk. Or they go, "Oh, dad, I've broken my leg." If they've done that, they've justified why they are taking little risk and I would be remiss of me to go off we're going to say go away. I'd be going, "There, there, there." Fix it up and it's okay to be in that zone if you have a reason.
That is then bringing in the can I, should I test together. You can see the importance of the relationship dynamics once you are within the area of freedom. So, let's finish up then talking about the reporting the performance of the marriage.
How well is the marriage going? Let's have a look. Let's have a look at how the male partner's going. There we go.
A few little measures, we might call them performance indicators, and we might scale them green, amber, red. Green's great, red's not so good.
All right. That's a little snapshot of how reward is going. What about risk? How is she going? Chuck a few indicators on and see how they're going. We've done it individually now. But the key is going to be to bring it together because we should be looking at the balance of how they're feeling, not one over the other.
But that then brings me to a section of the APRA report on the CBA. One of my favourite parts of it is all about the voices. In that prudential or that report, some of you may have read it. It gives us some key lessons around the voices.
It says particularly, that the objects of different stakeholders must be balanced. The voice of finance and the voice of customer must be heard equally. The short term, long term objectives must be balanced. The voice of risk must be balanced with the voice of reward. Sound familiar? Bonuses linked directly to sales volume relating to how the groom is feeling alone is unacceptable. Because you're only looking at one side of the equation. Bonuses should be linked to a balance of metrics covering all relevant stakeholders, and both risk and reward, which is the state of the combined partnership.
So, balancing the voices of risk and reward, what might it look like?
Well, here's the voice of the groom. Here's the voice of the bride. Now, it's slightly more complex than that. There's not only two people in this relationship. I won't go any further with this analogy, but there's lots. Because each of the stakeholders has a partnership, the voice of customer, the voice of shareholder, the voice of employee, the voice of supplier. What we have, therefore, is a matrix. We have risk and reward but by stakeholder. If we look at that, and we measure all of that, and we put the two together, it might be something like that.
Without knowing the metrics that's gone behind that, how do we feel about this organisation? Well, I would figure the shareholders' pretty happy. Reward's good, green and amber risk, pretty good. The customer, oh dear. We can't really care about the customer do we? Both red and both reward and risk, the voice of customer is not being listened to. The employee's happy days. Great reward, very little risk for the employees. Sounds like a very selfish organisation to me. Shareholder and employee are key. Regulator, not really happy. Society don't seem to care too much about that. But that is an example then have of a little snapshot of the marriage. What might it look like? Here's an example.
Over on the left here, we have the performance of the groom. On the right we have the performance of the bride. Now again, without looking at great metrics, what does this tell us? Well, again, shareholder happy days. Green reward, green risk. Customer, oh dear. The employee, pretty good. Regulator, not happy. Supplier, third party, not happy. I didn't model this off anything particular, CBA. But this probably highlights what a report for the CBA might look like after reading the APRA report. It said the voice of finance is the strongest, which is the reward for shareholder. It said the voice of customer was not being listened to. It said that CBA were aggressive and adversarial against the regulator for us a regulator. So, I did model it a bit of that.
Now, for me, if we instead reported like that, this was then the focus of the bonuses that were given to CEOs and whatever, the world would change. I would argue coming out of the CBA APRA report, and the Royal Commission is this is a bit of a practical solution to make this happen. Maybe where those of you that have attended the discussion on the Royal Commission tomorrow, might expand that a little bit further.
Finally, what does the risk side look like? Because I'm not here just to talk about performance, more risk side. Well, traditionally, and I think it was earlier this morning that spoke about the different ways you can measure risk. Traditionally, we might do it by five by five matrix, very basic. We might add on to that some indicators, but to us, is that risk measure is a whole myriad of things. We happen to call it, as a firm, Protecht RiskInMotion.
What RiskInMotion is, is coming up with an overall score of that risk by bringing all the risk information together. In the first column, we've got our risk assessment, typical five by five matrix. In the next column, the results of our controls testing on that risk at the stations on that risk, key risk indicators on that risk, audit findings, outstanding actions on that risk. The past incidents on that risk and amalgamating all that information up to an overall score.
I know this morning was talking about continuous monitoring, picking up information from the internet of things. That's indicators, that's going in there. This now creates a dynamic risk profile so that we're always checking in with the risk partner and going, "How are you going? Are you okay today?" And not shutting them in the closet for seven years and ignoring them on the shell be right brigade, and then they jump out after seven years very upset and cause a crisis. We don't want that, we should be checking in with each partner on an ongoing basis.
I believe the risk partner isn't checked in often enough because we do risk statically and we need to move to a dynamic level.
Let's finish up them with the motivation to create a happy marriage. That moves us finally to incentive schemes remuneration.
In the APRA report, it says bonuses linked directly to sales volume and sales targets should be removed. Hallelujah, we should not measure the performance of a relationship purely on how the husband is feeling. It's not going to work. Bonuses should be linked to a balance of metrics covering all relevant stakeholders and both risk and reward. Exactly what we just spoke about.
Finally, tips through a resilient marriage.
Not that I should be speaking, given that I'm on my second one, but I'll give it a shot because I've learned from past mistakes. Risk and reward partners are equal. They have equal voices. One partner risk, supports the other partner, reward. It is not enemies.
A lot of people think that risk management stops us doing stuff. The business prevention unit, as it's often called. Rubbish, it's completely the other way around. It's a business enablement unit.
Reward requires risks. They can't live without each other, and reward cannot be achieved without risk. Risk and reward are best friends. They're not enemies. Risk and reward must consider every stakeholder in the relationship, not just one or two, such as the shareholder.
If you achieve that, you'll have a happy marriage and sustainable reward. Now, I've spoken a bit about the APRA CBA report hundred, 111 pages, which some of you may have read. If you haven't read it, I did do a blog when it came out that I think goes to 12 pages or so. It is on our website as a blog. I'm also on LinkedIn. So, please have a look at that.
I just want to finish with this thought, and it's something I couldn't tell you up front, because no one of you would have listened to a word I had to say. And that is, over the past six years, one of my biggest training clients is the Commonwealth Bank of Australia. I do all their internal operational risk training.
When the CBA Report come out, my wife looked at me over the breakfast table in a wonderful way. She said, "Dave, you can't be doing a very good job." My response was this, and it's a really important takeaway for you.
All the training we do, in these conferences you come to, we can show you, and you know, because you're here, we need to show people all of us, all our employees, the wonderful lake that is risk management. Beautiful water, very good for your health. But we can't grab their heads, dip it in and go, suck, they've got to do it themselves.
The only way they're going to do that is if you show them the incentive of drinking from the beautiful lake that is risk management because then they'll have the incentive to do it.
Hopefully they will realise that their reward which they loved so much cannot survive without risk. That way we will all then be brought into the decisions up front and be an equal partner in the marriage. Other than that, thank you, cheers and we'll enjoy the happy marriage tonight when we have our dinner. Thank you.
Ready for more risk management courses?
We hope you enjoyed this recording. If you're interested in attending more risk management and other related courses, check out this year's available workshops in your city: