When Tony Hayward was appointed to the top job at BP, he vowed to improve safety. In 2010, that promise came back to haunt him after an explosion at the Deepwater Horizon oil platform killed 11 people and caused an environmental nightmare - and cost the oil giant more than $60 billion.
A repeated theme of the many official reports into the disaster was that BP put cost savings before safety, rushing to get work done on a drilling project that was running late. It is an example of how badly projects can go wrong when risk is misunderstood.
Many companies regard risk management as a compliance and therefore rules-based issue; comply with the regulatory framework and that’s the job done. But risk is far more complicated than that; it covers the whole culture of an organisation and requires every employee to take an intelligent approach.
According to a 2016 report from consultants EY, The route to risk reduction: “Rules…address only a part of how we behave and make decisions. Behaviours and decision-making are also influenced by culture and the relationships and power structures that shape our work environment.”
Hywel Ball, head of assurance at EY, says one of the key themes in risk management is predictive compliance, using technology to scan for odd behaviour patterns among staff such as trigger words in communications. “For example, in West Africa, the word ‘goat’ is local slang for fraud. Or you might see a phrase out of context, or a transaction taking place at an odd time. Technology gives us the ability to join the dots on a series of data signals.”
Technology can also transform compliance, according to Raza Sadiq, chair of the Institute of Risk Management’s special interest group in enterprise risk management in banking and financial services. He says: “Companies such as IBM/Watson and Droit [a New York-based tech firm] automate global regulations within real-time trading systems, minimising legal and regulatory risk. The money spent on compliance is significant and companies could make better use of the technology.”
Critically, risk management needs to be adjusted to the unique needs of each organisation; there has to be a level of flexibility, not to mention an increase in timeliness. Sadiq says a standard risk dashboard that is updated quarterly has limited value; he suggests a monthly or even daily updating brings optimum benefits. Risk modelling only goes so far, not least because it has tended to use historical data and, as the financial services disclaimer points out, “past performance is no guarantee of the future”. But the 2008 crash proved the dangers of many traditional risk metrics in the financial sector; such measures may be useful in a “normal” market, but risk management needs to be more agile and proactive.
We should be mindful of what a model is telling us.
“We should be mindful of what a model is telling us,” says Mr Sadiq. “Models need to be developed with more realistic variability in play.”
Moreover, such models need to be understood at board level, yet explaining complex metrics to the C-suite is often not part of the skill set of the IT teams who develop risk management tools. The capacity to flex risk management also requires an ability to distinguish between different types of risk – preventable risk (such as not asking a client the correct regulatory questions before selling a product) may be tackled with training or technology, but strategic risk (such as the decision to drill for oil in the Gulf of Mexico) cannot be subject to rules.
Assessing the dangers of reputational risk is the highest level of all; the risk of a rogue employee or a cyberattack may be small but the reputational risk can be enormous. Moreover, even beyond simple risk frameworks, there are elements of risk that need to be understood; the risk of a rogue employee or a cyberattack may be small but the reputational risk can be enormous.
There are costs, yes, in reducing risk. But increasingly it can also be a selling point. John Davies, head of data and analytics at insurance brokers Marsh, is only too well aware of the new generation of risks; the company has in place carefully established procedures for handling client data that is designed to prevent any breach. He says: “We have very clear rules in place to manage that risk, which sounds quite boring on the face of it; but it’s a very compelling sales message when talking to clients.”
See the original post on The Times