‘Three Lines of Defence’ (TLD) sounds like a robust approach to risk management, but it failed to prevent the recent banking crisis. The Treasury’s ‘Orange Book’, which sets out risk management guidelines for government departments, sounds authoritative but shares the same flaw.
The TLD model, ubiquitous in financial services and widespread elsewhere, commonly has four layers. Line managers deal with risks as they encounter them. Centralised teams monitor and report on risk. Internal and external auditors bring an independent view. And the whole is overseen by non-executive directors – typically the audit or risk committee.
The Parliamentary Commission on Banking Standards criticised TLD for promoting a “wholly misplaced sense of security”, blurring responsibility, diluting accountability, and leaving risk, compliance and internal audit staff with insufficient status. In so doing, the commission spotted a failure of implementation – but TLD and the Orange Book share a deeper, more dangerous flaw. Neither takes account of the evidence on the real root causes of failures.
I’ve been deeply involved in several studies of the root causes of major crises and failures, including a 2011 Cass Business School report for the professional risk managers’ body Airmic. These reports identify the root causes of over 40 major crises and failures – including three public sector debacles – and it’s clear that these were not simply failures of implementation: there is also a fundamental gap in classical risk management know-how.
The breakthrough came in recognising that the roots of most failures – and the factors that tip potentially manageable crises into reputational disasters – lie in human behaviour and the way in which people are organised and led. These risk areas were previously unrecognised in the classical risk management lexicon; we call them ‘behavioural’ and ‘organisational’ risks – collectively, ‘people’ risks.
Though people risks lie at the root of so many failures, the Orange Book does not even mention them. This is no criticism of its authors: mainstream risk management thinking is only now beginning to embrace people risks, so few risk professionals understand them; and these risks are often dangerous to handle because so many emanate, ultimately, from leaders.
This gap allows crises to develop slowly, lurking unnoticed before exploding unexpectedly into view. No wonder armies of diligent risk managers failed to anticipate, let alone prevent, the reputational crises that we studied – including the banking crisis. Nor, with the current tools, can they prevent future calamities.
With commendable speed, the Bank of England’s Prudential Regulation Authority has recognised these risks, and the Financial Reporting Council (FRC) has issued guidance that will have a profound effect on risk management in UK-quoted companies. The FRC now expects regulated companies to report publicly, and in clear language, on the most critical risks to the business – specifically including important risks to reputation and risks from people.
The council’s complementary Guidance on Risk Management came into effect on 1 October, putting risk management at the core of board activities. It is laced with dozens of practical questions for boards to consider about behavioural and organisational risks. And it sets the standard for boards as to the practicalities of how they manage such risks below them and recognise the risks that surround them.
The Orange Book has become inadequate. Its status and widespread availability maintain the dangerous illusion that it remains an adequate guide to managing risk. It is not. So what should be done?
The Airmic report focused on the private sector. But ‘The Blunders of our Governments’, by Professors King and Crewe, confirms that people risks are equally at work in the public sector. Groupthink, complexity and defective communication are but three examples of people risks that were at work in ‘blunders’ as diverse as the Poll Tax, the London Underground PPPs, and numerous IT procurement fiascos. But we have observed subtle twists and variations on people risks as a result of the special features of the public service. These need to be analysed and catalogued, and an apolitical case book created to include the sector’s special features. The Orange Book should be revised to integrate the new learning. Public sector leaders and risk professionals will require tailored education to embed the learning system-wide.
There is an additional crucial step. Many of these risks emanate from leaders. It is therefore essential that civil service heads give risk professionals the explicit direction and authority to deal with these risks, even if they emanate from the highest levels in their departments. Risk managers must be certain that they can speak truth to power with no risk of wrecking their careers.
It is a tragedy when a respected organisation fails or suffers a reputational crisis. The cost can be catastrophic, and leaders regularly lose their jobs. Civil service leaders and their political masters should welcome the opportunity to find, prioritise and deal with these previously unrecognised but potentially devastating risks, before they are allowed to cause further serious harm.
Anthony Fitzsimmons is the chair of risk management consultancy Reputability LLP. www.reputability.co.uk