The Paradox of a Predictable Failure in Risk Management

The current crisis the world fell into two years ago had certainly the widest range of qualifying attributes: financial, economic, social, industrial, and maybe lethal as it dramatically affected and eventually destroyed lives beyond the point of no return. Described by contemporary economists as the worst ever crisis experienced by America for a hundred years, it was however another repetition of what seems to be a cyclical phenomenon: the 1929 crisis, the energy crisis in 1973, that of 1997, and more recently the internet bubble. And despite the lessons learnt from the past, with the technology evolving exponentially and the refined risk management, societies, corporations, institutions, and governments failed yet again by not having the right controls at the right time, substantially creating spiraling consequences that took investors and the wider public by surprise. The causes of the 2008 crisis raised numerous questions, some of them leading to the foundations of today’s capitalism and one of the common sins of humans: greed. Nevertheless, one could have hoped that, with the dynamic of industrial countries and the norms of audit and compliance such as those of Basel II and III, in which operational risk and credit risk are separated, the international financial system would be protected against the collapse of the bank sector. But this was without counting on the intrinsic failures of these very norms, standards and risk management tools.

As a matter of fact, the crisis finds its roots in a simplified scheme: the lack of accountability, mortgages and default on large amounts of money against little income, and finally the liquidity for which the same institutions failed to have sufficient capitalization to cover immediate large needs when the whole system started to present default cracks. The problem of sufficient capitalization became a recent issue with the rise in the prices of commodities, whereas speculators can highly leverage their buying power without offering a real financial counterpart in exchange. And that’s certainly why French President Sarkozy recently called for more regulations on commodity markets. However, progresses in that sense are yet to be commonly agreed or applied by governments and leaders of industrial countries.

Overall, today it is the review or maybe the prosecution of an entire system that is taking place. Questions and concerns from governments, investors, officials, and ultimately the public have found few relevant answers so far. The lack of accountability and transparency from the protagonists directly or indirectly involved in the crisis has raised anger and consternation worldwide. The cynicism displayed by bankers and financial institutions who announced remarkable profits for the last quarter of 2010 may be perceived as a new alarm bell ringing for another major financial crisis yet to come.

This paper presents some of the key issues the financial crisis brought into light in terms of risk management and lack of control from corporations, banks, auditors, credit agencies, and governments. It does not aim to provide a solution but rather gives the reader a fair understanding of what could have been avoided or improved and what may come again should the global financial modus operandi not be drastically changed.

Analysis of the Financial Crisis

An article published in the International Business Time, Financial Risk Management: Lessons from the Current Crisis… So Far, ideally summarizes thesubstantial work that has been done to date to analyze the recent economic crisis and cites examples such as: “Enhancing market and institutional resilience (Financial Stability Forum); Credit risk transfer (Working Group on Risk Assessment and Capital); Observations on risk management practices during the recent market turbulence (Senior Supervisors Group); Supervisory lessons from the sub-prime mortgage crisis (Basel Committee on Bank Supervision); Study of market best practices (International Institute of Finance), and; Risk management practices including the identification of risk management challenges and failures, lessons learned and policy considerations (International Monetary Financial Committee).”

Todd Groome, adviser in the monetary and capital markets department of the International Monetary Fund (IMF) interviewed by the same magazine, asserted that “the epicenter of the market crisis was sub-prime mortgages and structured credit products. With them came innovative financing, such as asset backed security CDOs (Collateralized Deposit Obligations) which were followed by more potent variations such as CDO-squares (baskets of CDOs), and synthetic CDOs (CDOs combined with credit default swaps).” Risks were often under-estimated partly due to product complexity and over-reliance on quantitative analysis, including that done by rating agencies which produced reports that were either wrong or purposely misleading. As Groome pointed out, “taking write-downs in illiquid markets will amplify the loss.”

The downfall in housing prices impacted market downfalls. As such, creation or destruction of wealth often relates to consumer spending and as such may be uncertain. Meanwhile, the direction is quite similar. If one goes down, the other tends to follow. Negative trend implies negative trend. Nevertheless, weak risk management isn’t the only reason. Banks and financial institutions regularly rely on data related to a particular period. However, economies can also experience a non-recurring event when the economy moves into unknown or grey areas.

On another plane, bad risk management still played a role. The problem is that despite the fact the models given in a particular circumstance may have been correct pretty much everyone who has them will use them, all at the same time. This phenomenon tends to increase systemic risk and as such it relates to technical market analysis. Indeed, if there is a consensus amongst users over a specific event, say a bullish trend, everyone is likely to follow that trend and buy at the same time, thus creating a momentum. But for how long will this last?

Cracks in Risk Management and Regulation Opacity

The recent crisis also highlighted a failure in risk management on a large scale, due to a failure of the techniques employed, and the fact that some of the risk managers were not well informed. The home market in the U.S. was the nest in which everything began. Low interest rates and government promoting home ownership by with no or little regulations played a role in the increasing demand for home purchases. Underwriters passed questionable loans over highly leveraged investors in order to create even more loans, fueling a spiral of non-recoverable dirty assets.

