Eric’s post on Kicking Risk’s Bottom got me thinking. I am also interested in one angle to this whole bottom-kicking business for very personal reasons. My reasons are career-impacting, I might add! A few weeks ago, yours truly, together with my able team members, in a move inspired by free liquor courtesy of the monthly drink-up, decided that we needed to come up with a one-page document that summarizes the indicators of the top 10 risks facing the company. The thinking behind it? Simple: we wanted to know and show how well we (as a company) are doing in kicking risk’s bottom and to show, in a very succinct manner, how far we were yet to go on this kick-ass journey, if I may use Eric’s lingo. Something went very wrong in this whole exercise. For one, there was debate as to what really constitutes a risk indicator. And you have to agree that the term sounds very simple and very enlightened, but when you really think of it, what does it stand for?
We have a set of risks, presumably identified through some process of assessment. What do we want to track about these risks? How relevant they are? The efficacy of the controls that we have put in place, i.e. how apt, how well implemented? Do we also want to identify where the controls are stifling business? I mean, it is a common saying that opportunity and risk are two sides of the same coin. Is there truly one indicator for one risk, or will a set of indicators be necessary for one risk? The mother of all debates (I will not comment on her bottom, contrary to what some readers may expect) showed up when we started discussing the difference between what is an operational indicator, i.e. normal business stuff, and what should be taken as a risk indicator. If management has defined a set of closely-watched numbers, for example, is it possible that the risk indicators were already inadvertently included in this, i.e. that risk indicators are simply a subset of operational indicators? The assumption being that diligent management teams would already be managing risk as part and parcel of whatever it is that they do between their trips to the golf course.
Suppose, for example, that we decided we shall use reported leakage as a risk indicator. What does it indicate? If the amount of reported leakage goes up, does it indicate that we have process and data integrity issues that are worsening and therefore more leakage? Or does it indicate that our RA team is stepping up in performance of RA checks and therefore identifying more leakages? So it would be arguable that while the figures may be getting scarier, we are now indeed in a better position, i.e. in a sense our RA folks stepping up is only now showing, and we should celebrate?
Every now and then we meet at the water-cooler and discuss this. I am sad to announce that we have progressively moved from our initial state of inebriation to a state that I can only describe as desolate. There are many questions, even more opinions but few answers. I have thus suggested that we need to raise the frequency and duration of our drink-up sessions in order to ensure that like-minded team members engage in an environment that is free of distractions and away from the constrictions of the office space. I am not sure why the boss is not so enthusiastic about this idea. I suspect it’s because we are still expected to reach an intelligent consensus and submit, in the next few days, the risk indicators. If we don’t, a sharp boot will make contact with some very hapless and confused bottoms! However, should we succeed, I guarantee we shall publish a good read: Battling the Ballooning Bottoms: The Kick-Ass Guide for Risk Managers.