This is a transcription of our interview with Norman Marks.
You can watch the original video interview here:
Here is the link to purchase the Risk Management for Success book.
Boris: Welcome to our interview with Norman Marks. Norman Marks is recognized as a global thought leader in risk management. He is a prolific blogger, author of several books and multiple articles and the speaker at conferences and seminars around the world. Norman is an original thinker with the business', rather than a technical Risk management perspective. And Norman served as a Chief Risk, compliance and ethics officer for large multinational companies.
Norman, thank you for coming to our virtual interview today.
Norman: It’s my pleasure, great to be with everybody.
Boris: Thank you. Today we will discuss your new book “Risk Management for Success”. In this book, you answer some important questions such as what is world class risk management, why do so many top executives and board members have difficulty seeing how ERM makes a positive contribution to the success of their organization.
Norman, can you give us a little bit more insights about your career path and what led you to write this book?
Norman: Thank you. As some of you might be able to tell from my accent, I was born and raised in England and moved to the States 40 years ago. So I've got a career that spans the Atlantic ocean on both sides, public accounting, and then internal audit and IT Management and then also has been a risk and compliance officer.
Although I've been somewhat technical at times, for example, for what is now a PWC UK, I was their lead technical IT audit manager, senior manager. I wrote methodologies and things like that. My perspective has always been on what it takes to run the organization to be successful rather than the nitty gritty in the weeds kind of things.
I hired people like that, for example, my IT auditors who look first at the business process to understand the business before they understand and try to evaluate the IT area.
So I always come from, as you said, a business perspective, rather than the technical perspective, looking to see what it takes for the organization to succeed. What I've seen as it comes to risk management is that it's clearly not being very effective, not very succesful in the traditional sense.
People are relying perhaps based on guidance from regulators and consultants, even the big auditing and accounting firms, they are producing a list of risks. And they're reviewing that list of risks on a periodic basis and thinking that is risk management.
Yes, any survey of management and executives and the Board, they see what this is about as BS as it's not helping them either set the right objectives or to execute their strategies to achieve those effectives.
So it's not getting the funding, is not getting the support from management on a continuing basis and to add value. If you look at surveys, for example, from the ERM institutes at North Carolina States, every year they do this survey and according to their assessments the maturity is less than 10% each time of saying that they're very mature. I think of the last few years, 7% of organizations that have responding to the survey on Risk Management by saying that they have effective and mature risk management.
And the next level is somewhat effective. What the ERM Institute is saying is that number, which is about 20 - 21% is actually going down. So organizations are not seeing the value out of this. This is actually my fifth book on Risk Management, so I've been trying for the last several years to actually encourage people, to look beyond this and look at it for the customer perspective, from the business perspective and say... What is the business need, What are the decision-makers needs? What are the people leading the organization need for them to be able to make the right decisions to lead the organization to success?
And it’s certainly in my opinion, not a list of risks and that’s the Genesis of the book. Don't talk about Risk in technical language, talk about it in plain English. I've talked about not thinking about managing and mitigating risks, think about achieving objectives of what it takes to do that.
I wanted to write a book about Success Management as being something better than Risk Management, and I realised that people won't necessarily understand what I'm talking about transforming current day Risk Managent. So I set the title and the topic, as Risk Management for Success. So the people eventually will start realizing that what we should be doing is helping the organizations be successful rather than simply avoid failure.
Boris: So what is one commonly held belief as it relates to the risk management that you would like to debunk in your new book?
Or If we go further, how does someone hearing this for the first time will take action based on your book?
Norman:. So one of the things that I talk about it, especially when I do it in person classes, which I will do again in 2021. If you want to persuade somebody to do something, you have to appeal to their W I I F M. For those of you who don't know, this is What's In It For Me. So if you want somebody to do something, they have to see some value in it.
Right? And so what we need to be doing is looking at this from the point of view of the people running the business, and what is the information they need in order to set the right objectives, execute day to day. One of the stories I tell is for my friend, I think, you know, him Boris, Alexy Sidorenko. Alex was the Chief Risk Officer for a very large Russian financial services company in Moscow.
