CRO speaks the truth about risk management
It’s shocking, but it’s the truth.
Multiple news organizations reported this month that the UK’s Lloyds Banking Group is going to make significant cuts in its risk management function.
Background: Lloyds is one of the largest banks in the UK with revenue of £28 billion and next income of just under £5 billion. It has over 62,500 employees and something like 30 million customers.
It is in the process of a transformation project. According to the Telegraph, “Chief executive Charlie Nunn is seeking to overhaul Lloyds by cutting costs and driving up sales as the environment becomes harder for UK banks this year”.
Now for the truth.
This is what another UK newspaper, the Independent, reported (with my highlights):
Lloyds Banking Group is shaking up its risk management team in a bid to speed up transformation, as a top executive said some processes are time-consuming and blocking the business’s progress, according to new reports.
The restructuring will put a number of roles under threat of redundancy, but will create jobs in other areas.
Lloyds told staff it is “resetting our approach to risk and controls”, according to an internal memo sent last month from chief risk officer Stephen Shelley, seen by the Financial Times.
Mr. Shelley said two-thirds of executives think risk management is a blocker to its strategic transformation, while less than half of its workforce believe “intelligent risk-taking is encouraged”, according to the reports.
The Independent also said that:
Around 175 permanent jobs in the bank’s risk division and related roles are under threat of redundancy as a result of the change.
But it is expected to create about 130 roles which are focused on specialist risk and technical expertise.
City AM told us that Shelley said:
“We know people are frustrated by time-consuming processes and ingrained ways of working that impede our ability to be competitive and leave us lagging behind our peers,” Shelley added.
This is sad news for the practitioners at Lloyds.
But it should be a HUGE wake-up call for risk practitioners everywhere!
I have said for a long time that the way to determine whether risk management is effective is to find out whether operating and senior management believe it is helping them make the best decisions and take the right risks.
Lloyds found that woefully lacking.
My congratulations to their leadership for recognizing that and for their decision to make necessary changes.
Do I know whether those changes will be successful? I have no insights, but I certainly hope so.
My advice is for risk practitioners everywhere, with the help of the board, internal audit, and senior/executive management:
- Focus on what decision-makers need if they are to make the decisions, taking the right risks, necessary for success (achieving enterprise objectives).
- Make sure they have the reliable information they need, when they need it, in a readily actionable form.
- Ditch heat maps, risk registers, etc. that are not useful in decision-making.
- Be flexible and adapt with agility to the changing needs of decision-makers.
- Be sensitive for the need for speed in decision-making. Sometimes it is fast, but not always.
- Talk to and listen to decision-makers all the time, at every opportunity.
- Eliminate work that they don’t value and use.
- Don’t be a blocker. Be an enabler! Change your mindset.
- Make risk management something executives want instead of a compliance activity, something they have to do.
…and make sure the board knows when risk management is not effective.
I also suggest reading Risk Management for Success.
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
I believe this commentary is rather narrow in focus. It is tragic that the only reason for effective risk management is ‘decision-making’.
Risk Management ought to be a tool for better planning and increased effectiveness in business operations, execution of strategy and creating changes that reflect adaptability and not continuous improvement, which is proven to be very outdated.
It all comes down to mindset. If that doesn’t change first, the rest is pointless.
I agree except I would point out that planning is a decision-making process, and decisions are how you run the business, execute on strategy, etc.
Agreed, research shows execution is often more important than strategic decision making. There is also a feedback loop from execution that feeds into strategic decision-making. I do wonder what work Lloyds risk management team actually were performing having worked in the industry I not sure it is ERM based, likely more based on assessing underwriting risks. Seems like an internal cultural challenge situation? Point taken though the same thought process could be applied to ERM.
There is a tendency to think of ‘decision makers’ as senior management but every employee is a decision maker. If they aren’t, what are they being paid for?
This doesn’t affect your argument but does show the range that risk management must consider.
I agree that risk registers are no use in decision making, except deciding which risks should be examined as part of an audit. Not all risks are linked to decision making, for example the risk of a computer virus.
I think that businesses still need to focus on the ‘bad stuff’ they don’t want to happen (traditionally done via risk registers, matrices etc.), regardless of what their objectives are. These risks may not directly link to achievement of objectives but may damage what the organisation values (i.e. its people, reputation, resources, relationships, ability to operate etc.). Risk management is not just about businesses taking the right risks to succeed; it’s also about eliminating or reducing some risks so they can operate safely, efficiently and legally.
If bad stuff happens, it damages the ability to succeed.
Yes – but it’s not just about ‘taking the right risks’, and I believe well-designed heat maps and/or registers can have a role in helping to assess and monitoring ‘bad stuff’ risks.
But if you don’t know your objectives you can’t completely identify the ‘bad stuff’ risks
If you don’t know your objectives you won’t achieve them. That’s a bigger problem!
Norman, thanks for sharing about Lloyds. That´s the way things will go.