Transcript:

Nick James:

We are now living in a world where almost every organization faces extreme uncertainty on a daily basis. More than ever, teams need to be integrated and silos need to be removed. I’m the founder and event director of #RISK, a significant and very timely series of events that start in London in November of this year. I’m delighted to be joined today by Michael Rasmussen, one of our #RISK ambassadors. Hi, Michael.

Michael Rasmussen:

It’s a pleasure to be here today. I’m looking forward to this.

Nick James:

Excellent. I’ve got a number of questions for you, but the first one is about what I said in my introduction about uncertainty. Do you think the words risk and uncertainty are interchangeable?

Michael Rasmussen:

Wow. I mean, that’s going to get into semantics. If we go by the official definition of risk, that’s found in ISO 31000, the international standard on risk management: risk is the effect of uncertainty on objectives. Are they absolutely equal, if you go by the definition? No, because risk is the effect of uncertainty, and it’s the effect. But, that’s unpacking it probably a little too deeply. Generally yes, risk is about uncertainty management. In order to do risk, you have to truly understand what that risk is about. Going back to that definition, risk is the effect of uncertainty on what? On objectives. We need context to understand what the uncertainty is about, what the risk is about. That’s where the objectives put that in context.

Michael Rasmussen:

Now, from a corporate point of view, because we can look at risk from a geopolitical, broad, global point of view, a country point of view, an individual point of view. But, from a corporate point of view, your objectives might be entity level objectives. They might be division level objectives, department, process, project objectives, or even asset level objectives. We have objectives at different levels in the organization. Risk is the effect of uncertainty on those objectives. We have to clearly understand the objectives of the organization to be able to manage risk or, and this is what we’re talking about here, uncertainty to those objectives.

Nick James:

As you said, semantics, but a very pragmatic approach. What we’ve seen over the last two years with the COVID-19 pandemic is that it’s focused a lot of organizations on the need to build resilience and ensure their ability to respond to and recover from operational disruptions. Does that mean that risk and resilience are two sides of the same coin?

Michael Rasmussen:

There, I would say no. They’re related. Resilience is an outcome of risk management. But to me, risk management should govern resilience. If you look at the operational resilience regulations around the world, you have the UK’s operational resilience regulation from the Bank of England, the FCA, the PRA. You’ve got the EU’s DORA, the Digital Operational Resilience Act. You’ve got [00:03:36], and the Bank for International Settlements guidance on operational resilience. Then you have the United States Office of the Comptroller of the Currency guidance on operational resilience. If you look at the U.S. definition in the OCC guidance, it says that operational resilience is an effective outcome of operational risk management. Resilience is a part of risk management, but risk management is much broader than just resilience. In fact, if you wanted to look at two sides of a coin, I would say there’s agility and resilience, because it’s not just about managing the risk to the organization from a resilience standpoint, but it’s also effectively maturing your risk management so you can be an agile organization.

Michael Rasmussen:

Let’s take the analogy that I’m running down the street. If I’m running down the street, going out for a morning run, whatever it is, and I trip over the curb, resilience is how quickly can I get up and get back running again? Resilience is about the recovery from an event, a risk event. While agility, which is so important to risk management today, is being able to see that obstacle, like that curb that I might trip over, and be able to navigate and not trip over it. Or, if I’m doing something like parkour that we can watch out there on YouTube, leverage some obstacles for some great feat of agility and act for our greater gain. Good risk management enables resiliency, the ability to see events and minimize the impact, recover from events. But, really good risk management is the ability to bring in agility, to be able to see what’s coming at us and be able to prepare the organization and navigate and avoid a risk event, or even leverage that, what’s coming at us, to greater opportunity and gain for the organization.

Michael Rasmussen:

To me, if we’re looking at two sides of the coin, it’s agility and resiliency. Risk management, good mature risk management, is going to mature and bring both of those to the table.

Nick James:

Excellent. I love the analogy as well. Our strap line for #RISK is risk is everyone’s business. With that in mind, who in an organization should own risk, and does it sit with the C-suite? If it does, does the C-suite, does the board, have the requisite skillsets to provide effective risk oversight?

Michael Rasmussen:

There’s a lot to unpack there. First off, let’s talk about the three lines model. It used to be called the three lines of defense. You have the third line being audit and assurance, providing assurance on risk management. You have the second line function, where I spend most of my career, and that’s that back office of risk management: the chief risk officer, the operational risk manager, maybe specific focuses of risk, like IT security, or environmental risk, or health and safety risk. But, then the first line is operational management all the way down to frontline employees. What we’re seeing is a big transition to push risk accountability, not from that second line to the first line, up to the board.