And soon after he joined, there was a subject, with kind of regulations that required a Risk Appetite statement, Risk Register and all these different reports. He did all of that and he had a meeting with the CEO of the company. The CEO was very professional, very courteous and said, thank you, Alex, this looks like you've done an excellent job of meeting all of the regulator requirements.
I can see how this is diligent, and I'm sure it was reliable. But if you look at my desk over here on, you can see a number of different piles of paper. Each one of those represents an important decision that I have to make today or tomorrow. And what you've given me will not help me to make any of those decisions. What you given to me wouldn't have helped me to make any of the decisions I have to have to make up for the last two months.
So what I'd like you to do is continue to do what you have been doing, because that you have to meet the regulator’s requirements, but then I want you to meet with my executives and my team and give them help with the information and the processes they need to make the right decisions so that we, as an organization can achieve our objectives.
And that's the transformation that I'm looking for is to keep complying, but then enable the executives to what I call informed and intelligent decisions.
And that involves them taking the right risks in the circumstances and justify them based upon the reward. And so it is not looking at downside by itself. Its is looking at the ability to way the consequences of a decision or lack of a decision and balancing the pros and the cons so that you can now know, okay, which is the right thing to do.
And, that is really to me what it's all about. It's not about just the downside. It’s about the upside as well, but recognizing that anything that we do, any decision, anything that happens has multiple effects. Not just one bad side, but it can be multiple bad effects, but can also be multiple good effects. As we do it on our personal lives, we've got to make a balanced decision.
I written about when we make a decision on, for example, what car to buy, we don't look at a Risk Register. We make a list of all the pros and the cons of each vehicle, right? And then we make an intelligent decision as to which one. Now, if we do that in a personal lifes, why are we doing something different in our professional lifes? Why can't we help the executives understand the ramifications, consequences, the effects of any particular action or the situation, both the pros and the cons so that they can make the right decisions.
And that I think is transforming what we're doing so that the executives and decision makers are not just doing what they have to do. They're doing what they want to do. And we're helping them with the analysis and assessment of information on both sides, the pros and the cons. So they can see the whole picture to make the right decision.
Unfortunately, I've talked to a number of Risk practitioners, and I say, well, you have all of these tools to evaluate bad things that might happen. Why don't you do that on the good things that might have? And they say, well, that's somebody else’s job.
So he would have been waiting for the downside in a very disciplined, structured fashion. And somebody is used to throw a guesswork and optimism on the upside.
And then the executive sitting there in the middle and thinking, what am I supposed to do now? How can I make an intelligent decision? I've got you on this side who is only telling me that this guy is full but guy on the other side painting a rosy picture. And you're making me guess as to what I'm supposed to do.
Boris: Is there is one thing that the risk managers should start doing right now that they are not doing currently, what would it be? Or perhaps another way around, is there one thing that the risk managers should stop doing now that they are doing? What would it be based on your book or your thinking?
Norman: What about risk and managing a mitigating risk? If we do not take risk, we will never succeed. The thing is to take the right risk, given the circumstances. So I think we need to stop thinking of ourselves as responsible for managing risk. We are there to help them. And if we are to help the decision makers and executives, the thing that we have to do is meet with them, understand what decisions they make, how they make decisions, what information they could use, they are using, we could use, which is better.
And then we can step back and say, how can we help them do a better job? The boys I had when I was talking about Risk, Management in plain English and misspeak a four letter word, and we want to try and avoid because It really turns executives off. I'm here to talk to you about Risk, Oh my goodness. You're here to stop me doing what I need to do. Right? You an obstacle to my progress, you are an obstacle in running my business.
So I was talking about this and writing about this. And somebody wrote a comment on my blog that said that they had changed the name of the department from Risk Management to Decision Support. And all of a sudden the executives were welcoming him. Because that difference in mindsets of we are here to help, how can we help? How can we help give you the information and insigh you need to all the things that might happen is appealing to them, because you're now saying I'm going to help you be personally and organizationally successful.
Boris: In many financial companies they have to be precise Risk, Management Department and not something else.