What is flagrant today, looking back at the whole process, is the fact that the risk assessment tools used by some investors, despite their sophistication, did not give a realistic picture of what was happening. In other words, although they were certainly giving sufficient information on the potential risks that lending huge amounts of money to low income individuals would create, the likelihood of such risk spreading to a rather large population was totally dismissed by the whole chain of command. Modeling rare events is certainly what the error is all about and not taking them into consideration was the effect that catapulted the system towards a major failure.

Nevertheless, numerous risk managers and experts rang the bell for potential upcoming issues several years ago and whilst greed and arrogance are the common denominators, the irrationality of the markets also comes into light. Clinging desperately to what was an announced disaster seemed to have been the pattern of behavior that inflated the bubble until explosion.

Another root of today’s financial debacle are the regulations applied to some of the instruments used in financial markets. CDOs for instance, often containing a non-negligible part of subprime risk, were heavily exchanged without proper scrutiny from the rating agencies. Transparency becomes a crucial element in the markets’ sustainability. And this is when the accounting standards play a key role for liability valuation and, hence, transparency. The snow ball effect is obvious: no regulations lead to poor transparency, which equally leads to disaster. The financial accounting has proven to be relevant to convey useful and accurate information to markets. Nevertheless, the concept of fair value, for example introduced by the International Accounting Standard Board (IASB) and Financial Accounting Standard Board (FASB), is to “record values for assets and liabilities which are as close as possible to the values these instruments would have in an open market.” As confirmed by Heckman in his essay Transparency and Liability Valuation, the IASB and FASB don’t recognize any difference between methods for valuation of assets and liabilities, which has proven to have perverse consequences as some companies can use the process to turn losses into profits, since liabilities can be valuated at current market price. This has led to the misreading of the balance sheets and profit and loss statements of unscrupulous companies, providing the wrong information to investors and to some extent regulators themselves.

Impact of Liquidity and Failure of the Bank System

The current crisis has shed a light on the fact that the enterprise risk management should not only emphasize the risks to asset and liability values but also the liquidity risk. Liquidity risk is the probability of not having sufficient financial means to cover up liabilities. To some extent, posting collateral poses a liquidity threat as well. In fact, selling off an immature asset engages a loss. As the markets fall into problems, liquidity issues can be drastically worsened as liquid assets become non-liquid.

Liquidity management works pretty much like capital management. As such, the liquidity protection comes with sufficient liquid assets. On the other hand, consistency between cash flows of assets and liabilities can reduce risks pertaining to liquidity. Nevertheless, these strategies may show some limitations during conditions of heavily disrupted markets when credits are unavailable or unsecured. G. Venter in Modeling and Managing Liquidity Risk confirms that “modeling liquidity risk can start with stress tests.” As such, the current market is an example of situations intimately involving assets, liabilities, and credit facilities when cash flow adequacy becomes preponderant. The idea behind the scene is to take into account in the models the different factors which dramatically impact markets. The correlation between price and liquidity comes into the picture and adequately modeling these possibilities can certainly be worth further research.

In 2006, a couple of years before the eruption of the financial crisis, Iyer and Peydro-Acalde discussed the potential risks of an interbank contagion in their research paper Interbank Contagion: Evidence from Real Transactions. They exposed and tested the impact of interbank dependencies over a fraud cause. Interbank markets are crucial to provide liquidity into the overall financial system and actively play a role in monetary policies worldwide as well. The research of Iyer and Peydro-Acalde came to the conclusion that “as the exposure to the failed bank increases, the runs stemming from the higher fraction of deposits held by other banks drastically increase. These results lend support to the theories of financial contagion due to interbank markets.” This is indeed the exact phenomenon observed in 2008 when major banks reached the potential bankruptcy threat. The interbank markets dried up, obliging governments to first inject cash through loans, capital sharing or even nationalization.

As such, the Iceland bank system is now a school case of its own. The three main Icelandic banks, namely Glitnir, Landsbanki, and Kaupthing, were tightly interconnected. With a high reliance on similar macroeconomic models and business partners, they appeared to be dangerously related to one another already on paper. The chain reaction triggered by the difficulties of one bank would mean diminished confidence in other banks, thus shrunk liquidity available from potential resources and financial partners. The worst part of the picture lies in the fact that these three banks encompassed the vast majority of Iceland’s financial system. Hence, one would have conspicuously assumed that a possible failure would have a dramatic impact on the Icelandic economy. However, the reality was often disguised by biased official reports about the financial health of the Iceland bank system, which certainly contributed to further deepen the crisis as investors would be grossly misled.

Eventually, the arrogance of the system ended up in a painful stake. Borrowing in wholesale markets became an issue and banks chose to open high interest savings accounts pretty much everywhere in Europe. As such, Icelandic banks, with government permission, used these savers accounts to provide the liquidity they could not obtain elsewhere. At the end of the story, deregulation and uncontrolled privatization of the financial system in Iceland led to its demise. Lack of ownership from supervisory regulators and governmental bodies and failure to recognize a systemic risk in an artificial economic growth widely contributed to the fall-out of the Iceland financial institutions and overall system.

Ultimately, when the banks were heading for failure the Icelandic government opted for a gamble on resurrection rather than closing the banks down. The government’s bet failed and Iceland suffered a systemic crisis in return.

