Imagine that you are worried about your infirm mother and want to make sure that you do everything to protect her. If you adopted typical corporate risk management practice, you would identify a risk that she falls over. You would then calculate the impact (maybe a broken bone) and then identify some mitigations, such as putting some cushions around her bed or installing a handrail. All sensible, but not very thorough. What if the consequence were a significant chance of her dying? Would you then want to do a more comprehensive risk analysis?
Understanding corporate and financial risks is becoming an increasingly important part of any board’s job. Most companies seem to use this same basic format. However, one of the biggest problems in traditional corporate risk analysis is the general, catch-all nature of ‘mitigations’. Anything you do to reduce the risk or ameliorate the impact is classed as a mitigation. This causes glib generalisations and sloppy thinking.
Good risk management has to be very specific and very clear. You won’t protect your mother from falling by saying that you’ll ‘keep an eye on her’. You would need to be very specific about who does what, when and why.
Typical risk analysis in an annual report
The Principal Risk section in an annual report typically has a description of the risk, its potential impact, mitigations and whether the risk is getting bigger or not. I’m not sure of the value of the trend, as it is surely more important to concentrate on the size of the absolute risk. However, it’s the catch-all mitigations that are the key, and these are usually high-level generalisations:
“Adoption of rigorous policies and processes…”
“Regular performance reviews…”
“Deployment of high quality people…”
These are real examples of ‘mitigations’ of a risk that actually brought down a multibillion pound listed company¹. But they are also typical of most annual reports.
The bow-tie model
If you want to see best practice in risk management, look in industries where it is literally a matter of life and death, such as oil exploration, aviation, mining and maritime. These industries tend to use the ‘bow-tie’ model, which can also be applied to financial and corporate risks.
Hazard: The model starts by identifying a hazard. In our example, this would be your infirm mother moving around. She’s safe in bed, but the moment she gets up she opens herself up to a hazard. That hazard may lead to an event.
Event: This is the moment at which you lose control over the hazard. The hazard is her moving around, but the moment she loses control of her movement, ie she trips, it becomes an event. This is close to the typical corporate idea of a risk.
We now look at the causation of events:
Threats: These are whatever might cause the event to happen. For example, your mother might have had a few drinks, or she might slip on some water, or she might have a funny turn.
Preventative barriers: These are things that might reduce or eradicate the threat. This would include some actions that would traditionally be called mitigations. In our example, it might include hiding the sherry bottle, getting a carer to mop the floor, or altering her medication.
Then there are the results of an event happening:
Consequences: These are the outcomes from an event occurring. There can never be absolute certainty that barriers will work (ie prevent a threat causing an event). You can never be sure that your mother won’t ever fall over, despite your best efforts. It is important therefore to look at the results of such a failure. In this example, your mother might slip and break a leg or be left unable to call for help. These are not the risks themselves, but are possible results of the risk occurring.
Recovery barriers: These are things that might reduce or eradicate the consequence. Again, these include traditional mitigations, but are sometimes overlooked as it is often assumed that mitigations will stop any event from happening. In this example, you could put an emergency button on your mother’s wrist or put in cushioned flooring.
And then there are escalation factors:
Escalation factors: Few barriers are perfect. There are likely to be reasons why a barrier might fail. These are called escalation factors, and they can weaken barriers on both the threat side and the consequence side.
This model forces a detailed thinking-through of the risks: how to stop them from crystallising and, if they do, how to mitigate the consequences. Think of the barriers as gates that stop bad things happening, while the escalation factors sometimes force the gates open.
An example of a corporate risk
Here is an example of a corporate risk, that of poor people management leading to resignations of key people, shown as a bow-tie model:
This model shows the threats that might cause those resignations; uncompetitive remuneration, poor culture, inadequate career development and poor management practices. For each of those threats, the model shows what the company is doing to counter or prevent those threats. It also notes that there is an escalation factor, stress on people, that might exacerbate the threat of poor management, but this itself is offset by the use of in-house counselling.
If there were resignations of key people, the company could suffer the loss of key personnel, difficulty in day-to-day management, having to delay new projects, and more strain on the remaining employees. To try to avoid or minimise these, the company will: conduct interviews to determine whether a counter offer would win the employee back; use succession planning to identify replacement people who could be reallocated; use consultants if possible; and identify other personnel at risk who could be offered retention bonuses. The last of these has its own escalation factor, financial constraints, but the company addresses this by keeping a contingency budget ready for such an eventuality.
What emerges is a complete story of what dangers the company faces and how it is reacting to all of them. This is a much more powerful analysis than the traditional risk, impact and mitigation model.
This model can be used for any corporate risk and to build the risk register. Quantification could of course be added if required. This would be shown as the severity × likelihood of the risk happening without any barriers, and then again with the barriers that are currently in force. In our example, the likelihood of key personnel resigning might be 80%, and this might be judged to cause £10m of damage, ie an unmitigated weighted risk of £8m. You might conclude that with the barriers in place, the residual likelihood would be 30% and the likely damage £5m, giving a mitigated weighted risk of £1.5m.
The full model would be too big to include in an annual report, but could be summarised in this way:
This format is a useful summary, but the full model is better as a management tool in visualising and explaining the stages of risk management.
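To make the structure concrete, here is an added Python sketch (not from the original post) that encodes the resignation bow-tie above, computes the weighted risk exactly as the £8m and £1.5m figures were derived, and flags any escalation factor that has nothing offsetting it. The hazard wording and the preventative barrier names are constructed assumptions, since the post does not list them.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:
    name: str
    # escalation factor -> control that offsets it; None means nothing offsets it
    escalation_factors: dict = field(default_factory=dict)

@dataclass
class BowTie:
    hazard: str
    event: str
    threats: dict       # threat -> list of preventative barriers
    consequences: dict  # consequence -> list of recovery barriers

def weighted_risk(likelihood: float, impact_gbp: float) -> float:
    """Severity x likelihood, as the post quantifies a risk in pounds."""
    return likelihood * impact_gbp

def unoffset_escalation_factors(model: BowTie) -> list:
    """Escalation factors that can force a gate open with nothing holding it shut."""
    gaps = []
    for side in (model.threats, model.consequences):
        for barriers in side.values():
            for b in barriers:
                gaps += [(b.name, f) for f, c in b.escalation_factors.items() if c is None]
    return gaps

def summary(model: BowTie, p_unmit, impact_unmit, p_mit, impact_mit) -> dict:
    """Annual-report style summary: weighted risk without and with the barriers."""
    return {
        "event": model.event,
        "unmitigated_gbp": weighted_risk(p_unmit, impact_unmit),
        "mitigated_gbp": weighted_risk(p_mit, impact_mit),
        "unoffset_escalation_factors": unoffset_escalation_factors(model),
    }

# The post's example. Hazard wording and preventative barrier names are constructed placeholders.
RESIGNATIONS = BowTie(
    hazard="Relying on key people", event="Resignations of key people",
    threats={
        "Uncompetitive remuneration": [Barrier("Pay benchmarking")],
        "Poor management practices": [Barrier("Manager training",
                                              {"Stress on people": "In-house counselling"})],
    },
    consequences={
        "Loss of key personnel": [Barrier("Counter-offer interviews"), Barrier("Succession planning")],
        "Strain on remaining employees": [Barrier("Retention bonuses",
                                                  {"Financial constraints": "Contingency budget"})],
    },
)
```

Calling `summary(RESIGNATIONS, 0.8, 10_000_000, 0.3, 5_000_000)` reproduces the post's £8m unmitigated and £1.5m mitigated figures and reports an empty list of unoffset escalation factors, because both factors in the example have a control against them.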
Planning for risks and risk management needs to be done at a detailed and specific level. Generalisations won’t work. Too much risk work that comes to boards is rife with generalisations and bland ‘mitigations’. The bow-tie model, developed in industries that deal literally with life-and-death safety risks, forces a proper step-by-step plan of risks, management processes and actions that either reduce the risk or ameliorate the impact if the risk crystallises, together with an understanding of the reasons why those actions might fail. This model has a great deal to offer companies in sharpening up their understanding and presentation of corporate risk management.
¹ The risk was ‘Contract management’ and the company was Carillion plc. These quotes are from their last (2016) annual report.