Category Archives: Risks & the boardroom

Why you might want a pilot running your Risk Committee

There’s a saying in aviation: ‘Never fly in the same cockpit with someone braver than you’. Risk management for a pilot is literally a matter of life and death. Have you ever asked yourself whether you would share a boardroom table with executives braver than you are?

Company risks are often presented as long shopping lists, each item with a reassuring comment about how it’s unlikely and, in any case, covered off. A typical audit committee, and now the whole board, will be faced with this list and asked to opine as to whether it is a fair summary of the risks facing the business and their mitigations. The board, or more likely the CFO, will then select a dozen of the juicier risks to list in the annual report.

Neither the non-executive director nor the annual report reader is likely ever to gain much nourishment from this exercise. However, the drive of the regulators to be seen to get action from board on risk will be satiated for another year. Has this sort of exercise ever helped to prevent a financial failure?

It’s not a surprise to find that aviation has developed a more insightful way of looking at risk. As the great aviator Ernest K. Gann wrote: “Rule books are paper – they will not cushion a sudden meeting of stone and metal.” The director could well substitute Annual Report for rule book.

Aviation has developed a Threat and Error Management model, which involves looking at risks by their type and then applying a three-stage management process: avoid, trap and mitigate. The same process can equally be applied to business risks.

1. Categorising the types of risks

There are three high-level categories of risks and events: unexpected external, expected external, and internal risks. We are, of course, here in the realms of Rumsfeld’s known unknowns and unknown unknowns. Rumsfeld, incidentally, was a naval pilot himself. An event is when a risk actually becomes a reality.

o Unexpected external risks are, by definition, the most difficult to foresee. To quote Gann again, “The emergencies you train for almost never happen. It’s the one you can’t train for that kills you.” It was, for example, the failure of confidence in AAA securities that was one of the key problems causing the recent financial crisis, yet almost no one predicted this risk could happen.

o An expected external risk might be a rise in inflation or interest rates. These are risks that might reasonably be expected to have a chance of happening. They are the most common type to appear on a risk register, as they are easy to imagine and therefore easier to plan for.

o Internal risks are those that are under your control in the business and are the ones most looked at in traditional control systems. These tend not to be so prominent in external communication of a business’s risk, as to acknowledge them implies that the control systems are not fully reliable.

2. ‘Threat and error management’

Avoid

Clearly the best outcome is to avoid a risk becoming an event. To achieve this, companies put processes and controls in place or take pre-emptive avoiding action. This is generally applicable only to expected external risks, as it is a tough task to avoid an unexpected external risk. Some expected external risks are also not avoidable. For example, a rise in general interest rates is not within a company’s control, but a campaign against, say, working practices could be avoided by pre-emptively maintaining high standards of care for employees.

Most internal risks are avoided by careful management, strongly defined processes and robust control systems. For example, fraud can be deterred by visible deterrents and controls. Increasing the visibility of such deterrents (e.g. cameras) is in fact a prime avoidance technique. However, in any company, some internal risks will crystallise into events.

Trap

No matter how good the controls and avoidance techniques are, the assumption should be that there will be a breach. All humans make mistakes. No avoidance system is ever 100% foolproof. The next stage is therefore to try to trap the event. This is where information systems are crucial.

It is essential to know that the first defence (avoidance) has been breached, so there has to be an alert. Directors need to understand what systems there are to alert managers to any possible, upcoming or actual breaches.

When an event happens, management needs to (a) notice it and (b) interpret it as important. An unexpected external event is particularly tricky to pick up every time. It does not fit easily into a standard control system, as it may not even be monitored. The event may however cause a performance measure or a forecast to move, which may then trigger an alert.

Generally you hope that senior management has the ‘helicopter vision’ to spot unexpected strategic events, but at working level, it may be any employee who spots an unexpected new risk; for example a sudden bout of arson in a local community. The person who initially notices the event may well not be the same as the one who spots its significance.

How good are the communication systems that link these different people together? The simplest example here would be an employee looking at a bank statement and querying a suspect transaction. In this case there should be a system to flag and investigate unusual transactions, and an agreed procedure that follows. However, the information system for other, less structured risks may be an informal network; for example, a casual mention of something new to someone else over the coffee machine. It is easy to forget the informal information systems, but these can be very important.

