From Stagnant Tokenism to Effective Capitalism

Counting Tokens

Most executive managers would admit openly that they see the consumption of resources by risk management in their organisation as a necessary defensive measure for a 21st-century enterprise. But few would see it as a primary vehicle for delivering a substantially enhanced shareholder return, and even less would be delivering on that vision. Yet, in a small number of organisations, risk management does deliver substantially enhanced shareholder returns on a continuous basis. In order to realise this state, however, risk management needs to be taken out of the hands of the defensive minded and handed over to those who don't need a prescribed pathway to work out what delivers most for their organisation. In other words, there is a need to let go of the follow- the-pack philosophy and think freely. Let's see if we can persuade you to do so.

First — a question for readers. How do you react when the shopping precinct and traffic-light predators (aka charity collectors) step into your eye line and shame you into a donation? Perhaps, like us, you get a little peeved because no matter how many donations we make, badges we buy, third world children we support, or raffles we enter, they always want more. It's not even a serious drain on our income, but it keeps us in a kind of Groundhog Day where each morning on the way to work, or as we walk to lunch, somebody approaches us for a contribution to something they believe makes a difference ... and quite frankly, we're not at all sure that it does.

If we thought raffles and badges were a real game changer, we'd all jump in the deep end. Half our income so that Africa has no more hungry children? What a bargain — where do we sign? But we don't believe it's the case, so we mumble some apple pie and motherhood encouragement to the collector and keep putting the tokens in the collection box. We're buying off the annoying collector and diluting our guilt a little, but it's a long way short of achieving genuine peace of mind.

This is also what has happened to risk management in most organisations. Executive management donated generously to the cause for a long time and had hopes of a no-more-surprises world. After a while, they saw little real change in their business, but it's now neither politically correct nor in some cases legally possible to say, 'Enough! Let's use these resources to better effect'. Like the targets of street collectors, executive management keeps the tokens flowing long after belief in the cause has faded.

Consumed by Process

From 1990 to 2002 the world saw increasing focus on corporate risk management acts, guidance notes and standards. You may recognise some of the titles that became folklore, including Sarbanes Oxley, COSO, Cadbury and Turnbull, and AS 4360 and its offspring ISO 31000 (more on all this in Chapter 2). The corporate world was too sluggish to make risk management its own initiative; it was now a matter of compliance, and corporations through the decades have argued that compliance is a poor route to excellence.

Even the smartest people are prone to stop thinking when the early promise isn't delivered and compliance-capture offers an easy way out. Our risk management champions may never have been the smartest people in the room, but the zombie-like lovers of process — people who want to check what they do against a piece of paper and not real outcomes — have taken firm control. As a result, the risk world is teeming with conveyor-belt facilitators following the simplest possible interpretation of risk standards, and auditors aplenty doing what they do best — checking that we do what we say we do, whether it makes an iota of difference or not.

Compliance isn't the only road to tokenism. An unfounded but passionate belief that your organisation manages its risk brilliantly because it is inherently good at what it does will take you there too. In the early days of the risk management surge (circa 1992), a risk consultancy was engaged by one of Australia's largest companies to undertake a major risk review. The results were to be presented to a regulator to obtain permission to undertake a major development. The chief operating officer was a hard, confident character who laid down the following parameters for the report to the consultant:

'It will cost no more than $80,000, will be two inches thick, and it will promise nothing other than this company will always hire the very best people.'

It never occurred to this extremely talented man that any process he hadn't already adopted could possibly add benefit to his massive project. The regulator accurately described the resultant report as 'both confused and confusing' and approval was withheld. By the time the second version was completed by the same consultant, but with no parameters other than to get approval on reasonable grounds, the individual had sanctioned several fundamental changes to the project that had been uncovered by a genuine attempt to undertake a thorough risk review. In fairness to that manager, he went on to make the risk process mandatory on all of the company's developments around the world, including locations where no such process was stipulated by law.

The point here is that this larger-than-life character was not afraid to show his confidence (arrogance?), and it was therefore possible to account for it and go on to reach a good outcome. In fact, there is little doubt that the regulator and the consultant were in some degree of conspiracy to bring this outcome about. The problem today is that arrogance and complacency are not outwardly displayed when it involves widely endorsed risk processes or values that find themselves deep in the political correctness zone. It's a motherhood, apple pie and risk management world in the 21st century.

Recognising you have a sickness is the first step to curing it, so let's take a look at some of the many ways the tokenistic approach to risk management in organisations can be detected.

Risk Management in a Box

One-stop packaging is everything today. We pay the required sum and all of our problems go away. In an executive committee meeting at a major resources company a few years back, the tension in the room was higher than normal when discussing the introduction of SAP, a life-changing and expensive enterprise resource-planning IT system. This was somewhat surprising, given that these same individuals regularly discussed massive investments where an inappropriate decision, or lack of one, could cripple the company. The tension was explained when an executive director reminded the committee members that more...