As reported by the Telegraph in its 10 March 2009 edition, it was now a matter of “twenty billion dollars here, $20bn there, and a lush half-trillion from the European Central Bank at give-away rates for Christmas. Buckets of liquidity are being splashed over the North Atlantic banking system, so far with meager or fleeting effects.” A very alarming situation, quite unreal as one may have observed.Numerous economists are now warning the world’s central banks to focus on the right issue now rather than later. Creating further liquidity without proper backup means such as gold or a strong economy is likely to fuel the disaster.

York professor Peter Spencer, chief economist for the ITEM Club, said at some point that the global authorities had just weeks to get this right: “The central banks are rapidly losing control. By not cutting interest rates nearly far enough or fast enough, they are allowing the money markets to dictate policy. We are long past worrying about moral hazard.” For instance, in Europe, the European Central Bank (ECB) was facing a dilemma with a record high inflation forecast at 4.1 per cent in July 2008, the highest since the monetary union advent. Meanwhile, the worse is probably yet to come as fragile countries such Iceland, and now Spain, Italy and Greece, which are sharply falling into recession, may be running out of liquidity and may have to be backed up by other European members. The question at the end is: Will the European tax payers accept to pay this bill when their own country is at risk? Hence, this may show the true reality of the Eurozone: the weak solidarity of a supposedly mature organization, in fact not quite yet ready for the real thrill.

Finally, major banks like Citigroup, Merrill Lynch, UBS, HSBC and others have recently stepped forward to reveal their losses. Two years after the crisis hit the world, the IMF (International Monetary Fund) estimated the total losses to reach $2.28 trillion. But it seemed to have been just a beginning.

Passing the Risk: Who is Next?

As described above, financial crises appear to be repetitions of History. Working cyclically, they differ from their inherent nature though. For instance, the current crisis rose from the weakening of the U.S. home market and became a global crunch. Furthermore, the fact that the problem spread from financial and banking sectors to the entire economy at a global scale in such a short time made it a quite unique momentum. Increased speed, advanced communications and information technologies evolving exponentially have created a greater risk with deeper and long lasting consequences as ever before. Global markets with stronger interdependence and high complexity are paradoxically more prone to correlated risks.

Most people are driven by the simple desire to succeed and do well financially. This means they work harder, enhancing productivity, creativity and innovation. But where and when does this legitimate feeling get overtaken by greed and unscrupulous envy? Why does a minority change the principles of innovation into a gambling leverage for immediate profits?

If one considers some of the past economic crises such as the London Market Excess (LMX) fall out in the late 80′s and the equivalent substitutes during the following two decades, they all started at some point from promising innovations. These initiatives were all new and seen as very profitable during the early stages. And they all implied a promise on huge benefits, fast and furious. However, the promise turned hopes into ruin and despair. Out of the multiple questions this series of dramatic and unfortunate events can raise, some of them could pose the problem of the impact of risk management that is meant to promote innovations that work and praise individuals for their will to succeed.

Two important factors can shed some light: the fact that new communication means have propelled the finance community to another level of instant profits driven by frenetic greed. Rumors, news whether good or bad instantaneously drive markets to their best or worse. Data signification is amplified far beyond comprehension in a momentum that magnifies exponentially in spiral dive fallout when not controlled adequately. And on another plane, looking at the amplitude of the issue, there is no doubt that financial markets, industries and economies are now fully interdependent. The impact economic and financial shocks can create are far beyond the spectrum of a region or even a nation and can be wide-spread on a global scale instead. While the LMX fall out was limited to the reinsurance market in U.K., the Internet bubble at the beginning of the past decade had a wider range globally but yet remained restricted to investors who had placed financial interests in the sector. From a weakening home market in the U.S., the 2008 crisis shortly developed into a global financial issue bringing down economies, industries and sometimes governments worldwide.

A parallel can be made between the LMX spiral and the subprime fiasco that ignited the global crisis. CDOs and similar financial products were created to temper the risks generated by unscrupulous investments by diluting them into cleaner credits. However, the plan did not work as expected and spread all over the credit system. In fact, Schwartzman (2008) confirmed that the LMX spiral and subprime debacles share similar roots by saying: “an attempt to mitigate risk by spreading it to market participants, a series of new and complicated instruments not understood by most people and not even well understood by market professionals, a pool of unsophisticated investors not adequately advised of the risk they were taking on, a collection of unscrupulous brokers who took advantage of the situation to increase commissions by encouraging as many deals as possible with no concern as to how they might play out in the future, and huge profits that continued as long as nothing happened to change the situation on the ground.”

Conclusion: Towards a New Order?

Following the debacle of the financial and banking systems in 2008, one could have hoped that executive managers would be taking a more serious insight of what risk management is all about. Indeed, their priority has always been to successfully run corporations in which investors had shares and interests. As such, incentives based on performance should have sent a clear message to these top executives who should have then adjusted the risks they were willing to take for their company and somehow as well as for themselves as professionals. But this is the theory of should have happened and not what happened at the bottom of the chain. Indeed, the fiduciary responsibility of many was not met.