In summary, the important features of trapping are noticing an event and then interpreting it as important. The methods for achieving this are both formal and informal information systems. This may also require preliminary investigation to understand the nature of the event, including cause, extent and implications. Trapping unexpected external events is particularly problematic, as, by definition, you do not know what you are looking for.

Mitigate

Having trapped the event, the task is now to mitigate its effects. This may well require in-depth investigation, in order to understand fully what happened, which controls failed and what can be done to minimise the ill effects of the breach.

The direct and indirect effects of the breach need to be identified. Indirect effects can often be missed. The event itself may be mitigated by, for example, removing an errant individual, but there may be a loss of confidence in that department that causes others to move work elsewhere or put in their own informal double checks, reducing efficiency.

The business may need to compensate and replan for the event. A rise in interest rates, for example, may cause the business to reduce costs elsewhere or conserve cash. A spate of arson is likely to cause the business to both review its insurance cover and improve fire suppressant systems.

Finally, the business needs to learn from the breach and reframe its processes and controls. In rare cases, it may decide that nothing could have been done, particularly for unexpected external events. Generally, however, there will be lessons and enhanced procedures that will either reduce the chances of a future breach or mitigate its effects. This tends to be, at least for internal risks, the province of internal audit recommendations. This feedback is often the most important part of the response, as the company has learnt how better to handle the risk and to prevent future such events.

Summary – a risk management framework

Avoid: visible deterrence; defined processes and robust control systems.

Trap: information systems; informal and formal communication; interpretation and sensitivity; preliminary investigation.

Mitigate: in-depth investigation; direct and indirect effects identified; event compensation; business replanning; feedback to reframe processes and controls.

Applying this thorough framework could help companies and boards better understand and manage all aspects of risk. In particular, it focuses on the importance of informal and formal communication, the role of everyone in the business in spotting possible events, timely and comprehensive information systems, compensation, and feedback.

It also emphasises that every risk should be assumed to be going to become an event. This forces proper consideration of trapping and mitigating, which otherwise tend to be assumed not to need detailed thought. It’s likely, as Gann said, that the risks you never thought of, or never believed could happen, will be the most painful. Just ask the people who used to believe in AAA bonds.

http://www.simonlaffin.com

Why you wouldn’t want a CEO piloting an airliner

Finals at night

The popular image of a pilot is of a dashing hero who pulls off amazing feats of skill to save his aircraft from imminent disaster. In reality, however, what airlines value most in pilots is keeping to procedures and operating according to checklists, acting with defined responses to various planned and unplanned events. That’s not to deny that pilots possess considerable skills and knowledge. It’s just that these are best deployed in known routines and responses. You don’t really want a pilot inventing a new dashing way to land a jumbo jet full of passengers.

That makes a pilot different to a CEO. You want a CEO who does lead the business into new ventures and innovative ways of working. These sets of skills are rare and so we end up looking harder for the right CEO, and paying them a lot more money. We end up with the superstar CEO.

Whilst this may be the right strategy, it does have some undesirable consequences. Much of the responsibility for performance is placed solely with the CEO. If something goes wrong, the media, politicians, and often investors, are out calling for the CEO’s head.

The CEO can’t complain about this, as it’s the flip side to demanding the superstar salary. Their remuneration and incentives are, after all, based on the idea that the CEO is making a massively disproportionate contribution to company performance.

But it’s also rather convenient for others. For the media, it’s a simple age-old people story: another Icarus melts his wings and falls to earth. For investors, it can be reassuring. Perhaps they didn’t invest behind the wrong business model; the chief just let them down. Even the other board directors can deflect difficult questions about their own role by taking decisive action on the boss.

The problem with this familiar narrative is that, whilst it will have some truth, it is never the whole story. It enables others to avoid the sort of soul searching that might produce more insights and more long-term solutions.

It enables regulators to avoid proper forensic inquiries into company failures: investigations that might produce real explanations as to how all the corporate governance, rulebooks, regulation, overseers, auditors, independent non-executive directors, and well-informed investors have failed to stop the egregious corporate failures we have seen in the last few years.