Michael Rasmussen:

What’s incredibly critical right now is to be able to engage the people that actually take risk and make them accountable for risk. To me, risk is owned at the highest level, at the board of directors and the senior executives of the organization. But, obviously it filters down and you’ve got different operational managers and people that take and manage risk at different levels of the organization as well. What’s clearly needed is risk accountability and engagement, where the second line function becomes more of a facilitator of risk management, but it’s actually the first line all the way up to the board that actually owns the risk and is accountable for the risk. We’re seeing a greater focus on accountability because of this, and that’s absolutely important. But, it also does mean, as you referenced, that there needs to be greater skillsets and education from the board, but also on down into different levels of executive to operational management that actually own the risk as well.

Nick James:

There was a lot to unpack there and I think you did a fabulous job of doing so. With all of this in mind, how can leaders set the tone, not only from a commercial or compliance standpoint, but from an ethical position, bearing in mind that, as you alluded to, sometimes not taking risks means missing opportunities?

Michael Rasmussen:

It’s about clearly communicating what risk is and also, in that context, building out a culture of risk. What is acceptable and unacceptable risk in your organization? Who takes and manages risk? Risk culture is absolutely critical. Are you an organization that’s very cavalier and takes a lot of risk and doesn’t manage it very well, or are you an organization that’s very averse to risk taking, but even the risk you take, you don’t manage well? Are you aggressive in taking risks, but you have strong structures of risk accountability and ownership where there’s greater return on risk? It’s critical that organizations foster the right culture of risk management.

Michael Rasmussen:

I’m a global ambassador for the Institute of Risk Management and an honorary life member there. We did some work about a decade ago on risk culture. But, it is one of the most fundamental pieces I’ve seen come out of the Institute of Risk Management, because it is so clear and guiding on how we direct the attitudes, the behavior and the culture in a proper direction of what is acceptable and unacceptable risk and how that risk is taken and managed. There’s a great article in The Economist magazine from about 15 years ago called Goldman Sachs Behind the Brass Plate. It talks about a range of themes, but one theme it gets into is Goldman Sachs’ culture of risk management and how, if you’re taking a significant risk, it can’t be a single person’s effort. It’s got to be a team effort. You’ve got to get multiple people and inputs involved, and that’s all part of our culture. How do we engage and collaborate on risk?

Nick James:

This is playing right into the whole rationale behind us wanting to run this series of events, #RISK, because it can’t exist in a silo. It needs to be everyone’s responsibility. From my point of view, as a publisher and an event organizer, and a little bit, I guess, of a Johnny-come-lately to the whole governance, risk and compliance sector, I see that almost every day there are new risks that people have to look at. Obviously, the one thing that we’re seeing is a rise in the importance of ESG, which again, I know it’s not us. I’m being asked by a lot of people, “Well, who is taking the lead in ESG? Is it the CFO, the CMO, the CDO, the CRO, the CEO?” That’s one question; there is a double question, a second part to this question, which is, has COVID-19 helped or hindered the responsible business agenda?

Michael Rasmussen:

Great question. Now, I mean, ESG is again all about accountability. We had iterations of ESG before. We used to call it corporate social responsibility. But, the challenge with corporate social responsibility was it was passed around the organization like a hot potato and often landed in the lap of marketing, became a branding exercise that said, “Let’s put green in our logo,” and wasn’t really about changing the practices of the organization. ESG is coming at the organization from so many angles, from the investor, the corporate investor standpoint, boards of directors, to customers and clients, to employees, to stakeholder groups, to regulators. You have to have your accountability for that. I’m seeing most often that the corporate compliance and ethics department, the chief ethics and compliance officer, is being handed the overall ESG responsibility and accountability. To me, the chief ethics and compliance officer, the CECO, that’s ultimately about the integrity of the organization.

Michael Rasmussen:

If I could rebrand the chief ethics and compliance officer, it would be the chief integrity officer, but we already have a CIO, so maybe that acronym wouldn’t work. But, it’s about the integrity of the organization, that what we communicate as our values around the environment, the social, the governance and other compliance aspects is a reality in the organization. To me, it all gets down to the integrity of the organization, that what we communicate to the world and internally to our employees is what’s being done in the organization. That’s the responsibility of the chief ethics and compliance officer. In most of my interactions, the majority, I would say, I see the CECO taking accountability there. But, as you pointed out, all these other roles, from operational risk to audit assurance, to environmental and health and safety, and IT security and data protection, they’re all involved.