Meanwhile, the vast nebula created around financial markets has, until recently, hidden the fact that the credit crisis was in the end caused by unscrupulous people who were seeking short term profits rather than long term growth. Lenders with few scruples did take advantage of credulous borrowers, and fortunately or unfortunately these lending businesses disappeared killed by their own counterproductive strategies. Borrowers lied about their incomes to live in homes they could not afford in reality and were given full consent by lenient banking institutions. This spiral of controversial and ineffective stubbornness towards failure could have been stopped or maybe controlled if a relevant structure of regulations had been put in place. Improved and stricter regulations on loans policies could have avoided a large chunk of the crisis dramatic effects, but will those rules, if ever truly and transparently implemented, ever prevent futures crises?

Unfortunately, history reminds us that for each regulation or procedure created there is a loophole that can be exploited. Hence, the whole issue lies in the effective design of regulating systems, taking into account the various risks inherent to the relation between economies and private investments. Better focus on the matter would certain reduce systemic problems in the future and it is becoming now a serious concern in Europe and the U.S. who are looking at introducing enhanced reforms on the regulatory system and the quality of rating agencies. Improved risk management is now a definite requirement. The systems in place today are too limited to encompass the numerous issues they are intended to address. Hence, weak risk management systems imply more risk. The role statistical and probabilistic models play in the equation is far from being negligible. However, they often tend to focus on the wrong perspectives such as the occurrence of a major loss in a year rather than the likelihood of a Black Swan event for instance. As such, models must not be considered as finite and should evolve and adapt in correlation with their environment. The key to prevent markets from dramatically failing beyond control may also simply lie in the capability of predicting these rare events, a concept that is yet to be fully understood and mastered.

Posted in Uncategorized | Comments Off

Risk Management

What is Risk Management?

Without referring to the millions of websites and documents knocking about that talk about Risk Management, I want to try and give a simple view from the perspective of someone who has to manage risk day to day across major projects. This is real risk management, hands on.

Of course, “Risk” and “Risk Management” will have variations of the same general meaning depending on the circumstances or context to which it is applied, but in principle, all risk management will follow more or less the same process.

So, what is a Risk? A risk can be any influence on an expected or planned outcome that changes that outcome. In child-talk, it’s anything that could stop you getting what you want or expect.

Here’s an important note: Risk hasn’t happened yet. If the outcome has already changed as a result of a risk “happening” then it’s no longer a Risk, it’s an Issue and has to be managed differently.

So basically – A risk is something, anything, that could happen that will impact or change a desired or planned outcome. There are so many different ways to state this that, as simple as the concept is, it can easily get confusing. Let me give you an example;

“If it rains today then the field trip has to be cancelled” – the risk is that it may rain. The impact is that the planned trip will have to be cancelled. Risk Management is recognizing the risk potential analyzing the probability and impact and either mitigating it or preparing alternative options that will allow the original plan to succeed.

Risk Management 101

On some of my projects in Asia I’ve had to seriously consider the impact of rain on project outcomes. I was on one job in Korea, Seoul, where we had a limited time to move a banks’ trading office from an old building that had been sold off, to a new building. The old building owner declared bankruptcy and sold off the office block. The new owner, the government, kicked everyone out on short notice. We had 3 months to find a new building, fit it out and move 200 staff including 120 trading positions.

This really tested my teams Risk Management ability. This was a working business, the only window to move the 200 staff was over a weekend – after trading stopped on Friday evening and before it started on Monday Morning. Guess what, we had a Typhoon heading in, and for those that don’t know how things work in Asia – Typhoons are given warning signals as they approach by the local authorities.

Each signal indicates a level of “threat” and or probability of a direct strike. As the signal rises in strength the threat (and danger to life and property) becomes imminent and public services shut down. People are told to go home or stay off the streets and, for several hours to several days, everything grinds to a halt.

I had a stressful time managing risk by the hour. The decision to roll back the move to the old office or proceed and hope we got everything in before the typhoon hit was a 15 minute review, every 15 minutes for the first half of the weekend. That was Risk Management like I never had to manage before. Risk Management is critically important to project work.

What is Risk Management?

So, the meaning of “What is a Risk” should, I hope, be graphically clear now..? Risk Management is the process of managing risk as it relates to specific circumstances. The techniques, tools and processes used to manage risk are quite pragmatic and common-sense. But we all know that there’s no such thing as “Common Sense” so the best way to get a consistent framework around managing risk is to learn some best practices based on industry proven templates and methodologies.

I’m not here to push one methodology or best practice against another. I have my personal preferences based on my industry and experience but I know and have seen many other project managers use varying techniques and tools in Risk Management, all valid and most of them effective at doing the job.

In a follow up article I will talk more specifically about Project Risk Management. I’ll share some templates and examples and hopefully stir up some discussions too. There’s no one right way to do Risk Management but there is a consistent framework that should be followed and there are some very good industry standards in Risk Management space.

If you would like to read more on Project Management and some of the Challenges Project Managers face, please go to IT Project Management Singapore [http://www.itprojectmanagementsingapore.com/] for more great information. Here you will also find links to key resources and organisations that can provide first class Project Management services to any business, small or large, local or international. We have a range of professional services partners that have a great track record of services delivery across Asia.

Posted in Uncategorized | Comments Off

Risk Management In Film

In the film industry, Risk Management Plans covering Occupational Health and Safety do exist and must be put in place for every film made in order to conform to legislative requirements. However, because I was unable to obtain any Risk Management Plans for a film which covered other types of risk, it is impossible to know whether Film Studios actually use them other than for Occupational Health and Safety.

