An interview with Chris Corless, Enterprise risk and audit leader, Associate Director at KPMG (Brisbane, Australia)
Interviewed by: Gareth Byatt, IRM APAC Global Ambassador; Principal Consultant, Risk Insight Consulting
Gareth: Chris, it’s been a while since we last caught up! Thanks for making the time with me this month to talk about “where risk management should be heading” (I’ll add “controls management” to this point). So, let’s launch straight into it. What relevance do you think risk management has in the modern world? Does the “traditional way of approaching risk management” have a place, or is it time that we upend it to something different?
Chris: Yikes, good to see you haven’t lost your panache for asking tough questions to kick off! It’s a great question, and given the amount of interest in StrategicRISK’s #changingrisk campaign, I think there is a recognition that what we currently have is likely no longer acceptable going forward. Before we get too carried away with what’s next, I think it is important to remember just how far we have come in the last 15 years or so, and how young some of the key frameworks that are currently leveraged in risk management are, in the grand scheme of management practices. (COSO ERM debuted in 2004, and ISO 31000 didn’t arrive on the scene until 2009; does anyone remember AS/NZS4360?)
That said, organisations in our society continue to miss the mark when it comes to delivering on what they said they would deliver, often with significant consequences to key stakeholders (I’m thinking of employees, shareholders, customers, communities). You only have to look at the current Boeing 737 Max 8 saga as an example that highlights room for improvement, and it’s only one of many such events that seem to occur daily, although not always with such high consequences. At the same time, I think the world is becoming less tolerant of these types of missteps. I think we will see more and more rewards for organisations that accomplish what they set out to without major dramas and crisis events along the way. This movement (dare I say, trend), combined with the finite set of resources we have on the planet, means that we have to continue to evolve how risk management operates.
I sense that there is growing frustration with the current state of risk management. Lots of resources are being applied in its name, but at times there seems to be little real, tangible benefit coming from the effort put in. In times of frustration, people tend to want to upend things dramatically and seek a completely different direction, but this often continues to lead to frustration because what’s different isn’t always what’s best (the rise of populism and its impacts on global governments is one example of this occurring).
Don’t get me wrong. I’m not arguing that we shouldn’t pursue change or that in some cases that change might not be quite radically different than what we know today. What I am suggesting is that we have to acknowledge that making changes to and in complex systems takes an enormous amount of time and effort, and the journey required to move from the current state to the future state isn’t always obvious or simple to achieve. We not only need to know where it is that we want to head; we also need to manage how to achieve it over a timeframe that will be longer than most CEO/Leader’s tenure. Our challenge is not only mapping out what “next” looks like but to understand how we migrate to it. The pathway might not be the same for everyone.
Lastly, I think we need to think through what is the change that we want to aspire to. There are many views about what “what’s next?” might look like. How these views have been developed is often shaped by our personal experiences, which inevitably is limited when compared to the entire population. Somehow, we need to be able to harness these experiences and to understand the broader context of what works and what doesn’t work. Every one of us making different decisions on “what’s next?” based on our inevitably constrained experiences may not lead us to the best possible solution. Perhaps something similar to how open source software runs might be the answer. That’s why programmes like #changingrisk are so important, as is the research that is being undertaken in many universities around the world – uncovering what a broad population considers to be the problem and possible solutions, then following up with the rigour and unbiased approach of academic research.
Gareth: So, we have to work together and understand different perspectives (which is part of what good risk management is about). What do you think this means for people who work as risk practitioners? Are we ready to change?
Chris: I’m not sure we are ready for a change universally. In the majority of cases, this is through no fault of our own – we have all learned certain approaches to risk management that we have been told, or advised, is “the way to do things”, and we have spent careers embedding these approaches in the organisations we work for in certain ways. The trouble is, many of these historical approaches or ways of thinking don’t really help us to manage risk, but organisations are not seeing the consequences of this because they are getting lucky. In my experience, there is nothing more helpful to getting you to see a need for change than when your luck runs out. This same effect can lull organisational leaders and board members into a false sense of security which is problematic because the nature of the change required needs to have their support to have a chance of being successful.
Gareth: Is this also a case of certain biases creeping in?
Chris: Well, risk functions and risk management as a practice can’t escape the laws of momentum – it’s genuinely much easier to continue with what you are doing, even if you have a risk manifest itself into a problem or issue. The tendency is to try harder not to rethink your whole approach and the way you go about things but to make incremental adjustments. In some cases, trying harder with small changes or simply more effort is the answer because of how long it takes to get the right practice in place, but in other cases trying harder isn’t the answer. Sometimes, wholesale change is required. A key challenge risk practitioners face is “knowing when to hold them or when to fold them” (Kenny Rogers had a lot of wisdom in his song The Gambler somewhat ironically given how much gambling shapes our risk thinking).