Michael Rasmussen:

This isn’t a one department function. It’s a federated function that involves all these different departments. Somebody’s got to lead it. Most often, I see that being the chief ethics and compliance officer, but not always. Other times, it is operational risk. Other times I’ve seen audit assurance in other roles. But, if I had to pick the role that I’ve seen the most action on, it is the chief ethics and compliance officer. But, that is a facilitation role, because to deliver on ESG requires all these different departments and functions that tie into some aspect of ESG risk, from procurement, to human resources, to IT security, to internal controls. All these have to be part of it.

Michael Rasmussen:

Now, your other question about COVID-19, I would say COVID-19 has helped. If you go back to December of 2019, I published a blog article on my website called A Tale of Two Futures. Was our future a Blade Runner future, or a Star Trek future? We’re headed towards one or the other, and the decisions governments make, but also individuals make, and also corporations make, are going to impact whether we’re headed towards that environmental and social disaster, a Blade Runner, or that more environmentally green and friendly, intergalactic cooperation of alien races of Star Trek. You just watch the most recent series of Picard, and you see that San Francisco is a very green type environment. We’re headed towards one or the other. I point out in this blog article that what corporations do now is going to impact that future. But, then I state, if you look at a lot of enterprise and operational risk management programs, you would think the only risk that is a concern to them is IT security risk, and that’s a huge risk.

Michael Rasmussen:

I started my career in IT security, but I state in that report, if you look at the World Economic Forum Global Risk Report that comes out every year, the most significant risks we face are environmental risks, like climate change, and health and safety risks, like pandemics. I’m saying this in December 2019, and saying a lot of enterprise operations management programs have to change to address a broader range of risks. COVID-19 comes along to prove my point. But, the challenge is that it’s an interconnected risk environment. The physicist [inaudible 00:15:04] states, “The more we study the major problems of our time, the more we come to realize that they’re interconnected and interdependent. They cannot be managed in isolation.” The risk environment today is an interconnected risk environment. What starts off as a health and safety risk, like the pandemic, cascades and brings in IT security risks from the work from home environment.

Michael Rasmussen:

Conduct risks, as people are on Zoom meetings and they’re in their home office and they’re saying things that cross the line into harassment and discrimination, because they don’t think the same rules apply to them because they’re at home and not in the corporate office. Increased risk of fraud or bribery and corruption because of restrictions at customs and limited governed contracts and permits. Greater risk of social accountability issues, like international labor standards, child labor and forced labor, because our supply chain factories go dark because of the illness and they reopen with child labor and forced labor. It’s an interconnected risk environment and we’ve got to do something about that. That’s why ESG is becoming so important, and what really caused a lot of people to open their eyes was the pandemic.

Nick James:

Wow. I totally agree with you on that, and I just, fingers crossed, hope that we’re aiming for and going to end up in the Star Trek scenario, and that ESG might be a guiding light to take us in that direction. I’ve got one final question, Michael, and this is obviously from a business point of view, rather than a personal point of view. But, what keeps you up at night?

Michael Rasmussen:

Geopolitical risk, no doubt about it. But, that can unpack into environmental risks and geopolitical tensions. One of the things I’ve been monitoring for 15 years is geopolitical risk. A lot of organizations don’t feed that into their enterprise and operational risk programs, because they’re so focused on IT security and things, which is still an important risk. I’m not downplaying that. But I mean, geopolitical risk is definitely the thing that keeps me up at night, because of all the tensions that we see and the potential for tensions and global disruptions. From the Suez Canal being blocked and the backup in global supply chains, to environmental disasters and things that might impact our global businesses, to geopolitical tensions that we’re seeing play out in Ukraine and Russia right now. Geopolitical risk is top of the line.

Michael Rasmussen:

The other one that would come to mind is regulatory change risk. Financial services, global financial services, are dealing with, gosh, what is it? 1,217 regulatory change events every … No, I’m sorry. They’re dealing with 257 regulatory change events every business day, and that’s coming from 1,217 regulators around the world. There’s so much regulatory change every business day: new regulations, changed regulations, enforcement actions, and just keeping up with the volume of change in the environment. The regulatory change, the risk change, the business change, that’s all extremely challenging.

Nick James:

Michael, this has been absolutely fascinating and we could go on for a long time. But, I’m hoping to see you very shortly in person, where we can maybe debate all of this over a glass of red wine. Absolutely wonderful to see you again, and I look forward to catching up soon.

Michael Rasmussen:

Likewise.

Nick James:

Thank you.


#RISK Founder Nick James in conversation with Michael Rasmussen