The seven deadly sins of Risk Management No 1 - ‘I can’t believe it’s not Risk Management!’

A lot of things that are called ‘Risk Management’ aren’t about managing risk.  Not really.

They are about regulatory compliance – great lumps of reporting full of traffic lights and whizzy diagrams, reassuringly large amounts of time and cost, but not really about protecting the business.  Charming people regulators, but they are interested in the market as a whole, in protecting customers and in other nice things.  The truth is THEY DON’T REALLY LOVE YOU and, to meet their primary obligations, will happily see you and your shareholders burn in hell.

They are about financial accounting – again lots of work, and getting closer to protecting the business with some of the more recent innovations like the viability statement. But, in the end, your auditors are mostly about validating a set of numbers and, as recent fines and penalties have shown; they have their plates full just doing this.  The prayer of your auditor for your business is not for prolonged growth and prosperity, it’s - ‘DON’T BLOW UP IN THE NEXT 12 MONTHS IN A WAY THAT CAN BE TRACED TO THE ACCOUNTS’.

They are about good old-fashioned ass covering.  Any big corporate transaction will come with long lists of risks, helpfully provided by your lawyers.  Other professional advisors will highlight their concerns after taking your money and canny managers will slip their worries into the footnotes and appendices of reports. PROTECTION IS BEING PROVIDED – BUT NOT TO YOUR BUSINESS.

The illusion of risk management can be dangerous for boards, because it gives the impression that you are meeting your fiduciary and legal obligations without really giving the protection that actual risk management can provide.

Still looking in all the wrong places

@dgardner posted this from the excellent It’s a great reminder how people give attention to some risks at the expense of others. We do this at a corporate level also, when we fail to address those risks that cause the greatest loss of market value - strategic risks (

In terms of personal risk we are drawn, per Daniel Kahneman, to the ‘memorable’, so we worry more about Terrorism than Heart Disease, despite the fact that someone in the UK has about a one in four chance of being killed by heart disease, while their chance of being killed by a terrorist is about one in 11.4 million. This is slightly less than the chance of being hit by lightning (about 1 in 10 million) but still a lot more likely than winning the National Lottery (about 1 in 45 million).

In risk management, rather than the memorable, we seem drawn more to the readily quantifiable and classifiable (Market Risk, Credit Risk) or the more concrete (Operational Risk, Financial Reporting Risk).

It can often be difficult to put hard impact/likelihood numbers to the things that kill companies rather than people, but that doesn’t mean that the effort of working out what they might be isn’t worthwhile.

AI: Less like Skynet, more like coffee

A by-product of techie love of sci-fi is that discussions on the dangers of AI can veer off into the realm of killer robots.

This risk is really about advanced Artificial General Intelligence – AGI – which I simplify as conscious artificial superintelligence. We are very far from AGI, and AI is more prosaic: algorithmic models fed on large lumps of data.

The real risks of AI are that it is dumb but fast and it only works as well as the quality of its programming and the pertinence of its data. Feedback isn't always good either so the roots of error can be hard to find.

Some of the biggest risks with AI are around bias (e.g. embedding racist hiring), inexplicable error (e.g. market ‘flash crashes’) and unethical use (e.g. Cambridge Analytica). These are amenable to practical solutions at societal, organisational and personal levels. This is where our efforts should be directed.

As for the Skynet menace, Andrew Ng, ex-AI guru of Google and Baidu, says that while dangerous AGI might be possible, he’s currently not worrying about it any more than he's worrying about overcrowding on our Mars colonies.

The biggest risk of AI is that it provides new ways for humanity to do stupid things quicker.

A bit like coffee.

Brexity MacBrexitface

I was reminded today that there was another poll in 2016 where a majority in a public vote produced a result that was seen by the governing class as producing a wholly unworkable result.

I refer, of course, to the popular vote that named Britain’s new polar research vessel Boaty MacBoatface.

Eventually the government, in the form of the Science Minister Jo Johnson, brother of Boris, intervened, and the ship was called the Sir David Attenborough.

Parliament (it seems inappropriate at this point to refer to the decision making group as a government) seems now to be reaching for its own Sir David Attenborough moment.

Unfortunately, it seems unlikely that whatever outcome is reached will provide as neat a resolution.

Brexity MacBrexitface will haunt us for some time to come.

Brexit: Infinity War

“It's not the despair... I can take the despair. It's the hope I can't stand.” John Cleese, Clockwise

It is too easy to get drawn into the Brexit soap opera and forget that the uncertainty we see is likely to continue for some time regardless of the next cliff-hanger.

Bear in mind that, even if Mrs May’s deal is finally landed, most of Britain’s trading relationships remain to be negotiated and, even with the EU, the 21 months scheduled may need to be extended as the nitty-gritty negotiations surface new conflicts.

The other Brexit possibilities (no-deal, further parliamentary option-choosing and even revoking Article 50) all mean an even more unpredictable future.

There are effective strategies for dealing with Brexit uncertainty and getting above the noise.

Ask your organisation:

• Do we understand our vulnerabilities (and our opportunities)?

• Do we have a strategy?

• What uncertainties can we address?

• What decisions must be made, and when?

• How do we assure our stakeholders?

So, don't get bogged down in the despair (or the hope); address the practicalities.

It really is time to take back control.

Time to let go

Most of us will have been in organisations that just couldn’t give up on an initiative that was clearly beyond saving. This occurs in our personal lives as well – we hold on to things (or ideas) and defend our holding on beyond what reason would really allow.

There is a very human reason for this, characterised in the ‘Sunk Cost Fallacy’: we have invested so much in something emotionally (but usually in most business contexts also financially, or at least in terms of time ‘invested’) that we find it hard to give it up, in part because to do so seems to be to acknowledge some kind of failure.

A wholly rational being (one of Richard Thaler’s ‘Econs’) would happily pull the plug on a project that was going nowhere.

Humans, not so much.

Nevertheless, building an organisational discipline that allows you to call out projects or initiatives that are going nowhere is both possible and healthy. There are approaches that allow you to test decisions without blame and to draw a line without unhelpful recrimination.

Of course, sometimes when you hold on to something too long it may just get away on its own.

Not thinking about Mrs May’s Brexit deal at all.

It always takes longer and costs more

The government’s air of barely controlled panic generally makes me think of their Brexit management activity in terms of business continuity/disaster recovery, but Tim Harford has entertainingly compared it to major IT or construction projects.

I was reminded of this when I came across a reference to Larry Summers’ time as a professor at Harvard, where, frustrated by the over-optimism of his research assistants, he developed a rule of thumb for the time likely to be required for any task:

Double the estimate that the assistant gives and move to the next higher time unit. So, if the estimate is an hour, expect the task to take two days; if the estimate is two days, expect four weeks.

This is, of course, wickedly cynical. However, given that the government has only managed to replace six of the 40 agreements that it currently has through EU membership, perhaps it isn’t wildly off target.

It should also be noted that as the six include such major partners as the Faroe Islands, we can’t expect too much of a trade boost from the new terms negotiated.

Puffin anyone?

Not Appetising

In our well-oiled world it’s easy to forget that efficient movement of product is the only thing that makes some activities viable. It avoids both shortages and local surpluses.

Looking at practical steps to address Brexit risks (, I've referred to Honda’s publication of the drastic implications of exit from the customs union on its supply chain (elapsed time going from 5-24 hours to 2-9 days). But at least Honda doesn’t have to worry about auto parts rotting as they wait for customs clearance.

Delays in shipping broccoli, mushrooms and lettuce can close the saleability window in a very smelly, messy way.

How we see fresh produce tends to concentrate on farmers and fields, but timely transportation is also fundamental.

It's amusing for MPs to say that we can just eat more local produce because our shortages will be balanced by more British food to buy. I can only say that as a housesitting teenager I was once left with a quarter of an acre of rapidly ripening strawberries to deal with. I found that in a market where there is a local glut, you quickly reach the point where you can’t even give some things away. Not great for British farmers.

Oh, and I don’t eat strawberries any more either.

The Streetlight effect in Risk Management

A policeman sees a man searching for something under a streetlight and asks what he’s lost. The man says he lost his keys so they both look under the streetlight together. After a few minutes the policeman asks if he is sure he lost them here, and the man replies, no; he lost them in the park. The policeman asks why he is searching here, and the drunk replies, "this is where the light is."

It has occasionally occurred to me that risk managers, particularly those in banks, have this tic: because they have great tools for managing certain kinds of risk, they concentrate their efforts on using those tools to the point that they forget to ask themselves, is this really where our most serious risks are?

In my own experience I have had a conversation with a bank CFO who, in all seriousness, told me that the only risk information he needed was a single number that quantified his VAR.*

You may not easily be able to quantify the risks most likely to kill you (legal or market change, inability to manage people or growth, disruptive competitors…) but this shouldn’t mean that you don’t get your board to take them as seriously as the ones your regulators want or for which you can produce the coolest graphs.

*His bank no longer exists, but you’d probably guessed that.

Five useful takeaways from the WEF Global Risks Report

I read the 114-page WEF Global Risks Report over the weekend, #dryjanuary #marathontraining #bluemonday. In this bleak season it seemed almost like fun.

For most companies the risks set out in the WEF report are interesting and can inform decision making but, in a practical sense, they may not be the most worrying, for the very human reason that, even if they crystallise and affect a company, management are unlikely to be blamed for external events that affect the whole market. There are a couple of caveats to this: management can’t be seen to have handled such events much worse than most of their competitors and, if your main competitors are based somewhere else, unaffected by this macro crisis, and it hits your company badly, you’ll probably still be punished by the market.

While a lot of the risks discussed in the WEF report have particular relevance for individual industries, for example those in the energy sector, I’d like to call out a few more general points for UK businesses.

It is worth noting that while the report has a section on short term risks, most of its attention is on the longer term big-ticket items. However, even some of these have concrete impacts:

1. Cyber – Oh, you’d heard about this already? The sobering thing that comes out of the report is that the various risks that get lumped under the ‘cyber’ heading are probably even more serious and wide-ranging than you think – specifically: many more big data breaches in 2018, black hat AI capability increasing attack potency, new risks related to hardware weaknesses and indirect damage via attacks on utilities and infrastructure, including information infrastructure.

2. Political – Brexit has given us a painful insight as to how political risks can translate into real disruption at company level. Wider public discontent and feelings of powerlessness mean that this may just be the start, and further political changes will come with potentially negative effects for business, possibly including further migration restrictions and protectionism.

3. Trade wars – Beyond the macro level, these can bring supply chain issues, risks to staff posted abroad (ask Canada), inward investment reductions, digital data flow restrictions and, more obviously, tariffs and trade barriers, including disguised ones, e.g. around health and safety.

4. People risk – Not the ones we’re used to, about key people loss or staff behaviour, but something more subtle, well-characterised as needing remediation along the lines of mental health and safety rules and practices. The risk centres around heightened levels of anxiety, depression and stress. In the business context this comes from psychological stress arising from such things as ‘always on’ contactability, time pressures, job insecurity, loss of status and the workplace element of the widespread feeling of lack of control.

5. Climate – At this stage, the effects on most companies will relate more to government policy decisions (see this excellent Gillian Tett article in the FT, @gilliantett); there may also be supply chain issues and other nearer term impacts.

One final thing worth a look in the WEF report is the article toward the end from András Tilcsik and Chris Clearfield on ‘Managing in the Age of Meltdowns’, drawing on their book on the same topic. Some useful and practical advice on managing risks in complex systems.

Yes, you too can be one of the cool kids

I went to an interesting presentation yesterday evening of Marsh’s Global Risk Report for the WEF #wef #risks19 #mmc

As a risk manager I’ve been a bit sceptical of this kind of macro report, in part because there seems to be a lagging, even a ‘flavour of the month’, taste to the risks called out.

I’ve also had the feeling that these kinds of exciting ‘Big Risks’ don’t really connect to the practical problems of my company.

My suspicions have diminished over time with the understanding that this kind of report provides leverage and substance for discussions with senior stakeholders, where I can use it to inform the more local implications in our own risk reporting.

All of which isn’t to say that I’m going to take the ‘Weapons of Mass Destruction’ risk to a Board anytime soon, but there is value in the depth of information for specific matters like cyber risks/data theft and a useful context for taking account of external stakeholders’ concerns around, for example, environmental risks.

You can make these your own even if your invitation to Davos hasn’t come through this year.

Never too late to be cool.


Measurement ≠ Management

“To explain why a man slipped on a banana peel, we do not need a general theory of slipping.” (Sidney Morgenbesser) Good article by @andrewtghill in the FT before Christmas. The essential point is that we, particularly in business, tend to default to those things (goals, performance metrics, ideas of success) that we can subject to ‘hard’ measures.

This can mean that effort is misdirected. A case he does not cite is that of risk management, where the problem can be acute. Risk management’s crush on quantification comes from the fact that much modern risk management originates in banking, where there are some ‘harder’ risk disciplines (market, credit) and regulatory drivers to quantify.

To see if quantification might help you, ask the following questions:

- How accurate a predictor is the quantification really likely to be? This goes beyond confidence levels and standard deviations; it represents an exposure of the underlying assumptions and their ‘knowability’.

- Do you really need this kind of quantification? What purpose does it serve?

- How accurate does it need to be in order to be useful? Go that far and no further.

So; quantify if you can, but don’t go mad.

Company Killers

A few years ago the HBR published an article on strategic risk (, which included an extravagant claim from CEB.

It proposed that strategic risks caused 86% of all significant losses of market value, in contrast to the 3% from Legal & Compliance risks and 2% from Financial Reporting risks.

Aside from taking a gratuitous pop at auditors for where their efforts were expended (guess), there was a serious point: risk management effort wasn’t being directed to where value was really at risk.

Before any banks start to congratulate themselves for their quality of ERM and breadth of risk analysis, it’s a good bet that the effort still doesn’t map terrifically well to where the real company killers lurk. There are some regulatory drivers to this, but a big factor is that strategic risks can be hard to define and harder to quantify, and the controls are often ‘soft’, and organisationally involve awkward things like better communication and cross-disciplinary working.

Potemkin AI

Is your risk software as smart as it seems?

As the capacity for automating risk management grows, there’s a lot of buzz about AI. Risk managers like it because it gives credibility to areas that are harder to quantify (i.e. pretty much everything except market and credit risk) and their stakeholders like it as it promises sharper answers.

At a recent AI event, a point was made about how enthusiasm for AI has raised both promises and expectations, resulting in a degree of ‘backfilling’ to keep up, with concealed, or at least downplayed, human decision making.

In risk this isn’t new. I’ve written elsewhere about the ‘tweaking’ of assumptions. With AI this kind of manipulation can hide deeper in the software.

‘Potemkin AI’ can also come from undiscussed human activity between the system and the reports.

I am greatly in favour of increasing the use of AI but risk managers must be honest about their interventions and readers of risk reports have to keep up and apply an educated scepticism to what they receive.

Time flies like an arrow, but fruit flies like a banana.


When you write a report, meaning is taken not just from the content of the individual phrases, but also from how they fit into what’s around them, the choice of words, and the expectations and experiences of the readers.

Reports, in one way or another, tell stories. A danger for readers is that the interpretation of ambiguity can mislead. This puts a burden on the writer to be as clear as possible, which can be particularly difficult in risk reporting, where much of the content describes contingencies.

Expressing something variously as a ‘Very Low Probability’, a one in a hundred year event or having a 1% chance of occurring in a given year, may all be intended to mean the same thing, but they can convey different impressions.
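To see why those three phrasings land differently, here is an added example (not from the original post) that works the same risk through in code. It assumes the simplest possible model, independent years with a fixed annual probability, and the verbal bands in `VERBAL_BANDS` are an assumed scale, not a published standard; both of those are exactly the kind of unstated assumption the text goes on to warn about.

```python
# Added example, not from the original post: the same risk expressed as a
# return period, an annual probability and a verbal label, plus the chance of
# at least one occurrence over the horizons a board actually plans against.
# Assumption: years are independent with a fixed annual probability.
# Assumption: VERBAL_BANDS is a hypothetical scale, not a published standard.

VERBAL_BANDS = [  # (upper bound on annual probability, label), assumed scale
    (0.01, "Very Low"),
    (0.05, "Low"),
    (0.20, "Medium"),
    (1.00, "High"),
]


def annual_probability_from_return_period(years: float) -> float:
    """Read 'one in N year event' as an annual probability of 1/N."""
    if years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / years


def probability_within_horizon(annual_p: float, horizon_years: int) -> float:
    """Chance of at least one occurrence within `horizon_years` independent years."""
    if not 0.0 <= annual_p <= 1.0:
        raise ValueError("annual probability must lie in [0, 1]")
    if horizon_years < 0:
        raise ValueError("horizon must be non-negative")
    return 1.0 - (1.0 - annual_p) ** horizon_years


def verbal_label(annual_p: float) -> str:
    """Map an annual probability onto the assumed verbal scale."""
    for upper, label in VERBAL_BANDS:
        if annual_p <= upper:
            return label
    return VERBAL_BANDS[-1][1]


def compare_phrasings(return_period_years: float, horizons=(1, 5, 10, 100)) -> dict:
    """Return one risk expressed three ways plus its cumulative chance per horizon."""
    p = annual_probability_from_return_period(return_period_years)
    return {
        "return_period_years": return_period_years,
        "annual_probability": p,
        "verbal": verbal_label(p),
        "within_horizon": {h: probability_within_horizon(p, h) for h in horizons},
    }


if __name__ == "__main__":
    result = compare_phrasings(100)
    print(f"'1 in {result['return_period_years']:.0f} year' event = "
          f"{result['annual_probability']:.0%} per year = '{result['verbal']}'")
    for horizon, chance in result["within_horizon"].items():
        print(f"  chance of at least one occurrence in {horizon:>3} years: {chance:.1%}")
```

Run as a script it shows that a ‘one in a hundred year’ event has roughly a 63% chance of occurring at least once in a hundred years under this model, and about a 10% chance within a ten-year plan, while ‘Very Low’ on the assumed scale would also cover a one in a thousand year event, a tenfold difference the label hides.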

These descriptions also include assumptions, which may be explicit, but are more likely either not to have been described, or, at best, to have been described in general terms some time in the past.

Ambiguity in reporting can be a sin of commission or a sin of omission. If you think something needs to be brought to the attention of your Board, it's best to make it clear.

Why take the risk?

Thank You For Smoking

A corollary of my last post ( about the importance of risk managers ‘just getting out there’ is the equally important need to build connections closer to home.

Unless the process is consciously addressed, all organisations tend toward a tribalism of functions, and for risk managers, getting stuck in one's own silo can significantly affect both an understanding of what’s going on and the ability to get things done.

Risk managers have one of the best excuses to break through organisational barriers and, being able to wander at will*, you should be able to deepen work relationships with less directly purposeful informal contacts (coffee, lunch, chats in the office kitchen…).

In a recent article ( @pilitaclark gracefully made the point that the decline of smoking has cut off a useful networking tool, but that shouldn’t stop you from looking for other (less terminal) ones. Don’t be deterred by suggestions that this is time-wasting chatter: understanding of the ‘soft’ side of your organisation is fundamental to doing your job.

*If you don’t think that you are reasonably free to wander, you should be hearing some pretty loud alarm bells at this point.

The Mountains Are High And The Emperor Is Far Away

Tiān gāo, huángdì yuǎn 天高皇帝远

Talking recently to a number of Chief Risk Officers working in internationally dispersed organisations, one thing struck me strongly: those that I thought were doing a better job seemed to spend a lot of time on planes.

If your organisation is spread all over the world, or even all over the UK, there can be a temptation to gather data by conference call or, god help us, by email. Travel is time-consuming, often destructive of your personal life and expensive. Some firms act as if foreign travel is a treat and it’s very, very tiresome to have to justify something that you don’t really want to do to someone who believes you are doing it for fun.

It's hard to overestimate the value of just being somewhere in terms of really understanding what's going on. Conference calls are useful in a transactional type of way, but aren’t great for building relationships and rarely give you much in terms of picking up the ‘soft’ insights that give you the big picture.

The risk is that if you are not there, people carry on doing things that are dangerous, bad or just not very useful for your business.

So get out there!

Hierarchical Smoothing

‘Hierarchical Smoothing’ is a term with a specific meaning in statistical modelling. In a Sir Humphreyish aside a few years ago, a civil servant at a conference I attended mentioned that it was also a term of art within government departments.

Essentially, it signifies the dilution of bad news as it travels upward within an organisation, as each layer seeks to make it more palatable to those to whom they report. The net result of this is that the badness of bad news is progressively diminished as it rises, so that by the time it reaches the final layer, the Minister, or the Board, the bad news has become so scrubbed, cavilled and euphemised that it is no longer accurate as a guide to useful decision making.

This is not a healthy outcome. Pressure to do this is not unknown to risk managers either, nor is it unusual for risk managers to see evidence of it happening in layers further down an organisation.

One to watch and control for.

Your Risk Department as Lion Repellent

“Our Risk Department is operating perfectly; no major unexpected issues have arisen.”

“Our Lion Repellent is operating perfectly, we haven’t been attacked by lions at all.”

No evidence of risk is not the same as evidence of no risk, and your Lion Repellent can seem to work well if you live in urban England.

A problem with running a function that is preventative in nature is that it’s hard to measure your own effectiveness, which can be tiresome when competing for resources but, more fundamentally, it can also create difficulties when trying to evaluate what you are doing well and what you are missing.

The difficulty in measuring holds right up to the point where there is a massive unexpected event, when you are manifestly seen to have failed. It’s better to try to avoid this.

The only solution is to constantly refresh your activities, scope and understanding of the risks to your organisation.

Do you understand changes to strategy?

Are you keeping up with changes to your business environment?

Are you updating your reporting in line with what you know?

The alternative is to keep believing in the effectiveness of your Lion Repellent.

A Footnote on the Dunning-Kruger Effect

For completists following my earlier posts on the same topic and

Although there has been considerable research since to validate the idea, there was an original case that inspired Professor David Dunning of Cornell University to start looking into the proposition that many low-ability people are impressively unable to recognise their lack of ability.

The case concerned a Mr McArthur Wheeler, who on April 19, 1995 robbed two Pittsburgh banks in broad daylight. He did not wear any kind of disguise or mask and was even recorded smiling into the security cameras.

He was, nonetheless, amazed when the police arrived at his home to arrest him. This amazement stemmed from the fact that Mr Wheeler believed he had committed the perfect crime. Apparently, having heard that you can use lemon juice to make invisible ink, Mr Wheeler had liberally rubbed his face with juice prior to entering the bank believing that it would render him invisible.

Police stated that there were no drugs involved, just extraordinary stupidity.