When we think of Risk Management in any business, even though very important, we are not just referring to Occupational Health and Safety, we are also considering any other kind of risk associated which has implications on the business itself. The list of risks can be many depending on the context and setting of which the film occurs.

In the film-making process, the setting or environment in which the film occurs can drastically change, causing various risks to befall a production, some risks which may be familiar and others which may have never been dealt with before. In film, this means there are many, many risks which can occur on a production.

When one thinks about how many films are made each year, it would mean film-makers constantly deal with a high turnover of risks, risk which are complex and can vary, depending on the film itself. This actually means that film-makers themselves are Risk Management Experts in their own right because they are not just constantly dealing with risks, they are dealing with risks which constantly change.

Indeed, the utilization of ‘risk benefit’, especially when it comes to stunts and action sequences is extremely heightened, all in the name of the thrill seeking audiences and the money to be made from them.

If Film is one of the highest risk industries, the fact that they travel the globe and visit many communities, shouldn’t they then be obligated, to let communities know, in detail, what’s going on in their own back yard so to speak?

Often in our community or local area, when an apartment complex is going to be built or construction takes place, more likely than not, those in the neighborhood would receive information from the council detailing the exact building plans where the community is consulted. On the contrary, when a film is made in a certain area, town or country, more often than not, film production companies do not provide the exact details of the dangerous activities that may be involved, to the people in the community, often these activities posing much more of a threat than the construction of a building.

The film industry will not communicate and consult with the community in exact detail, because this would simply run a risk of letting their competitors know their plans. Even though fire and explosions are controlled to a certain extent, these dangerous elements are still present and there is always a risk when dealing with these elements no matter how controlled.

This is an example of a reason not to communicate or consult but sometimes at the expense of ethical and moral values, where members of the community are oblivious to exact details, when they should be in fact more informed.

In fact there are many kinds or risk in film and it’s ‘sister’ industry television which breach ethical and moral standards, for example, one only had to look at the numerous times journalists and camera crew, risk their lives in a worn torn or volatile country to secure a story for a major news station.

In film, every time a stunt person performs a stunt, no matter how controlled the stunt, the risk is still high, if a stunt person dies, the film will still go ahead because the stunt person is considered expendable – here we see an extreme case of Risk Benefit utilizing death in exchange for the immortality of the Stars presence and the success of the film. The only other industry I can relate to similarly, which incorporates a similar view is the military or Special Forces.

Considering how risk plays such a big part in film, it’s quite surprising that the subject of Film and Risk at present is a very much neglected by most academics and scholars today which is why I decided to take up this subject as part of my study in Risk and Project management. In regards to the film industry and these topics I came across a knowledge gap. Here are some of the issues I encountered while studying the subject:

- I could not locate or find any sufficient examples of the Project Management Model being applied to the film-making process, even though it’s quite easy to apply when considering the processes the film industry uses.

- On the internet there are many ‘Risk Management Plans’ for a variety of different industries however, for the Film Industry, there was not one example.

- ‘The Australian Film and Television Industry Safety Guidelines’ (144 page document) has been in ‘Draft’ format for 10 years. There are so many Safety Considerations to consider not all of them can be accounted for.

- My local Paddington, Sydney Library had no books or published material on the topics of Risk or Project Management in Film. Both of these areas extremely applicable and valid to the film-making process, one marvels why the lack of information.

- The Australian Film Television and Radio School Library at Fox Studios, despite the enormous collection of books on film-making, again there were no books on either of these topics of ‘Risk Management’ and ‘Project Management’. Both librarians I consulted were baffled and surprised at finding the knowledge gap when I had asked for information on the topic. They believed they had everything there is to find on film-making in their library, however they did not have what I was looking for, perhaps one of the most important things there is to read about in film.

- On top of that, not many professionals in the industry are willing to talk about their work and government bodies like Screen Australia, are not interested in providing examples of ‘Risk Management Plans’ used on previous films because of ‘privacy’ reasons. I consider this excuse quite poor, since many Project Management and Risk Management students, on most cases, easily ask their industry type for a copy in which it will gladly be provided – in the film industry it is quite closed and unhelpful, well at least in Australia that seems to be the case.

There was one rare instant, while I was studying this topic, in which a lady whose name and ex-employer I won’t mention, was resigning from her job and she forwarded me a small example of a ‘Risk Register’ for a film production. I am very grateful for this information. After viewing the Risk Register I realized, as suspected, that it indeed was very much the same kind of ‘Risk Register’ you would use in ANY business type. Sometimes I find all the secrecy in film unnecessarily!

During my research I created a blue, yellow and grey model based on my own understanding of how the Risk Management Process, the Project Management Process is entwined within the Film-making Process.

Even though the environment/setting of every film changes, there are still certain key aspects of Risk to consider, which are relevant for every film.

Even though Risk and Project Management aren’t widely taught at film school, it should be because it actually adds, in a significant way, to a student’s mind, a much better and wholesome understanding and awareness of risks in their industry type, this also adding to a better management and handling of risks overall. Most learning facilities teach their students a widely understood awareness of risk principles applied to their industry type, the film industry should also do the same for the students and filmmakers.

