In Simon Franklin’s article back in June 2010 he examines the Key Person risk issue, which is of course a major consideration, especially for investors.
At Dequity Partners we are very keen to ensure that all our clients have adequate risk management strategies, management plans and mitigation procedures in place. However, having a risk management strategy in place is one thing. The real question is whether the risk management and mitigation strategies that have been put in place actually work when you need them.
Two recent events have brought this back into focus for me.
1. Computer data files taken offsite
I was attending the board meeting of a company where I am a director and where I had instigated a formal risk management process which included a regular review by the board. One of the simple standard issues that always comes up is the need to provide a backup of the company’s software and data to protect against the risk of it being unavailable for an extended period.
This seems quite straightforward and involved a simple process of taking a copy of all the relevant data on a file and taking it offsite. As usual with this type of activity, it became a simple administrative process with little further thought being given to the actual purpose for doing it.
However, I have had previous experience in a major corporate where simple risk management processes were followed to the letter, but when the relevant event actually happened the process did not protect the company. In that case, it was an Uninterruptible Power Supply (a large, powerful battery used to power computer systems when the normal electricity supply is suddenly unavailable) which simply did not work, i.e. the battery was dead and no one had tested it.
So, when I was in the next board meeting of the company where I had instigated the risk management strategy and we were reviewing the process, I asked for a random copy of the computer software files that had been taken offsite to be tested. As a director, I wanted to see how long it would take to recover the data and to ensure that we or our computer support supplier had or could quickly get the relevant hardware. I wanted to know what impact this could have on the business. Sure enough, when this process was finally undertaken (much to my frustration, it took a while as it was seen as a low priority issue), the tape was corrupted and the data could not be recovered. If we had needed to recover data after a real incident we would have struggled to do so. Needless to say we have now instigated some more processes to further protect the company.
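A restore drill of the kind the board asked for, as an added example that is not part of the original article: it takes a copy, then proves the copy is readable, restores it into scratch space and checks the restored files against a checksum manifest recorded at backup time, reporting how long recovery took. It assumes a POSIX shell with GNU tar and coreutils sha256sum, and uses constructed sample data rather than any company’s files.

```shell
#!/bin/sh
# Restore drill: prove the offsite copy actually comes back, rather than
# ticking "backup taken" on the risk register. Constructed demo data and
# paths only; this is not the article's company or any vendor's tool.
# Assumes GNU tar and coreutils sha256sum (labelled assumption).

# make_backup SRC ARCHIVE: write sample data, record a SHA-256 manifest of it
# at backup time, then archive it (the "copy taken offsite").
make_backup() {
    src="$1"; archive="$2"
    mkdir -p "$src"
    printf 'ledger 2010-11\n' > "$src/ledger.csv"
    printf 'customer list\n' > "$src/customers.txt"
    ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$archive.manifest"
    tar -czf "$archive" -C "$src" .
}

# restore_drill ARCHIVE: returns 0 only if the media is readable, extracts
# cleanly into scratch space and every restored file matches the manifest.
restore_drill() {
    archive="$1"
    scratch=$(mktemp -d) || return 2
    start=$(date +%s)
    # Step 1: can the media be read at all? (a truncated or corrupt tape fails here)
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        echo "DRILL FAILED: archive unreadable: $archive"; rm -rf "$scratch"; return 1
    fi
    # Step 2: restore into scratch space, never over the live system
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "DRILL FAILED: extraction error: $archive"; rm -rf "$scratch"; return 1
    fi
    # Step 3: compare content with the manifest (catches silent corruption)
    cp "$archive.manifest" "$scratch/.manifest"
    if ! ( cd "$scratch" && sha256sum -c --quiet .manifest >/dev/null 2>&1 ); then
        echo "DRILL FAILED: restored data does not match manifest: $archive"; rm -rf "$scratch"; return 1
    fi
    echo "DRILL OK: $archive restored and verified in $(( $(date +%s) - start ))s"
    rm -rf "$scratch"; return 0
}
# Demo: a good copy, a truncated copy (bad media) and a silently altered copy.
work=$(mktemp -d)
make_backup "$work/data" "$work/good.tgz"
head -c 64 "$work/good.tgz" > "$work/truncated.tgz"
printf 'ledger 2010-11 EDITED\n' > "$work/data/ledger.csv"
tar -czf "$work/altered.tgz" -C "$work/data" .
for copy in truncated altered; do cp "$work/good.tgz.manifest" "$work/$copy.tgz.manifest"; done
for copy in good truncated altered; do
    restore_drill "$work/$copy.tgz" || true   # keep going; each drill prints its verdict
done
```

Only the first drill passes; the truncated copy fails at the read step and the altered copy fails at the manifest check, which is exactly the kind of failure an untested tape hides until the real incident.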
2. NAB computer glitch
In the Australian Financial Review on Friday 26 November 2010 there is an article entitled “Millions unpaid in NAB system crash”. This so-called computer “glitch” at NAB has meant that many people have been unable to get funds from their ATM and many funds have simply not been credited to clients’ accounts, affecting more people than you would think because NAB undertakes some banking processes on behalf of other financial institutions.
This leads me to ask what happened to NAB’s risk management system. A computer “glitch” is one of the most obviously foreseeable events that might happen to a bank. I would have thought that the bank would have had a business continuity plan, disaster recovery plan or back-up system ready to click into place as soon as the problem was discovered. Obviously not, or it did not work. Maybe this time it will be just a legacy system issue and it will invoke new investment in banking systems. Why didn’t the auditor or risk analysts pick up this risk and insist that it was mitigated? Maybe they did and they were ignored by the business?
It is unclear so far how an organisation with the resources of a major bank could not only have allowed the glitch to occur but, at least as importantly, did not have a risk management mitigation strategy in place that worked to allow it to handle the issue seamlessly. I am sure that when this is finally sorted out by the bank there is going to be a major review of its risk management systems and the introduction of a regular testing regime. More likely, the IT people will be blamed by the business and a few backsides kicked, but what if the regulators investigate? What impact could that have on their reputation and bottom line? Was that considered in their strategy?
Many companies, especially outside the top tier, do not take formal risk management seriously. This is like playing Russian Roulette with the business. You can get away with ignoring the risk of potentially adverse events happening for so long, but eventually one of them will happen and, depending on which one it is, it could easily be terminal for the business, as Russian Roulette always is for one of the participants.
Even for those companies that do have risk management strategies in place, it is important to understand that the intellectual process of developing the strategy, putting it and the mitigation measures in place and then just ticking it off regularly is not sufficient. The recovery processes for all potentially significant adverse events should be tested regularly. Although this takes up time and resources, these are usually quite small when compared with the effect on the business of not being fully prepared, like NAB, when the actual event occurs. Risk management strategies and assumptions need to be constantly reviewed and kept in line with business changes and market conditions.
Boards, shareholders, stakeholders, regulators and customers will judge you if things go awry. Risk, compliance, business continuity and disaster recovery are certainly not sexy boardroom topics, but they are an essential element in today’s business world. I insist on it in every board position I take. I don’t want a ticking bomb ignored.