Manage risk with bowties and Swiss cheese

Risk is a crucial, but oft-overlooked, factor for a large number of businesses. Here, Simon Laffin shares his insight into how best to approach it.

I’ve seen grown men weep at the prospect of a half-day board review of the risk register, eyelids drooping on risk prioritisation. I’ve yet to meet anyone who actually reads the risk section in the annual report, even probably the regulators who insist on it.

What is the board’s role on risk? All business discussions need to encompass risk. When risk is presented in a glib, superficial form, directors are easily bored into submission. Here is a way to rescue a risk discussion and turn it into a vital debate about the business, using the methodology developed by high-risk industries, such as aviation and nuclear, to manage their safety risks.

Stress = mistakes

High-risk systems accept that humans will make mistakes, and that the higher the stress levels, the more mistakes will be made. They emphasise the need for several barriers to any threat, knowing that some will fail, so others are needed as back-up. Some barriers are there to monitor or detect a threat and others to prevent or recover from it.

There are four key principles to risk-management processes:

1 All systems have weaknesses, and will fail at some point.

2 All humans make mistakes, and you need to plan for this.

3 You need to detect an event to manage it.

4 You need multiple lines of defence against any risk.

A hazard (or risk) can create a number of specific threats. You therefore create a number of preventative barriers, like successive slices of cheese, to detect and prevent that hazard becoming an event. However, every slice of Swiss cheese has holes in it, as any risk management barrier will have some weaknesses and of course human operators make mistakes.

A hazard will only crystallise into an event when the holes in the different slices line up, i.e. all the barriers fail in some way to stop the threat. For a pandemic hazard, for example, barriers against mass spreading of infection (i.e. the event) will include taking temperatures, vaccines, washing hands, wearing a mask, and maintaining social distance.

None of these are completely effective on their own, but together they provide a significant degree of protection. If all of them fail in enough cases, the hazard will become a real event, i.e. a pandemic.

Hole lot of trouble

The Swiss cheese model demonstrates why any effective control of risk requires multiple barriers to maximise your chances of stopping a hazard becoming an event. It also explains how you attempt to stop an event having adverse consequences – by having multiple recovery barriers.

Like preventative barriers, you need several levels of recovery barriers, as one barrier is unlikely to be enough on its own. In a pandemic, once there is a mass infection event, recovery barriers would, for example, include mass testing, lockdown and rigorous isolation measures.

The Swiss cheese model is the basis for a detailed risk methodology, called the Bow-Tie model. Take the hazard of poor-quality people management. This might lead to an event, such as the resignations of key people. You identify the threats that could cause such resignations and, importantly, what preventative barriers you can put in place to stop them.

In this case, the threat might be uncompetitive remuneration, and the barriers would be benchmarking salaries (detecting the threat) and pay reviews (action to prevent it). This model then identifies the need to mitigate the effects of the event, with recovery barriers designed to reduce the consequences. Here it would include post-resignation interviews and counter-offers to staff who want to leave.

The model also identifies the consequences if the recovery barriers don’t work. This is the gold standard of risk management, but it won’t necessarily be popular with management, because it requires a lot of work and thinking. But that is precisely the point of risk management.

Calculating wasted effort

Corporates spend lots of time trying to quantify risk, often at the expense of working out how they would stop the threat. An airline doesn’t spend a lot of time working out the cost of a major aircraft accident. It knows that such an event is an existential threat.

The airline industry focuses not just on how to avoid an accident, but also how to reduce the harm once the event happens. This is why there are safety systems not just to reduce the risks of an aircraft accident, but also safety systems that protect life in the event of an accident (such as strong seats and oxygen masks).

The Bow-Tie model considers how you would deal with an event happening. Too often corporates list out their ‘mitigations’ and then decide that the event won’t happen, so they don’t bother working out what to do if it did. Around 90% of all corporate risk ‘mitigations’ are preventative barriers, and barely 10% are recovery ones.
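As an added illustration (not from the article or its author), here is a small Python model of the bow-tie described above, built on the people-management case: a threat only reaches the event when every preventative slice on its path has failed, consequences only follow when every recovery barrier has also failed, and two checks flag the imbalances the text warns about (a skewed preventative/recovery split, and any path with a single line of defence). The named consequence is a constructed placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    barriers: list = field(default_factory=list)  # preventative slices, in order

@dataclass
class BowTie:
    hazard: str
    event: str
    threats: list = field(default_factory=list)
    recovery: list = field(default_factory=list)    # recovery barrier names
    consequences: list = field(default_factory=list)

def threat_breaks_through(threat, failed):
    # Swiss cheese: the holes line up only when every barrier on this path failed
    return all(b in failed for b in threat.barriers)  # no barriers at all -> True

def event_occurs(bowtie, failed):
    return any(threat_breaks_through(t, failed) for t in bowtie.threats)

def realised_consequences(bowtie, failed):
    # consequences follow only when the event occurs AND every recovery barrier fails
    if not event_occurs(bowtie, failed):
        return []
    recovery_failed = all(b in failed for b in bowtie.recovery)
    return list(bowtie.consequences) if recovery_failed else []

def barrier_balance(bowtie):
    # (preventative share, recovery share): the article warns of a 90/10 skew
    prevent = sum(len(t.barriers) for t in bowtie.threats)
    recover = len(bowtie.recovery)
    total = prevent + recover
    return (prevent / total, recover / total) if total else (0.0, 0.0)

def single_lines_of_defence(bowtie, minimum=2):
    # principle 4: flag any threat path (or the recovery side) with < minimum barriers
    weak = [t.name for t in bowtie.threats if len(t.barriers) < minimum]
    if len(bowtie.recovery) < minimum:
        weak.append("recovery")
    return weak

# the article's people-management case; the consequence is a constructed placeholder
PEOPLE = BowTie(
    hazard="poor-quality people management",
    event="resignations of key people",
    threats=[Threat("uncompetitive remuneration",
                    ["salary benchmarking (detect)", "pay reviews (prevent)"])],
    recovery=["post-resignation interviews", "counter-offers"],
    consequences=["loss of critical know-how (constructed placeholder)"],
)
```

Pass the set of barriers assumed to have failed in a scenario to `event_occurs` and `realised_consequences` to walk a threat from left to right across the tie.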

Regulators keep insisting on written reports about risk. However, the real value in risk management is the thinking and discussion that goes on at all levels on how to manage risks. Boards should be investing in this discussion time. As the saying goes, if you think safety is expensive, try the alternatives. If you think risk management takes up too much time, just write a boilerplate report for the annual report and leave yourself open to risk. After all, how bad could it get?

This article is an extract from Simon Laffin’s book, ‘Behind Closed Doors. The Boardroom: How to Get In, Get On and Make a Difference’, available from Amazon and all good book stores. Find out more at

