August 2020 was an exciting month for 52 Risks®. The innovative Regtech start-up company, 6clicks, and 52 Risks® announced a global partnership agreement that will see the 52 Risks® framework used in 6clicks’ enterprise risk management software as its core risk library for the management of strategic, financial and operational risks. Check out 52 Risks® on 6clicks here
Notwithoutrisk Consulting will also be an implementation partner of 6clicks – feel free to email here if you want to learn more about managing business risks better using 52 Risks® and the 6clicks software. The 52 Risks® website will continue to be free of course.
Risk management is all good in theory…
An investment in risk management functions, frameworks, policies and procedures should pay off. But how do we know if this is the case? This question is often asked, and it can be difficult to identify the shareholder value or benefit that accrues. Many of the benefits are in ‘losses avoided’ – which are in turn hard to quantify.
Near misses can be a good way to identify such value but even then, it can be hard to attribute avoidance of loss to specific risk management measures. Similarly, the value of investment in a Three Lines of Defense approach (now a Three Lines approach – see the last 52 Risks® newsletter here) can be hard to qualify.
The real world, however, gives us many examples of where damage or loss has been incurred due to risk incidents, events and/or risk management failures. In recent months there have been a number of high profile, corporate stories that highlight the value of the ongoing sound management of risk.
- The destruction of two 46,000-year-old Aboriginal rock shelters by global mining group Rio Tinto has resulted in significant and ongoing reputation impact (Reputation Risk under the 52 Risks® framework). The caves were destroyed to access A$135 million worth of iron ore that would not have been available under alternative mining plans avoiding the culturally significant site. Rio Tinto is likely to face new and increased regulatory scrutiny, oversight, and potential disruption to its planned mining activities, both in Australia and overseas. In addition, it also faces the potential exit from its share register of shareholders for failing to meet their ESG investment criteria. Interestingly, it has been speculated that an organizational restructure in 2016 contributed to a loss of controls over the management of heritage sites.
- The collapse of the UK-based foreign currency group, Travelex, is one of the highest profile company collapses attributed, in part, to a cyber-attack. Travelex was the victim of a ransomware cyber-attack over the Christmas New Year period at the start of the year. It never fully recovered operationally, and it went into administration in June 2020. This is (yet again) a wake-up call that all companies – particularly small to medium enterprises – need to do more to manage cyber risk exposures. Even a modest investment in risk management and cyber security tools and processes can reduce the likelihood and impact of a severe cyber security incident.
- The Chair of the Australian-based financial services group, AMP, resigned last month after ongoing, adverse media exposure and investor pressure over the promotion of a senior executive who had been disciplined for serious misconduct several years earlier. This incident followed many years of ongoing underperformance, restructuring, and regulatory sanctions and oversight at the group. The market value of the Group has gone from A$13.4bn in 2016 to A$3.8bn today as a result. From a 52 Risks® perspective, the risks that have arisen in this period have included Business Model Risk, Hidden Liabilities Risk, Key Person Risk, Regulatory & Compliance Risk, Reputation Risk and Revenue Risk. The Sydney Morning Herald published a very good summary of the sad and sorry tale at AMP last month. It remains to be seen if the numerous missteps will be the end of the 170-year-old institution.
As an outsider, it is always difficult to identify the true root cause of risk management failures – we are always seeing the consequential impact. Nonetheless, they should always prompt a discussion around the board table – does our company or organization have similar issues, could these risks materialize?