Global Convention on Corporate Ethics and Risk Management
Corporate Ethics and Risk Management in an Uncertain World
18th February, 2017
Bombay Stock Exchange, Dalal Street, Mumbai, India
Plenary Session X Special Valedictory Session (Conclusions and Recommendations)
Prof. Colin Coulson-Thomas*
Some of the key terms that we have been using at this convention mean different things to different people. We and those we are seeking to help and support would benefit from a shared understanding of what we mean by terms such as ethics, risk and culture.
Increasingly, contemporary organisations are networks of voluntary relationships built upon trust. People and organisations tend to trust those who treat them fairly and who act with integrity.
Integrity and ethical conduct are more than a nice-to-have. We recognise them when we see them. We also notice and alert others to their absence. Instinctively knowing what the right thing to do is and being able to act as a role model should be key criteria for the selection and appointment of directors and leaders.
In relation to both ethics and risk, we need to be realistic and accept the limitations of our current practices and the dangers of using out-of-date approaches and models. We need to anticipate challenges and failures and be prepared to handle them and both recover and move forward.
Risk is too important to just be left to a small group of professionals in a head office environment. Too often those in the front-line who are closest to emerging issues leave identifying, assessing and addressing them to specialists.
No-one may have experience of a new and unexpected development. Risk needs to be seen as an aspect of a much wider range of roles from the bottom to the top of an organisation. How it is handled needs to be built into systems, processes and tools in a way that can be quickly updated.
Communications relating to risk need to be two-way and all those involved should be vigilant and open-minded. Opportunities should be explored for using personalised performance support to make ethical and risk guidance available on a 24/7 basis whenever and wherever required, including when people are on the move.
Acknowledgement and understanding of ethics and risk should be an integral element of school education. It should have an important place in the curriculum of business studies and business school courses. It should be an integral element of the preparation of the members of most if not all professions. Priority should be given to handling ethical and risk dilemmas and incorporating ethics and risk in decision making.
Education for risk should avoid portraying risk as negative – as a problem. Risk should be viewed positively and seen as an aspect of life, as an integral element of entrepreneurship and as an enabler and an arena of opportunity.
Risk management is more than avoiding downsides, costs and losses. It is about creating a better future. We need to look at what we can do to help customers and others to cope with risks they face and so turn their challenges into business opportunities.
Risk is not just for business and management practitioners and professionals. Assessing risk is important for engineers, medical practitioners and many other professionals. Their instincts and approaches may be more relevant to issues currently faced by boards than those of risk management professionals using approaches developed when different priorities and business models applied.
Medical practitioners understand the risks of various treatments. They accept that for certain conditions there may not be a cure, but it may be possible to manage a long-term condition. If organisations are living organisms we should learn from medical and other professions.
The diversity, variability and unreliability of human beings is a major source of risk. In particular, we need to learn from groups such as human resources practitioners.
People face a variety of risks in their personal lives and in their homes as well as when at work. Individuals, like organisations, can be hacked and they can become victims of cyber-fraud. Like medicine, risk management can be seen and portrayed as a caring profession – concerned with protecting people as individuals and in their communities and organisations.
We can also learn from the roles of specialists within the medical world. General risk practitioners may only take us so far. Do we need to specialise more, for example offering post-qualification development options in areas such as cyber-security?
In a world of mutating risks and unexpected and disruptive developments, professional qualifications – and even the shared experience of professionals – can quickly become out of date. We need real time updating in certain areas.
Within any profession there are a small number of super-stars and a large number of average practitioners. The more routine, repetitive, structured and rule based activities of professionals will increasingly be replaced by expert systems that will be refined and updated by some of the superstars. Other super-stars might work as consultants to make their skills available to more than a single employer.
Risk management needs to embrace supply chains, customer aspirations and networks of relationships. It needs to be forward looking and concerned with the support of decision making and creating a safer and more secure and sustainable future.
One can sometimes go beyond protection. Cyber-security specialists may have options to track and respond to attacks, either alone or in collaboration with relevant law enforcement agencies.
Risk management needs to offer affordable, timely and practical advice and solutions. When there are narrow and shortening windows of opportunity there may be little point suggesting a multi-year transformation or culture change programme. Requirements and a business model may change long before it is implemented. Living, adaptive and flexible approaches are required.
Complex and interdependent risks do not necessarily require complex and expensive solutions. They can sometimes be best addressed by quicker and simpler approaches. If behaviour change is required, one should use levers that can be quickly operated such as changing a pay plan or updating the performance support that makes it easy to do the right thing and difficult to do the wrong thing.
We need to recognise the reality of threats we face in areas such as cyber-security and that collaboration can be more effective than operating alone. Most cases of hacking and cyber-fraud are not reported. Sharing an experience with one's peers and law enforcement agencies can increase understanding of the threat environment and improve planning of counter measures.
We also need to be prepared to innovate and explore. We must play our part in addressing future applications of disruptive technologies. For example, we should take steps now to anticipate the risks associated with various adoptions of block-chain technology and consider possible next steps.
Compliance with outdated requirements can leave the door open to new risks. To innovate we need to be open to discussion, debate and new developments. Rather than unthinkingly apply a standard approach we need to encourage greater diversity and be prepared to simultaneously explore a number of different solutions.
Ethics and risks are inter-related and inter-dependent. Manufacturers of mobile and internet-of-things devices need to take responsibility for reducing the risk of their connected products being misused. Many users just opt for standard manufacturer passwords which are known to hackers. Responsible manufacturers should ensure customers are made aware of the risks involved.
If risk managers want acceptance as a recognised profession they must accept and discharge the responsibilities this involves, for example to protect the public as well as members.
As a profession, risk management needs to become involved in public debates. For example, manufacturers of mobile devices feel they have a duty to use encryption to protect the confidentiality of their customers’ communications. This same encryption can prevent law enforcement and security agencies from tracking the communications of criminal and terrorist suspects. Governments and societies sometimes face difficult choices when protecting people from some risks can leave them open to other risks.
In such areas your counsel as leaders of the risk management community could make a difference. In so many aspects of our lives we need your engagement and support. I do wish you all the best.
*Prof. Colin Coulson-Thomas has helped directors in over 40 countries to improve board and corporate performance. He leads the International Governance Initiative of the Order of St Lazarus, is Chancellor and Professorial Fellow at the School for the Creative Arts, Director-General, IOD India, UK and Europe, chair of the Risk and Audit Committee of United Learning and Honorary Professor at Aston University. Author of over 60 books and reports, he has served on corporate boards and local and national UK public sector boards, and held professorial appointments in Europe, North and South America, Africa, the Middle East, India and China. Colin was educated at the London School of Economics, London Business School, UNISA and the Universities of Aston, Chicago and Southern California. He is a fellow of seven chartered bodies and obtained first place prizes in the final exams of three professions.
25 Feb 2017