About Risk Leadership

Leading To The Right Of Risk

Business teams like to keep moving. They don’t want to be constricted. They don’t want to be fenced in. They think of risk as a chimera: They think they will deal with risk if and when “real trouble” comes. Therefore, they wait too long to go to advisors, from engineers to lawyers. They wait until the term sheet is dry or the problems have festered into litigation. But by then risk has matured into “real trouble”, and the businesses they serve will definitely face the high costs of trouble, from lost sales to damaged reputation, from fines and penalties to litigation.

Your teams need to understand facts, figures, and history to prevent, mitigate and resolve crisis. And you need to understand them and what they are really seeing. You may be the last person they tell. Call me before your risks have matured and the trouble is under foot. Work with me while your decisions are still business decisions.

Call me when that real trouble does come. Together we work out the real parameters of the trouble, limit the damage, and find real solutions. We work to resolve your crisis and your teams’ crises.
Work with me so that we catch trouble early –or make sure that trouble never even comes. Don’t think of it as fear or risk aversion:
Think of it as staying out of trouble and making your model hum. Think of how clearly we can look at you and your business from multiple perspectives. Together we get it done right.

©2007-2015. S. Caroline Schroder. All Rights Reserved.

Update Your Risk Analysis: Technology and Your People

Despite the metrics, risk persists as poorly quantifiable in the real world. The catastrophes occur in unexpected corners of the enterprise or result from unintended consequences of careful plans. A critical contributing factor is the uncertainty of new technology and new variations on edgy products. These uncertain technologies and variations on edgy themes are not so much unreliable as they have unexpected collateral effects and unintended consequences. Take, for example, MSFT Vista or CDO derivatives or social networking tools. A Vista bug unexpectedly costs a system functionality for half a day and workers lose critical work and time. CDO derivatives turn out to be riskier than assumed and take out a formerly solid bank. A trusted employee while social networking compromises proprietary information through mistaken use of a cool tool no one understood, including its developer and social utility enterprise. Or no one expected that an employee would spirit out a large secret data file by IM. The competitive advantage is lost or clients are compromised. The dollar cost is huge; the goodwill loss is major.

This new uncertainty yields these and additional events which will not be rare but are merely new and have yet to spawn statistical data points, except in catastrophic size of financial loss. Short of battening down the hatches and hunkering down with the tried and true, what are you to do?

1. Impress upon your entire range of employees from mail room to C-suite and Board room the material value of their work in both human and monetary terms;
2. Demonstrate comprehensibly the catastrophic human and monetary losses possible through seeming small missteps, mistakes, and omissions. Make it palpable by fleshing out a hypothetical showing that if item A is compromised by this loss B, then consequences X and Y result in dollar loss $Y.
3. Verify that employees, officers and boards understand the technologies they see and use. Teach the technologies. Don’t hire expecting prior training through education and experience. Hire expecting to do the training.
4. Develop a cross-discipline department, section or committee to keep ahead of the technology curve: all the technology, from industry methods to communications, transportation and corporate espionage. Pay your staff to keep fresh and alert and to foresee the unexpected consequence of what is new.
5. Constantly refresh your working rules which work along with the new technologies. Don’t leave the rules in the employee handbook. Make them part of every day function and procedure.
6. Verify not only that steps are followed; verify that the reasons are understood. Too many financial institutions and other businesses have everyday practices which change abruptly when the auditors or regulators are about to arrive.
7. Do not indulge refractory behavior by generation, rank, department, contractor/employee status or upon other excuse. Train, don’t cluck. If you often find noncompliance occurs within a group, look for lack of knowledge, preparation and leadership. It may be that no one knows exactly what to do, or when or how.

© 2009 S. Caroline Schroder. All Rights Reserved.

What Risk?

Ahh, risk.  Too many organizations have only a fuzzy understanding of their risks;  too many only want to have a fuzzy understanding of their risk;  too many stop at the point of knowing there is a risk and throw some self-deceiving analysis at a potential financial impact with the intent of scorning or insuring risks away.  In the process, they never get down to thorough examination of the risks they spot and identification of the risks they miss, let alone prioritizing real and even imminent risks.

Worst, even the most senior of leaders evade such risk examination while intoning their conviction that “the lawyers can take care of it if anything goes wrong” and risks, any risks, do mature. By which time, of course, it’s entirely too late, except for litigation and, all too often, criminal defense.  Meanwhile, government has become so obsessed with chastising the private sector for not understanding threats and risks, that it entirely fails to meet its own risk obligations.  Witness LIPA.  Witness the hacks into government agencies and even the White House.

