IIA South West - Risk Management Seminar
People Risk Management
Keith Blacker
9 April 2014

"Man is a creature made at the end of the week ... when God was feeling tired" (Mark Twain)

Slide 2: A few words about Keith Blacker
• Chartered Accountant - 30+ years in insurance/financial services
• MBA & DBA (Henley Management College) - previously operational risk management in UK retail banks
• Simplyhealth (Health Insurance) ... CFO
• Carivita (Bancassurance), Italy ... Operations Director
• LloydsTSB Insurance (Life Insurance, General Insurance, Commercial Insurance Broking) ... Internal Audit, Business Development, Risk Management
• Former Chairman of IIA South West; currently an IIA Council member
• Chairman of an IFA business
• Chairman of a Health & Leisure business
• Consultant and Trainer ... co-authoring a book with Pat McConnell on People Risk Management
© Keith Blacker IIA South West Risk Management Seminar 9 April 2014 Slide 2

Slide 3: CEO report (hypothetical board meeting)

As the preliminary financials show, we have had another spectacular year, exceeding our guidance to the Stock Exchange by increasing our customer base yet again by over 40%, mostly in our target demographic of 19-40 year olds, the tech-savvy generation in need of our banking and insurance products and not well served by our competitors. We expect this success at home to continue to grow, but as a management team and Board we are always on the lookout for new opportunities. We believe that as an Internet-based organisation we can go anywhere, and France may be just the first step in that journey.

France, our closest neighbour, sometimes friend, sometimes foe, has a population that is almost identical to the UK's (some 63 million) and a median age that is about the same (40 vs. 39.7 years). Paris is the famed city of light, a world-class capital of culture, fine wine, amazing food and 'joie de vivre', or joy of life.

Using the CEO's discretionary R&D budget, the CFO has already acquired a small office in the middle of Paris as a convenient base from which to look into the French market as one ready for our products. She has already concluded that French financial institutions are just as staid as ours and that our target market is not well served. But first impressions are not enough, so the CFO has already contacted a local marketing consultancy, Jeune France (Young France), and engaged a hip Internet developer to do a mock-up of what our site might look like for French customers. Our marketing director will give a quick demo of this new site after this meeting.

As CEO I have suggested, and the Chairman has readily agreed, that we hold our next Board meeting as an away day in Paris to discuss our strategy and other opportunities for international growth. By that point, our head of Strategic Planning and the CFO will have pulled together the necessary financials and marketing information to allow a decision to be made on whether or not to grasp this opportunity. The initial modelling looks 'très bon'.

I would like your initial feedback on this concept. On a scale of 1 to 9, how do you feel about it? 1 is 'I don't like it, we should stick to what we are used to' and 9 is 'Yes, excited to be part of this new phase in our company's development'.

Slide 4: Agenda
• What do we mean by People Risk?
• The Human Dimension of Risk
• Roles and Responsibilities
• Internal Audit and people risk

Slide 5: What do we mean by People Risk?
Slide 6: The case of Rajat K Gupta
"an utter aberration" (his lawyer)
"why such a good person would do such bad things is an unanswerable question" (the Judge)

Slide 7: A simple definition
"The risk of loss due to the actions or non-actions of people, inside and outside the organisation"
Loss may be:
• Financial
• Human capacity - death or injury
• Corporate (or individual) reputation
• Organisational capacity - inadequate decision-making

Slide 8: People risk in practice
A scale running from "zero-risk man" (prudent, rational, responsible) at one end to "excessive-gambling man" (imprudent, irrational, irresponsible) at the other.
Note that:
• We're all on this scale somewhere
• A lot will depend upon the environmental factors
• ... and the job we have to do

Slide 9: The Human Dimension of Risk

Slide 10: The problem of human bias - some examples
• Anchoring
• Overconfidence
• System 1 and System 2
• Framing
• Groupthink
• Inattentional Blind Spots

Slide 11: Anchoring (Kahneman & Tversky plus Hammond, Keeney and Raiffa)
• Is the population of Turkey greater than 100 million?
• What is your best estimate of the population of Turkey?

