'The fault lies not in the stars, but in ourselves...' - managing people risk
'The fault lies not in the stars, but in ourselves...' - managing people risk
‘Our people are our greatest asset’, the Chairman or CEO writes in the annual report and accounts. That is undoubtedly true, but the corollary is also true, that our people are potentially our greatest liability in a service industry. People failures, whether through incompetence, poor training or, importantly, poor behaviours, lie at the heart of so many of the risks to which financial services companies are exposed and suffer.
When the dust settled on the banking crisis, the Financial Crisis Inquiry Commission, set up by the US Congress, delivered its report in January this year. It naturally cited appallingly poor mortgage lending, abdication of credit risk responsibility to credit rating agencies and stunning over-indulgence in derivatives, those ‘financial weapons of mass destruction’, as Warren Buffett so memorably called them back in 2003. But before going on to those, it was vituperative about ‘dramatic failures of corporate governance and risk management’ and a ‘systemic breakdown in accountability and ethics’. All failures of behaviour and therefore incidences of people risk, one of the four legs of the common definition of operational risk, ‘the risk of loss from inadequate or failed internal processes, people and systems or from external events’. Yet how often is people risk management treated with the seriousness it deserves, either as part of operational risk management, or at all?
In my article last month on risk governance, I quoted Professor Mervyn King, who chairs the King Committee on corporate governance in South Africa. His point was that it was all right to talk about the tone at the top, but the key thing was to listen to the tune in the middle, the sounds which tell you that a particular risk culture is fully embedded throughout the firm. It doesn’t matter where the risk culture lies on the spectrum from entrepreneurial to conservative. The important thing is that controls will be in place which accord with the risk culture and that the culture will be communicated throughout the firm. That culture stems from the board and senior executives, not just in policies and statements they make, but importantly in their own actions and behaviour.
I also emphasised last month how important it is, in embedding a risk culture, that the firm is able to articulate and then to communicate its strategy and objectives. Too often the strategy and objectives are expressed in a three-yearly document presented by the CEO to the Board, which is as far as it goes. But those objectives should be communicated to all staff and inform their behaviours, their approach to risk and to the firm’s appetite for risk at all levels.
Risk appetite is often portrayed as a pyramid, with authorities and limits cascading down from the board to unit or process level. That may work with financial risks, but it is not true of non-financial risks, such as the soft risks and behaviours associated with people. In those cases, risk appetite will be a co-ordination of various measures of performance, which will include assessments of behaviour.
The strategy and objectives form the basis for risk appetite, but also for the key controls involved with people risk management: selection, appraisal, training and personal development, and remuneration. For instance, with selection, if the overall aim, as I believe it should be, is to develop a firm with common values, then it makes sense to use, especially at a senior level, a specialist cohort of interviewers, as well as the relevant line manager. They will be looking for candidates who embrace the firm’s values and behaviours and they should personally embody those values. Nor do you have to wait for a formal selection process. As Henry Grundfeld, co-founder of SG Warburg, once said, ‘Recruiting is like buying a tie; you buy one when you see one you like; you do not wait until you need one’. But you can only do that if you are clear about your objectives and the values you are looking for.
Strategy and objectives should inform the excellent behaviours which form the basis for performance measurement. Performance is not just a question of meeting sales or profit targets. It should also be about embracing shared values and behaviours – what we mean by excellence around here. If team-working is a core value of the firm, it should be in the performance measurement criteria for everybody from the Chairman down. After all, if the board isn’t working as a team, that very quickly becomes apparent both to insiders and outsiders. It has been said that the reason why 70% to 75% of mergers and acquisitions fail is because the focus is on finances rather than thinking about the consequence of the two cultures being merged. If there’s a lack of direction or infighting, all those behaviours cascade down the organisation and adversely affect performance and productivity. Actions speak louder than policy statements.
Excellent behaviours are also fundamental to customer relations, which is a key element of reputation risk and a source of competitive advantage. If we can articulate what we mean by excellent or acceptable behaviour when it comes to dealing with customers, or when dealing with their problems or complaints, we can review and appraise accordingly. The benefits in performance, risk mitigation and profit will be considerable.
The same applies to training and personal development programmes and, perhaps most visibly of all, including to the public, to approaches to remuneration. Is the system transparent? Does it reward good risk behaviour, which is in line with the firm’s stated risk appetite and its objectives, or does it encourage unacceptable risk-taking? If the firm’s objectives are clearly communicated and, from them, excellent behaviours are clearly identified, the rest should take care of itself.
One further key control in relation to people risk management is succession planning. How often is the succession plan tactical, designed merely to overcome the immediate problem of somebody leaving, rather than strategic, a genuine attempt to plan for the medium term, including the positions of Chairman and CEO? How often do you find that the same executive is pencilled in as successor to a number of other senior executives? There is no planning for what might happen if more than one executive leaves over a period of time. Nor is there a plan for what might happen in the event of a pandemic or a combination of events which remove more than a few key staff. Will you be the first back in business or, indeed, a survivor?
And finally, perhaps the biggest of people risks – their potential to cause reputational damage. It needn’t just be the CEO who by his words or actions can do serious damage to a company or even bring it down – including his own company in the case of Gerald Ratner. It can be the junior on Twitter or Facebook, who can make a comment which is picked up instantly, either by the public or competitors, to the severe reputational and business damage of the firm. Managing that risk depends importantly on agreeing how employees and senior managers should behave.
But any consideration of managing people risk must include a word about the HR function. If people are potentially a firm’s biggest liability or risk, then it should be that HR is a key risk oversight department. Much risk is managed by good human relations, but how much is managed by a good HR department? To what extent is the HR Director merely somebody engaged in ‘transactional’ HR – organising the appraisal system and training programmes, collating personnel data and, too often, doing the firing and sometimes hiring, because nobody else wants to do that – rather than acting as a good risk manager?
Understanding and predicting risk is highly dependent on understanding human and organisational behaviour. HR should have a clear role as senior management’s guide and adviser. In a recent survey, 65% of HR Directors interviewed by Mercer perceived themselves as strategic partners. Yet when the interviewers looked deeper, they found that only 15% of their activities related directly to strategy. The good HR Director should be on the shortlist certainly of the COO and possibly even of the CEO.
We put in place risk management frameworks, but do we ask the HR Director to put in place a ‘people risk management framework’? We develop a risk register and assess the risks it catalogues, but do we also pass those risks through the lens of people risk and assess them accordingly? People risk management is core to the risk management of any firm in the service industry. Ignoring it will do serious harm to your profits.
John Thirlwell is an independent adviser on risk management to boards in financial services and co-author of Mastering operational risk (Financial Times Prentice Hall, 2010).