Every company needs to derive a real solution to the problem of risk in a time when too many managers, boards, investment bankers, accountants, and even risk averse lawyers minimize the risk and concept of risk simply to get the deal done or the funds raised, ignoring technological, political, physical hazard, and all manner of structural risks.  Major failures used to be a symptom of hard fraud; now major failures are a symptom of non-thought –which opens the door to hard fraud.

©2013. S. Caroline Schroder. All Rights Reserved.

Argh, Risk

The truth of risk is:  it never ends.  Risks are.  Risks mature and those incidents, those circumstances, those issues, those disasters spawn their own risks.  It is vital to continue to track what happens next as risks mature.  Call what happens after risks mature “issues”:

1. Issues generate their own risks which may become significant through time, including ongoing risks.  Emergent risks would only have to recaptured and identified in the future, so track issues and emergent risks along the way.

Think of volcanoes:  eruption may settle the question of whether to visit a volcano, but it also generates a  plume, which will itself change in intensity, size, and content over time and may re-emerge after a hiatus, potentially disrupting transportation, as Eyjafjallajökull in Iceland did in 2010.

The volcano may also be associated with seismicity, as was Eyjafjalla beginning in 2009, and seismicity  including aftershocks, and on-ground damage, including tsunamis, as at Mauna Loa and Kiluaea, or in Alaska, where tsunamis were triggered by landslides down the volcano slope.   Think Santorini and the end of Minoan civilization as Thera erupted and collapsed for the final time.   Think L’Aquila, Italy and Fukushima, Japan for parallel but not identical risks.

While clearly not every volcano every time or every seismic swarm or major quake will affect every entity or even any entity, L’Aquila stands for the need to track ongoing issues along with risks.  On Santorini, given a history of eruptions and quakes, the city of Akrotiri was evacuated before the final big one in the 17th Century B.C. (www.santorini.com).

2. Learn as you go; don’t wait for after the fact to record ‘lessons learned’.  Experiential learning from risks, issues, planning, responses, and consequences progresses over time reinforces good execution and improves poor execution and documents issues and risks for which the significance emerges over time.

Think of the CDC documenting isolated deaths caused by resistant bacteria for the ability to track down sources of contagion and eradicate bacterial contamination if a trend emerges.

3. Document even tangentially related facts along with issues for a comprehensive company record of emergent risks as well as matured risks – even where not required for compliance or obvious risk management.   One never knows what will yet prove relevant.  One never knows what will prove germane to internal and external party performance, both for evaluation and further planning, future strategies, transactional negotiations, legal compliance, and, grimly, pre-trial discovery and trial or settlement of litigation or regulatory proceedings.  Or jail.

Think Graham  and Buffet.  Or Holmes…Or Morse.

©2013. S. Caroline Schroder. All Rights Reserved.

Risky Business

The current crisis in risk management is of long standing:  decades of critical risks have been missed, ignored, neglected, or deep-sixed along the way.  The dismal results have shown no improvement despite the investment of time, effort, and cash into the increasingly entrenched risk management systems and personnel.   Entities have adopted new systems, new software, new calculations only to see risk failure catastrophes and economic convulsions hit worldwide.  Is it the nature of risk or is it the risk management?

Certainly risk is complex and nuanced,  but how does that explain the disasters in which the obvious has been overlooked, from economic gambles to natural hazards to terrorism?   Apart from the disasters resulting from active manipulation, and firing, of risk management, the obviousness of the risks missed indicate that risk management is being applied subjectively, myopically, or not at all.

The critical goal for senior managment must be to develop a consistent, replicable, intellectually honest system and assessment, usable by all levels of management and transparently accessible for senior management and the board, (including in the context of, say, sentencing guidelines).   The personal performance goal for the risk manager must be  to go beyond the familiar while also not turning in a bravura performance of imagination.  Critically, risk management must not be  biased by substitution of personal interpretations of what the entity is or should be doing, punctuated by flashes of insight into what “people really mean.”

©2013. S. Caroline Schroder. All Rights Reserved.

Getting Down to the Nitty, Gritty of Risk

These days, everyone seems to want a share of top down analysis to prove their worth. While top down analysis is valid and essential, it is naturally biased and inevitably filtered. It builds-in the historical not only as foundational experience but also as ongoing operational and strategic perspectives and assumptions. Top down management by itself is slow to respond to fundamental changes, good or bad, innovations as much as defects, disruptions, and delays. Facts from the bottom, the interfaces, and the margins are interpreted, structured, filtered, and massaged as they move up. The real-time pulse of the entity is inevitably lost.

