People Risk Management - Chartered Institute of Internal Auditors

IIA South West - Risk Management Seminar
People Risk Management
Keith Blacker
9 April 2014
“Man is a creature made at the end of the week… when God was feeling tired”
– Mark Twain
A few words about Keith Blacker
• Chartered Accountant – 30+ years in insurance/financial services
• MBA & DBA (Henley Management College) – operational risk management in UK retail banks
Previously:
• Simplyhealth (Health Insurance) – CFO
• Carivita (Bancassurance), Italy – Operations Director
• LloydsTSB Insurance (Life Insurance, General Insurance, Commercial Insurance Broking) – Internal Audit, Business Development, Risk Management
• Former Chairman of IIA South West and IIA Council member
Currently:
• Chairman of an IFA business
• Chairman of a Health & Leisure business
• Consultant and Trainer
• Co-authoring a book with Pat McConnell on People Risk Management
© Keith Blacker
IIA South West Risk Management Seminar 9 April 2014
Slide 2
CEO report (hypothetical board meeting)
As the preliminary financials show, we have had another spectacular year, exceeding our guidance to the Stock Exchange by increasing our customer base yet again by over 40%, mostly in our target demographic of 19-40 year olds, the tech-savvy generation in need of our banking and insurance products and not well served by our competitors. We expect this success at home to continue to grow, but as a management team and Board we are always on the lookout for new opportunities. We believe that as an Internet-based organisation we can go anywhere, and France may be just the first step in that journey. France, our closest neighbour, sometimes friend, sometimes foe, has a population that is almost identical to the UK's (some 63 million) and a median age that is about the same (40 vs. 39.7 years). Paris is the famed city of light, a world-class capital of culture, fine wine, amazing food and 'joie de vivre', or joy of life. Using the CEO's discretionary R&D budget, the CFO has already acquired a small office in the middle of Paris as a convenient base from which to look into the French market as one ready for our products. She has already concluded that French financial institutions are just as staid as ours and that our target market is not well served. But first impressions are not enough, so the CFO has already contacted a local marketing consultancy, Jeune France (Young France), and engaged a hip Internet developer to do a mock-up of what our site might look like for French customers. Our marketing director will give a quick demo of this new site after this meeting. As CEO I have suggested, and the Chairman has readily agreed, that we hold our next Board meeting as an away day in Paris to discuss our strategy and other opportunities for international growth. By that point, our head of Strategic Planning and the CFO will have pulled together the necessary financials and marketing information to allow a decision to be made on whether or not to grasp this opportunity. The initial modelling looks 'très bon'. I would like your initial feedback on this concept.

On a scale of 1 to 9, how do you feel about it? Where 1 is ‘I don’t like it, we should stick to what we are used to’ and 9 is ‘Yes, excited to be part of this new phase in our company’s development’.
Agenda
• What do we mean by People Risk?
• The Human Dimension of Risk
• Roles and Responsibilities
• Internal Audit and people risk
What do we mean by People Risk?
The case of Rajat K. Gupta
“an utter aberration” – his lawyer
“why such a good person would do such bad things is an unanswerable question” – the Judge
A simple definition
“The risk of loss due to the actions or non-actions of
people, inside and outside the organisation”
Loss may be:
Financial
Human capacity – death or injury
Corporate (or individual) reputation
Organisational capacity – inadequate decision-making
People risk in practice
(Slide diagram: a scale running from “zero-risk man” at one end – prudent, rational, responsible – to “excessive-gambling man” at the other – imprudent, irrational, irresponsible.)
Note that:
• We’re all on this scale somewhere
• A lot will depend upon the environmental factors
• …and the job we have to do
The Human Dimension of Risk
The problem of human bias – some examples
• Anchoring
• Overconfidence
• System 1 and System 2
• Framing
• Groupthink
• Inattentional Blind Spots
Anchoring (Kahneman & Tversky plus Hammond, Keeney and Raiffa)
• Is the population of Turkey greater than 100 million?
• What is your best estimate of the population of Turkey?
Inattentional Blind Spots (Chabris & Simons plus Trafton Drew)
Framing (Kahneman & Tversky plus Joseph Hallinan)
• People are buying wine in a supermarket and Pavarotti is playing in the background. Which sort of wine are they most likely to buy?
– French
– Italian
– German
Overconfidence (Kahneman & Tversky and others)
System 1 and System 2 (Daniel Kahneman)
Key Messages
• Human decision making is complex and sometimes irrational
• People are often driven by biases of which they are unaware
• People, especially experts, operate most of the time on intuition learned throughout their career, rather than on deliberate analysis. This gives rise to the risk that in certain circumstances this intuition may not be correct.
• So how do we make better decisions? Checklists and luck
Roles and Responsibilities
The 3 Lines of Defence
The 6 Lines of Defence
(Slide diagram: risks enter at one end and losses emerge at the other, passing through six successive lines of defence, with Human Resources shown alongside the lines.)
RISKS
1st Line – Individual
2nd Line – Business Management
3rd Line – Risk Management
4th Line – Internal Audit
5th Line – Board
6th Line – Stakeholders
LOSSES
Human Resources
People Risk: an example - Fraud
• Directive Controls – mitigate risks by establishing limits of authority within which people can operate (for example, authorisation of expenditure limits)
• Preventive Controls – mitigate risks by stopping errors or deviations from required practice occurring in the first place (for example, training on how the system works or segregating the duties of people)
• Detective Controls – mitigate risks by identifying errors or mistakes that may have been made (for example, bank reconciliations)
People Risk: an example – Fraud (1st/2nd Line)
(Table: rows are the lines of defence; columns are Directive, Preventive and Detective controls.)