How did the boards of Lehmans, Merrill Lynch, Royal Bank of Scotland, and others, fail to spot their looming problems? They were full of very intelligent, experienced directors, so there must have been a systemic problem. But there has been very little attempt to learn from these events, because the focus has always tended to be on blaming the individuals at the very top, not understanding the systemic issues.

I joined the board of Northern Rock in late 2007, just after it had suffered the first run on a British bank in 150 years. I then conducted an inquiry into what had happened, in order to understand if there was a case to sue either the previous management or the auditors (there wasn’t). However, I learnt a lot about why it had happened. The then UK banking regulator never once spoke to me about the inquiry, and, to my knowledge, never forensically investigated what really happened at the bank.

It’s so much easier just to shoot people, than it is to find out the real story. It’s also much less likely to expose your own failings.

The result is that we haven’t really learnt the lessons of the last few years. Well-meaning corporate governance rules have, however, proliferated. Regulators have begun to accept that behavioural factors are an issue. However, they have responded by, for example, insisting that companies now list out their risk factors and opine about their ‘risk appetites’. You somehow doubt that an expert in human behaviour was involved in devising that remedy.

No one links new governance rules to the precise reasons for previous failures. No regulator assures us that if only companies had been applying their new rule, that failure wouldn’t have happened. There is simply no linkage between corporate failures, analysis of their causes and new regulation. That’s because regulators go straight from reacting to the public outcry about corporate failures to drafting new regulation, missing out the analysis stage completely.

So you wouldn’t want a CEO piloting your airliner, but we could certainly do with business problems being focussed less on ‘pilot error’ and more on really understanding what exactly happened and why. This must be primarily aimed at preventing failures recurring. Isn’t that more important than taking revenge on individual executives?

Why aviation is safer than the boardroom


The basic model of commercial aviation is a thin tube of highly pressurised metal being propelled at 600 miles per hour by inflammable fuel at 35,000 feet in all weathers at temperatures of -57 degrees. So have you ever wondered how aviation got to be one of the safest forms of transport, despite being inherently full of such potentially catastrophic risks?

On the other hand, the average boardroom, comfortably at 20 degrees, often going nowhere, in an executive suite just above the ground, continues to struggle with business risks, and major business incidents and errors are showing no signs of reducing.

There are of course many reasons why aviation risk management is more advanced than the corporate equivalent. There is also one reason why it is not. It’s not because one group is cleverer or more dedicated than the other.

Most of the explanation lies in the imperative to get aviation safety right. The feedback loop on an aircraft is very fast and exceptionally forceful. If bad decisions can kill both you and hundreds of passengers at once, then you will tend to take risk management very seriously indeed. By contrast, poor board decisions usually take months, if not years, to become evident, and tend to result in financial losses that are often survivable for the executives concerned.

Business could learn a vast amount from the risk culture that aviation has developed as a result of its safety imperative. When something goes wrong in aviation, the major drive is to find out what went wrong, rather than finding culprits. The aim is to learn the lessons and then disseminate recommendations to manufacturers, pilots, operators, air traffic and anyone else, to ensure that this set of events cannot be repeated.

In business, by contrast, the focus is on naming and shaming the director held to be responsible, ensuring he doesn’t get a bonus and possibly gets fired. It’s driven by blood-lust, not analysis.

Aviation puts the emphasis on process, procedures and systems, accepting that humans will make mistakes. Moreover, the higher the stress levels, the more the mistakes that will be made. In the corporate world, the conventional assumption is that executives are too highly paid to make errors, and so if they do, the key outcome is for them to be punished.

Many will argue that this is simplistic. There are of course many other features of aviation risk management. It is often the media and politicians who personalise corporate failures. However, I haven’t heard many corporate commentators argue that the recent problems at Tesco and Morrisons, for example, shouldn’t be blamed on the outgoing CEOs, but need to be understood in the broader context of the changing market and process failures in the individual companies.

In the end the question is: which of these two models produces a better understanding of what went wrong in a particular event? Which is therefore more likely to produce a lasting improvement in risk management?

Then ask yourself, how safe would you feel in an aircraft regulated by the standards of today’s corporate governance codes?