
Risk report vs. risk information

September 5, 2022

Alexei Sidorenko has a great blog that we should all subscribe to, the Risk-Academy Blog. He describes it as “Controversial thoughts about modern day risk management in non-financial companies”.

He recently wrote “What should an awesome risk report look like?”, in which he said:

If we wanted to really make a difference to decision makers we would switch from risk reporting to risk-adjusted performance reporting instead. Risk managers always have a choice: generate own risk reports or use the outputs of risk analysis to improve existing performance and management reports instead. To me the choice is clear. Integrating risk information into existing management reporting is the future.

The first suggestion he makes is:

1. Probability of achieving a target or an objective / likelihood of success

A useful metric that risk managers should communicate to decision makers is the probability of meeting/achieving an objective or target. Think of it as achievability given the risks. If your performance report has targets or objectives, then risk managers can measure and report how achievable they are and whether they are more achievable today than last month. Norman Marks calls this likelihood of success and Tim Leech calls it objective centric. I provide a step-by-step guide on how to do it here. This can be represented as a single number (70% probability of achieving business plan objective) or as bands (forecasted performance falls within acceptable range). Separate likelihood of success needs to be reported for each significant objective. Archer Insight, for example, does a good job presenting risk information as probability distributions around the objective.

As you might imagine, I am pleased that Alexei has this as the first of the five items he would include in a risk-adjusted performance report.

This is what I said in Risk Management for Success:

Reporting to management and the board

In Risk Management in Plain English, I suggested a format for performance reporting (performance integrated with risk reporting). I have since reviewed this with multiple executives and boards and they liked the actionable information it provides.

Objective                                   YTD Status   Fall short   Achieve target   Exceed target
Revenue growth of 10%                       9.85%        15%          80%              5%
EPS improvement of 5%                       8.00%        10%          80%              10%
Maintain customer satisfaction levels       98.00%       8%           90%              2%
Improve market share by 5%                  5.00%        20%          70%              10%
Introduce new product on time and budget    72.00%       30%          65%              5%

An executive or board discussion around a report like this will focus on the areas where the current status and/or likelihood of achieving an objective by the end of the year are unacceptable. In the example above, these are highlighted in red. There will also be discussion of those pinkish areas, where achievement is marginal.

By drilling down into those cells, management and the board can identify which risks and opportunities are drivers of the assessment[1]. They can then determine the appropriate actions to improve the likelihood of success.

For example, I can imagine a report being discussed at a weekly meeting of the CEO and his or her direct reports. Jane sees that the likelihood of achieving the revenue target is only 80%. She asks what would happen if she joined the team in a meeting with a major customer, increasing the likelihood of that deal closing. That underlying factor is adjusted and she can then see that the likelihood of hitting the 10% revenue growth number increases to 85%.

The report has not only provided actionable information but led directly to a CEO decision and action.

Note that the report also identifies where there is a possibility of exceeding targets. I would expect those to be discussed with a view to improving those possibilities as well.

One of the values of a report like this is that an executive can consider where to allocate additional resources. It not only highlights all the areas that merit attention, but also enables a comparison of their severity. Then options can be considered, including letting one objective remain at a questionable level while attention is given to another.

The smart organization will prioritize its objectives.

For example, the year before I joined one company, it was very close to bankruptcy. The CFO held cash meetings twice each day, just to make sure they could make it to the next meeting. While the ability to make their revenue and profit targets was very important, it was even more important to generate cash. They granted significant discounts and sacrificed profits to close a sale that would bring them fast funds.

Another organization may find itself in trouble with the regulators for non-compliance with, say, anti-bribery laws. It might have to sacrifice profits and market share objectives, redirecting funds planned for a marketing initiative to upgrading its ethics staffing, processes, and systems.

Alexei has four other items he would include in periodic reports to management:

  • Risk-adjusted performance metrics
  • VaRs, EaRs, cVaRs
  • Limit breaches and activated stop losses
  • Transparent methodology with a back test

OK.

