“Risk Management lets you appreciate the risk while you let someone else shoulder all the worry.”
— Anthony T. Hincks, BDM
No country for old men
At the risk of upsetting the old white men reading this, although risk management is an important component of a financial services business, its value is significantly misrepresented; it’s more problem than panacea because it often misleads management, distracts its attention and creates a false sense of security that seldom survives claims or regulatory scrutiny.
Traditional risk management involves identifying potential risks, assessing the likelihood of those risks occurring, and implementing strategies to mitigate or manage them. While it can be a valuable tool for businesses, it’s important to appreciate that, more often than not, it creates a false sense of security that Licensees often rely on to their detriment.
Many licensees assume that by implementing risk management strategies, they’re insulated from all potential risks, which can lead to complacency. Paradoxically, complacency often results in heightened levels of risk. In this article, we’ll explore this illusion of safety and suggest some better ways to identify and manage non-financial risks.
Certainty can be an enticing prospect, providing a sense of security and reassurance. However, this very allure can lead to a dangerous bias in compliance and risk management practices. In fact, as recent events have shown, over-reliance on established frameworks, rules, and procedures can create blind spots, leaving organisations vulnerable to unforeseen risks.
A key component …
Let’s begin by acknowledging that effective risk management is a goal on which licensees should be focused; it just shouldn’t be their exclusive or dominant focus.
In fact, ASIC considers risk management to be a licence obligation (s912A(1)(h)) that delivers significant value to licensees. As you might recall, B7 of your AFSL application required you to confirm that your risk management process provided for the identification, analysis, evaluation, treatment and communication of risk and the probability of those risks occurring. Aristotle recognised that ASIC, like nature, does nothing in vain. In fact, ASIC’s focus on risk management systems is rooted in its belief that risk management contributes to:
- Compliance with Regulatory Requirements: It’s a core regulatory belief that effective risk management helps licensees comply with licence conditions and stakeholders’ expectations. When effectively employed, risk management arrangements ensure that licensees identify, assess, and mitigate risks associated with their operations and reduce the likelihood of misconduct, maladministration and non-compliance.
- Consumer protection: At least in theory, risk management plays a crucial role in protecting the interests of consumers, clients and investors. If licensees appropriately identify and manage relevant risks, they minimise the potential harm to their clients, safeguard their financial resources, and reduce the likelihood of claims, losses and adverse outcomes.
- Building Resilience: It may be apocryphal, but it’s often stated that effective risk management practices enable licensees to become more resilient. The logic is that by identifying and mitigating risks, businesses can better withstand adverse events, economic downturns, or financial crises. The reality may be somewhat different, but “as part of a complete breakfast”, risk management does help Licensees maintain continuity and remain sustainable in challenging environments.
- Improved Decision-Making: We know that better data can lead to more effective decision-making so, arguably, effective risk management processes provide licensee management with valuable insights into, and useful perspectives on, their operations which enable better informed decision-making. Further, if Licensees understand the risks associated with their activities, they can make more accurate assessments, better resource allocation and implement more appropriate risk mitigation strategies.
- Reputation and Trust: If you overlook the Royal Commission, numerous public AML failures and systemic maladministration, the fact that the Institutional licensees had well-resourced and highly competent risk functions meant that they could rely on sound risk management practices that contributed to maintaining their reputation in the marketplace. In fact, by similarly demonstrating a commitment to managing risks effectively, other licensees can instil the confidence essential for building long-term relationships and ensuring the sustainability of their business.
- Reduced Financial Losses and Liabilities: Implementing effective risk management arrangements helps licensees minimise financial losses and liabilities. This is, at least for many licensees, the most compelling proposition for an investment in risk management. The proposition is sound; by proactively identifying, anticipating and addressing risks, licensees can avoid or mitigate potential disasters including fraud, operational failures, legal actions and regulatory breaches. Done prudently, it reduces the licensee’s liability and, by extension, protects the interests of its clients.
Although the value, and relevance, of a licensee’s risk management arrangements depends on its compliance culture, ASIC recognises that effective risk management practices (and breach reporting) are fundamental to the stability, integrity, and sustainability of the financial services industry and, obviously, protect consumers and maintain market confidence.
