Why failure is nothing to be afraid of

Fear of failure

I have this. You have this. Pretty much everyone around you has it. It’s not about religion, it is not about background. It’s not even about how much money you have in the bank. I’m talking about fear of failure.
It’s always amazing to find out how many people are afraid to do a face plant. Whenever I feel that cold hand sliding up my spine, freezing me to the core, I realize I should try to fail. Or rather, try to do, and if so required, to fail. But we, both you and I, are so very afraid of that failure.

What I realized

The talks I have with my wife are always enlightening to me. She can bring insight into a situation in a way few other people can for me. Recently she said something to me which stuck, and expanded in my mind. Let me set the context:

She recently attended a seminar at an organization we both used to work for. The organization is excellent, but there are, as everywhere, some people that are not as nice as the others. She told me one of our former colleagues had enquired as to how I was, making some disparaging remarks on my recent career choice.

I gave up what some would have considered a potentially highly lucrative career in consulting to work as head of internal audit for the Belgian Development Agency BTC, the Belgian government agency active in bilateral development aid. For me, the job has both an extremely interesting content, a significant human value I craved, awesome and intelligent colleagues and it gives me more time for teaching at a management school I love to work with.

I was very surprised and a little taken aback that this was the first thing this person would have said to my wife after not having seen her for about 7 years. I had not thought about him at all since I left ... and this is where she hit me with one of her deep insights:

“You didn’t think about him because he does not matter to you.”

Which is very true. I had not thought about that person for years because he did not matter to me. I did not have the time to think about him. But, and this is the point I want to get at ... most people don’t think about me. Most people don’t think about you either.

What does that mean?

So, whenever you feel you cannot go through with something because you are afraid what people may think of you, be very aware that they don’t.

Let me spell this out for you again ... they do not think about you ... at all. You, and I, are not important enough in the lives of most people but for a fleeting consideration, not in our successes and most certainly not in our failures.

So if fear of the opinions of others is holding you back, don’t hold back. You just don’t matter that much to them. So why shouldn’t you go ahead with what you really believe in? If you do a face plant, you may be surprised that there is not a large group around you, pointing at you and laughing. Much more likely you will find a very small group, huddling around you and trying to help you get up. Because the people that really care about how you fare are the people that care about you.

One life

This is it. Right here, right now. This is the hand you’re dealt, this is the game you’re playing. No exchanges, no money back guarantee. So you’d better make the most of it. The single most heard regret of people that are dying is not having tried. What a waste would it be if you were not to follow your heart.

329

There is a lot of talk about the $329 which Apple is asking for the iPad Mini. It’s a full $80 more than the Nexus 7, a comparable tablet ... euhm. Well, not really.

You are paying the $80 not, as some diehard Android users will point out, as the Apple premium, but as the price to pay for not having your device totally outdated in less than one year.

Apple has a reputation for supporting its ‘older’ hardware with its new operating systems, both on Mac OS and iOS, for a very long time. This is why you find people with 6 to 7 year old Macs. Calculate the total cost of ownership on that one, and compare that to any other product. The release cycle for iOS devices is faster. It is a less mature market. Still, I can use iOS 6 on a 3GS, without much of an issue.

How many Android devices are running 4.0? Just saying ...

From the bottom up: four horizons of risk management

Today's post covers two of my pet subjects: risk management and personal productivity. Rather, I apply some ideas which I've become aware of reading personal productivity literature to risk management. This is an iteration of a 2009 article, but with significant changes.

The missing risk management levels

I've recently reread COSO ERM front to back, to make sure I was fully familiar with all aspects which I either had forgotten or had subjectively reinterpreted after spending a lot of time thinking about and working with ISO 31000.

While both methodologies touch the issue of roles and responsibilities, the very pragmatic key question of what to do at what level and with which frequency always seemed to be just out of reach. It was never quite explicitly covered. And that bothered me.

When "Making it all work" started to make sense

Now, in the realm of personal productivity there is an entire movement around GTD, or Getting Things Done, which was developed by David Allen. He followed up on his initial book which is (unsurprisingly) titled "Getting Things Done" with a new book, "Making it all work" where he revisits the concept and further details and explains it. When I was reading the book, all of a sudden some of what he was writing was not only making sense in the context of personal productivity, but actually became the basis for the answer to the question I had been wrestling with for a long time … what risk management focus to apply at what level, by whom and with what frequency.

The risk management horizons

I see risk management now as a set of risk focused activities at several different levels, with different areas of focus and different frequencies, all interacting together, as follows:

The first horizon - Activity Based Risk Management

We practice very concrete, very operational risk management quite naturally every waking moment of the day. These risk management activities occur almost intuitively in our day-to-day activities. They involve very practical aspects such as “Did I make sure I put a lid on that saucer?” or “Did I make sure that person gave me all the required documents to process?”

While the process is mostly intuitive and very ubiquitous, we become aware of it when things go awry, such as situations where responsibility transfers go wrong, or when people trained for a task without understanding the purpose of the task need to deal with exceptions.

Applying all aspects of formal, COSO-ERM or ISO 31000 conformant risk management in this context would be below the traditional operational risk management level, which I discuss further below. I've called this level of risk management Activity Based Risk Management. It occurs at the level of the individual activity or even at the level of individual process steps. If we make sure we do not overburden the process of risk management at this level, using a light risk assessment, reporting and treatment approach can be very beneficial to optimizing the results of these individual activities.

The second horizon – Project and Process Risk Management (or Operational Risk Management)

Most of us risk management nerds are familiar with this level. We delve into issues which can be found in either processes (ongoing activities) or projects (one shot activities). This level of risk management is likely to be impacted by the non-mitigated risks at the level of the first horizon.

Quite often we will describe the actual process flows at an intermediate to high level and then analyze them for risks. In essence, this second horizon presents the link between the actual execution or the concrete next action, which is assessed for risk at the level of the first horizon on the one hand, and the strategic level on the other.

This type of analysis is familiar for most risk consultants. They tend to spend a lot of time at the process level. However, given this level is significantly impacted by the activity level (the first horizon), we need to make sure that we do not ignore issues flagged at this level by our collaborators, who often understand the processes and related activities a lot better than any external consultant may.

The third horizon – Strategic Risk Management

Ideally, all processes and projects are related to a set of strategic objectives to be reached. We execute processes and projects (horizon 2), each containing multiple activities (horizon 1), to make sure these strategic objectives are reached.

Strategic risk management then focuses on risks which can interfere with achieving these objectives. Again, this horizon can be found in most ERM and integrated risk management texts. However, it should not end there. After all, where do you go with strategic risks that cannot be mitigated? How do you capitalize on these? How do you learn from these issues and translate them into an adaptation? You need to take these risks one level higher. Each strategic intent integrates and rolls up into an overarching vision.

The fourth and final horizon – Vision related risk management

At this high altitude level we aim to gain perspective on risks threatening the realisation of our ultimate goal for the organization and even beyond the organization.

And at this point, a risk management tool becomes a key tool for vision and strategy enhancement and improvement. It helps answer the key question: "are we doing the right things the right way?" This is where the true value of risk management really comes forward.

An important caveat

There is a key assumption that is explicitly not made in this approach: I do not assume that all risks roll up to the higher or highest level or roll down from there to the lowest level. On the contrary, some risks may get treated at the higher level, but only because they cannot be adequately mitigated at the lower level.

Each horizon has its own risks, and each horizon has the prime responsibility to deal with these at that level. If they cannot be adequately managed, only then do they need to be escalated.

Who does what and when?

Below you will find a table which gives you an overview of the four horizons, the people responsible at each level, what we aim to achieve with risk management at this level and what a suggested frequency interval for dynamic risk management would be.

The four horizons of risk management

How to get rid of internal controls' Cinderella complex

A high degree of indifference

Whenever you utter the words "internal control" in an environment where COSO is not a household word, you are likely to be confronted with a number of reactions, ranging from boredom over surprise over fear back to complete indifference. Overcoming that reaction is one of the key prerequisites for a successful further development of internal controls in any environment. So let's try to understand some of the underlying reasons for these diverse but not necessarily positive reactions.

High cost, no tangible value?

One of the root causes is the expectations regarding internal controls. Implementing internal controls takes a considerable amount of time and means. In exchange for time and means there is an expectation of finding a measurable added value. However, most internal controls do not directly add any measurable value. They only become relevant and prove their value if and when things go wrong. And even then, most internal controls only reduce the direct exposure to the impact of the problem. And that's their role, nothing more and nothing less.

That nicely brings us to the second reason, closely linked to the first: what is the cost-benefit ratio? Implementing internal controls most often occurs under pressure from an external source, such as a supervisory structure, an internal or external auditor, a finance inspector, a commissioner to the government, the Court of Auditors … and their point of view is one of control, with less attention being given to the cost side of the equation.

Cinderella

We often find the management team of an organisation under pressure to invest in internal controls against their will, because of external pressure and without much of an expectation of a measurable benefit. As a result, these investments are not really a key priority to this team. Consequently, internal controls will be implemented in an incremental fashion, without integrating the controls in processes or linking the controls to one another. This makes these controls often far too easy to bypass or eliminate altogether. The already contested added value decreases even further.

Internal controls may be implemented, but they are never really owned or even liked or loved in these circumstances. At the end of the day, internal control becomes the Cinderella of process organisation: hidden, never to come out. And that is a missed opportunity.

The underlying reason for internal controls development

Because what are internal controls really all about? What we aim to achieve is to ensure (within certain limits) the health of a process in an organisation. Our aims are pretty much comparable to what quality management has been working on.

Our origins differ. Quality management was born in production environments while internal controls development saw the light of day in finance and reporting. In essence however, there are few differences. The only real difference is the point of view, the difference in perspective on what in essence comes down to the same challenge: how do we make sure that we develop the best possible product or service with as few problems as possible along the way.

The biggest challenge usually is to identify the correct solution for the specific problem we're trying to address. In order to do this in the most effective manner, we need to dare to let go of our dogmatic adherence to a perspective, be it internal control, quality or whatever else exists. We need to look at the challenge from the reality of the user or the person who is responsible for the issue we're trying to address. Once we have clarified the problem, then we can start looking at what framework is best for solving that particular problem. And the best possible way of achieving that is to evolve towards a common approach for risk identification and analysis. ISO 31000 is a clear and welcome step in that direction.

Making it concrete

Let's make this as tangible as possible: let's examine three scenarios, each with a quality approach and an internal control based approach. Up to you to decide which one is most relevant.

Scenario 1 - decreasing client satisfaction

Let's assume a risk assessment has identified a significant decrease in client satisfaction as a key risk.

A quality based approach will develop standardised procedures which aim to minimize deviation in service delivery. Internal controls development will develop a process to timely identify unacceptable deviations as early as possible in the process.

The two approaches are highly complementary and add value to each other.

Scenario 2 - key personnel approaching retirement

Let's assume a risk assessment has identified the organisation is at risk of losing an important part of its competencies because of the existing age distribution, with key personnel approaching the age of retirement.

A quality approach will develop functional descriptions which link into task and process descriptions, while internal control will focus on building knowledge management systems.

Again, both approaches are highly complementary, in that they focus on retaining and structuring the information.

Scenario 3 - strategic indicators using erroneous information

Let's assume the risk assessment indicates that there is a risk of key indicators being fed with erroneous information. A quality based approach would focus on developing a balanced scorecard, while internal control will develop risk indicators.

Both approaches complement one another.

In conclusion

Internal controls are not well understood. Quality often is more accessible and better understood. As both approaches complement each other well, quality can be used to allow internal controls to ease their way into processes, without the usual resistance.

Government's role as a stakeholder to administrations and agencies

As with some of the articles published in the past week, I've rewritten an article I wrote in 2009. I am trying to integrate all articles from the past into this blog, rewriting them where that appears necessary.

I am very surprised at how relevant it still feels, reading this more than three years after it was initially written. That said, I've rewritten quite a few key passages.

A reactive stance

Public administrations’ and public agencies' effectiveness, efficiency and economy are quite often an unintended victim of the existing interaction model with the elected representatives of the people, the government and the ministers. I’m talking about the often reactive stance which administrations and agencies are required to take with respect to ministerial or governmental decisions. This issue might be solved by a simple change in perception and related behavior at the side of the public administration or the agency, subject to acceptance of this changed approach by the elected representatives.

Striving for efficiency, effectiveness and economy

Public administrations and agencies look at government and ministers as active decision takers in their respective areas of responsibility. After all, the minister is politically responsible. However, the political decision process that guides and directs the government and its ministers can be and often is a bottleneck. This bottleneck in turn influences the speed and direction of actions of the public administration or agency and thus its efficiency, effectiveness and as a result its economy. Whereas this is a very common and traditional situation, it is likely not the most optimal position for a public administration to ensure these three objectives.

A minister is not a CEO

Public administrations tend to see their ministers and government as CEOs. They are not. They are chosen representatives out of an elected body. They are closer to a board of directors chosen from amongst the shareholders.

While they can significantly contribute to vision and mission, they should not adopt a day-to-day role in the strategic or – worse – operational activities of a public administration or an agency. The administration or the agency, which in essence should be a-political in nature and staffed with a competent management team, needs to be able to continue to execute a long term vision, which is being “tweaked” or “influenced” but not or only in very few cases dramatically changed by the government or the ministers.

Administrations and agencies need the flexibility to act now

This is not necessarily different from what is happening today, other than the fact that the administrations spend too much time in limbo, waiting for direction from the government. After all, most of the (operational) activities of the administration will not significantly change no matter what the government’s direction is. Taxes need to be collected, whatever the tax rate or tax structure. Vehicles still need license plates, whether the number is associated with a person or with a vehicle. Food safety needs to be assured whether or not it incorporates the Commission’s REACH objectives …

Thus, an administration can commit to a long term action plan of improvement and change, designed by its president and managers, presented to its stakeholders (minister, government, parliament and even the wider population) and tweaked and fine-tuned in view of their feedback. However, an administration should not wait to take action in its areas of responsibility pending a ministerial decision which may be bogged down in heavy political negotiations. This delay is not acceptable to its stakeholders (enterprises and citizens alike) as they have limited to no understanding of or appreciation for this process.

Why sum formulas better reflect the risk appetite in calculating risk levels

How to determine a risk profile and calculate a level of risk?

Introduction

This is a significant rewrite and a first time write-up in English of an article I published in Dutch in May of 2009. I'm revisiting it because I had an interesting exchange with my ERM class at Solvay Brussels School last week, where we discussed the issues related to risk calculations.

As is always the case in this area of risk management, there will be both proponents of the approach and people contesting it. For me, a large part of the value of these posts is in the discussion that follows. For that, I refer to the ERM group on Linked-In, where I will post a link to this post.

Finally, I understand that the number of readers of a post halves with each formula you put into an article. This may actually mean I will be the only one reading this one to the end.

The controversy

Risk analysis tasks you with "measuring" risks. To date, we most often use qualitative information. There are a couple of reasons for that.

First, quantitative information is most often not readily available in sectors other than banking or insurance. Even if it were available, it can cloud rather than clarify the issue. Look for example at risk management failures in the banking sector over the past years.

So, we start with qualitative information. My implicit assumption here is that definitions of scales are agreed upon with all evaluators and are consistently applied in the evaluations. Everyone evaluating should be very clear about what "high", "medium" or "low" risk actually means.

In some cases, simple scoring along the axes of probability of occurrence and impact on objectives is not enough. Some analysis requires a roll-up from these "traditional" scores for impact and probability of occurrence to a single dimension, which we will refer to here as the "risk level".

Now, most of us, risk management nerds, agree that the risk level is a function of impact and probability. However, the controversy starts right after. Traditional risk management usually uses a product formula to calculate the level of risk:

Level of risk = I(mpact) x P(robability) = I x P

The problem with this approach becomes apparent pretty quickly. Risk related events with a high impact and low probability are scored in a similar manner to risk related events with a low impact and a high probability. The assumption these events are comparable in "risk level weight" is an unfounded assumption. Let me give you a concrete example:

The likely, low impact event of a fly hitting your vehicle has an overall lesser level of risk than the luckily unlikely, high impact event of a deer hitting your vehicle.

However, traditional risk management will yield the same risk level for an event with P=6/6 and I=1/6 as for an event with P=1/6 and I=6/6. Both are valued at 6.

See the problem? Right. Now, what can we do about it?

Alternatives to the product formula

Using a sum formula rather than a product formula allows us to attach a numeric weight to the dimensions impact on objectives (which we'll call impact or I) and probability of occurrence within a certain time frame (which I will refer to as probability or P). This weight is a function of the relative importance of impact and probability to the organisation where we are performing the risk analysis.

How does that work? Well, depending on your risk appetite as an organisation, you can give more weight to one dimension over another, which allows you to tweak the risk analysis to the risk profile of your organisation. This is where product formulas fall short. They cannot be used to integrate this aspect:

W x (I x P) = (W x I) x P. However, W x (I+P) does NOT equal (W x I) + P

You could rightly remark that weighting in the product formula can be realised by applying exponential values to the dimensions. However, it's exactly that exponential nature that will quickly reduce the relevance and weight of the non-weighted dimension to virtually nothing as compared to the weighted dimension. Hence, it makes little sense to take the non-weighted parameter into account. But as it is valued, we do need to take into account the scores that have been attributed to that dimension for the different risks evaluated.

In short, applying a sum formula to calculate the risk level ensures a more transparent calculation which allows the management to better reflect their risk appetite … provided the dimensions are weighted in a manner that reflects the risk appetite of the organisation.

But what do these weights mean?

Weights are applied to a dimension to give that dimension more importance in the calculation of the risk level of the specific risk. If the risk appetite calls for the avoidance of high impact events, impact will be weighted heavier than probability. If we want to reduce the probability of event occurrence, we will put more weight on probability.

There is some, but not a perfect, correlation between impact preferences and organisations with a preference for proactively managing the consequences of risks and probability preferences and organisations with a preference for proactively managing the sources of risks. That however is the subject of another blog post.

If we let W be the weight factor, we can distinguish three different profiles, which depending on the value of W can be more or less extreme.

impact oriented profile

This profile weighs impact as more important than probability of occurrence. This organisation will prefer to work on high impact risks with less attention given to the probability factor. Coverage of frequently occurring, low impact risks, such as clerical errors, is less important.

The risk level calculation is RL = ((W x I) + P) / (W + 1)

probability oriented profile

This profile weighs probability of occurrence as more important than impact. The organisation wants to avoid the frequently occurring risks, but sacrifices coverage of high impact, lower probability risks.

The risk level calculation is RL = (I + (W x P)) / (W + 1)

indifferent profile

This profile does not weight probability or impact. Risks with high impact and low probability are treated in the same manner as risks with low impact and high probability.

The risk level calculation is RL = (I + P) / 2

Who gets to determine these weights?

Well, management does. It's their responsibility to determine weights as these represent the risk profile of the organisation. They need to translate the mission and vision into a strategy which is supported by a risk profile. That decision is theirs and theirs alone.

An example

Let's assume we have two situations for which the impact and probability of occurrence have been established. Let's further assume that the impact score for the first situation equals the probability score for the second, and the probability score for the first situation equals the impact score for the second. The traditional calculations using the product formulas will of course show these risks to be at an equal risk level to one another.

Let's further assume that the weighting factor applied will be W = 2. In essence, the parameter it will be applied to will be considered to be twice as important as the other parameter. In this case, we chose an environment which values impact more than probability of occurrence, as expressed by a factor of 2.

Let's finally assume that the evaluation of each dimension is done on a five point scale and that the final risk level score needs to be normalised to a five point scale.

  • Situation 1 is a collusion between a person in charge and a supplier to perpetrate a fraud damaging the organisation.
  • Situation 2 is a clerical error in the administrative registration of a demand for a service of that same organisation.

We first perform the calculations to get a non-normalised result, which then needs to be brought back to a score on an axis from 1 to 5, i.e. normalised to a five point scale.

Evaluation of situation 1

The weighted product formula yields: (2 x I) x P = (2 x 5) x 1 = 10

The non-weighted product formula yields: I x P = 5 x 1 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 5) + 1 = 11

The non-weighted sum formula yields: I + P = 5 + 1 = 6

Evaluation of situation 2

The weighted product formula yields: (2 x I) x P = (2 x 1) x 5 = 10

The non-weighted product formula yields: I x P = 1 x 5 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 1) + 5 = 7

The non-weighted sum formula yields: I + P = 1 + 5 = 6

Normalisation

As all risk scores need to be brought back to a five point scale, we need to perform a "normalisation", which is just a fancy way of saying we are bringing the score back to a reference scale. Depending on the formula used, the normalization calculation is different.

For the product formula, we divide by the maximum possible score (normalisation to 1) which we then multiply by the maximum value on the scale, in this case 5. This leads to:

2 x Imax x Pmax / 5 = 2 x 5 x 5 / 5 = 50 / 5 = 10

In other words, the normalized risk level for situation 1 becomes:

  • for the weighted calculation: 10 / 10 = 1
  • for the non-weighted calculation: 5 / 10 = 0,5

The normalized risk level for situation 2 becomes:

  • for the weighted calculation: 10 / 10 = 1
  • for the non-weighted calculation: 5 / 10 = 0,5

For the sum formula, we divide by (W + 1), where W is the weight given to the dominant dimension. This yields the following normalized results for situation 1:

  • for the weighted calculation: 11 / 3 = 3,66
  • for the non-weighted calculation: 6 / 3 = 2

For situation 2, this becomes:

  • for the weighted calculation: 7 / 3 = 2,33
  • for the non-weighted calculation: 6 / 3 = 2

In other words, where the product formula fails to distinguish the two very different risk events, the sum formula distinguishes the risk events and considers the risk with the higher impact as of a higher priority.

The example demonstrates the sum formula better answers the needs of management to reflect its risk appetite in the calculated risk level of individual risks.
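To make the three profiles and the two-situation example above reproducible, here is an added Python implementation (my own code, not part of the original post). It generalises the post slightly by carrying a separate weight for each dimension, so that W on impact with weight 1 on probability gives the post's ((W x I) + P) / (W + 1), and it normalises the product formula by the maximum reachable weighted score, which is my assumption rather than the post's arithmetic.

```python
"""Weighted sum vs product risk-level calculation on a five-point scale.

Added example, not code from the original post. Scores for impact (I) and
probability (P) are on 1..SCALE_MAX; the risk level is returned on the same
scale so that profiles and formulas can be compared directly.
"""
from dataclasses import dataclass

SCALE_MAX = 5  # five-point scale for impact, probability and risk level


@dataclass(frozen=True)
class Profile:
    """Risk appetite expressed as weights on impact and probability."""
    name: str
    w_impact: float
    w_probability: float


def impact_oriented(w: float) -> Profile:
    """Post's impact oriented profile: W on impact, 1 on probability."""
    return Profile("impact oriented", w, 1.0)


def probability_oriented(w: float) -> Profile:
    """Post's probability oriented profile: 1 on impact, W on probability."""
    return Profile("probability oriented", 1.0, w)


INDIFFERENT = Profile("indifferent", 1.0, 1.0)  # RL = (I + P) / 2


def _check_score(score: float) -> None:
    if not 1 <= score <= SCALE_MAX:
        raise ValueError(f"score {score} is outside 1..{SCALE_MAX}")


def sum_risk_level(impact: float, probability: float,
                   profile: Profile = INDIFFERENT) -> float:
    """RL = (wI*I + wP*P) / (wI + wP); dividing by the weight total is the
    post's (W + 1) normalisation and keeps the result on the 1..5 scale."""
    _check_score(impact)
    _check_score(probability)
    weighted = profile.w_impact * impact + profile.w_probability * probability
    return weighted / (profile.w_impact + profile.w_probability)


def product_risk_level(impact: float, probability: float,
                       profile: Profile = INDIFFERENT) -> float:
    """RL = weighted I*P rescaled by its maximum. The weights cancel out,
    which is the post's point: W x (I x P) == (W x I) x P, so a weight on a
    product rescales every risk by the same constant and changes no ranking.
    Normalising by the maximum reachable score is my assumption."""
    _check_score(impact)
    _check_score(probability)
    weight = profile.w_impact * profile.w_probability
    raw = weight * impact * probability
    raw_max = weight * SCALE_MAX * SCALE_MAX
    return raw / raw_max * SCALE_MAX


def rank_risks(risks, level_fn, profile: Profile = INDIFFERENT):
    """Return [(name, level)] sorted from highest to lowest risk level."""
    scored = [(name, round(level_fn(i, p, profile), 2)) for name, i, p in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample input: the post's two situations, scored I and P on 1..5.
SITUATIONS = [
    ("situation 1: collusion fraud (I=5, P=1)", 5, 1),
    ("situation 2: clerical error (I=1, P=5)", 1, 5),
]


def compare(profile: Profile = impact_oriented(2.0)) -> dict:
    """Rank the sample situations with both formulas under one profile."""
    return {
        "product": rank_risks(SITUATIONS, product_risk_level, profile),
        "sum": rank_risks(SITUATIONS, sum_risk_level, profile),
    }


if __name__ == "__main__":
    for prof in (impact_oriented(2.0), probability_oriented(2.0), INDIFFERENT):
        result = compare(prof)
        print(f"{prof.name}: product -> {result['product']}")
        print(f"{prof.name}: sum     -> {result['sum']}")
```

With W = 2 on impact the product formula returns the same level for both situations while the sum formula ranks the fraud above the clerical error; swapping to the probability oriented profile reverses that ranking, which is exactly the risk appetite lever the post describes.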