I suggest a principle we should follow:

Help leaders and decision-makers get the information they need.

While Alexei’s suggestions are excellent, these are from the perspective of the risk practitioner.

I am suggesting we need to look at this from the perspective of the leader and decision-maker.

Find out what they need and only then figure out what to give them!

A second principle is:

The success of any organization depends on the quality of its decisions.

Decisions should be informed and intelligent. They should be made by the right people, at the right time, with an understanding of what might happen (i.e., risk and opportunities).

Then:

Different people need different information to inform their decisions.

While I am a strong believer in managing the organization so that there is at least an acceptable likelihood of achieving enterprise objectives, there is more.

Consider the needs for risk-related information of these individuals:

  • The CEO
  • The CFO
  • The Treasurer
  • The head of Sales
  • The head of Marketing
  • The CIO
  • The COO
  • The CISO
  • The Chief Compliance Officer
  • The head of Procurement
  • The Safety Officer
  • The head of Human Resources
  • The head of Manufacturing
  • The head of Engineering
  • The head of Product Development
  • The manager of Physical Security
  • The head of Investor Relations
  • and the list goes on

Each has different decisions to make and needs different information. We can’t expect them to find all the information they need in the same report.

Yet, a poor decision by any one of them might have serious ramifications on the ability of the organization to achieve its objectives.

The risk practitioner should work to ensure each has the information they need.

There’s a difference between providing a report and providing information. For example, a CISO needs to be alerted every time there is a serious attack on the cyber defenses. A CFO needs to know as soon as there is a significant movement in exchange or interest rates. A Manufacturing executive needs information about manufacturing or supply chain issues as soon as they occur.

Reports are, by their nature, periodic. But risk management should be a continuous activity.

In other words, we need to tie KPIs and KRIs into the discussion.

In his recent posts and videos, Alexei has made the point that the most important part of risk management is the risk assessment. While that is important, and the risk practitioner can bring excellent tools and techniques to develop valuable insights, it is of little use if it is not used by the right people in their decision-making.

Each decision should have reasonable information about what might happen (i.e., risk analysis).

A final premise:

More decisions are being made every day that require an understanding of risk than the risk practitioner has resources to provide.

Where does that leave us?

We have to rely on management to collect and analyze risk information in the absence of the risk practitioner.

My advice:

  1. Work with those responsible for periodic (and hopefully continuous) performance reporting to make it risk informed. Make sure leaders understand the likelihood they will achieve their and the enterprise’s objectives. Feel free to adapt and use my suggested report format, above.
  2. Work with them and those who own each enterprise objective to develop the next level down of reporting. Take each objective and identify the related risks and opportunities, highlighting which are at acceptable levels and which are not.
  3. Talk to management to understand which of their decisions are most critical, and help them obtain the information they need.
  4. Help train management to make quality, risk-informed decisions.
  5. Allocate your time to where it will be of most value.
  6. Constantly ask if you are doing what you should be doing to help the organization succeed, which is far more than avoiding failure. Adapt.

I welcome your thoughts.

P.S. If you liked World Class Risk Management, I suggest you read the book that continues the discussion, Risk Management for Success.

[1] The left side of a bowtie or a tornado analysis may help.

  1. September 5, 2022 at 8:32 AM

    Thank you, Norman. Excellent post. Will start following the Risk-Academy Blog from Alexei Sidorenko. #thankyou

  2. September 5, 2022 at 8:37 AM

    Thank you. The only thing I would add is to separate information for decision making and performance/risk reporting. Very different processes. My post was just about reporting, which is no more frequent than monthly and serves a corporate governance role more than decision making. Key people are informed and decisions are long made by the time reports are prepared.

    • Norman Marks
      September 5, 2022 at 8:50 AM

      I agree – the points I am making are (a) most only think of reports, not what information people need, and (b) people need different reports as well as different information.

  3. Tom Easthope
    September 5, 2022 at 11:03 AM

    Good discussion
