A few years ago, I went to visit a client’s team manager at their site off Mombasa Road. The client who was in the manufacturing business, had an extremely convoluted walkway from the car park to the main offices, with clearly marked lanes that were deliberately placed adjacent to building walls. Being a former boarding school resident, where breaking (what seemed to be unfathomable) rules was de rigueur, I promptly started to cross the car park in what appeared to be the most direct, sensible and shortest path to the main reception. A security guard yelled out at me and hurriedly came to redirect my delinquency to the luminous yellow painted pedestrian walkway. Grumbling to myself, I humbly made my way down the well-trodden path. About a month later, I met the team manager walking on crutches, with a heavily bandaged left foot. Apparently she had been hit by a fork lift whose driver had breached the company rules and driven on the clearly marked pedestrian walkway. An operational risk in the area of safety had materialized.
While training some board directors on risk management a few years ago, a few muttered under their breadth about just how boring the whole subject was with their eyes darting about the room lookingfor the nearest exit from the risk management educative hell.Look,it is boring. Roll your eyes into the back of your sockets kind of boring! Determining key risk factors and the probability of their materializing versus impact of such materialization as well as the resultant bottom line effect that may occur is not as exciting as discussing strategy and innovation of an organization.
In a 2001 operational risk paper by Hans-Ulrich Doreig, then vice chairman of the Credit Suisse Group, he summarized what many bank managements and boards reduce themselves to: only what is measured, observed and recognized gets attention.Board member expertise on day to day management of the organization is significantly exceeded by the management who are in a much better position to determine what should get measured, observed and recognized as they live, breathe and eat the organization. Doreig demonstrates the struggle to define what operational risk and concludes it thus: Operational risk is the risk of losses resulting from inadequate or failed processes, people and systems or from external events.
It therefore becomes imperative for boards of not only financial institutions, but other organizations as well, that directors must have the capacity to interrogate the process by which management has arrived at its recognition of what the organization’s risks are and therefore what the key focus for risk mitigation is. A good example would be Nakumatt Supermarket chain. With the benefit of hindsight, the company was running its cash flow operation off the backs of suppliers. Just like banks actively track liquidity risk, a good Nakumatt board would have identified that cash – the lifeblood of any retail entity – or lack thereof is a real risk worth tracking and would have placed key triggers for monitoring the company’s liquidity at the audit and risk committee level. But such risks related to day to day management like liquidity or health and safety, while easy to identify and track, cannot tame the ghost of fraud that floats through the ignominious collapse of Chase, Dubai and Imperial banks.
As regulated institutions on a risk based supervisory system that allocates capital to identified risks such as credit, liquidity or market risk, in plain and simple terms no amount of capital can be allocated to fraud. Which is why corporate governance developments in the western economies are pushing for the requirement that Chief Risk Officers report directly to the board where they are able to clearly articulate why and how they have chosen the specific risks to measure, place limits and approval structures without such voices getting swallowed in the layers of bureaucratic cotton wool that exist between management and the board.
The team manager on crutches did eventually recover and her accident exposed me to my ignorance about why risk mitigants, such as a clearly demarcated pedestrian walkway is created. It turned out that the forklift driver, despite being very well trained on the health and safety rules of the organization, had been having personal problems that caused him to be highly distracted as he drove the forklift. Risk management can indeed be boring to non-risk practitioners but it does and has saved lives and institutions. Board directors are well advised to be alive to this critical oversight aspect.