Zen and the art of risk management

My suggestion to Boards? Try to keep an open mind when confronted with business risks. The sooner Boards recognise that risks offer options, the sooner they can start exercising them.

The next big scandal?

Experience shows culture and ethics generally trump systems when managing risk. Companies’ default response to scandal tends to be to introduce new levels of control, which rarely fix the problem. Has anything fundamentally changed in supply-chain management since the Rana Plaza tragedy or the horsemeat scandal?

Now bribery is making the headlines, and the impact of the Petrobras allegations on Brazil’s economy and bond markets has not been lost on UK regulators.

Employers are usually genuinely shocked when staff in overseas offices are found to have bribed. Yet they may need to look more deeply at the impact of their pay and rewards policy on their ethical culture. 

So culture is crucial, but companies also need to be smart in the risk management processes they use. Too often they force everyone who works for the company globally to attend a compulsory Bribery Act training session. Be forensic. Train those who need it properly, rather than everyone poorly.

In fact, when it comes to risk assessments, actually taking the risk-based approaches recommended by the Bribery Act itself would be a good start – too many companies still don’t.

Inoculating against emerging risks

The impact of falling oil prices is reaching large infrastructure projects in oil-based economies. As dollar earnings slump, investors and construction companies are getting nervous about whether oil-funded clients can pay. This is a risk that’s relatively straightforward to transfer using the right insurance products.

Smart companies will have robust trade credit insurance in place to help protect themselves, their banks and financiers.

More widely, multinationals generally should review their risk registers to see what level of risk they can transfer to insurers. Political risk insurance covers losses from government intervention and confiscation. Physical violence and war risks can also be separately insured against.

The enemy within

When it comes to cyber, rogue employees may grab the headlines, but companies should worry more about those who unwittingly open the door to hackers. Last month’s Kaspersky report found 100 banks had been hit to the tune of $1bn in two years. The Carbanak gang used ‘spear phishing’ to target staff with high authorisation levels, sending them emails which released spy malware when opened.

Some financial institutions regularly ‘phish’ their own staff to tighten security and monitor behaviour change. As the UK’s security services regularly point out, up to 80 percent of cyber-attacks succeed because of a lack of even the most basic defences, like strong password hygiene.

Staying ahead of rapidly evolving cybercrime is now a permanent cost of doing business. IRM’s Cyber Risk: guidance for risk practitioners is designed to help those at the cutting edge help their organisations protect themselves on an ongoing basis.

The talent crunch returns

The City is bouncing back. Jobs in London financial services hit a record of 709,500 in December, with 19,200 more jobs forecast for 2015. But the good times are resurrecting old skills shortages, particularly in risk and compliance. The Daily Telegraph recently reported nearly one in six staff left the Prudential Regulation Authority last year. Poaching the regulator’s staff may be an easy option for private firms but it highlights a wider supply-side problem.

Poaching talent is a revolving door: if you do it, so can your competitors. Attracting qualified and skilled risk staff is half the story; the other half is investing in your staff’s risk training and development. The lack of UK plc’s corporate commitment to growing its own wood is surprising.