Most people would agree that the film industry is shrouded in secrecy, mystery, exclusivity giving us the impression that the way they run is very different and unique. Through my research I would like to point out that exclusivity and uniqueness is not the case, and that the film industry is just like any other business in the way that it runs and the processes that it uses, only that, when it comes to risk, they may be the biggest risk takers of them all.

Posted in Uncategorized | Comments Off

Risk Management on Projects

Project Risk Management

How does project risk management differ from any other type of risk management? Well in most regards it doesn’t. However, as this is a project focused activity it helps simplify the overall focus by looking only at the core project fundamentals of scope – which are cost, quality and time. Remember that, I may test you later!

There are a number of good training videos available on YouTube that cover this principal. I’ve added a couple below to help bring home the point of this article. I find watching a presentation often easier to take in than reading some else’s thoughts.

Project Risk Management

So what is project Risk Management is all about? In an earlier article I talk about what risk and risk management are about. If you are still confused about what risks are and what risk management is about then read this article, it should bring you into the picture. On projects we talk about risk as any event that could cause an unplanned change to the projects scope – i.e. impact the project costs, timeline or quality of the deliverables, or any combination of the three.

What isn’t always obvious when talking about project risk management is that we also need to consider the positive impact a risk may have on a project – i.e. reduce costs, decrease the time line or increase the quality of deliverables. In reality it’s not very often that project risks present positive opportunities. Never the less, as project managers we have a responsibility to recognize and act on these risks positive or negative. That’s Project Risk Management.

David Hinde wrote a good article back in 2009 about using the Prince 2 Risk Management technique. Without getting imbedded in any particular methodology, the general approach to project risk management should follow a similar framework and this is as good as any for the purpose of this article:

David talks through a Seven Step process,

Step 1: Having a Risk Management Strategy

This means setting up a process and procedure and getting full buy-in from stake holders in how the organization will manage risk management for the project.

Step 2: Risk Management Identification Techniques

Where do you start in the identification of risks around a project? There are many risk management techniques and David suggests a few which are excellent. However, I like to take a step back and make a list of all the critical elements of a project on the basis of “if this task doesn’t happen will it be a show stopper?”. This helps be build a prioritized list of critical tasks against which I can then consider the risks – what could go wrong to impact this task.

Here’s my thought process on risk identification outlined:

List out critical deliverables
List out, against each deliverable, dependent tasks
List out against all dependent tasks and critical deliverables “any” potential event that could delay or stop the delivery to plan.
Grab a template risk analysis matrix and complete the first pass of assessment – probability v impact for each risk.
Take it to a project meeting and use it as the baseline for brainstorming.

Step 3: Risk Management Early Warning Indicators

Don’t rely on basic performance of the project as an indicator that everything is going well. Status reports showing a steady completion of tasks could be hiding a potential risk.

In risk management a number of other factors need to be on the project managers radar on daily basis. Things that I always look for are delivery dates from vendors – how confirmed are they, is there a movement in delivery dates (you’ll only see this if you regularly ask for confirmation updates from the vendor), resource issues – key individuals taking sick leave or personal leave more often than normal.

Delays in getting certain approvals signed-off by the steering committee or other governance bodies – will this impact orders going out or decisions being made on critical tasks? Getting qualified people in for inspections and certification (new buildings for example require a lot of local regulatory inspections). These are just a few of the daily challenges a Project Manager will face and all can be indicators of trouble to come.

As you gain more experience in risk management you start to instinctively recognize the early warning signs and challenge the culprits earlier in the process. You’ll also finds the a good project manager will build-in mitigation for the common project ailments at the very start, sometimes seeing the tell-tale signs when selecting vendors or suppliers will be enough to select better alternatives and this is what I call dynamic risk management at work.

Also keep an eye on the world around you – economic or geological events elsewhere can have a dramatic impact on local suppliers and supplies of key project materials. For example, flooding in Thailand has impacted the delivery of various computer components that are manufactured there, causing impact in both supply lines and pricing. (Yes, I work in Asia so see this type of impact first hand..)

Step 4: Assessing the Overall Risk Exposure in Risk Management

Taken directly from David’s article as he says this quite clearly – “PRINCE2 2009 gives an approach to show the overall risk situation of a project. Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms. By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.”

There are many similar ways I’ve seen risk calculated in organizations variations on risk management. Â As long as there is a common approach for showing all risks, prioritization and impact on a project then risk management will work and add value in protecting the investment in the project. Each project and each organization will have their own requirements in terms of how they want to see risks analysed and presented. By and large it doesn’t matter how this is done, as long as it IS doesn’t and it makes sense in the context of the project and organization. There are risk management tools to help organise and manage this.

In another article I’ll talk more about the Risk Management matrix and show a few examples. In my mind the only wrong way to do this is to not do it at all.

Step 5: Considering the Effect of Time on a Risk and Risk Management

The effect of time when analyzing risks is that the more imminent a risk the higher priority it may take. I say “may” as it may be that a very low priority risk with low impact may be about to happen where as a higher priority risk may be weeks or months away. How do you manage this?

Common sense (of which there is no such thing) would suggest that if the higher priority risks are still a long time away then the imminent lower priority risks should be dealt with first, as a higher priority..? Perhaps?