… with inherent limitations
Make no mistake, when used effectively, a robust and effective “risk management approach” provides significant benefits to licensees; it helps Licensees identify potential threats, assess their likelihood and impact, and allocate resources effectively. In fact, by contemplating risks and prioritising strategies to mitigate them, licensees can direct their attention and resources to where they are most needed. (This is precisely how we approach “compliance” which, for the record, subsumed risk management ten years ago.)
In addition to being more efficient, a structured approach to risk management empowers licensees (and practices) to develop contingencies and prepare for negative events (like misconduct, natural disasters or cyber-attacks).
These are desirable outcomes, but don’t let them distract you from realising that risk management has some obvious limitations.
First, it’s impossible to anticipate and prepare for every conceivable risk. Some external risks, like environmental or economic disasters, are beyond your effective control. Although we’re strong advocates for a risk-based approach to compliance, relying solely on quantified risk management measures can create the illusion of security. In practice, it can confuse precision and predictability and mislead licensees into believing that certain risks are more, or less, likely than they are.
Secondly, it’s impossible to anticipate and prepare for every risk. It’s often been observed that “if you fail to plan, you plan to fail” but risk management only starts to become effective when you recognise that it’s not a static process, but an ongoing commitment; it’s crucial to regularly review and update your plans, revisit your assumptions, adapt your expectations to changing circumstances and anticipate future changes.
Don’t forget to avoid the convenient narrowing of your risk management perspective. Financial risks are important, and routinely addressed, but non-financial risks are often overlooked in risk management. In practice, non-financial risks are at least as critical as financial risks and, in Commissioner Hayne’s view, probably more so. Ignoring public perception, regulatory compliance, stakeholder expectations and cybersecurity threats, for example, can lead to costly and profound threats to the overall health and longevity of your business.
The impact on decision-making processes
If you’re an Australian Financial Services Licensee, you know that the law requires you to maintain risk management arrangements designed to mitigate predictable risks and protect consumers against unhedged and unfavourable outcomes. Unfortunately, this requirement doesn’t always produce desirable outcomes. The reasons why won’t surprise those of you who work in compliance, are interested in biases and decision making or have read “Thinking, Fast and Slow”.
Let’s start with the most obvious issue. The danger of relying heavily on risk management is that it can lead decision-makers to overestimate their ability to control or predict future events (“overconfidence and optimism bias”). When licensees feel that they have sufficiently reduced risk through various mitigation strategies, they may take on additional risks without fully considering the potential consequences.
Ironically, over-reliance on risk management strategies can also lead to a culture of risk aversion, which can stifle innovation and limit opportunities for growth.
This is the real and present danger of unqualified risk assessment – it creates a false sense of security that often compromises a licensee’s ability to anticipate and mitigate risk.
Despite your confidence in your own risk management framework, try to maintain a realistic view of your risk framework and critically evaluate potential risks and their potential impact. When you’re doing so, try to remember Nobel Laureate Daniel Kahneman’s groundbreaking work on heuristics and his conclusion that people have an inherent tendency to be overconfident in their judgments and predictions. He also observed that people tend to be overly optimistic about their plans and prospects, leading to underestimation of risks.
You are one of those people.
Unless you’re an inhuman risk-calculating machine, try to be aware of these biases and make a considered effort to temper your confidence in your risk management framework with a healthy dose of skepticism and critical thinking. Unfortunately, despite the best of intentions, that seldom occurs in the face of the quantified certainties risk management provides.
The false assurance of predictability
I’m sure you’re aware that predictive modelling is widely used in risk management. In fact, it’s a powerful tool to identify future risks and mitigate them, but there are real and practical limitations to the efficacy of predictive modelling techniques.
One of the main limitations is the potential for inherent bias in the data used to build the models. When the information you use is incomplete, outdated, or inaccurate, you are unlikely to predict future risks effectively. Second, once you acknowledge that predictive models try to identify future risks based on past events, you’ll recognise that they’re profoundly limited because they cannot possibly account for novel or unexpected events.
Finally, predictive modelling techniques can be expensive and time-consuming, requiring significant resources and expertise. For these reasons, it is imprudent to rely on predictive modelling as the foundation of your risk management arrangements. Instead, you should employ a range of techniques and strategies to mitigate your risks.
