building a risk management system that works


Upload: vincent-oneil

Post on 08-Jun-2015


Category: Business



DESCRIPTION

This is a detailed presentation on creating an effective risk management system based on the idea that "Everyone is a Risk Manager"

TRANSCRIPT

Page 1: Building a risk management system that works

Building a Risk Management System That Works

Vincent H. O’Neil

www.vincenthoneil.com

Page 2: Building a risk management system that works

This May Sound Familiar

“Risk Management? That’s not my job. Don’t we have a department for that?”

“Risk Management’s just a bunch of pain-in-the-neck rules that don’t do anything.”

“Oh yeah, we do annual training for that . . . You get through it as fast as you can and then get back to work.”

Page 3: Building a risk management system that works

Risk Management is Everyone’s Job

In the last few years, millions of people lost their jobs because of risky practices in a small number of industries

Within those industries, thousands of people lost their jobs even though they followed the rules and knew nothing about the unacceptable risk being taken in other parts of their firms

Risk management is your job because it can cost you your job

Page 4: Building a risk management system that works

Everyone is a Risk Manager

Even with all the people and systems dedicated to monitoring risk, dangerous practices are often discovered by people not assigned to a risk job who were just keeping their eyes open

In 2010, a car bomb parked in Times Square was safely removed because a t-shirt vendor operating nearby reported the vehicle as suspicious. Not a police officer. A t-shirt vendor.

Everyone is a Risk Manager

Page 5: Building a risk management system that works

Risk Management is Not a Department

Risk management is a system, an awareness, and an attitude

Page 6: Building a risk management system that works

Risk Management is a System

Here are some of its components:

Processes for monitoring, analyzing, and reporting risk

Policies and regulations

People designated as Risk Managers

People designated as Managers of any kind

Every employee

Every department

Page 7: Building a risk management system that works

Risk Management is an Awareness

That awareness is created through:

Training

Continuous reinforcement

The understanding that risk threatens everyone

Historical examples of how risky practices have been detected—and what happened when they weren’t

Page 8: Building a risk management system that works

Risk Management is an Attitude

That attitude is generated by:

The recognition that risk anywhere in an organization is risk everywhere

Training in how to identify risky practices, coupled with the means to report them

Discussion of examples proving that individuals can put a stop to the risk that threatens their very employment

Page 9: Building a risk management system that works

Building the Effective System

Here are four elements of an effective risk management system based on the premise that everyone is a risk manager:

1. Emphasis from Senior Management

2. Training at All Levels

3. Effective Monitoring

4. Corrective Action

Page 10: Building a risk management system that works

Emphasis from Senior Management

Senior management must take the lead in creating a risk management climate which encourages every employee to study, understand, and monitor risk

This cannot be a one-time, or even a once-a-year, thing: Creating a risk management climate is an ongoing effort

Page 11: Building a risk management system that works

Emphasis from Senior Management

The CEO as Chief Risk Officer:

Although the organization will still have a Chief Risk Officer, senior management must be seen promoting risk awareness

This will not only motivate subordinates to do the same, but it will also serve to reinforce the seriousness of this effort

One possible route is to treat this like an internal advertising campaign, with posters and videos showing various employees, from senior management on down, stating, “I am the Chief Risk Officer.”

Page 12: Building a risk management system that works

Emphasis from Senior Management

Frequent, meaningful reminders:

Senior management plays a key role in creating a sustainable level of risk awareness, and should take the opportunity to provide some of the instruction themselves

From breakfast speeches to classroom-style training and off-site seminars, there are numerous ways for leaders to reinforce the institution’s dedication to risk management

Page 13: Building a risk management system that works

Emphasis from Senior Management

Enforce the rules:

All the talk in the world will not create risk awareness if violations are not corrected

Remedial training and verbal reprimands can reinforce a risk management system, but they must be backed up, when appropriate, with more serious punishment including termination

Page 14: Building a risk management system that works

Training at All Levels

Building an all-around risk management system is not an easy task

Overcoming complacency and ignorance is often a function of motivation, and so the training must convince the participants that risk management is important—both to the institution and to them as individuals

Page 15: Building a risk management system that works

Training at All Levels

Offer a free, recognized, and transportable Risk Management certification course:

This is an excellent way to motivate employees at all levels to learn the fundamentals of risk management

It can be an internal program, an external certification, or a combination of the two

Employees who complete the course and receive this certification will know what they’re talking about—and what to look for

Page 16: Building a risk management system that works

Training at All Levels

Sustainment training:

The training effort must be more than an annual or quarterly requirement

Middle and junior management can take the lead here

Using a series of brief, “snapshot” lessons, these mid-range managers can reinforce the message that the danger is real—citing examples taken right from the news which show how people not assigned to “risk” jobs made (or could have made) a difference

Page 17: Building a risk management system that works

Training at All Levels

Constant reminders:

Flash videos, wall posters, and junior management talking points can serve as a frequent reminder of the importance which the institution places on risk awareness

To gain the proper impact, these reminders could be focused on the consequences of failed risk management, citing the number of jobs lost and legal penalties incurred

Page 18: Building a risk management system that works

Effective Monitoring

Most large organizations already have a risk management structure in place, but merely appointing a risk hierarchy and installing monitoring software isn’t enough—even if this system is fully understood and obeyed

One of the key benefits of establishing a risk management climate in which every employee acts as a risk manager is the multifold increase in monitoring represented by all those extra sets of trained eyes

Page 19: Building a risk management system that works

Effective Monitoring

Conduct Testing to actively determine if systems and personnel are performing to standard:

Internal audits of departments and teams should be conducted on a regular basis, sometimes with no notice

Where applicable, test cases should be introduced into a system or workflow and monitored to determine if the resulting actions are in accordance with standards

Negative test cases (which would be expected to be thrown out or flagged in some fashion) should also be used to assess the effectiveness of systems and policies within an organization

Page 20: Building a risk management system that works

Effective Monitoring

Testing (cont’d):

The individuals or entities conducting these tests should be made aware that fraud and waste are frequently discovered in this fashion; high-level management involvement is therefore necessary

Understand the Data: Risk analysis is only as good as the data, so learn how it was collected and processed—don’t just accept it

Page 21: Building a risk management system that works

Effective Monitoring

Ask, “What if this happens?”:

In the field of management, one of the key questions is: “What don’t we know?” This refers to potential events and outcomes that haven’t been considered before

While it’s impossible to imagine every threat to a system or a business, one way to identify unknown hazards is to ask,

“What if this happens?”

Page 22: Building a risk management system that works

Effective Monitoring

Ask, “What if this happens?”: (cont’d)

Train managers to examine the potential ramifications of their decisions, and then to extend that analysis beyond the obvious

Don’t trust computer models and simulations to cover everything

Don’t rely too much on historical data; just because something never happened before doesn’t mean it can’t

Create high-level teams to ask the outlandish questions, and invite outside experts and your own clients to ask, “What if this happens?”

Page 23: Building a risk management system that works

Effective Monitoring

The consequence of not asking “What if this happens?” is vulnerability to threats that could have been identified and neutralized

The collapse of the sub-prime mortgage industry in America had international ramifications, and many businesses were later surprised to learn of their exposure to the world of credit default swaps even though they’d never been directly involved with any of these products

Page 24: Building a risk management system that works

Corrective Action

All the rules, managers, and software in the world will not create an effective risk management system if that system has no teeth

One sure-fire way to ruin a risk management system is to tolerate repeated violations

Page 25: Building a risk management system that works

Corrective Action

Punishing violations is seldom easy, particularly when the offending party is perceived as a star or rainmaker, but allowing these transgressions to continue brings the entire system into question

Corrective action can range from re-training to termination, but it must take place—and the reality of its presence must be understood by employees at all levels

Page 26: Building a risk management system that works

Conclusion

Risk Management is your job because it can cost you your job

Risk Management is not a department; it’s a system, an awareness, and an attitude

This is an ongoing effort that includes senior management emphasis, training at all levels, effective monitoring, and corrective action

Everyone is a Risk Manager

Page 27: Building a risk management system that works

About the Author

Vincent H. O’Neil is a risk consultant, an author, and a public speaker. A graduate of West Point and The Fletcher School, he has managed risk in one way or another throughout his working life.

He can be contacted through his writing website, www.vincenthoneil.com