Norman: Well, you know, here's another story for you. Another friend of mine, Martin Davis in Singapore, is a very smart guy and a great technician. He was a risk officer for, I think it might've been in Australia, but anyway, this is another financial services company, a trading company. And he was a risk officer and the traders typically would propose a new financial instrument they wanted to try.
And that would go to the Risk Officer who would take that running for a sophisticated model to determine whether it meant to be defined parameters for being acceptable. Most of them worked to say yes or no. And if no, go away. What Martin did, if it was no, he would look at it, he would understand what the trade is trying to accomplish.
And then he would go to the trader and say, if you change this here and that there, it will meet the guidance and it would do what you want. So he changed from the department of NO, to the department of HOW. He changed from being an obstacle to being an enabler and a partner and help them make the right decision and its kind of mental shift. We heard in some ways again, because we have this idea that the RISK officer is there to STOP people taking too much risk and they see themselves as being the sheriff in town and stop those rowdy Cowboys, doing something to jam the organizations instead of saying, my job is to help the organization succeed.
Now, how can I do that better? It’s not just to stop people but they have to help people understand why it's not good, but basically I'm there to provide them with information, the process, the tools, the inside, the advice so that we, as an organization can be successful. So it's a mental shift.
Boris: I know in many organizations, risk management is seen not as a strategic partner, but rather a cost of doing business. So what do we see as the main role of risk manager? Is it the policeman, a check box ticker or a trusted advisor or else. And what is the risk culture? Is this just a vage description and how to embed it in organizations?
I always hear on all conferences, Risk culture, Risk culture, but nobody knows what, what it means.
Norman: I think that the Risk practitioner should see themselves not as the policemam but as the partner to the organization. Now there are times when the partner has to be an adult and say to the child you're doing something which may seem right to you, but it's wrong for the organization. There are going to be times when tactfully and diplomatically, you need to escalate it. But most of the time, you are there to help that person be successful.
If we really have that attitude, I think that can be the one thing and, the rules police - no, no. That is, you're never going to get anybody to want to come in and work with them if you see yourself as a policeman. They are going to see that you have hidden agendas.
I've had people tell me about one of my staff presented and they didn't trust him because they thought he had a hidden agenda. He was there to cach them out.
But one of the ways I feel you should evaluate Risk Management and see whether it successful is whether the people running the business say. Yes, Risk Management is actually helping me and the organization to be successful.
I want them to come in for this reason and that reason, not to stop me from doing something wrong, but to be an advisor. Because I know they're on my side. I know we had the same shared values and the same objectives. So I want you to come in because they've actually adding value to me personally as well as to the organization.
Now to the Risk Committee that's what I set up when I was Chief Risk Officer, I think they are there to make sure that everybody understands the process to help people in the right decision-making processes.
If there are compliance requirements, to make sure that that is communicated and so on. And there's also a need sometimes for a forum to have a discussion where multiple departments are affected by the same situation and they have to make a decision together.
So this can be an area below the executive committee of the organization where you can tackle specific issues where you've got a disagreement perhaps between the department heads. So I think that there is some logic there, but you've really got to look at it and say, how can these executives come together and add value to themselves and to the organization as a whole.
I think that they too often set up as a compliance committee, to approve policies and things like that, which none of the executives really want to spend their time doing.
They're really not interested in spending an hour reviewing and approving time printing in a Risk policy. But if you talk to them about how can we as an organization make better decisions, I think that there is some value.
Boris: What is your take on current a software solution for risk management? I know you probably implemented hundreds of solutions during your career path. What are your tips on selecting them? Because in our community, we have a lot of questions and people always asking about this solution or another solution.
Norman: Well, first of all, I do tiniest tiniest bit of consulting. I retired quite a few years ago now. And although I was looking at solutions for my own organization and I talked to companies and I talked to the software vendors today, I'm an independent of any of them and I don't recommend any particular. So for a company, what I have been seeing all the time is you have to understand what you want to achieve with risk management and decision-making and the Management of the organization, and define a need and then go either the best, maybe a combination of solutions in order to achieve those best.