Bottom up analysis, by contrast, is the only valid means of understanding the real composition of the company, the basic details of what a company actually has and does not have –and what the company can really do. Bottom up analysis is essential to quickly teasing out the risks inherent in new or exogenously forced strategies and strategic objectives. The deeper risk management can get into the weeds and really understand the root issues, the more valuable that risk management is. Even then, bottom up risk management has to push those root issues to the top for senior management and board to have th real pulse of the company.

Unfortunately, over time, hands on management of the company’s roots has become equated with lack of prestige. The trendy eschew the fundamental facts as “weeds.” Suddenly everyone stakes a claim on ‘driving’ the strategic plan. In truth, everyone wants prestige. However, if in a bid for personal prestige no one puts together the ‘big picture’ through the granularity of facts and ‘weeds’, there is no clear real time or near time comprehension of the the entity. Risk management, senior management, and the board lose a necessary tool. Getting risk management down to the weed level so as to understand interconnections and root issues with high accuracy is thus very important for the quality of the judgments made by the board.

Risk management has the highest utility when enabled, and motivated, to detect anomaly early. Only then can risk management distinguish and track red flags, and senior management and the board capture inventive strength even as they skirt the precipices.

©2013. S. Caroline Schroder. All Rights Reserved.

Risk Is A Many Un-splendored Thing

When risk matures into an event, impact is not known absolutely: every event spawns additional risk and continues pre-existing uncertainties. Final impact may not be known for a very long time. Look at BP Horizon.

Risk is multi-factored. It has reach and it has depth. Risks are potent even when emergent. Inchoate, nebulous risks can mature quickly and devastatingly. Exogenous risks can be destructive well before their relevance is entirely clear. Risk managers should not make judgments about leaving out such risks and uncertainties on their own. They should thoroughly vet the facts and factors with the people who understand the substantive operations and operating environment: the business units and senior management. Only then can risk management and those to whom they report really understand risk in the context of the entity itself and the experience of entities across its industry sector and in adjacent and other industry sectors, as well regulators and entities farther out in the value chain.

Risk managers must understand that the risk or uncertainty they rule out could actually have been the topic of a recent discussion in R&D, on the shop floor, in an industry trade journal, for a poster session at a scientific conference. It might be even now under discussion among senior management –or the board.

Does any entity of any sophistication actually ignore its ‘stakeholders’? Not for long. The vagaries of stakeholders are the topic of conversation from Marketing to Law and all the way up to the board. Ruling out a risk may seem efficient, economic, or mathematically correct, but it may be disastrously wrong, based not on future hindsight but on real knowledge within the company all along.

The risk or uncertainty risk managers don’t vet could already have hit an entity elsewhere and already be the subject of a lawsuit, a regulatory proceeding, or some other active legal threat. Don’t forget that legal analysis is the application of law to fact situations: it’s the who did which to what or to whom and how and why. The potential for a risk manager missing cutting edge emergent issues and material and substantive risks which have already made their way into the courts as litigation elsewhere is enormous. It is critical that the risk manager not just presume to know best and clear the radar.

©2013. S. Caroline Schroder. All Rights Reserved.

Momentum By Itself Is Not Success

Business teams like to keep moving. They don’t want to be constricted. They don’t want to be fenced in. They think of risk as a chimera: They think they will deal with risk if and when “real trouble” comes. Therefore, they wait too long to go to advisors, from engineers to lawyers. They wait until the term sheet is dry or the problems have festered into litigation. But by then risk has matured into “real trouble”, and they will definitely face the high costs of trouble, from lost sales to damaged reputation, from fines and penalties to litigation.  You need to understand facts, figures and history to prevent, mitigate and resolve crisis.  Work out the real parameters of opportunity and  assess the probable parameters of trouble;  optimize potential, limit damage, and find real solutions. You need to look at your business from multiple perspectives.

The time to ask for guidance is before your risks have matured and trouble is under foot.  Work on your vulnerabilities and uncertainties while your decisions are still business decisions and not  legal choices.  Capture opportunities and catch trouble early –or make sure that trouble never even comes.   Don’t think of it as fear or risk aversion:  Think of it as staying out of trouble and making your model hum.

©2008. S. Caroline Schroder. All Rights Reserved.