TxB/2: Risk, Compliance and Controls. A Ten Times Better (TxB)©️Approach.
#So there I was …
Risk, Compliance and Controls
Stop!! I know some of you are already looking to flick on to a subject that you think is more exciting than risk, compliance and controls. Are you sure?
So, there I was … On holiday last year I fell, ironically on a lifeboat slipway, and fractured my right patella; parts of the patella were dragged up into my quadriceps, and there was also a complete rupture between the quadriceps and the tendon connection to the patella. I’ve had surgery, have titanium pins in my kneecap, have had the quadriceps and tendon re-joined through some lovely permanent internal suturing, and am well on the way to recovery.
What has this got to do with risk, compliance and controls I hear you ask? Quite a lot actually.
I fell – because whilst I did a risk assessment of the slipway (the clue is in the name), my assessment did not fully appreciate just how slippery it was going to be, I failed to comply with my assessment in any case, and there were inadequate controls to prevent people walking on the slipway.
My reflection is that this blasé approach to risk, compliance and controls is one of the many reasons why business endeavours such as programmes, buying, supplier management, bidding or contracting fail, and sometimes fail very badly.
So, after some thought, here is a starter of ten elements of risk, compliance and control which are needed in a business or programme, and which, if fixed or attended to successfully, will in my view lead to performance being ten times better.
I would love feedback and comments to help me improve my thinking.
One: Risk Framework and Risk Management System – bottom line is that you need one appropriate to your business or programme, without exception. It needs to be clear and concise yet comprehensive. Most importantly it needs to be communicated, and be compelling as to why it is important or it will not be adopted and used.
Two: Overarching and Principal Risks, Risk Coverage and Risk Appetite
Principal risks should be those strategic, reputational or critical operational risks which if not managed appropriately would present a real danger to the execution of the business plan/strategy.
Many risk management implementations over-emphasise financial and/or programme-specific risks. This is better than no risk management, but not sufficient. Coverage should consider, as a minimum: financial, programme and operational, cyber-security, people, regulatory, property, reputational, HSE and environmental, legal, commercial, compliance, supplier, strategic, catastrophic, and other emerging risks.
Below is a picture that I have found useful in the past summarising the types of risks to be considered (courtesy of Capita)
In my experience you also need an effective triage system, i.e. risks should be knowledgeably categorised as being dealt with “Now, Later, Never”. This helps with prioritisation and with applying constrained and limited resources to individual risks in a timely manner.
Three: Controls, Compliance, Reporting, Evidence and Improvement
Once the inherent risks have been agreed then appropriate “business as usual controls” need to be identified to mitigate the impact of these risks. These controls may include for instance access controls, IT asset controls, delegations of authority, disaster recovery & business continuity plans, financial checks on balance sheet items and provisions, data privacy controls, contracts repositories, crisis management plans, key supplier controls.
Regular reporting through a Key Controls Report/Questionnaire, with evidence submission, needs to be enforced to check compliance with the mandatory business controls and to drive improvement actions for compliance and performance.
Four: 3 Lines of Defence and Audit Process
It is really important to establish appropriate 1st line management controls and risk management, backed up by a 2nd line risk and control function, all of which are overseen or supervised by an independent internal audit and risk management body (e.g. at Group) who can check that the risk management framework and its implementation are appropriate, and assist with improvements using their skill and competence. The best are “critical friends”. Of course, there should also be an external audit function at the appropriate level of risk exposure.
Five: Risk Identification, Mitigation, Acceptance, Transfer and Closure
Risk identification involves working with the business to understand the inherent risks in a business, with a particular lens of the Principal Risks. The identification of these inherent risks should involve a wide range of experts from across the business and needs to be reviewed regularly. These experts know the business and are best placed to identify relevant risks.
Once the inherent risks (no controls) and the controls have been agreed, it is then time to decide whether the residual risk is acceptable, i.e. at the target risk level. If it is not, then it can either be mitigated further through specific action, transferred (for instance to a 3rd party), priced into a contract or bid, or an agreement can be made to stop the activity which is causing the risk. Please see the diagram below (courtesy of Capita).
Six: Management of Cybersecurity, Catastrophic/Black Swan and Emergent Risks
I have separated out these specific risks owing to their potentially huge and uncontrollable high-impact nature (e.g. cyber), and because of the non-specific and unknown nature of emerging events (think recently of Brexit, Covid and geopolitical impacts on prices).
Separate focus needs to be given to these categories of risk, and real attention by experts from across the wider organisation is needed to determine whether the wider controls, processes, compliance, reporting, forward-looking and early-warning systems are sufficient to avoid these types of risk, which can be catastrophic and existential.
Seven: Contracting & Bidding, Supplier and Internal Supplier Risk
In my view the best way to think about risk during bidding is as a potential additional cost of implementing the contract should you win. Whatever the cost of the controls, the mitigations/risk reduction actions, and the residual or target risk, this needs to be priced into a bid to get a full view of the potential cost of undertaking the contract.
I was once asked to review risks on a £1bn contract bid. £50m of risks had not been identified in the bid. Even on a £1bn contract, £50m is a lot. We incorporated a suitable element of the risk and still won the contract, as we were able to demonstrate our thinking and assessment.
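The three mechanics described in sections Two, Five and Seven (the “Now, Later, Never” triage, the inherent-to-residual risk comparison against a target level with its accept/mitigate/transfer/price-in/stop decision, and pricing unmitigated risk into a bid) can be illustrated as one small risk-register evaluator. This is an added example and is not code from the article or from Capita; the 5-point likelihood and impact scales, the control-effectiveness model, the triage thresholds, the probability table and the sample register entries are all constructed assumptions chosen for illustration.

```python
"""Worked risk-register evaluator (added example, not part of the original article).

Flow modelled: score the inherent risk (no controls), apply agreed business-as-usual
controls to obtain a residual score, compare it with the target level, and choose a
treatment in the order the article lists them. Also applies 'Now, Later, Never' triage
and totals the expected cost of risks that end up priced into a bid.
All scales, thresholds and sample entries below are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List

# Assumed 5-point scoring scales (hypothetical).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "catastrophic": 5}
# Assumed probability of the risk materialising over the contract term, per likelihood score.
PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.85}


@dataclass
class Control:
    """A business-as-usual control and the share of exposure it removes (0.0-1.0, assumed model)."""
    name: str
    effectiveness: float


@dataclass
class Risk:
    ref: str
    category: str
    description: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)
    further_mitigation_available: bool = False  # a specific extra action exists
    transferable: bool = False                  # a third party (e.g. insurer) will carry it
    priceable: bool = False                     # can be priced into a bid or contract
    can_stop_activity: bool = False             # the risky activity can simply be stopped
    cost_if_realised: float = 0.0               # constructed figure used only for bid pricing

    def inherent_score(self) -> int:
        """Score before any controls: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Score after controls. Controls compound: two 50% controls leave 25% of inherent."""
        score = float(self.inherent_score())
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be between 0 and 1")
            score *= 1.0 - c.effectiveness
        return round(score, 2)


def triage(risk: Risk, now_at: int = 12, later_at: int = 6) -> str:
    """'Now, Later, Never' bucket from the inherent score (thresholds are assumptions)."""
    s = risk.inherent_score()
    if s >= now_at:
        return "Now"
    if s >= later_at:
        return "Later"
    return "Never"


def decide(risk: Risk, target: float) -> str:
    """Treatment decision once the residual score is known, in the article's order of options."""
    if risk.residual_score() <= target:
        return "accept"      # at or below target risk level
    if risk.further_mitigation_available:
        return "mitigate"    # specific action to reduce it further
    if risk.transferable:
        return "transfer"    # pass to a third party
    if risk.priceable:
        return "price_in"    # carry as a priced provision in the bid/contract
    if risk.can_stop_activity:
        return "stop"        # stop the activity causing the risk
    return "escalate"        # above target with no treatment available: leadership decision


def evaluate(register: List[Risk], target: float) -> dict:
    """Per-risk summary: triage bucket, inherent and residual scores, treatment decision."""
    return {
        r.ref: {"triage": triage(r), "inherent": r.inherent_score(),
                "residual": r.residual_score(), "decision": decide(r, target)}
        for r in register
    }


def bid_risk_provision(register: List[Risk], target: float) -> float:
    """Expected cost of the risks priced into a bid: probability x cost if realised."""
    return round(sum(PROBABILITY[LIKELIHOOD[r.likelihood]] * r.cost_if_realised
                     for r in register if decide(r, target) == "price_in"), 2)


# Constructed sample register (illustrative entries, not from the article).
REGISTER = [
    Risk("R1", "cyber", "Ransomware on shared services platform", "possible", "catastrophic",
         controls=[Control("MFA on all remote access", 0.5), Control("Offline, tested backups", 0.4)],
         further_mitigation_available=True),
    Risk("R2", "supplier", "Key supplier insolvency", "unlikely", "major",
         controls=[Control("Dual sourcing", 0.5)], transferable=True),
    Risk("R3", "commercial", "Client site access delays on a fixed-price contract", "likely", "moderate",
         priceable=True, cost_if_realised=2_000_000),
    Risk("R4", "HSE", "Slip on lifeboat slipway", "rare", "minor", can_stop_activity=True),
]

if __name__ == "__main__":
    for ref, row in evaluate(REGISTER, target=4).items():
        print(ref, row)
    print("bid risk provision:", bid_risk_provision(REGISTER, target=4))
```

With a target level of 4, R1 (inherent 15, residual 4.5 after two compounding controls) is triaged “Now” and still needs further mitigation, R2 drops to 3.0 and is accepted, R3 has no controls and is priced into the bid as an expected provision of 1.2m, and R4 is “Never” and accepted. The multiplicative control model is deliberately simple; the design point is that the residual score, not the inherent one, drives the decision, while the inherent score drives triage.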
Additionally you need to build a partnership with your own suppliers in taking risk appropriate to the work roles, work breakdown and organisational competency. Risk should be treated as near to the source as possible to be most effective and efficient.
Internal suppliers are a blessing and a potential curse: it is really, really complex to deal satisfactorily with risks caused by internal suppliers, and clearly setting up some form of risk or punitive transfer is somewhat counter-productive. Here, the best way is to agree a common risk management framework and who will take up the risk on behalf of the wider organisation, and get this agreed amongst the senior corporate leadership.
Eight: Managing Risk of Change
Managing change is one of the riskiest things we can do in a business. It causes programmes to fail, systems to stop being performant, security breaches, financial loss, and a whole host of other problems. When considering change, it is essential that a full-scale review of the risks of the change and its impact on any existing business is undertaken, and that any new risks are treated accordingly.
Nine: Leadership and Demonstration of Primacy of Managing Risks
Many people don’t really buy into risk management, or if they do, they just do it to tick a box, and then put it away in the top drawer of their desk never to be seen again. Hence, the picture “Whatever” at the beginning of this article.
It is critical that leaders change this thinking: there is too much at stake to allow risks and risk management to take a back seat to “can we just get on with running the business”. From cyber attacks, to black swan events such as a pandemic, to inflationary geopolitical events, to failure of disaster recovery systems (meaning they can’t be used when invoked), to simple prioritisation of limited resource to the most impactful activities of a business, risk management should be front and centre of any set of business management tools and processes.
Several years ago a Nasa scientist and sociologist called Diane Vaughan was studying the causes of the terrible 1986 space shuttle Challenger disaster. She discovered that for several months prior to the disaster, managers and leaders had let standards slip and let engineering teams “get away with” breaches of protocol to keep things on track. This “deviant” behaviour became normalised as breaches came to be re-interpreted as within the bounds of acceptable risk. She termed this the “Normalisation of Deviance” and, in her view, it had a tragic and unfortunate catastrophic outcome.
Ten: Operational Management, Prioritisation and Driving Behaviours
Finally and crucially, you will need to constantly emphasise, demonstrate and impose the critical nature of effective risk management in managing the priorities of a business efficiently and effectively, and in allocating limited resources to the most important tasks, to ensure the general smooth running of a business.
Don’t slip up like me – manage, comply and control your risks. It can be very painful if you don’t.
Cyber Security Consultant | Government Adviser | Your Cyber Security Partner | Cyber Security | Data Protection | Governance, Risk & Compliance | Mission = Clear Cyber Security Protected Reputation
(1y) Great article, Antony. Many people do not understand the difference between a risk and an issue. Many risk registers are a list of issues being managed. A risk is something that may happen, like a cyber attack; an issue is when that risk has materialised, i.e. the cyber attack has occurred. Managing and mitigating the risk of a cyber attack and managing the issue of a cyber attack, i.e. incident response to a cyber attack, are 2 very different processes. Managing change is the riskiest thing to do for a business because it can help to mitigate or increase risk in every area of the business. It's a long time ago that we used to have regular risk management meetings. I enjoyed them though!
Operation Management | Operational Risk Management Professional | Banking & Financial Services | Helping enterprises enhance Operation Efficiency, Operational Risk Capability and Risk Performance
(1y) Hi Antony Lain, thank you for the post. Regarding number 1 in your post about compelling communication about the importance of the risk framework and system, what is your idea of effective communication? Experience is that staff are often not interested in trainings or company communications about the subject. Many thanks
Director of PPM, Sopra Steria
(1y) Enjoyed this Antony - and it's made my day to read the words 'So there I was....' as it took me back to the happy days at your weekly leadership meetings :-).