Grant Purdy and Roger Estall have recently published a book on decision-making called Deciding. Written to help decision makers (they call them Deciders) to make ‘even better decisions’ it goes directly to the two big challenges for every Decider – ensuring that each decision will contribute to (rather than detract from) achieving the purpose of their organisation, and being sufficiently certain that the outcomes that result from the decision, are those they intend.
Despite ‘risk management’ having no solid foundation or universal meaning, the advocates of its many guises – each pulling the levers available to them – created a perception in those responsible for the governance of organisations that ‘risk management’ was ‘good’ and should therefore be adopted.
‘Risk management’ thus became promoted as something that is both valid and indispensable: in effect something to be believed in as essential to good governance.
Organisations were therefore encouraged by ‘risk management’ advocates to give effect to this belief by superimposing a ‘risk management framework’ across the organisation comprising various edifices. Common examples included ‘risk committees’ of the Board, ‘Chief Risk Officer’ positions and various ‘risk management’ structures, policies, reporting requirements and so on. The purpose for establishing this paraphernalia, was seldom transparent, explicit or understood. Consequently, to the extent that it actually existed, this ‘framework’ was seldom integrated with day to day decision making.
Some national stock exchanges (i.e. share trading markets) included practice of ‘risk management’ as a necessary condition for a stock being listed on their exchange. The (entirely untested) belief was that practising ‘risk management’ (in whichever guise) was prima facie evidence of, and a prerequisite for, sound management. The belief was that investors could and should have greater confidence in such companies.
This has been proved repeatedly to be a false assumption, best illustrated by the extraordinary failure of the Enron Corporation and by two spectacular examples of corporate failure that occurred while we were writing this book.
The first of the contemporary examples was the two tragic crashes of Boeing’s new 737MAX aircraft that took 346 lives in 2019. The subsequent technical and congressional investigations showed that the manufacturer’s system of’risk management’ had failed to detect or communicate the latent deficiencies in the design modifications incorporated in this model and that these had gone undetected or acted on by the regulator’s own ‘risk management’ system.
Following the second crash, the world-wide fleet of B737MAX aircraft were grounded and production of further aircraft ceased pending resolution of the problems. This had a major effect on Boeing’s reputation, profitability and stock value and caused much soul searching concerning the interface between manufacturers and regulators.
The second contemporary example was that which played out in a Royal Commission of Inquiry into perceived misconduct in the Australian banking, superannuation and financial services system.
Banks (as well as others in the financial services sector) had been early adopters of the ‘risk management’ belief system and all had established the related paraphernalia of Risk Committees, Chief Risk Officers, ‘risk policies’, ‘risk appetite statements’ and formal ‘risk reporting’, etc.
And yet the Royal Commission found a deeply disturbing trail in most of the banks reviewed, of unethical and arguably, in some cases, criminal practice. Examples included knowingly charging for services that were never provided, harshly treating borrowers (such as farmers who were not able to maintain loan repayments after succumbing to natural disasters) and providing investment advice to clients that benefited the financial institution rather than its client.
As with the Boeing 737:MAX aircraft failings, the ‘risk management’ systems of the financial sector’s regulators had also failed to detect and remedy these failings.
In the aftermath of the Royal Commission, several bank Chief Executives, Chief Risk Officers and even Directors were replaced. Shareholders of some banks exercised their power to reject the future remuneration packages for senior executives, massive costs
were incurred in making remediation payments to customers (with resultant significant drop in the value of bank stocks) and large fines were imposed.
Above all, the Royal Commission showed that the ‘risk management’ belief system and related edifices that the banks, their shareholders, customers and the regulators had strongly relied on as evidence of good governance, failed miserably. But that was hardly
surprising. Belief systems inevitably start with the answer (which is the belief) rather than with careful and objective definition of the problem.
As an article of sound governance, ‘ risk management’ in the banking sector was largely illusory.