ARC (trade) talks with... Karin Nadels, Risk Manager and blogger

November 1, 2021

To keep close track of developments in our field, every month we interview an audit, risk or compliance expert from the field. Among the questions we ask are: what developments do you see and how do you deal with them? In the second interview of this series, we talk to Karin Nadels, who has held the position of Risk Manager at several organizations. With some regularity, Karin blogs about her learning experiences and insights within the field of risk management; some 20 blogs by Karin have already appeared.

I've started asking myself more and more: why do we do it this way ... and where does that come from?

I have been a Risk Manager at Holland Casino for a year and a half now. Before that I held the same position at several financial institutions. Looking back, I see that the approach to risk management in the financial sector is very similar. Everyone does the same annual risk analyses of the processes, estimating 'chance x impact', then draws up the corresponding diagrams and then tests the (key) controls. Regulators also always like this standard way of working and other sectors have often adopted it one-to-one, perhaps because of the recognizability? I always complied with this as well, but I started to wonder more and more: why do we do it this way ... and where does it come from? I don't have the full answer to that yet, but I am exploring to find that answer. 

So am I now doing risk management in a totally different way? Not so far: I haven't found the optimal way (if it even exists), and in a difficult Corona time I am not going to burden an organization with experimenting with new methods. I think one of the most important skills of the risk manager is: to know what is going on in your company and to know when to call for something, but certainly also when to stand still. You are at their service, not the other way around.

We could switch from absolute estimation to relative estimation

The first thing I would like to move away from is the estimation of probability x impact with a scale of, say, 1-5. The more I delve into this, the clearer it becomes to me that we humans cannot make such an estimate properly. This exercise is quite time-consuming, but it does not, in my belief, give an accurate picture of the risks. We can get more value out of it by moving from absolute estimation (1-5) to relative estimation. In relative estimation, you look at whether a risk is greater or less than another risk. Within IT, relative estimation is used a lot, for example, to estimate "how much work will this work package cost me, relative to another work package?" In Corona days, while working from home, I picked up this method from my husband. To make this method very practical: when we look at a tree, we are quite capable of saying whether one tree is bigger than another tree and if so, by how much (for example, 1.5 times bigger). In this, we as humans are many times better than estimating exactly how many feet tall that same tree is. If we work more with this skill when estimating risk, it will take less time and we will still have a good estimate, maybe even better.
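As an added illustration (not part of the interview or of any tool the interviewee uses): the pairwise "1.5 times bigger" judgments described above can be turned into one relative score per risk, and the judgments checked against each other for consistency. The risk names and ratios below are constructed sample input.

```python
import math
from itertools import combinations

# Constructed sample judgments: (risk_a, risk_b, ratio) reads "risk_a is ratio times bigger than risk_b".
JUDGMENTS = [
    ("phishing", "ransomware", 1.5),
    ("ransomware", "vendor outage", 2.0),
    ("phishing", "vendor outage", 3.0),
    ("vendor outage", "data entry error", 1.2),
]

def _ratio_table(judgments):
    """Both directions of every judgment: table[(a, b)] = a/b."""
    table = {}
    for a, b, r in judgments:
        table[(a, b)] = r
        table[(b, a)] = 1.0 / r
    return table

def relative_scores(judgments, iterations=500):
    """Fit one score per risk so that score_a / score_b matches the stated ratios as
    closely as possible (least squares in the log domain, solved by Gauss-Seidel
    iteration with the first risk anchored). Scores are scaled so the largest is 1.0."""
    table = _ratio_table(judgments)
    names = sorted({n for a, b, _ in judgments for n in (a, b)})
    log_score = {n: 0.0 for n in names}
    anchor = names[0]
    for _ in range(iterations):
        for n in names:
            if n == anchor:
                continue
            # every judgment involving n says log(n) ~ log(other) + log(n/other); average them
            neighbours = [(m, r) for (x, m), r in table.items() if x == n]
            log_score[n] = sum(log_score[m] + math.log(r) for m, r in neighbours) / len(neighbours)
    top = max(log_score.values())
    return {n: round(math.exp(v - top), 4) for n, v in log_score.items()}

def inconsistent_triples(judgments, tolerance=0.25):
    """Flag triples where the stated a/c differs from the implied (a/b) * (b/c) by more than tolerance."""
    table = _ratio_table(judgments)
    names = sorted({n for a, b, _ in judgments for n in (a, b)})
    flagged = []
    for a, b, c in combinations(names, 3):
        if all(k in table for k in [(a, b), (b, c), (a, c)]):
            implied = table[(a, b)] * table[(b, c)]
            if abs(implied / table[(a, c)] - 1.0) > tolerance:
                flagged.append((a, b, c, round(implied, 2), table[(a, c)]))
    return flagged
```

Sorting `relative_scores(JUDGMENTS)` by value gives the ranking; `inconsistent_triples` points at judgments worth a second discussion rather than silently averaging them away.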

Smart thinking about the relevant risks and related approaches

I wrote a blog about strategic risks before. I notice that the Corona crisis has further increased the desire to have strategic risks mapped out as an organization. I like to distinguish between risks that can be seen as hygiene risks (such as cyber security and complying with the law) and risks that follow from (the changing) organizational strategy. Hygiene risks are always there and, if done properly, are secured in the (daily/monthly/etc.) processes. 

Actual strategic risks come from a formulated strategy and thus are not in those processes. This requires a different approach. By the way, this distinction is not black and white, but that doesn't matter; the point is to have a good discussion about it. In addition, I am not an advocate of copy and paste: last year's risk list may look different again this year, so delve into it.

For the strategic risks, I like to talk to the board members personally, because those risks affect them. With some regularity, we from risk management attend meetings, for a presentation or to facilitate a discussion. Then, of course, we also talk to the layers below the management about risk management. It is precisely the input from the various organizational layers that contributes to broad-based risk responsibility, with which people really get to work.

In particular, it should revolve around the first line, where the money is made and the real expertise resides

Where the layout of a company is concerned, I favor small staff functions. In particular, it should revolve around the first line, where the money is made and the real expertise is. Of course, this varies from company to company and is not an end in itself, but it is a principle I keep in the back of my mind. As a risk manager, I like to work close to the front line. I recently completed the postgraduate study in Internal Auditing at the UvA. I really appreciated that course. Among other things because of the vision towards data-driven working. This can offer many advantages such as: assessing the entire population instead of a partial observation, or that on the basis of available data you already know which risk areas you can zoom in on. I do realize that getting the right, clean data in a timely manner is still a challenge at many organizations. If you start working toward this way of working today, you can often get started on it sooner than you expected. 

On the other hand, I think the RO study focused too much on models. What I missed in it was: how do you make sure that you know how to translate the model into practice, so that it gives you tools and does not become the end goal in itself? After all, a model is nothing more than a simplified representation of reality: the latter is always more complex than a model can tell you. And because of that complexity, the trick is to find solutions that fit the company, the people and the goal being pursued. One should not spend half a day filling in lists and not get around to the regular work. In that, I think creativity is an important skill of the risk manager. Can we do it in a new, smarter way? But creativity is also: being open to not knowing certain things yet ('knowing that you don't know things yet'). Or daring to let go of models, if you want to consider (for example) important elements such as culture, attitude and behavior. In such investigations, by the way, showing genuine interest is also enormously important, because without showing genuine interest, you won't get to the good conversation.

In the ideal relationship between Internal Audit and Risk Management, I see two separate functions, both of which fall under a different board member and operate independently of each other, but have a very clear signaling function to each other. I can ask the auditors if they want to dive deeper into something, by means of an audit. Conversely, the auditor may find something outside the scope of the audit, which is important input for me as Risk Manager. Or they can pass on an issue to me that has "fallen down" among the other findings, but is good to know.

Managing the 'new' risk

You are successful as a risk manager when you see steps being taken compared to last year (improved control, preferably combined with efficiency). But especially when the board and the management layer below can make better decisions. For example, about 'which projects have the greatest chance of success' or 'where should the energy of the people on the shop floor be put in particular?' That, by the way, requires you as a risk manager to always be well prepared and to-the-point. Management usually has so much on their plate; show them where the added value lies. This can be in risk mitigation, but also in scenario planning and increasing opportunities. This quickly removes resistance. Regarding operational risk management: stay alert that the management measure has not become an end in itself; keep reasoning from the goal and the associated risk. Do not forget that doing business goes hand in hand with taking risks. Opportunities should be taken, as long as you know the associated risks. That is the other principle I adhere to: thinking from "how do you increase the chance of success?", rather than just "how do I make sure things don't go wrong?".

We still view risks too much as static. But a risk can occur more than once and can have different consequences, which can accumulate. The BowTie methodology can help you identify all causes and consequences of a risk, giving you clear insight into what you can influence. Also, we still think too much in silos: risks and (external) factors can also influence each other, where now they are approached as a list and mutual influence is not taken into account.

Another shift is taking place around culture, attitude and behavior. Fortunately, more and more managers are putting these topics on the agenda and people are starting to see their value. That shift is important, though, because the risks are mainly in the people. If something goes wrong, nine times out of ten it is because someone was not paying full attention. For example, in the case of a company being hacked or held hostage, it is most likely that someone forgot to update their laptop or clicked on an unsafe link. A practical example: hotels that put a sticker in the bathroom that says "73% of guests reuse their towel." This leads to far fewer towels that have to be washed after just one day, which saves costs and reduces environmental impact. This method is called nudging.

Risk management still offers many opportunities and challenges for me. There is also still so much to learn. Among other things, I am currently delving into the many different strategy streams and how to make more use of quantitative methods in operational and strategic risk that are usually used a bit more in financial risk management. And I stay alert to what we can learn from other professions. For example, I recently wrote a blog about how teams work together in Formula 1. Very interesting. So all in all, I see myself enjoying working in risk management for the time being!
