Strategic Initiatives and Risk

When an organisation goes to the trouble of articulating its VISION, MISSION and STRATEGIC objectives, it is a major issue if the organisation does not follow through by provisioning INITIATIVES and PROJECTS to enable those STRATEGIC objectives to move forward.

So if you are a reviewer (for example an auditor) why not check out whether the Board and Senior Management are able to recognise high-priority, high-value activities (strategic initiatives and projects) as being necessary for the proper development of organisational strategy; and then check that the Board and Senior Management ensure that resources (money, people and time) flow to those activities?

If there is no additional resourcing for new strategic initiatives or projects, or if it is assumed that resources can be stolen from other activities, then there is a high risk that the strategic initiative won’t get off the ground, and this in turn might mean that the strategic objective will be stalled.

Resources don’t materialise out of thin air!

Culture risk and the nature of the organisation.

Culture Risk

Regulatory staff – and the public sector as a whole – understand risk primarily as a threat. They see risk analysis as a vital tool to help them contain and prevent hazards.

Commercial staff, by contrast, see risk as an obstacle that can be identified, structured and controlled to pursue opportunities for profit.

Although these two different risk cultures are not exact opposites, they show a contrast in emphasis which helps to explain why there are gaps between regulatory design and the reality of compliance, why, in the real world, rules are broken, and why different risk cultures exist.

As an auditor, your journey into auditing Culture might begin with an exploration of risk management, to find out whether there are any clues in the organisation’s risk register as to whether ‘Culture’ is recognised as a dimension of risk. From here you might want to explore how the organisation interprets the management of culture risk: is culture risk an obstacle to business as usual that can be overcome, or is it a threat to the organisation’s very existence? Answers to these two questions will give you clues as to what to expect when you begin to talk to individuals about risk and culture.

Strategy and projects – the connection between the two.

Looking at a ceiling-hanging mobile the other day, I was reminded just how important the notion of connection or connectedness is in our world of risk and control.

We were looking at the business case for a project and something appeared odd. We could see nothing in the business case that connected the project with any of the organisation’s defined strategies. So where was the connection between this project and strategy defined? A search through all of the remaining project documentation and minutes of early project meetings drew a blank. Nada. Nothing.

Here’s how our thoughts go: you first define your vision, this then leads on to your mission, and this in turn leads you to define your strategic objectives. To deliver the substance of your strategic objectives, over time, you generate strategic initiatives (plans, tools, processes and projects). It should therefore follow that new projects are linked to a strategic objective. There may occasionally be cases where we have to deliver infrastructure in order to support a raft of other initiatives but the business case should make this clear too.

Where a business case doesn’t have connections to strategy, to refreshment (where a legacy process is due for renewal) or to infrastructure, then we have an ‘orphaned’ project – a project with no connections. And this raises the spectre of an unconnected project – something that someone thinks ‘is a good idea?’ or something that someone thinks ‘makes sense?’.

In the world of risk and control, as in business, most things should be connected. Where they are not, we run the risk of wasting money, time and effort on projects that produce no measurable value.

And as strategy is about generating value, whether we operate in the private, public or charitable sectors, it’s about time we made more fuss about connections. And perhaps get a ceiling mobile to remind us?

Internal Auditors and Conduct Risk

Regulators have an expectation that firms – financial services operators – treat consumers respectfully and with regard to customers’ reasonable expectations. This means that firms have to imagine, or try to imagine, what reasonable expectations might be from a consumer perspective – and these expectations might vary depending on the financial sophistication of the customer. This is part of the new world of conduct risk.

So who challenges products and services from the customer’s perspective? What internal process exists to represent the customer/consumer’s perspective?

Internal auditors should check that there is a provision for appropriate Customer Challenge to be made (inputs coming from appropriate stakeholders [possibly NEDs, customer representatives, or representatives from regulators] to help ensure Customers’ interests are fairly represented) during a Product’s Lifecycle and in the approach to Product Design, Product Distribution and Product Service.

It may not be necessary to do this for all products, but it would be wise to do this for products that are defined as ‘high risk’ products or for those where it would be reasonable to assume that the customer’s financial sophistication level was low.

To quote the FCA: “The Financial Conduct Authority (FCA) will put consumers’ needs at its heart and will focus even more on ensuring there is a fair deal between firms and their customers.”

In part this means that firms must learn to think like customers, and in part it means that firms must pay greater attention to conduct risk; taking both factors together, this is a pretty good reason for firms to operate an internal customer challenge function.

Risks with new systems?

Listening to a radio broadcast today about the risk associated with technology, we heard a senior manager apologising for the poor quality of service provided to his organisation’s customers. This was due, he claimed, to: “Problems with the new computer system”.

It’s weird, isn’t it, that more than half a century after computer technology (IT systems) was first introduced into commercial organisations, we are still blaming computer systems for what are fundamentally human problems. Maybe we are blaming ‘computer systems’ in the hope that the listener – who by and large won’t be an IT professional – will shake their head wisely and agree that technology is a baffling, and sometimes uncontrollable, thing.

But if we look at the problem from a risk-based reviewer’s perspective, and from the many published reports on ‘Problems with new systems’, we keep finding references to: “Poorly articulated, documented and managed change support and change management regimes” and “Errors not being identified, communicated and cleared through formal working practices” and, again, “Systems becoming unstable, following incomplete testing, leading to fragile working environments and frustrated users and consumers.”

There are well-known best practices such as ITIL, developed especially for the management of IT services from a user perspective. And there is ISO 20000, which further uses ITIL as a springboard to generate an international standard for IT Service Management. A read of these would at least provide a clue to the direction to be taken and what ‘good practice’ might look like. And none of the good practices is impossible to attain: all that’s required is concentration on process and sequence, and not making arbitrary decisions to bypass critical control steps.

So if we know what the underpinning problems are – why don’t we fix those first, by applying the solutions that are available? Or, is speed of implementation seen as more important than satisfied users, customers and consumers?