Making sense of Opportunity and Risk. Strategy, Tactics and Practice. Tim Cowen, General Counsel & Commercial Director, BT Global Services & Chairman, IACCM
Risk is everywhere: how can we make sense of the risks in the world around us? How can the Commercial community add value? Strategy, Tactics, Practice. Benefits include: Security, Resilience, Opportunity ... and profit Generally
WEF, GLOBAL RISKS 2007, Correlation Matrix
Risk?
Strategy: Core vs non-core (but include critical and context). 5 Forces: Bargaining power of Customers, Bargaining power of Suppliers, Threats from Substitutes, Barriers to Entry, Rivalry among Competitors. Focus on clear strategic goal(s). Decide what activities are internal, external, co-venture, etc.: what is the apportionment of risk and incentives in the relationship? Ensure that contracts address the risks in the 5 forces, so that business risk (execution risk) is addressed through processes effectively linked to Governance.
Tactics: 3 Ms of Commitment Management: Make, Meet & Manage. Making a commitment: define who does what. Meeting a commitment: define metrics and KPIs, reporting, anticipate disputes. Managing a commitment: provide positive incentives and constantly reinforce the positive. Change what does not work (early). Risk Sharing and Relationship management are as important as (or more important than?) the contract. Think about what would happen if the contract fails, but manage the relationship.
Tactics: (Intelligently) Apply Best Practice Process. Best practice process can reduce risk and improve profit, but all processes require constant testing and upgrading, not slavish following. An inflexible “rules based” compliance regime results from: complex regulatory and governance regimes; a shift in public expectations of CSR. Added to by uncertainties: Credit Crunch, competition, open markets, new competitors, new ideas… Inflexibility or 'risk blindness' will result in the loss of competitiveness.
Tactics (Execution): Definition of core and non-core: core+critical; core+context; non-core+critical; and non-core+context. Many develop principles and processes to identify who does what, whether internal or external, whether out-tasked or outsourced, off-shored or near-shored, on a contract for service (employee) or a contract for services (supplier). All need to be reviewed and risk taken, allocated or shared. Many think terms and strategies simply shift risk to trading partners. This creates confrontation, disputes and fear. Fear feeds failure: lack of openness undermines trust. Lack of incentives for information exchange, lack of spirit, confidence and innovation.
Buyer power and its challenges: Public Procurement. Shifting Risk to suppliers in public procurement contracts is economically inevitable since government often has buyer power. It undermines the Single Market. Procurement law is designed to address this, but has it succeeded? Rand/IACCM study: No. Government gives in to temptation and shifts risk to suppliers. 2 important effects: it directly affects expected returns from participation (especially to risk-averse bidders or those with limited access to credit/capital); it creates adverse incentives within the contract to assess, manage and minimise risk. (Civil Servants think about the Select Committee.) Flexibility and proportionality in assignment and interpretation are important in ensuring that parties achieve optimal (or at least workable) allocation. Liability assignments should balance risk tolerance with the ability to manage, minimise or mitigate risk. Current practice may inhibit efficient risk sharing, distort innovation incentives and systematically deter the best suppliers or solutions. (Rand Report, 2007)
Practice: Risk v Opportunity. Recent IACCM “Risk Maturity” survey confirms that risk management remains too focused on avoiding failure, rather than delivering success. 55% of respondents feel that their risk analysis takes greater account of 'adherence to the corporate compliance process' than it does to the needs of the market. Who reviews processes on an END TO END basis? 3 lines of defence: management, legal/commercial, and audit. (PWC)
Practice: Regulations and compliance require global coverage
United States of America: FCRA 1970; PA 1974/1975; RFPA 1978; CTVPA 1984; ECPA 1986; VPPA 1988; DMPEA 1999/2000; COPPA 1998/2000; HIPAA 1996/2002; Sarbanes-Oxley; FSMA/GLBA 1999/2001; DITSCAP; NIACAP
Canada: The Privacy Act 1983; PIPEDA 2001
Mexico: eCommerce Act 2000
South America: APPD 1998 (Chile); PDPA 2000 (Argentina)
UK and Ireland: DP (A) A 1995/2003 (Ireland); DPA 1996/2000 (UK)
Scandinavia: FDPA 1995/1999 (Finland); DPRA 1978, APPD 1995/2000 (Denmark); PDPA 1995/1998 (Sweden)
Pan Europe: LPPLRPPD 1992, DPA 1995/2001 (Belgium); FDPA 1995/2001 (Germany); DPA 1995/2000 (Austria); EUD 1995/2002 (Luxembourg); PDPA 1995/2001 (Netherlands); ADPDFIL 1978, EUD 1995/pending (France); DPA 1995/2000 (Spain); DPA 1995/1998 (Portugal); PIPPD 1995/1997 (Greece); PIPPD 1995/1996 (Estonia); PIPPD 1995/1998 (Poland); PIPPD 1995/1998 (Slovak); PIPPD 1995/1999 (Slovenia); PIPPD 1995/1999 (Hungary); PIPPD 1995/2000 (Czech); PIPPD 1995/2000 (Latvia); PIPPD 1995/2000 (Lithuania)