One of the biggest challenges that licensees face in responding to emerging risks is the uncertainty that comes with these risks. Emerging risks are, by definition, new and relatively unknown threats that demand immediate attention. Unlike traditional risks, emerging risks lack a clear historical record that can help Licensees predict their magnitude, impact and frequency. This makes it much harder for Licensees to know how to allocate their resources and prepare their response strategies.
It’s tempting to ignore emerging risks altogether. Since you can’t confidently assess the potential costs and benefits of different courses of action, it seems reasonable to prioritise other risks. Unfortunately, that’s a counter-productive approach: licensees need to find ways to respond effectively to emerging risks, by anticipating, preparing contingencies or simply monitoring changes.
While you’re grappling with this idea, consider the hidden threat of low-risk events. In our experience, low-risk scenarios (and minor compliance issues) can be particularly dangerous because the low-risk classification itself creates a false sense of security. Dismissing issues as low-threat risks can lead to significant consequences for a licensee because lead indicators or recurring failures are misidentified. Low-risk events often appear trivial, promising and profitable, but they can easily, and suddenly, become high-risk problems. Your risk management arrangements must therefore acknowledge the potential risks “low-risk” scenarios represent, and put controls in place to lessen their impact.
The fallacy of assuming that risk management minimises uncertainty is also particularly problematic. Risk management can significantly reduce the negative impact of potential risks, but it does not, and cannot, completely eliminate the possibility of uncertainties. Nor can it fully anticipate all events or their potential severity.
The challenge of dealing with uncertainty
“There is a big difference between risk and uncertainty. You are dealing with risk when you know all the alternatives, outcomes and their probabilities. You are dealing with uncertainty when you don’t”
— Gerd Gigerenzer
One of the biggest challenges licensees face when dealing with unpredictable events is the lack of control they have over the situation. With risk management strategies in place, they often believe they have mitigated their exposure to unforeseen circumstances. But the truth is that unpredictable events can still materialise, regardless of their preparation.
You may have a comprehensive disaster recovery plan in place, but if a natural disaster or cyber attack exceeds your expectations, the plan may no longer be effective. In fact, your inability to control unpredictable events also means that you may struggle to respond effectively in the face of uncertainty, which could have significant consequences for your overall performance and reputation.
The particular challenge is that our own minds sabotage our capacity to deal with uncertainty, ambiguity and equivocation. In fact, there is a range of heuristics and biases that compromise our capacity to do so. For example, our judgments about the likelihood or frequency of events are often influenced by how easily instances or associations come to mind (“Availability Heuristic”). Research has shown that after watching news about a train derailment, people overestimated the risk of trains and chose alternative (and riskier) transport options.
“Anchoring” affects our decision-making and negotiations. In simple terms, once a number or value anchor is set (for example, “a one in one-hundred year flood”), subsequent discussions, negotiations, and decisions are unduly influenced by that anchor and seldom (quickly) adjust to new data. So, if something is classified as a 1 in 100 year event, you’ll have a tendency to dismiss it as a real or present threat (something known to recent flood victims).
It may be obvious to you, but the way that risks are presented (“The Framing effect”) can also drastically change our responses and priorities. Don’t forget that collective biases (“Groupthink”) can also impact our decision-making processes by promoting subjectivity and conformity over objectivity and independent consideration.
This last point, in particular, should encourage you to acknowledge human fallibility and the potential for human error to cause significant risk; risk management measures are not foolproof and the possibility of human error infects every stage of risk management, from identifying risks to implementing controls.
Human error can lead to devastating consequences. Studies have shown that human error accounts for the majority of car incidents and accidents and, in our experience, for most systemic compliance failures. For these reasons, your risk management arrangements need to anticipate and mitigate these risks by including cross-training, automatic backups and regular reviews and audits as core elements of your compliance and risk framework.
If you need help, please reach out.
Risk management is not a game of perfect information but, rather, an attempt to impose order and predictability on uncertainties and probabilities. It is both admirable and practical for you to try to anticipate predictable risks and mitigate their impact, but it’s dangerously naive to assume precision and exactitude.
You’re navigating the grey, and if you can recognise the inherent limitations of risk management, you can at least take steps to mitigate their impact and improve your ability to manage risks effectively.
Mitigating biases and improving outcomes
The seduction of certainty in compliance and risk management highlights the need for a more dynamic and adaptive approach.