Change management will play a big part in how we successfully navigate away from our current practices and move toward what’s next. We have to realise that this isn’t just about orchestrating change for risk professionals, it’s about requiring an entire entity to change. Change management, systems thinking, and “nudging” people will be core skills for us to evolve how risk management is approached.
Gareth: We’ve previously discussed how technology is changing risk management. Which technologies do you think will be the most influential to help people take and manage risk in the next five to ten years? Is there any “first mover advantage” at the moment for risk practitioners and organisations?
Chris: I don’t think my thinking has changed that much on this from last year. I think technologies that help us to understand how the real world is behaving and informing our modelling around how uncertainty changes as the real world changes will be paramount. Of course, the bigger and more complex the modelling gets, the more we will be dependent on the speed of data processors, our ability to tap into the ever-growing amount of data and, finally, how to make sense of it all. The internet of things, wireless networking coverage and speed, low cost sensors for various operating machines and plants etc., quantum computing, machine learning and artificial intelligence will all play a role.
When I think about this, I think about how our approach to navigating (be it in a car, a boat, whilst out hiking) has changed in the last 15 years. Anyone remember the hard copy maps you used to buy? Dog-eared and sun-bleached artefacts found in cars of old. They were great - better than not having anything to guide you, but they depended on two key elements being in place: (1) you knew how to find where you were and (2) you had some idea of where you were going (the former being more of a challenge than the latter unless the map’s index was terrible). At the time, I couldn’t begin to imagine a world where I could hold a portable TV in my hand, and it could communicate with satellites and show me on a map my real time location. And from there I could just put in an address, and it would automatically compute the best way to take me there, and that would change depending on how I travelled or even better automatically reroute me if there was traffic on the way, all in real time. It’s a very simple example of the kind of transformational change that lies ahead – all we need to do is to continue thinking about how technology can assist us in our pursuit of risk management.
A couple of words of caution here. I think when it comes to risk and our ability to have our models interact with the real world, it might take longer than ten years, not because the technology won’t be ready but because our organisations (and sometimes our key stakeholders – and ourselves too) might not see the benefits of this type of transformational change. I think we also need to be careful as we use automation more and more, both in a control sense and in detecting problems with controls (or changes in risk). We need to understand what it will take from our organisations and society as a whole to trust automated systems.
Most of us have an innate distrust for results and insights that are not provided by humans. Just look at the negative press that occurs when there is an accident with an autonomous vehicle – yet how many accidents every day are caused by human error? We also have a lot of work to do when it comes to designing these systems, so perhaps our mistrust at the moment is well placed. We only have to look at the MCAS system on the Boeing 737 Max 8 to see the consequences when automatic control systems are not designed well. There is still a lot of work to do in designing automated systems and demonstrating that they can be trusted (KPMG is one of many working on this and has completed some interesting work with the City of Amsterdam specifically on the trust issue). There is a great TED talk on Weapons of Math Destruction. Clearly we have a lot of work ahead to get it right.
The “first mover advantage” as I see it is twofold. Firstly, you can reduce the resources that are currently used in the name of risk management quite simply because the machine will do it. Either the machine will execute the control (as a Tesla does when it is on autopilot) and/or the machine will monitor the performance of the control (as so many of the systems in a modern car monitor the human’s performance or how software monitors the performance of Tesla autopilot performance). Second, an organisation has a greater probability of achieving what it sets out to achieve without drama.
The first mover advantage helps you to reduce the resource required while at the same time improving your ability to understand the uncertainty and variability in your business. Using data and technology, we can achieve this with a vast amount of data that is no longer limited to the knowledge and experience of the last couple of management generations. This will lead to better and more informed decisions. Ultimately though, if technology helps the organisation to manage the uncertainty that matters, then it will better achieve its objectives without drama and be appropriately rewarded for it.
Gareth: Does certification and training in risk management need to change to keep up with where things need to head?
Chris: I think when we land on what our next evolution looks like, we definitely need to revisit what our certification programs look like. That said, I think we are fooling ourselves if we think that any one skillset will be all that is needed in the risk functions of the future. Whilst I think it is very important to understand the various fundamentals of risk, the risk functions of the future will also have expertise in behavioural psychology, data science, engineering, finance, and change management to name just a few. Yes, it will be good to have general knowledge in each of these areas, but we should recognise that the risk functions of the future will need to have deep expertise in each area, and we will need to think about what that means when we develop the risk certifications of the future.