1st Line – Individual (all three control types)
Being aware of the policies (including training) in relation to fraud and reporting suspicious behaviour, transactions and incidents (both inside and outside the company), together with control weaknesses which could result in fraud. Maintaining a diligent attitude towards the possibility of fraud.

2nd Line – Business Management
Directive:
• Developing a fraud awareness policy, including consequences for those found committing fraud
• Developing a whistleblowing policy to enable fraud incidents to be reported
Preventive:
• Creating a fraud awareness training programme for all staff
• Including fraud risk in the overall risk assessment process
• Using external experts to sense-check the systems for unidentified fraud risks
Detective:
• Creating a management information system of reporting to identify potential fraud incidents
People Risk: an example – Fraud (3rd/4th Line)
(Table: rows are the lines of defence; columns are Directive, Preventive and Detective controls.)

3rd Line – Risk Management
Directive:
• Providing advice and guidance to Business Management in relation to the management of fraud
• Monitoring fraud trends and incidents outside the business
Preventive:
• Participating in the fraud awareness training programme
• Undertaking fraud risk self-assessment exercises and scenario analysis
• Assisting with developing fraud prevention controls
Detective:
• Undertaking specific fraud audits
• Participating in the fraud risk assessment process

4th Line – Internal Audit (all three control types)
Providing assurance that the above controls are adequate to control the risk of fraud and that the level of fraud risk is within the risk appetite set by the Board. Undertaking specific fraud audits, monitoring employees in high (fraud) risk positions (lifestyles, habits, etc.), using audit software to detect fraud on a real-time basis.
People Risk: an example – Fraud (5th/6th Line)
(Table: rows are the lines of defence; columns are Directive, Preventive and Detective controls.)

5th Line – Board (all three control types)
Setting the fraud risk appetite and creating and embedding a control culture which seeks to counteract incidences of fraud. Monitoring risk reports, setting key fraud risk indicators, commissioning fraud audits, challenging assurance functions to ‘find’ fraud.

6th Line – Regulators (all three control types)
Monitoring fraud trends in the industry and alerting businesses to new threats, collecting/aggregating/disseminating data on fraud across the industry, organising seminars/briefings on fraud.
People Risk: The Critical Role of HR
• The Gatekeepers
• Raise the profile of people risk
• Owner of the most important process in the organisation – “recruitment and investment in people”
People Risk: 1st Line = Individual Responsibility
YOUR COMPANY NEEDS YOU
People Risk: 1st Line = Individual Responsibility
• Professional Codes of Conduct:
– Doctors’ Hippocratic oath
– Aviators’ Model Code of Conduct
– Internal Auditors’ Code of Ethics
– Dutch Banker’s Oath
People Risk: 1st Line = Individual Responsibility
The Banker's Oath
• I declare that I will perform my duties as a banker with integrity and care.
• I will carefully consider all the interests involved in the bank, i.e. those of the clients, the shareholders, the employees and the society in which the bank operates.
• In this consideration, I will give paramount importance to the client’s interests and inform the client to the best of my ability.
• I will comply with the laws, regulations and codes of conduct applicable to me as a banker.
• I will observe secrecy in respect of matters entrusted to me.
• I will not abuse my banking knowledge.
• I will act in an open and assessable manner and I know my responsibility towards society.
• I will endeavour to maintain and promote confidence in the banking sector.
• In this way, I will uphold the reputation of the banking profession.
People Risk: 1st Line = Individual Responsibility
• From Professional Codes of Conduct to… Personalised Codes of Conduct for all staff
• Relate specifically to the role
– HR provides the templates
– Job holder to draft (with help from HR)
– Focus on the people that the job holder interacts with (internally and externally)
– Organise by specific areas related to the interactions
Personalised Code of Conduct: Head of Procurement – Bribery (example)
• I will not bribe nor accept a bribe, especially in the form of excessive entertainment;
• I will maintain a personal log of all entertainment provided to me and gain pre/post approval for entertainment above my department’s risk limit;
• If I witness examples of attempted bribery or excessive entertainment by colleagues, I will
a) Refer to my own and the company code of conduct in discussing the event with colleagues and, if not resolved immediately,
b) Record it as a risk event in the People Risk database;
c) If the behaviour continues, I will report it to the whistleblowing hotline
• I will address excessive entertainment in annual reviews and seek guidance from managers as to further actions. In annual reviews, I will discuss and review my department’s risk limits.
• Etc…
Internal Audit and People Risk
Internal Audit and People Risk
• People risk is linked to culture, which influences the way that people behave
• Culture = soft controls: tone at the top, employee motivation, organisational values
• Soft controls are much more difficult to audit, but not impossible
Internal Audit and People Risk: 5 principles for evaluating soft controls
1. Ask “constructively challenging” questions of management and “confirming” questions of employees.
2. Identify and obtain management’s agreement on the criteria for evaluation and what will constitute legitimate audit evidence.
3. Get “hard” evidence about the results of the soft control when possible.
4. Focus on the underlying management process.
5. Develop and report results in partnership with those accountable. Use appropriate (perhaps informal) means of reporting.
Source: Jim Roth (2010)
Further Reading
• The role of systemic people risk in the global financial crisis – http://www.risk.net/digital_assets/4711/jop_v6n3a4.pdf
• Systemic operational risk: the UK payment protection insurance scandal – http://www.risk.net/digital_assets/5111/jop_mcconnell_web.pdf
A final thought about people…
• 30 percent of the population will not only steal if an opportunity exists, but will actively create an opportunity to do so.
• Another 40 percent will take the opportunity if they’re convinced they won’t get caught.
• And only 30 percent will not steal at all.
Source: Pinkerton (1980s)
A final thought about people risk…
Current risk management emphasis:
“What are the key risks in the business?”
Future risk management emphasis:
“Who are the key risks in the business?”