In my experience, by acknowledging the limitations of rigid frameworks and cultivating a culture of compliance, you can enhance your risk management practices and better protect your business and your clients. By mitigating biases, embracing technology, and adopting a risk-based approach you’ll more effectively navigate the complex and equivocal regulatory landscape and ensure the long-term sustainability of your business.
If you’re a leader looking for practical solutions (beyond engaging industry leaders) you can start by building a:
- Risk-Based Approach: A risk-based approach shifts the focus from rigid rule compliance to identifying and managing risks effectively. By prioritising the most significant risks, licensees can allocate resources more efficiently and develop tailored compliance strategies.
- Robust Compliance Culture: Cultivating a strong compliance culture starts at the top, with senior management setting the tone for ethical behaviour. Implementing comprehensive training programs, whistleblower protection mechanisms, and performance metrics tied to ethical conduct can reinforce a culture of compliance.
- Technology-Driven Solutions: Harnessing technology can enhance compliance and risk management processes. Automated monitoring systems, machine learning algorithms, and data analytics can help detect patterns of non-compliance and identify emerging risks in real-time. I’ll offer one caveat: appreciate that excessive reliance on technology in compliance and risk management can dehumanise processes. While technology is a good tool, it’s a poor master, and its effective utilisation requires human oversight and judgment to contextualise and interpret data accurately.
Don’t misunderstand our position – while risk management can help identify and mitigate potential threats, it cannot completely eliminate them. Embedding a culture of risk awareness and resilience is crucial to ensuring that a licensee can survive and thrive in the face of uncertainty.
Your risk management arrangements should help you to identify potential hazards and minimise losses, but you need to be cognisant that an excessive focus on risk management can lead to decision paralysis and missed opportunities for growth. You need to implement a balanced approach in your business; one that acknowledges that both risk management and risk-taking are necessary for sustained and sustainable success. So, while acknowledging the limitations of risk management, try to analyse the known and anticipated risks, determine their likelihood and potential impact and use this information to make informed decisions about your business.
Risk management is, in my view, a necessary, but not sufficient, condition of a successful business. It’s part of the solution but its effectiveness depends on your capacity to recognise, and respond to, its critical limitations. Despite the widespread use of risk assessment tools and techniques within licensees, risk management is not the panacea you might expect.
First, these tools and techniques often rely on past experiences to make future predictions, but in a dynamic and constantly changing business landscape, past experience may not always be a reliable indicator of future risk.
Second, risk assessments are often biased by the subjective opinion of those conducting the assessment, resulting in a misunderstanding of the true level of risk.
Finally, even when risk assessments are accurate, they may not adequately account for the potential consequences of a risk event, particularly in the case of high-impact, low-probability events.
While risk assessment tools can be a valuable aspect of risk management, they have to be used in conjunction with other approaches, such as qualitative assessments, scenario planning and preparedness measures, if they’re to manage risk more effectively.
To achieve this, Licensees need to incorporate regular risk assessments, ongoing training of employees, and continuous monitoring and evaluation of preparedness measures into their compliance framework. Plus, they need to take a proactive approach to risk management that carefully balances risk-taking with strategic planning. Despite the common view that commercial success and compliance are mutually exclusive, the reality is that reconciling your risk appetite with the likely risks is crucial for your long-term success.
You might bristle at my assessment, but risk management is not a universal cure but rather a useful perspective that should be strategically employed to sustain your risk-aware compliance culture.
Don’t forget that one of the critical factors in risk management is the continuous monitoring of risks. This is essential because new risks emerge over time, and previously identified risks may change in severity or likelihood. Your regular monitoring of identified risks will equip you to respond to emerging and evolving risks and act, proactively, to mitigate them. This is why we believe that active, real-time risk monitoring is an essential element of your compliance arrangements.
Regulatory technology, like OpenAFSL, provides real-time data that ensures that businesses remain vigilant towards significant risks that may have been overlooked or underestimated in the initial risk assessment. Some may argue that implementing sophisticated compliance systems and cultural changes can be expensive for financial planning businesses, particularly smaller ones, but the long-term benefits, including reputation protection and improved customer trust, far outweigh the costs.
We frolic in the grey, and our approach can help you develop a strategic risk-taking framework that minimises non-financial risks while facilitating your growth and long-term success.