Wednesday, April 21, 2010


“Write about models” a close personal friend urged. “Everyone loves models, of one type or another.”

In business we all need to make a profit in a sustainable manner, to verify that the contribution we make in our chosen arena has validity. Doing it right the first time reduces costs, adds to the sense of legitimacy and promotes an air of satisfaction within the operation. It’s good for team morale and serves as a platform for greater challenges.

Let’s look at business risk or compliance models, call them what you will, in plain language (given the target audience) and without reference to complex formulae. Models have to be legislation compliant including, amongst others, King III and the 2008 Companies Act.

It’s all about the emphasis though, which manifests itself in the company culture. Some aspects of the two hypothetical extremes are highlighted; more factors could be added. Before proceeding, please note that risk tolerance does not always partner customer-centricity; many permutations arise in real life. The linkage is being used in this article as a space saving mechanism:

Model 1 – Risk averse / organisation-centric.

  • We are coming from a long history of corporate power and will only deal with those who cannot challenge us effectively.
  • We start with our structures, processes, procedures and return expectations and address our supply-driven (push) customer interactions later. It’s an intermittent process; we change when we are forced to.
  • Protection of our triple bottom line earnings is our biggest risk(s).
  • We use the ‘tough love’ principle on our staff who, through our leadership example, will then apply similar tactics to our customers.
  • We ignore our customers’ views; we know what’s best for them. Where else are they going to go anyway, to our friends down the road?
  • We prefer to de-emphasise business risk. Risk and Disaster Recovery planning is dealt with by the Audit Committee, the Compliance function, the Insurance Department and damage control is handled by the Corporate Communications Department. There is no Chief Risk Officer, Risk Manager or service quality standards or controls. We have flatter, simpler structures this way and reduce our expense ratio accordingly.
  • The savings we gain by taking a minimalist approach to governance and risk, along with the confrontational tack with staff and customers, are used to outsource almost all potential risk exposures and/or increase profit. Any funding shortfalls are passed onto our customers with the minimum of notice, regardless of the economic climate. This approach has worked for us for decades.

Model 2 – Risk tolerant / customer-centric.

  • We are coming from a long history of corporate power and are prepared to adapt our operations to prosper within the changing business environment, where customers and regulators have the power to inflict serious financial or reputational damage.
  • We’ll start with customer / stakeholder expectations, structure ourselves accordingly and reap the concomitant benefits from our demand-driven (pull) approach. It is a continuous improvement process.
  • The development of a satisfied customer / stakeholder base is the best prospect for sustainable success. Whatever interferes with the servicing of our income base represents our biggest risk(s).
  • We will recognise our customers’ and stakeholders’ views, especially staff, as a free source of potential sales, risks and opportunities. Customers generally know what they want even if they don’t know how to describe it and, if we supply it before our competitors do, then we will be seen as a market leader. If we don’t then our so-called friends down the road will take our best customers and staff, those who are prepared to speak up.
  • We actively manage our business risks to local and international best practice standards. The Audit, Risk and Compliance functions are separate. They interact freely, authenticate each other’s work and are represented on the Audit Committee. All functions have the means to report serious incidents or potential hazards to the Board, and/or external authorities if required, independently of Executive management. Business Continuity planning (BCP) is the direct responsibility of Executive management using input from all functions. The BCP is tested at least annually in one or more functions or branches of the company. The BCP includes draft stakeholder communications for distribution by formally authorised staff.
  • We have confidence in our ability to manage our actual and potential risk costs. Therefore we take a substantial self-managed deductible on all outsourced risk mechanisms. This reduces primary risk costs and secondary money-swapping administration expenses for us and our business partners, without greatly increasing our exposures.

Model 3 – Risk / Customer neutral or ambivalent.

  • All stops between models one and two, by design or inertia.

Corporate Governance came into being because there is an international need to prevent further power abuses, both major and minor. Corporate SA now has an opportunity to polish its image, to be the quintessential model citizen, in more ways than one.

Is there a better way though? Are refinements possible within the current system?

The King III guidelines are some of the best available so far. I favour the model 2 manifestation described above, as it is more likely to achieve the legislated aims and quickly adapts to further legislation, such as the 2008 Consumer Protection Act due for implementation in October 2010. I would prefer to be their customer or staff too. The difference is not so much in the structure though, it’s in the attitude. Extinction behaviour, ignore it and it will go away, works on people and opportunities, but not risks.

Call it tinkering if you like but the positive side of risk management is rarely seen or acknowledged. A quick and simple way to remedy this situation is to change the title of the Chief Risk Officer (CRO). Chief Risk Reward Officer is a more apt descriptor. You could probably think of an even better title. It immediately gives licence to the incumbent to deliver on a broader range of business options and clearly demonstrates to internal and external parties a more healthy, balanced portfolio approach.

It is also more realistic for the business to have a cost centre with an income and profit potential. It would be a more attractive prospect for candidates too.

Before closing, I believe that there will be an onus on private equity and non-profit business to demonstrate controls, including risk management, to those who deliver the annual audit or audit review opinion on your ‘going concern’, even though these two business entities are specifically excused from some of the provisions of the 2008 Companies Act.

