Below is the text of a speech I recently gave at a private dinner, where I was exploring the future of risk management – as you might guess, I am focussing on risk culture. If you would like to join me on this exploration, do let me know!
Fish rot from the head – the establishment view of corporate governance
Ladies and Gentlemen, I am delighted to have this opportunity to talk to you this evening. I know that you have been talking about risk management at this series of dinners, but I thought I would explore with you some new ideas that I have been developing.
I was sitting in one of those interminable conference sessions recently, when one of the speakers uttered five words. Five words that I have heard so many times they seem to be indisputable. And those five words were: “fish rot from the head”. It has been said so often that the very phrase now seems to encapsulate the establishment view of corporate governance and indeed risk management. But as I sat there, listening, my mind wandered off to the sprats that my partner had bought for supper that night and it occurred to me that not a single one of them had a rotten head. In fact, I asked myself, just how many fish do die from head rot? Of course I don’t have an answer, but there must be thousands of reasons a fish might die: it might be caught or eaten (after all these were sprats so mackerel might well have been involved, but instead, since they were by now in my kitchen, it was probably a trawler), the fish might be terminally ill, conditions might change because of global warming leading to a loss of habitat. Much like fish really: companies disappear for a wide variety of reasons. And of course I am not saying that the head is not terribly important! The head, the brain might not be very good, it might be a bit thick, it might be greedy, it might have an overwhelming sense of its own importance, it might not have a very good fight or flight response, but rarely does it rot before the fish, I mean company, dies. I am not giving the board a free pass or underestimating their importance: I am simply saying that no company dies because the board suffered collective fish rot: far more likely there was a multiplicity of issues of which an incompetent board may just have been one.
The first brick in the wall of dishonour: the South Sea Bubble, 1720
So this got me thinking: if it is not rotten head syndrome, before they implode, where should we be looking in our banks, our listed companies, indeed our private companies as well (lest we forget BHS)? It seems to me that the exploration for answers to this thorny question started almost 300 years ago when the South Sea Bubble burst (in 1720 to be precise…). This was the first of a very long line of candidates in our global wall of dishonour with more recent entries including those brought low by the Global Financial Crisis, Volkswagen and of course the illuminating case of Wells Fargo over the summer. Since 1720 onwards, the response from governments, regulators and others, whether here in the UK, or in the States, or Europe, or Canada or South Africa has been to change the law, set up inquiries, produce reports and ultimately to tinker with the ways in which boards operate. And of course many of those early development enabled the creation of trade as we know it today. But now, all that we see is merely rearranging the dead fish. Because none of these companies went bust because their head was rotten, but rather because the head was unable to discern the life threatening risks that they faced and to work out what should be done. Quite simply the boards of these organisations, which after all are only legal fictions, did not have adequate fight or flight responses. And just for the record, fight or flight is sometimes described as being a state of hyperarousal, and before anyone gets the wrong idea, this is the acute stress response in animals where there is a physiological reaction that occurs in response to a perceived harmful event, attack, or threat to survival…
Anyway despite all of the codes of governance and risk management that have ever been written by eminent people (and indeed pulped), the very next corporate governance disaster is incubating right now, somewhere out there, waiting to shake the market, to result in mass redundancies, to reduce pensioners to penury and which will enable a small clutch of directors to retire gracefully from public life while politicians, regulators and commentators cluck like headless chickens. So tinkering with board structures has definitively NOT made the problem of failing organisations go away. So for me, the bottom line is that it is now time to think better about risk management. And I don’t mean by that the life-sapping, energy-draining nonsense that we so often see. Nor do I mean the data-free zone of Nigel Turnbull’s cosy annual or semi-annual chat around the board room table, but rather I mean something that really begins to equate to a proper fight or flight response where initial impulses can be over-ridden by the front of mind thinking that we are capable of as humans.
This is important: if you don’t deal with it, you won’t be here tomorrow
And why should you, sitting around this table tonight, be thinking about this issue today, right now in the full flow of the 21st Century with regulators and politicians watching over your every step? The answer quite frankly, is because if you don’t, you will not be here tomorrow! Here we are in a world of staggering uncertainty, post-Brexit, Trump and Italy, with the Euro likely to collapse, and the world-order turned upside down and trade barriers being promised like there is no tomorrow. And that is without mentioning global warming, mass migration, a newly confident Russia and the Middle East in turmoil. This is the kind of uncertainty that paralyses organisations, puts investment budgets into a tailspin, and sends the global economy into a juddering reverse. And you thought the Global Financial Crisis was bad! We are heading into the greatest era of uncertainty the globe has ever seen. Is this really a time when we need to be thinking of rotten fish heads? Shouldn’t we be thinking much more about the agility of our organisations to deal pro-actively with issues so that we can protect the societies where we operate, and pro-actively build the future of our organisations. These are issues which extend far further than the structure and activities of our boards.
The license to operate that is granted by society
In my mind we need to turn to risk management because the value of our organisations is entirely based on two things: the license to operate that is granted by society AND also what we do in the future. Sure we can count what we have done: how many of your organisations have spent (or in some cases earned) oodles of money on accounting systems that can tell you (or your clients) exactly what you (or they) have done in the past five seconds? And increasingly in the financial sector you are playing with risk management under the guise of “risk controls”, what as a trainee Chartered Accountant, I learned to call “Internal Controls”. Some of you might have some kind of Enterprise Risk Management approach, but I am willing to bet that in most cases it adds little value and is largely ignored (especially by the board) making hardly a fraction of a difference in what happens in the organisation.
