They will always find a way to screw you

I worked about six shifts at a Burger King in a shopping mall when I was in my teens. I quit because I didn’t care much for wearing the brown pants and hairnet. On my final night, the closing shift, I helped the veterans take the trash out. When we got to the Dumpster my colleagues ripped open a trash bags and pulled out a sealed bag that included dozens of Muppet Babies toys which they smuggled out of the store. Despite the manager’s belief that he had controls that were “watertight as possible” if your employees want to screw you, they will always find a way to screw you.

Years later, a trader who managed an arbitrage book explained that the bank hired him to exploit opportunities in the market because he was smarter than rival traders and institutional clients. He said to me that if he really wanted to screw the organization he could screw the organization. But he didn’t because he just didn’t.

Pick up any risk management framework to see a common approach to ERM: identify and assess your risks then do something about them. That part is academic. It’s just content. But the frameworks also have a communication and cultural component to them. Changing culture and making risk management a competency is not easy. That’s process.

Andrew Hill from the Financial Times writes about UBS:

Unfortunately, even risk managers working within a well-designed control structure are largely powerless in the face of an embedded corporate culture and a system of skewed incentives. Recent history – particularly in the financial sector – shows rules and processes are far easier to change than bad behaviour and big bonuses.

Remember anyone can generate a list of risks and even if you think “Risk is our business” creating a risk-friendly culture is where the real work needs to be done.

 

UPDATE: I love when I write something and someone crystalized my thoughts precisely after I wrote them. Have a look at this post on cnn.com “The catch-22 of catching a rogue trader” by Shelley DuBois as it complements my post. She quotes someone and writes:

You have to hope that your traders are the finest moral people around. Then, you set up your policies and your rules as if they’re all lying, cheating crooks.”

 

Read Full Post »

From AS/NZS 4360 to ISO 31000 – A history lesson

A consultant from New Zealand named Chris Peace, traces the history of the AS/NZS 4360 standard and the new ISO 31000, due out just in time for Christmas, in this copy of Safety and Health Practitioner dated October 16, 2009.

Although the original 1995 edition of the AS/NZS 4360 standard was developed from earlier risk-management ideas and processes it was nonetheless ground-breaking as the first standard published on risk management.

The subsequent 1999 edition added the “communicate and consult” stage, and a number of handbooks on aspects of risk management was also developed, the majority jointly by Australia and New Zealand.

The 2004 edition of the joint standard¹ incorporated experience from the previous 10 years, and many of the appendices in the 1999 edition were either consolidated into the body of the standard, or removed into the associated handbook, SAA/SNZ HB 436:2004.² Importantly, this included the 5×5 qualitative risk matrix in appendix E. Many users had simply copied this for their own use without thinking about its relevance, or the need for adaptation to their context. Few thought about alternative risk-analysis techniques – the matrix was the method!

Please click on the link above to read the complete story.

Read Full Post »