There's very few software products that I've seen that will do everything that I would want, and I was very encouraged. I did not know if you saw this, but Michael Rassmussen recently wrote a blog talking about RFPs for Risk Management. And I think he got it very much, right when he said it has to do with achieving objectives. And unfortunately, most software vendors, when it comes to risk management solutions there's no link to the objectives at all.
It's all about traditional list of risks, not about achieving objectives. Now the good news is that over the last month, I've talked to a number of different companies that are now rapidly developing solutions, knowing some of the thoughts of my books which is flattering and they say that it starts with keeping objectives.
And as I say, in my books, how can we have an acceptable likelihood of achieving those objectives? I want to achieve my objectives and I want a 90% likelihood of achieving objectives, but they are designing their solutions around that and then understanding what might happen to achieve them. And that's a very encouraging indeed. Some of these companies are building some very sophisticated tools and techniques to do that enabling much more continuous Risk Management, management of what might happen.
Risks and opportunities - you need to look at both sides, so that people can make the right decisions, but then revisit it and correct a decision if it turns out that things aren't working out in the way it did. My advice to everybody is first of all, understand what you're trying to achieve. Hopefully in my book I put the maturity model in there talking about a lot of things that I believe should be considered for effective management of the organization from setting the right objectives to tactical and strategic decision-making all the way through to evaluating the things that might happen and bringing it back to assess the likelihood of achieving the objectives.
To understand what you want to do, define your needs and then determine the best way to achieve those. And it could take some time and it could, frankly, take some number of different products.
Boris: Maybe a last question about your process as a as an author, because I'm a self I'm trying to write something in as a book, but it makes me very sick. So what kind of research do you do? Or maybe you just, just write as you hear something from the God of something, how long do you spend your research before starting the book, and have you gotten the writer’s block or something like this?
Norman: I've never really had writer's block. So as you know, I blog all the time and I read a lot of different articles and studies and thought leadership pieces. Each one of those makes me think about what the person is saying, learning from that as much as anything else. And sometimes it's trying to say why do I not like what they say?
So that is it. That is a major part of it. And then once I have something that I figured out I want to write about, because I think people need to make a change of perhaps I can influence to a modest degree, the change that they're making. Once I have that, I have some idea of not so much the structure, but the overall message and what the sort of things do I need to include.
And the next thing I do is I go out and get the best people I could find to be my review panel. Because as I'm writing, it depends on the nature of the book as to whether it makes sense to do it as I'm doing it, or once I've completed a live part. For example, on this last one, I put more of a high level, maturity model together talking about the things that I want you to talk about.
And I send it to my reviewers, and they gave me a very constructive feedback. I was really going a little bit too far and, and the book actually turned out to be much more lengthy because the maturity model itself is about 50 pages long. The book is very comprehensive in the ideas to pick up to the top of it. Then I put it together, I probably, re made it and re-edited three or four times.
Boris: You like Leo Tolstoy, who re-wrote about 20 times his War and Peace novel.
Norman: I pick very critical people. They have different perspectives, different experiences. So I don't necessarily pick people that I know about their life. And so I was very lucky, I've got a dozen people from all over the world and with different backgrounds, perspectives contributing that don’t necessarily agree with everything that’s there and I think they definitely enriche that. The thing for me is that I have a passion for the topic. I have a passion for helping people in general. I think that I have something to say, and if nothing else, I want to make people think, even if like disagree with me, I want them to feel challenged in what they have been doing and thinking, and perhaps over time, we'll see some progress.
I'm very pleased to see a lot of the comments on my blog these days of so many people moving in the same direction as I have when I started, which is now for a long time ago, a 12 to 15 years ago. I wouldn't say that people are necessarily on the same page as me.
Boris: I remember when I started Global Risk Community, your blog was the No, it was the only that I could find about Risk Management.
Thank you Norman for your Interview. If someone would like to read the book, we will put a link, in either a podcast show notes, or the blog post, depending on where you consume in this Interview content.
So I would like to wish you a good luck and the successfully producing another book for Risk managers. And the most important thing is that your ideas will be implemented, is a practice. Thank you very much for us. Thank you for everybody.
Here is the link to Norman’s blog https://normanmarks.wordpress.com/