At last: regulators are looking at risk culture
So if ERM is not the place to turn to, where is? Rather surprisingly, I am delighted (even if the FRC did make such a ham-fisted attempt at looking at it this summer) that regulators have begun to explore ideas of culture, and in the case of Financial Services, risk culture, because that is where understanding the future has to start. My case starts with the indisputable fact that the value of our organisations is entirely in the future. And for the value to be sustained, society and investors have to have faith that we can navigate the multiple futures that we all face as we sit here today looking towards tomorrow. So in my view, it is time to rip up the risk registers, to junk the risk workshops and begin working with the real risks. I am talking about an approach to risk management which works with the risk culture (as well as the organisational culture – and yes, I am saying that the two are different), and where risk management becomes cultural. A feedback loop if you like from the front office to the brain and back again. Just like a proper nervous system in any organic (as opposed to fictional) animal.
Already I am talking to clients about HOW we can measure the risk culture by understanding the DNA of the organisation, the conversations about risks that take place. How we can move assessment of the risk culture away from speculation and subjectivity to a measurable, discernible feature of the organisation, where we will understand whether the organisation lives the values the board espouses, whether short termism trumps (if you will excuse that phrase) long term value creation. We can understand where there are individuals who control and suppress information about risks, and we can see how vibrant the dialogue about risk is up, down and across the organisation. As one major bank said to me: at last we can begin to put numbers around the culture! I actually prefer to think of it as starting to provide timely, relevant and actionable information that enables businesses to manage their risk and organisational cultures.
We can create a flow of relevant risk management information: perspectives on the future
By using the information that we garner from this process we can also begin to use it to repopulate our understanding of which risks are really important in our work and indeed for our multiple futures. We can begin to use it to understand the risks that extend outside our corporate borders and which permeate our value chains, our off-shored IT providers, our partners and indeed our regulators. Then we can begin to harness the power of AI. The computing power that you all have at your fingertips, the information that you can access, combined with an understanding of your risk culture can transform the way in which we manage our organisations tomorrow so that we can build firms that balance off the needs to produce results today with the utmost importance of building value into tomorrow. We can create a flow of relevant risk management information – in other words perspectives on the future – that will genuinely inform the way in which decisions are made.
No longer a moribund process carried out at audit speed, rather risk management will become cultural, it will be in real time, dealing with real issues as they bubble up through the organisation. We can create a sandpit approach where people can explore different possible futures, looking for validation from the system before making confident decisions, addressing the forward looking needs of the organisation and helping you to harness the multiple futures to your best advantage.
Looking for the “Ah Ha!” moment!
I first became involved with risk management way back in the mid-90’s, when COSO was new, but even back then in Coopers & Lybrand, I was looking for new ways of doing risk management, so much so that after the merger with PW, we invested in thought leadership with the LSE. I was the very first partner in any of the big accountancy firms to work full time on what we now call ERM, and I was the first to recruit an organisational psychologist to support me (in the client work that is, not just to look after me!) But I have been looking for the “ah ha!” moment all of that time. It took Luca Pacioli, a 15th Century monk to create the double entry bookkeeping system that has been at the forefront of measuring the value of transactions and thus our organisations. And nothing has come close to being as important in value creation in the subsequent six centuries, until now. And I think I can finally discern a way forward so that we can move from a reactive, rearward looking form of accounting information, to a forward looking, proactive approach to risk management that helps us to live sustainably into the future. And of course this is only relevant if you, and people like you, sat around this table are willing to take up the baton with me – because if I develop this for myself it will be entirely meaningless!
So recognising that we have leaders from banking and technology sitting in this room, I would like to suggest that these ideas that I am drawing today imply some considerable IT investment. And as many of you will recognise, the digital future requires us to make this personalised, both to companies and to individuals in the organisation (addressing the “What’s In It For Me” question). We will be leveraging AI, and creating something that will be easy to use while giving back a sense of control (which incidentally is why so many organisations fail to implement change effectively). We have to create this in a mobile environment, because that it is how people want to manage their lives. It needs to be social in that it needs to transcend organisational boundaries. We will remove the unnecessary barriers, the agents if you like, who grit the wheels of current management processes. And of course, as we develop it, this will be constantly upgraded as new thinking, new developments and new technology come on stream.
So what are my takeaways from this brief talk?
- Current governance, reporting and management frameworks are flawed. They are principally based on looking through the rear view mirror while simultaneously navigating between the rocks dropped in our path by the regulators, and scarcely any regard to what is going on in wider society. But risk is dynamic, and peoples’ perspectives of risk are too. By forcing people to report against a tight risk framework that sits in the past or suits some regulator, you are naturally excluding some risk situations, and creating bias against dealing with others.
- Risks need to be cross-validated to identify false reports and missing risks. I don’t need to tell this audience that clever computing power can vastly improve outputs and pattern recognition is one of the keys.
- To map risk, you have to extend way, far beyond the organisation chart and off into the realms of where the maps currently say “Here be Dragons”.
- We need to rip up the accumulated moribund mess that we accountants, bankers, lawyers and technologists have created out of risk management, and we need to create a new vibrant approach to risk.
- But above all, we need finally, to be taking into account all those people who are working inside and outside our organisations and who face risk all day, every day, so that we really begin to manage our futures as well as count our pasts.
Risk management should be the disruptive intelligence that pierces perfect place arrogance
Finally, Ladies and Gentlemen, I have a mantra, a motto if you like, that says that risk management should be the disruptive intelligence that pierces perfect-place arrogance. If you sense any perfect place arrogance creeping into your organisation, I suggest that you need to be addressing the issues that I have raised now. Of course, if you don’t feel any perfect place arrogance creeping in, perhaps you should indeed be looking for rotten fish heads.
Anyway, I am conscious that I am between you and dinner and a flow of erudite conversation around the table. But before I finish, and with a view to inviting you to joining me in developing THIS risk conversation, let me just ask, are there any questions, observations or comments on what I have said?