Slide 12: Inattentional Blind Spots (Chabris & Simons plus Trafton Drew)

Slide 13: Framing (Kahneman & Tversky plus Joseph Hallinan)
• People are buying wine in a supermarket and Pavarotti is playing in the background. Which sort of wine are they most likely to buy?
  - French
  - Italian
  - German

Slide 14: Overconfidence (Kahneman & Tversky and others)

Slide 15: System 1 / System 2 (Daniel Kahneman)

Slide 16: Key Messages
• Human decision making is complex and sometimes irrational
• People are often driven by biases of which they are unaware
• People, especially experts, operate most of the time on intuition, learned throughout their career, rather than deliberate analysis. This gives rise to the risk that in certain circumstances this intuition may not be correct.
• So how do we make better decisions? Checklists and luck

Slide 17: Roles and Responsibilities

Slide 18: The 3 Lines of Defence

Slide 19: The 6 Lines of Defence
From RISKS to LOSSES, the lines are:
• 1st Line - Individual
• 2nd Line - Business Management
• 3rd Line - Risk Management
• 4th Line - Internal Audit
• 5th Line - Board
• 6th Line - Stakeholders
Human Resources sits alongside all six lines.

Slide 20: People Risk: an example - Fraud
• Directive Controls ... mitigate risks by establishing limits of authority within which people can operate (for example, authorisation of expenditure limits)
• Preventive Controls ... mitigate risks by stopping errors or deviations from required practice occurring in the first place (for example, training on how the system works or segregating the duties of people)
• Detective Controls ... mitigate risks by identifying errors or mistakes that may have been made (for example, bank reconciliations)

Slide 21: People Risk: an example - Fraud (1st/2nd Line)
1st Line - Individual (Directive / Preventative / Detective):
  Being aware of the policies (including training) in relation to fraud and reporting suspicious behaviour, transactions and incidents (both inside and outside the company), together with control weaknesses which could result in fraud. Maintaining a diligent attitude towards the possibility of fraud.
2nd Line - Business Management:
  Directive:
  • Developing a fraud awareness policy including consequences for those found committing fraud
  • Developing a whistleblowing policy to enable fraud incidents to be reported
  Preventative:
  • Creating a fraud awareness training programme for all staff
  • Including fraud risk in the overall risk assessment process
  • Using external experts to sense-check the systems for unidentified fraud risks
  Detective:
  • Creating a Management Information system of reporting to identify potential fraud incidents

Slide 22: People Risk: an example - Fraud (3rd/4th Line)
3rd Line - Risk Management:
  Directive:
  • Providing advice and guidance to the Business Management in relation to the management of fraud
  • Monitoring fraud trends and incidents outside the business
  Preventative:
  • Participating in the fraud awareness training programme
  • Undertaking fraud risk self-assessment exercises and scenario analysis
  • Assisting with developing fraud prevention controls
  Detective:
  • Undertaking specific fraud audits
  • Participating in the fraud risk assessment process
4th Line - Internal Audit:
  Directive / Preventative:
  • Providing assurance that the above controls are adequate to control the risk of fraud and that the level of fraud risk is within the risk appetite set by the board.
  Detective:
  • Undertaking specific fraud audits, monitoring employees in high (fraud) risk positions (lifestyles, habits, etc.), using audit software to detect fraud on a real-time basis.

Slide 23: People Risk: an example - Fraud (5th/6th Line)
5th Line - Board:
  Directive / Preventative:
  • Setting the fraud risk appetite and creating and embedding a control culture which seeks to counteract incidences of fraud.
  Detective:
  • Monitoring risk reports, setting key fraud risk indicators, commissioning fraud audits, challenging assurance functions to 'find' fraud.
6th Line - Regulators:
  • Monitoring fraud trends in the industry and alerting businesses to new threats, collecting/aggregating/disseminating data on fraud across the industry, organising seminars/briefings on fraud.