You’ll have to take a pragmatic view on this, every situation needs to be taken on its merits and in risk management, not being an exact science, you’ll be expected to make judgment calls and discuss options with your client and project board or steering committee. After all, the governance board of a project has a responsibility to steer such decisions so the role of a good project manager should be to collate the facts and present the data with recommendations. Let the higher paid guys make the big decisions.

Step 6: Giving a Clearer Approach to Help Define Risks in Risk Management

David gives an example in his article which I’m struggling to relate to the world of projects as I know them. I think essentially what this focuses on is the “mechanics” of the risks in such a way as to help us understand and look at the cause and effect of scenarios that could lead to the risk happening.

In this way we can focus on the lowest common denominator(s) that will generate the risk and mitigate those items. Is that a little confusing? The principal is, I believe to nip the problem in the bud by recognizing what or where the bud is. Don’t get hung up on this, I would say this is something you’d tend to do naturally as you gain experience in reviewing risks and dealing with risk mitigation (prevention).

Step 7: Focus on Opportunities in Risk Management

Finally – and last but not least, where can we make or recognize risks as opportunities. An example David talks about suggests that, for example, a new release of a software product that would offer major benefits if included in the project would be a possible “positive” risk.

This I can relate to more, with the experience of being asked to change the specification on a traders dealing system half way through a major project because the manufacturer had released a major systems improvement, a completely new model, that the bank saw as a strategic advantage.

The analysis of this risk covered the obvious change in costs, the new system was more expensive, the implementation was zero impact compared to the older system however there was a large element of re-training the trading staff and proving the system for the bank before go live. This became the biggest challenge once the cost differential had been signed-off by the project board.

The additional training time required was squeezed into evenings and weekends so the final project delivery schedule was not impacted – but getting vendor and project resources to support the additional work and making sure the system was fully functional and supported operationally when the new facility went live, added cost and stress that hadn’t been anticipated. This is where risk management and change management overlap – a topic for another article.

The client was happy with the result and additional investment made. Simple risk management gets the job done.

Posted in Uncategorized | Comments Off

Risk Management in Accounting Firms: Overview of The New Australian Standards

INTRODUCTION

At its most basic level, risk is defined as the probability of not achieving, or reaching, certain outcomes (goals). Risk is measured in terms of the effect that an event will have on the degree of uncertainty of reaching stated objectives. Risk is commonly thought of in this context as a negative connotation: the risk of an adverse event occurring.

This article discusses the risks faced by accounting firms in Australia, and gives an overview of the new risk management standard (APES 325) issued by the professional standards board.

WHAT IS RISK IN ACCOUNTING FIRMS?

In the context of the professional Accounting Firm, risk is not a new concept for practitioners: it has been attached to the profession for as long as accountants have offered services in a commercial setting. However, as the number and size of legal claims against professional public accountants has increased over the years, so too has the issue of risk and risk management also increased in importance.

Risk management is the system by which the firm seeks to manage its over-arching (and sometimes, conflicting) public-interest obligations combined with managing its business objectives. An effective risk management system will facilitate business continuity, enabling quality and ethical services to be supplied and delivered to clients, in conjunction with ensuring that the reputation and credibility of the firm is protected.

WHY IS A STANDARD REQUIRED?

The Accounting Professional & Ethical Standards Board (APESB) recognised that public interest and business risks had not been adequately covered in existing APES standards, notably APES 320 (Quality Control for Firms). In releasing the standard, the APESB replaces and extends the focus of a range of risk management documents issued by the various accounting bodies. Accordingly, APES 325 (Risk Management for Firms) was released, with mandatory status from 1 January, 2013.

The intention of APES 325 is not to impose onerous obligations on accounting firms who are already complying with existing requirements addressing engagement risks. All professional firms are currently required to document and implement quality control policies and procedures in accordance with APES 320/ASQC 1. Effective quality control systems, tailored to the activities of the firm, will already be designed to deal with most risk issues that arise in professional public accounting firm. However, APES 325 does expect firms to consider the broader risks that impact the business generally, particularly its continuity.

THE NEW REQUIREMENTS

The process of risk management in the Professional Accounting Firm requires a consideration of the risks around governance, business continuity, human resources, technology, and business, financial and regulatory environments. While this is a useful list of risks to consider, it will be risks that are relevant to the operations of the practice that should be given closest attention.

Objectives

The ultimate objective for compliance with the Risk Management standard is the creation of an effective Risk Management Framework which allows a firm to meet its overarching public interest obligations as well as its business goals. This framework will consist of policies directed towards risk management, and the procedures necessary to implement and monitor compliance with those policies. It is expected that the bulk of the Firm’s quality control policies and procedures, (developed in accordance with APES 320) will be embedded within the Risk Management Framework, thus facilitating integration of the requirements of this standard and that of APES 320, and ensuring consistency across all the Firm’s policies and procedures.

A critical component of the Risk Management Framework is the consideration and integration of the Firm’s overall strategic and operational policies and practices, which also needs to take account of the Firm’s Risk appetite in undertaking potentially risky activities.

Whilst the standard allows for the vast majority of situations that are likely to be encountered by the accounting firm, the owners should also consider if there are particular activities or circumstances that require the Firm to establish policies and procedures in addition to those required by the Standard to meet the stated aims.