So which model will you adopt to comply with King III, the 2008 Companies Act and other new legislation? Will you miss the business opportunities that come your way because of your structures, titles, attitudes or some other distraction?

Paul Brightman - ART (Pty) Ltd.

Creators of Risk Therapy.

+27 (0) 83 708 3634 & +27 (0) 11 646 2777.


ART is an authorised Financial Services Provider - FSP16339.


There is no doubt that a million years from now our individual lives and actions will prove to be of little lasting significance. Nevertheless, we are destined to promote our immediate personal interests to the best of our abilities. Have you dwelt on the best way to achieve this? There are many solutions of course.

The intention of this opening statement is to sharpen the focus on the here and now; also to reveal the individual’s exposures in a broader society or in regulated self-interest vehicles such as companies. We should not consider ourselves immune to, or shielded from, the effects of large positive or negative events, either because we are not the boss or responsibility is not specified in our job description.

What is meant by ‘risk is personal’ and what does this mean in our lives? There are many factors for us as individuals to reflect on; here are a few of them:

  1. Many of us shy away from thinking about the personal impact of the risks that we encounter in a group, team or association. Why confront such potential nightmares if we don’t have to? In SA as in many other countries, there are many more pleasant distractions. We tacitly encourage ourselves to escape our responsibilities by saying it is not our problem. This is neither true, nor does it encourage constructive behaviour! A useful motivator for new legislation then.
  2. ‘Corporate Risk’ is a convenient yet obfuscatory umbrella label which some use to shield or obscure the responsibility and personal exposure of the individual. Gone are the days when consumers have no rights.
  3. Corporate Governance standards were established for various reasons. One of these was because some individuals conducting business, not just in corporations, thought that certain laws, rules or morals didn’t apply to them.
  4. Ignorance abounds in the field of Corporate Governance / Risk Management legislation within the numerous levels and functions of business. What are your latest responsibilities, more work for the same pay no doubt, but what are the longer term benefits?
  5. Lucrative business models recognise and reward positive individual and team performance success over a prolonged period when compared to the market average. Where would you prefer to be?
  6. New legislation increases the reporting responsibilities and accountability of directors and officers in business. If you are not directly affected by this then you can guarantee that the individuals who are will surround themselves with hand-picked support staff. Would they choose you to contribute to their teams?

You can debate or ignore the above points if you like. However, it would be madness to believe that when your employer or team encounters a major problem, that you would remain magically insulated from the effects. To put it more simply, if they lose, you lose too.

The tide is turning. We are quickly approaching a tipping point of sorts; transparency is coming into the practice of business regardless of size. Logically this means that there will be knock-on effects for individuals too, the primary one being the need to take responsibility for your actions.

So where to from here? We are faced with the usual choices: to buy in and self-improve; to ignore it, do nothing and hope it goes away; or there’s always the King Canute option, to demonstrate through our activities that there is nothing we can do to stem the tide.

To close on a positive note, I heartily recommend that you choose to give yourself the best chance to win the business evolution race and adapt to your changing environment.

Paul Brightman - ART (Pty) Ltd.

Creators of Risk Therapy.



In 2010, all business owners in South Africa will be given a choice within the new Companies Act legislation and King III Commission guidelines, to ‘comply or explain’ their position on formal Risk Management processes. Similar legislation is being or has been enacted in many parts of the world; yet another global phenomenon. So far so good, but what are the issues?

  1. There are far too many business entities in SA for the authorities to quickly and effectively police the implementation of legislation.
  2. Risk Management is generally perceived as a costly, time-consuming, complex and boring issue; greyer than insurance.
  3. Ignorance abounds regarding Risk Management and legislation relating to it.
  4. Expertise and solution suppliers are few and generally expensive.
  5. Business owners are in the higher pressure section of the business cycle, mainly due to economic circumstances.

So Risk Management could end up being treated as a dull cousin of AIDS and global warming, but with far fewer supporters, denialists and activists.

There are some positives though:

  1. We all practise some form of Risk Management, usually informally.
  2. You can discover business opportunities in the process.
  3. Corporate and Government operations will not escape scrutiny and will tend to deal with those entities who share their protocols, imperatives and cultures.
  4. There is a social police force to comply or explain to as well as the regulators; you, your family, shareholders, customers, suppliers, banks, insurers and so on. The list is long.
  5. This is an international business initiative with a sound logical and intellectual foundation.
  6. Business risk assessors such as banks and insurers can supplement existing information requirements with Risk Management profiles.
  7. The practice of Risk Management gives you a semblance of control, enabling you to ‘thrive not survive’ in the business cycle.
  8. Support systems are available from as little as R3,500 per year, including VAT.

So the choice to exercise this preferred and legislated business imperative is to some extent in your hands, in the same way that your risks are your own. You can expect pressure to adopt formal Risk Management practices from other stakeholders over time though.

Will you be complying, explaining or embracing Risk Management in 2010?

Paul Brightman - ART (Pty) Ltd.

Creators of Risk Therapy.