Explaining risk management to your clients
Risk management is often viewed as something of a thankless task. Sonnie Bailey discusses the best way to sell the concept to clients.
If you want a thankless job, try risk management. The ordinary understanding of risk is that it is about avoiding bad outcomes, which means if you do your job well the only evidence you have to show for it is… nothing. And even if you manage risks well, things can still go wrong.
This is a challenge that legal firms that focus on preventative law face every day.
It’s a challenge that risk and compliance professionals face as they discuss the importance of their role with people who have to implement risk management procedures.
And of course, it’s a challenge for smaller operators, who often have little opportunity to think about the future of their businesses.
However, there is an upside to risk. If you manage it well you can provide comfort to shareholders and add value for them. You can also build stronger relationships with clients and suppliers.
Managing risk requires a balance of optimism and realism. It is about dealing with uncertainty, which is at the core of what many of us do. As well as challenging you, it can work in your favour.
The legislative requirement to manage risks
Australian Financial Service Licensees that are not regulated by the Australian Prudential Regulation Authority have an explicit obligation under s912A(1)(h) of the Corporations Act 2001 (Cth) to have adequate risk management systems.
And more broadly, section 180 of the act imposes a duty of care and diligence upon directors and officers, which under any reasonable definition encompasses the management of risk.
Risk permeates the Financial Services Reform regime.
Specific obligations, such as the s912A(1)(aa) obligation to have in place adequate arrangements for the management of conflicts of interest, or the s912A(1)(d) obligation to have adequate resources to provide the financial services authorised by the licence, flow from inherent risks.
What is risk?
There are various debates about what risk is. For this discussion I adopt the definition set out in the current Australian standard AS/NZ ISO 3000:2009, which states that “risk is the effect of uncertainty on objectives”.
This is a very recent standard and not yet adopted by ASIC for its regulatory purposes; the prior standard, AS/NZS 4630:2006, defines risk (less elegantly) as “the chance of something happening that will have an impact on objectives”.
We can’t predict the future, so we are constantly making decisions under conditions of uncertainty. Risk pervades everything we do.
The upside of risk
While risk has negative connotations, uncertainty can work in your favour. If you fail to exploit an opportunity, you risk missing out on the potential benefits.
The definition of risk points to uncertainty. Sometimes unlikely events can increase the speed with which you can achieve your objectives, or can even make you overshoot your objectives.
Failing to address potential upsides resulting from uncertainty is arguably an inadequacy in risk management processes.
Perhaps you could think of risk management as “uncertainty management” to avoid the downside connotations of risk.
Daniel Kahneman, Nobel laureate and expert on decision-making amid uncertainty, has created a recipe for success that works for organisations as much as it does for individuals.
To paraphrase, the difference between mild success and wild success is luck. Note that one can have good or bad luck, but unlike risk, luck more often has positive connotations.
Arguably, your obligation as an AFSL holder, or as a director or an officer of an organisation, is to ask, in a systematic and methodical manner: What can I do to expose my company to good luck?
Competing types of risk
Often, a client is so intent on managing regulatory risk that they miss the point of the regulation.
The Anti-Money Laundering and Counter-Terrorism Financing Act is a perfect example.
The focus of most reporting entities involved with this regime often appears to be avoiding regulatory risk in the form of AUSTRAC, as opposed to the actual risk the regime is designed to prevent (ie, being inadvertently involved with money laundering or the financing of terrorism and facing the subsequent damage to reputation).
Regulatory or compliance risk is important. We have found that clients who adopt more of a relaxed attitude towards their compliance obligations find that their objectives (to keep costs low as a way of increasing projects) are affected more than those of clients who are more diligent.
Clients should ensure that things tick over smoothly by establishing appropriate processes, monitoring and reviewing these processes, and seeking feedback and advice when appropriate.
Dealing with risk issues tends to be more expensive than preventing them from occurring.
Failing to meet compliance obligations has obvious downsides, but risk management can also have an upside.
Having a better understanding of your regulatory obligations than your competitors can lead to relative efficiencies and competitive advantages.
Often, regulatory risk is a starting point for deeper thought about an issue. But it’s not the only form of risk you need to address.
Difficult realities of risk
Managing risk is important, but it’s difficult to implement.
In the corporate world it is incredibly easy to judge the quality of a decision based on its outcome. In the face of uncertainty, this can be a dangerous approach.
There is a strong argument that the quality of a decision should be based on its own merits, rather than its outcome.
The reason for this is that in a complex world, the relationship between inputs and outputs is not linear. Good outcomes can flow from very bad decisions.
This can occur where enormous risks are taken, but the risk taker was lucky; or where long-term risks accumulate but are concealed by short-term gains. On the flip side, bad outcomes can result from good decisions.
Our experiences, and the experience of others, can teach us significant risk management lessons. For many, September 11 showed why business continuity and disaster recovery procedures are crucial.
This of course needs to be tempered with the findings in behavioural economics that show we are subject to predictable, consistent errors of judgment — with biases such as hindsight error and overconfidence.
We can also be oblivious to significant risks. An activity that our firm has performed several times now is to brainstorm, with the entire staff, the risks that the firm is exposed to. The first time that this was done, approximately 60 risks were identified.
The partners, Grant and Tim, readily admit that if they had undertaken the risk identification themselves, there would have been five or so risks that they would have overlooked.
Furthermore, in relation to the assessment of some of the identified risks, Grant and Tim’s assessment was more favourable than the staff’s. In other words, they thought they had some risks under control but the staff had a less optimistic view; a view which they needed to hear.
Sold on risk management
An appreciation of risk and the inherent uncertainties of life should be factored into any business decision.
But risk management systems are also vital for systemic and operational risks. These systems require you to articulate future challenges and opportunities, providing you with a context to discuss them, expose them to external scrutiny and monitor how you are addressing them.
I mentioned at the beginning of this article that managing risk can be a thankless task.
That may be true, but it certainly isn’t boring. It may still be a hard sell because it’s so intangible, and in many cases it’s hard to distinguish whether you’ve contributed to your good or bad luck.
But there are other factors in our lives that we value highly. Our physical health and safety, and that of our families, is a good example.
If you think of managing risk as maintaining the health and safety of your business (and the time and investment that your business or career represents), then you will appreciate that risk management, or uncertainty management, is an important factor in your long-term professional success.
If, on top of this, you think about the upside of risk (ie, taking advantage of uncertainty and opportunities) then you will realise there is no time to waste in adopting a healthy attitude about risk.
Sonnie Bailey is a lawyer at Holley Nethercote Commercial Lawyers.