Establishing & Maintaining

Ultimately, it is the partners (or owners) of the Accounting Firm that will bear the ultimate responsibility for the Firm’s Risk Management Framework. So it is this group (or person if solely owned) that must take the lead in establishing and maintaining a Risk Management Framework, as with periodic evaluation of its design and effectiveness.

Often times, the establishment and maintenance of the Risk Management Framework is delegated to a single person (sometimes not an owner), so the Firm must ensure that any Personnel assigned responsibility for establishing and maintaining its Risk Management Framework in accordance with this Standard have the necessary skills, experience, commitment and (especially), authority.

When designing the framework, the firm requires policies and procedures to be developed that identify, assess and manage the key organisational risks being faced. These risks generally fall into 8 areas:

Governance risks and management of the firm;
Business continuity risks (including succession planning, and disaster recovery (non-technology related);
Business operational risks;
Financial risks;
Regulatory change risks;
Technology risks (including disaster recovery);
Human resources; and
Stakeholder risks.

The nature and extent of the policies and procedures developed will depend on various factors such as the size and operating characteristics of the Firm and whether it is part of a Network. In addition, if there are any risks that happen to be specific to a particular firm – caused by its particular operating characteristics – these also need to be identified and catered for. At all times, a Firms public interest obligation must be considered.

A key factor in any risk management process is the leadership of the firm, as it is the example that is set and maintained by the Firms leadership that sets the tone for the rest of the firm. Consequently, adopting a risk-aware culture by a Firm is dependent on the clear, consistent and frequent actions and messages from and to all levels within the Firm. These messages and actions need to constantly emphasise the Firm’s Risk Management policies and procedures.

Monitoring

An essential component of the Risk Management process is monitoring the system, to enable the Firm overall to have reasonable confidence that the system works. The system works when risks are properly identified and either eliminated, managed, or mitigated. Most risks cannot be entirely eliminated, so the focus of the system needs to be on managing risks down (preventing occurrences as far as practicable), or mitigating the risk (handling the event should it occur).

As part of the system, a process needs to be installed that constantly ensures that the Framework is – and will continue to be – relevant, adequate and operating effectively, and that any instances of non-compliance with the Firm’s Risk Management policies and procedures are detected and dealt with. This includes bringing such instances to the attention of the Firm’s leadership who are required to take appropriate corrective action.

The Framework needs regular monitoring (at least annually), and by someone from within the Firm’s leadership (either a person or persons) with sufficient and appropriate experience, authority and responsibility for ensuring that such regular reviews of the Firm’s Risk Management Framework occurs when necessary.

Documentation

A Risk Management system needs to be properly and adequately documented, so that all the necessary requirements can be complied with, and referred to (if necessary). The form and content of the documentation is a matter of judgment, and depends on a number of factors, including: the number of people in the firm; the number of offices the Firm operates, and; the nature and complexity of the Firm’s practice and the services it provides.

Proper and adequate documentation enables the Risk Management policies and procedures to be effectively communicated to the Firm’s personnel. A key message that must be included in all such communications is that each individual in the firm has a personal responsibility for Risk Management and are required to comply with all such policies and procedures. In addition, and in recognition of the importance of obtaining feedback, personnel should be encouraged to communicate their views and concerns on Risk Management matters.

In documenting the risk framework, the Firm needs to include and cover following aspects:

The procedures to be followed for identifying potential Risks;
The Firm’s risk appetite;
The actual identification of risks;
Procedures for assessing and managing, and treating the identified risks;
Documentation processes;
Procedures for dealing with non-compliance with the framework;
Training of Staff in relation to Risk Management; and
Procedures for regular review of the Risk Management Framework.

In alignment with the monitoring of the Risk Management system, all instances of non-compliance with the Firm’s Risk Management policies and procedures detected though its Monitoring process need to be documented, as with the actions taken by the Firm’s leadership in respect of the non-compliance.

Finally, all relevant documentation pertinent to the Risk Management process needs to be retained by the Firm for sufficient time to permit those performing the monitoring process to evaluate compliance with the Risk Management Framework, and also to follow applicable legal or regulatory requirements for record retention.

SUMMARY

Risk is an ever-present and growing component of delivering professional accounting services to clients, and is not confined to taking on client work that can put the firm’s reputation into decline. It is the everyday business conditions and decisions made that can weigh heavily on a firm.

The modern accounting firm is in the unique position of having all the operating risks of a main-stream business, with the addition of those imposed by the various regulators and authorities.

A comprehensive and effective Risk Management Framework will assist owners of firm in identifying deficiencies and blind-spots that can impact a firm, as well as placing a commercial assessment on the probability of an occurrence, and putting in place clear plans on what to do and when.

With more than twenty years in the fields of accounting and finance, sales and marketing, and operational activity, Michael (MK) has an extensive understanding how businesses succeed in a holistic manner.

He is also the Director of Insignia Consulting, accounting and business management consultants. Insignia Consulting has particular expertise, and specialises in The Quality Control Manual for Accounting Firms in Australia, with experience with QA Audits and developing customised manuals for public practice firms.

Posted in Uncategorized | Comments Off