Slide 24: People Risk: The Critical Role of HR
• The Gatekeepers
• Raise the profile of people risk
• Owner of the most important process in the organisation - "recruitment and investment in people"

Slide 25: People Risk: 1st Line = Individual Responsibility
YOUR COMPANY NEEDS YOU

Slide 26: People Risk: 1st Line = Individual Responsibility
• Professional Codes of Conduct:
  - Doctor's Hippocratic oath
  - Aviators' Model Code of Conduct
  - Internal Auditor's Code of Ethics
  - Dutch Banker's Oath

Slide 27: People Risk: 1st Line = Individual Responsibility
The Banker's Oath
• I declare that I will perform my duties as a banker with integrity and care.
• I will carefully consider all the interests involved in the bank, i.e. those of the clients, the shareholders, the employees and the society in which the bank operates.
• In this consideration, I will give paramount importance to the client's interests and inform the client to the best of my ability.
• I will comply with the laws, regulations and codes of conduct applicable to me as a banker.
• I will observe secrecy in respect of matters entrusted to me.
• I will not abuse my banking knowledge.
• I will act in an open and assessable manner and I know my responsibility towards society.
• I will endeavour to maintain and promote confidence in the banking sector.
• In this way, I will uphold the reputation of the banking profession.

Slide 28: People Risk: 1st Line = Individual Responsibility
• From Professional Codes of Conduct to ... Personalised Codes of Conduct ... for all staff
• Relate specifically to the role
  - HR provides the templates
  - Job holder to draft (with help from HR)
  - Focus on the people that the job holder interacts with (internally and externally)
  - Organise by specific areas related to the interactions

Slide 29: Personalised Code of Conduct: Head of Procurement - Bribery (example)
• I will not bribe nor accept a bribe, especially in the form of excessive entertainment;
• I will maintain a personal log of all entertainment provided to me and gain pre/post approval for entertainment above my department's risk limit;
• If I witness examples of attempted bribery or excessive entertainment by colleagues, I will:
  a) Refer to my own and the company code of conduct in discussing the event with colleagues and, if not resolved immediately,
  b) Record it as a risk event in the People Risk database;
  c) If the behaviour continues, I will report it to the whistleblowing hotline
• I will address excessive entertainment in annual reviews and seek guidance from managers as to further actions. In annual reviews, I will discuss and review my department's risk limits.
• Etc.

Slide 30: Internal Audit and People Risk

Slide 31: Internal Audit and People Risk
• People risk ... is linked to culture ... which influences the way that people behave
• Culture = soft controls ... tone at the top, employee motivation, organisational values
• Soft controls ... much more difficult to audit ... but not impossible

Slide 32: Internal Audit and People Risk: 5 principles for evaluating soft controls
1. Ask "constructively challenging" questions of management and "confirming" questions of employees.
2. Identify and obtain management's agreement on the criteria for evaluation and what will constitute legitimate audit evidence.
3. Get "hard" evidence about the results of the soft control when possible.
4. Focus on the underlying management process.
5. Develop and report results in partnership with those accountable. Use appropriate (perhaps informal) means of reporting.
Source: Jim Roth (2010)

Slide 33: Further Reading
• The role of systemic people risk in the global financial crisis
  http://www.risk.net/digital_assets/4711/jop_v6n3a4.pdf
• Systemic operational risk: the UK payment protection insurance scandal
  http://www.risk.net/digital_assets/5111/jop_mcconnell_web.pdf

Slide 34: A final thought about people ...
• 30 percent of the population will not only steal if an opportunity exists, but will actively create an opportunity to do so.
• Another 40 percent will take the opportunity if they're convinced they won't get caught.
• And only 30 percent will not steal at all.
Source: Pinkerton (1980s)

Slide 35: A final thought about people risk ...
Current risk management emphasis: "What are the key risks in the business?"
Future risk management emphasis: "Who are the key risks in the business?"