Gareth: What role do international risk standards and industry standards have to play in the future, do you think?
Chris: Another great question. I think there is a role, but I think it will be different from the role they have historically performed. Whilst I believe there have been many benefits from the standards that have been created up to now, I think we are very quickly approaching a time where they’re not as useful to help guide risk practitioners in understanding what needs to be put in place next. In some cases, these standards might be limiting innovation because doing something different might jeopardise the ability of an organisation to say they are ISO compliant. I think it’s also possible that they can stifle innovation because there is still a large contingent that believes they define leading practice and prevent organisations from advancing or short-circuiting their maturity journeys.
That said, I think it is important to realise that there is a wide range of variability when it comes to risk management maturity around the world and across industry sectors. I think for some on the low end there is still something very important to learn from these standards. It’s probably safe to say I have a love-hate relationship with the standards – early on in my career the standards and the people who wrote them were immensely helpful in how I thought about risk, but as I have refined my thinking over many years of experience, they have played a much lesser role.
In the future perhaps, standards will focus more on specific elements – perhaps how public companies will report on risk or maybe articulate the best way to manage specific types of risk which have been particularly problematic historically. I would be very interested to hear what your readers think about this question.
Gareth: Maybe standards will evolve into “a family of standards”, as they have for other disciplines. When we spoke last year, I asked you about your predictions ten years from now on how technology will be helping and shaping how we take risk and try to predict uncertainty. You wrote a popular piece about “the risk radar” back in July 2018. Where do you think that risk management, in general, will be by 2030?
Chris: I really think some organisations will be well down the road on their digital journey as I discussed earlier in our conversation, and they will be more successful as a result. We will see risk and uncertainty models integrated into real-world control systems, and there will be very little human interaction required when your risk intelligence systems identify problems. There are quite a few organisations innovating in this space today, albeit perhaps not specifically under the guise of risk management. Today we have to wait for a risk problem to be identified, hopefully by people in the business (as opposed to some form of independent audit), who in turn make recommendations of changes to remedy the problem and then it goes through a chain to more people to implement agreed solutions. This tends to be very periodic, time consuming and not a very reliable way of informing decisions. In my risk radar piece, I likened the current state to the radars of old, far from intuitive and required a lot of practice to be used effectively and even then, challenging to use effectively all the time. As with most things today, the new radars are exactly the opposite – highly automated they reliably and repeatably detect risks that could impact the achievement of your objective of arriving safely at your destination.
I can see a future where risk intelligence systems would identify a problem (perhaps a control that is not as effective as it should be), and then artificial intelligence capabilities would make a determination of what the best solution would be.
It will make necessary changes, monitor the change to see if it had the intended impact, and if not make another change. This is rapid experimentation at its finest. To some extent, this happens in our daily lives already today. One of the major mining companies this week announced its next generation haul trucks will automatically check themselves into the maintenance shop when they detect an issue, perhaps with a critical safety or productivity issue and as that happens, the scheduling system automatically brings spare parts and the right resources together to help the truck get back into the production line up. What will be different ten years from now is the scale at which this happens, the complexity of the models and learning capability of the systems that execute it.
Gareth: Thanks Chris for these insights. Let’s check in this time next year to see how things are moving forward!
I’d like to finish by asking what you’re currently reading, and finding of interest around the world? I must say that I always find your posts on LinkedIn of interest. Please keep them up.
Chris: Thank you for your continued support on my LinkedIn feed, I spend a fair bit of time trying to post about complex failures that can provide insight on improving risk management as well as key areas around leadership, strategy and culture.
I have just finished reading Richard Thaler’s Nudge, which I found to be a great companion to Daniel Kahneman’s Thinking Fast and Slow. While Kahneman explained how we think and the nature of our various biases I found Nudge was sort of a field guide to how you might practically apply the theories. I also just finished Tommy Caldwell’s book Push. It’s a little different from my traditional risk space reading, but it’s an amazing biography of Tommy, a professional rock climber who overcame many, many obstacles in his life before completing the first ever free climb of El Capitan’s the Dawn Wall which also became a great movie of the same name (on Netflix in many countries). Jim Collins of Good to Great is a friend of Tommy’s so it must be a good story, right? After starting climbing myself relatively late in life, the capability of Tommy and climbers like him is simply incredible. The next cab off the rank will be Taleb’s Anti Fragile and I am looking forward to it and his not so self-deprecating writing style.
Gareth: Thank you once more for your time, Chris. Fascinating, as always!