Asia Pacific: PA/PA (PS) A 1988/2000, 2001 (Australia); Privacy Act 1993 (New Zealand); Personal Data 1996 (Hong Kong); CPPDP Law 1995 (Taiwan); eCommerce Act 1999 (South Korea)
Cross Geography: Basel II (International Convergence of Capital Measurement and Capital Standards – Revised November 2005); ISO 27001 Standard
Practice: Benefits of Trust: Reduced costs; Enhanced brand and reputation; Gain business integrity through business security; Implement secure communication and management strategies; Collaboration internally & externally; Improved productivity and job satisfaction; Protection of customers’ data; Increased financial transparency.
Practice: Common Risk Perception Problems. People exaggerate spectacular but rare risks and downplay common risks. People have trouble estimating risks for anything not exactly like their normal situation. Personified risks are perceived to be greater than anonymous risks. People underestimate risks they willingly take and overestimate risks in situations they can’t control. People overestimate risks that are being talked about and remain an object of public scrutiny. (Bruce Schneier, Beyond Fear (1))
Flawed Approaches Lead to Poor Risk Management. Examples:
1990s, BSE in the UK: Scientific advisory committees were revealed to be overly assumptive in their approach to risk issues, unable to recognize and address areas of uncertainty, open to political and market influence, and overly defensive of mainstream scientific opinion in the face of criticism. As a result, scientific advice was incorrect in its risk assessment of BSE and in the regulatory advice which was derived on this basis. (2)
August 2008, Hope Cove, South Devon: A volunteer coastguard crew face disciplinary action after going to the rescue of a teenage swimmer in a boat that had recently been repaired and was awaiting a seaworthiness inspection. (3)
Currently, the credit crunch: Disproportionate impact of sub-prime lending. Inadequacy of existing financial regulation. Fragility and interdependencies of the financial system have been exposed. Moral hazard implications where central banks act as lenders of last resort.
Practice: Benefits of risk resilience. A risk resilient organisation is able to: make informed risk-based decisions; conduct strategic risk-testing and analysis of level of risk associated with key strategies and objectives of the business; respond to risk management codes/regulations and related conformance requirements; identify, assess, and manage the level of political risk inherent in a company's international business activities; understand how its systems, network and people can be both vulnerable spots and points of defence against risk; quantify and measure the magnitude of the risk and its impact on the business in financial terms.
Practice: the links to Corporate Governance: Turnbull Guidance; Sarbanes-Oxley; Assessment and disclosure of risk to shareholders.
Practice: Companies tend to focus too much on price but customers also require quality and continuity which makes company collaboration with suppliers essential to effectively manage risk Rob Handfield, Bank of America University (5)
The Role of the Commercial and Legal Community in Practice: Varies. Typically to address and mitigate risk through contract. Raise strategic issues on contracts with both Suppliers and Customers (often critical to joint ventures and other forms of risk sharing). Apply the law to the (full) facts, awareness and training. Ensure that management understands the risks (and the rewards). Provoke accountability for risk registers, identification of risk, action owners and timetables, so that contracts work in the real world? Discharge legal obligations to shareholders under Sarbanes-Oxley (depending on whether caught by the rules). However, these rules are designed to mitigate risks for investors and only ask a simple question: Can you show what has been done to address the risks facing the business?
References
(1) http://www.schneier.com/blog/archives/2006/11/perceived_risk_2.html
(2) http://www.defra.gov.uk/Environment/risk/policymaking0509.pdf
(3) http://www.timesonline.co.uk/tol/news/uk/article4534934.ece
(4) WEF, Correlation Matrix, http://www.weforum.org/pdf/CSI/Global_Risks_2007.pdf
(5) IACCM Americas Conference 2007, Supply Chain Risk


Iaccm Risk Slides


Editor's Notes

  • #2: Risk resilience isn’t just about the elimination of risk – it’s about the effective management and mitigation of risk as a business process. This presentation will examine the growing focus that risk resilience is attracting in business, identify the wide range of risks that need to be managed, and show how BT has the portfolio, people, partners and reach to help you create and implement an appropriate risk management strategy to improve your business performance and gain competitive edge. In fact one of the important things that I think differentiates our approach at BT is that we’re not just a supplier. As a global company ourselves we’ve been facing the same issues as you and a significant value that we can add, I believe, lies in the fact that we’re not just a supplier, but a practitioner too. When you get your process right, it will no longer feel like gambling. In other words it’s not jumping off a cliff without a parachute. It’s managing risk and making it work for you.