Welcome! This site is your entry point to learn more about the practical insight in The Operational Risk Handbook from Brian Barnier and his contribution to Managing Risk and Performance: A Guide for Government Decision Makers
Failing to learn from the past is foolish, failing to prepare for the future is arrogant.
Risk management is not a paperwork exercise for compliance. Compliance will always leave gaps and exposures to real business risk that can harm customers, partners and shareholders. Look at the litter of companies over the years who have been compliant and still suffered loss.
-- Brian Barnier
This is different, it's about managing risk to performance, not just compliance
Whether growing a company, investment fund or country -- it's about making better decisions to more easily and safely achieve performance objectives.
Risk to Return -- Why didn't we know?
Business and markets continue to react to nasty surprises. Supply chain disruptions, “unusual” trading events, natural disasters, civil unrest, trading system outages, communications network failures, frauds and more. After hundreds of years of risk management history, why are we so surprised when a bad thing occurs? What root cause or early warning was missed? Who knew before we knew and why?
What wasteful activities distract risk managers and business leaders to managing real risk to return in the real work?
Most importantly, why do enterprises sadly miss the opportunity to earn more risk-adjusted return?
These weaknesses in risk management apply whether evaluating the purchase of a share of stock in an individual company, the market for those shares or a broader view of the economy.
Failure to Act
People, good people, fail to act when they don't feel the full pain of the sickness, or feel the cure is worse or too costly. In risk management, this means not fully understanding risk faced or the response. This is a tragedy in itself and opens the door to disaster.
Learning from across time, industries and professions
Yes, we have decades and centuries of experience in risk management – across professional disciplines and industries. Yet, individual human beings are often too focused in their silos to draw on the wide range of proven tools and methods. Further, the varying terminology and methods of different disciplines often muddy the waters. This deprives them of the opportunity to better understand risk in their piece of the system and to understand how the risks in the rest of the system might affect their piece.
Shifting toward performance-oriented risk management
Brian Barnier steps back to appreciate this diversity and attempts to harmonize. He seeks to help people become aware of the rich history of risk management disciplines -- Alexander the Great, the father of managing risk to operations -- and apply that library to their individual situations to improve performance.
Performance is measured in profitable revenue in an individual enterprise or in sustaining broader economic growth. His objective is not only to help leaders improve, but also to guide them to improve more efficiently -- to do “six months of work in six weeks.”
Good risk management is the laser eye surgery of business -- it sharpens focus.
A key metric for your risk management program is how quickly it is ignored or treated as a compliance program.
The best risk management is about managing risk to business performance against specific outcomes or objectives.
· Changing situations may bring gain or loss.
· Risk management is not a paperwork exercise for compliance. Compliance will always leave gaps and exposures to real business risk that can harm customers, partners and shareholders. Look at the litter of companies over the years who have been compliant and still suffered loss.
· Risk management should improve agility, making it safer to move in a changing environment.
The big drivers of risk to your business are complexity, change and exhaustion. What tick-box risk management program is going to fix those?
Universal legal translator -- "I don't recall the specifics." means "I wish I paid more attention to risk management!"
Root cause is the key to finding and fixing risks to performance—especially to finding problems early and fixing them fast.
A systems view of risk is needed to understand the dependencies of products on processes, people and technology.
· An ‘event’ is not isolated. Potential and realized risks are chains that cascade in time, triggered by causes in dependencies or other related events.
· Thus, risks must be analysed in robust scenarios that consider environments, systems and cascades to understand how situations might be prevented and, when they arise, contained.
· Scenarios are therefore the central feature of risk evaluation.
Little is truly new in the world. This is especially true of root causes, although consequences play out differently due to different environments. After each situation arises, people often emerge who have already tried to call attention to the problem.
· A key role of the risk manager in facilitating scenario analysis workshops is simply to ensure that the right people are in the room to bring their insight to the discussion of how products and processes work in systems—the dependencies, the timing, the gaps and what is already broken or likely to break under stress.
· The power of the risk manager is in wisely using the"invite and flashlight" so the right people are looking at the right information.
· You must push to see enough to understand potential problems and opportunities in a changing environment.
Understand the business value of your options: the value of knowing now, rather than later; the value of acting now, rather than later—having more time to act. And the value of having a range of options, rather than being forced into one.
What's an "oops?" The risk you wish you had managed better.
Risk management is like new athletic shoes for business -- more agility for running the rocky road.
Always have a plan B. Use this not only to prevent and prepare, but also to test the quality of your risk evaluation.
· Base responses on root-cause data that can provide early warnings and point to what to fix, not proximate-cause data.
· View risk-status in the context of cascading situations in time created earlier in scenario analysis. This gives meaning to ‘What could happen next?’ and provides insight for action. This is situational awareness. Look for changes and patterns that create the need to act.
· Use plan Bs to guide you under pressure to take the right action, instead of making the situation worse. Consider the cost/benefit of the range of options.
Evaluating a risk management program by its controls is like evaluating a football team by the weight of its players.
Risk management -- It's about having the personal character to balance risk and return, when others are just grasping for return.
How do you define "bankruptcy?" A skill gap in risk management.
More risk-return-aware decisions form the best path to reducing risk to performance.
Ensure board-level (especially independent member) engagement in operational risk:
· Firstly, that the board risk committee has skill in risk management and a wide range of risk types.
· Secondly, that the chief risk officer has clear authority and ‘voice’ to the board.
· Lastly, that levels of assurance are matched to the nature of risks. ‘Reasonable assurance’ used for risk to financial statement preparation (and audit committees) is not sufficient for managing risk to a business initiative or human safety.
Continually improve maturity of risk management capability:
· Stress a culture of ‘find early, fix fast’, with a mandate for open communications (full disclosure, no defensiveness). Become time-sensitive.
· Deeply build risk awareness and risk response into your organization. Everyone has a role in preventing and responding.
· Be humble. Realize limitations. Understand bias. Seek people, training and past lessons to expose blind spots.
Demand an end-to-end view of risk by business activity/product/process—cross the silos.
As a speaker, he is appreciated for his clarity, focus and enthusiasm, motivating people to actions that produce results.
Always having a Plan B (and C, D and ...)
The laser eye surgery of business -- it sharpens focus.
Improving agility to more safely seize opportunity.
Managing change, complexity and fatigue.
Systems, dependencies and root causes
Cascading and unfolding situations, not "events"
Powered by the "invite" and "flashlight"
Fighting bias to overcome blind spots
Creating options to overcome limitations
Knowing the business value of your options
Knowing now, rather than later
Having more time to act
Simple for any kid who loves role-playing computer games
More easily achieving performance objectives