Iaccm Risk Slides

Page 1: Iaccm Risk Slides

Making sense of Opportunity and Risk.

Strategy, Tactics and Practice.

Tim Cowen General Counsel & Commercial Director, BT Global Services & Chairman, IACCM

Making sense

Page 2: Iaccm Risk Slides

• Risk is everywhere: how can we make sense of the risks in the world around us? How can the Commercial community add value?

• Strategy, Tactics, Practice.

• Benefits include:
– Security,
– Resilience,
– Opportunity... and profit

Generally

Page 3: Iaccm Risk Slides

WEF, GLOBAL RISKS 2007, Correlation Matrix

Page 4: Iaccm Risk Slides

Risk?

Page 5: Iaccm Risk Slides

Strategy

• Core vs non-core (but include critical and context).

• 5 Forces:
– Bargaining power of Customers,
– Bargaining power of Suppliers,
– Threats from Substitutes,
– Barriers to Entry,
– Rivalry among Competitors.

• Focus on clear strategic goal(s).

• Decide what activities are internal, external, co-venture, etc: what is the apportionment of risk and incentives in the relationship?

• Ensure that contracts address the risks in the 5 forces, so that business risk (execution risk) is addressed through processes effectively linked to Governance.

Page 6: Iaccm Risk Slides

Tactics: 3 M’s of Commitment Management: Make, Meet & Manage.

Making a commitment: define who does what.

Meeting a commitment: define metrics and KPIs, reporting, anticipate disputes.

Managing a commitment: provide positive incentives and constantly reinforce the positive. Change what does not work (early).

Risk Sharing and Relationship management are (as/more?) important than the contract. Think about what would happen if the contract fails, but manage the relationship.

Page 7: Iaccm Risk Slides

Tactics: (Intelligently) Apply Best Practice Process

• Best practice process can reduce risk and improve profit: but all processes require constant testing and upgrading, not slavishly following.

• Inflexible “Rules based” compliance regime results from:
– Complex regulatory and governance regimes
– Shift in public expectations of CSR
– Added to by uncertainties:
  • Credit Crunch, competition, open markets; new competitors; new ideas…

• Inflexibility or 'risk blindness' will result in the loss of competitiveness.

Page 8: Iaccm Risk Slides

Tactics (Execution)

Definition of core and non-core: core+critical, core+context; and non-core+critical, non-core+context.

Many develop principles and processes to identify who does what, whether internal or external, whether out-tasked or outsourced, off-shored or near-shored, on a contract for service (employee) or a contract for services (supplier). All need to be reviewed and risk taken, allocated or shared.

Many think terms and strategies simply shift risk to trading partners.

Creates confrontation, disputes and fear. Fear feeds failure: lack of openness undermines trust.

Lack of incentives for information exchange, lack of spirit, confidence and innovation.

Page 9: Iaccm Risk Slides

Buyer power and its challenges: Public Procurement

Shifting Risk to suppliers in public procurement contracts is economically inevitable since government often has buyer power. It undermines the Single Market. Procurement law designed to address this but has it succeeded? Rand/IACCM study.

No Government give in to temptation and shifts risk to suppliers. 2 important effects:
– directly affects expected returns from participation (especially to risk-averse bidders or those with limited access to credit/capital);
– create adverse incentives within the contract to assess, manage and minimise risk. (Civil Servants think about the Select Committee).

Flexibility and proportionality in assignment and interpretation are important in ensuring that parties achieve optimal (or at least workable) allocation.

Liability assignments should balance risk tolerance with the ability to manage, minimise or mitigate risk.

Current practice may inhibit efficient risk sharing, distort innovation incentives and systematically deter the best suppliers or solutions.

Rand Report, 2007

Page 10: Iaccm Risk Slides

Practice: Risk v Opportunity

• Recent IACCM “Risk Maturity” survey confirms that risk management remains too focused on avoiding failure, rather than delivering success.

• 55% of respondents feel that their risk analysis takes greater account of 'adherence to the corporate compliance process' than it does to the needs of the market.

• Who reviews processes on an END TO END basis? 3 lines of defence: management, legal/commercial, and audit. (PWC).

Page 11: Iaccm Risk Slides

Practice: Regulations and compliance require global coverage

United States of America:

• FCRA 1970
• PA 1974/1975
• RFPA 1978
• CTVPA 1984
• ECPA 1986
• VPPA 1988
• DMPEA 1999/2000
• COPPA 1998/2000
• HIPAA 1996/2002
• Sarbanes-Oxley
• FSMA/GLBA 1999/2001
• DITSCAP
• NIACAP

Canada:

• The Privacy Act 1983
• PIPEDA 2001

Mexico:

• eCommerce Act 2000

South America:

• APPD 1998 (Chile)
• PDPA 2000 (Argentina)

UK and Ireland:

• DP (A) A 1995/2003 (Ireland)
• DPA 1996/2000 (UK)

Scandinavia:

• FDPA 1995/1999 (Finland)
• DPRA 1978, APPD 1995/2000 (Denmark)
• PDPA 1995/1998 (Sweden)

Pan Europe:

• LPPLRPPD 1992, DPA 1995/2001 (Belgium)
• FDPA 1995/2001 (Germany)
• DPA 1995/2000 (Austria)
• EUD 1995/2002 (Luxembourg)
• PDPA 1995/2001 (Netherlands)
• ADPDFIL 1978, EUD 1995/pending (France)
• DPA 1995/2000 (Spain)
• DPA 1995/1998 (Portugal)
• PIPPD 1995/1997 (Greece)
• PIPPD 1995/1996 (Estonia)
• PIPPD 1995/1998 (Poland)
• PIPPD 1995/1998 (Slovak)
• PIPPD 1995/1999 (Slovenia)
• PIPPD 1995/1999 (Hungary)
• PIPPD 1995/2000 (Czech)
• PIPPD 1995/2000 (Latvia)
• PIPPD 1995/2000 (Lithuania)

Asia Pacific:

• PA/PA (PS) A 1988/2000, 2001 (Australia)
• Privacy Act 1993 (New Zealand)
• Personal Data 1996 (Hong Kong)
• CPPDP Law 1995 (Taiwan)
• eCommerce Act 1999 (South Korea)

Cross Geography:

• Basel II (International Convergence of Capital Measurement and Capital Standards – Revised November 2005)
• ISO 27001 Standard

Page 12: Iaccm Risk Slides

Practice: Benefits of Trust

• Reduced costs
• Enhanced brand and reputation
• Gain business integrity through business security
• Implement secure communication and management strategies
• Collaboration internally & externally
• Improved productivity and job satisfaction
• Protection of customers’ data
• Increased financial transparency

Page 13: Iaccm Risk Slides

Practice: Common Risk Perception Problems

People exaggerate spectacular but rare risks and downplay common risks.

People have trouble estimating risks for anything not exactly like their normal situation.

Personified risks are perceived to be greater than anonymous risks.

People underestimate risks they willingly take and overestimate risks in situations they can’t control.

People overestimate risks that are being talked about and remain an object of public scrutiny.

(Bruce Schneier, Beyond Fear (1))

Page 14: Iaccm Risk Slides

Flawed Approaches Lead to Poor Risk Management

Examples

1990’s, BSE in the UK:

Scientific advisory committees were revealed to be overly assumptive in their approach to risk issues, unable to recognize and address areas of uncertainty, open to political and market influence, and overly defensive of mainstream scientific opinion in the face of criticism. As a result, scientific advice was incorrect in its risk assessment of BSE and in the regulatory advice which was derived on this basis. (2)

August 2008, Hope Cove, South Devon:

A volunteer coastguard crew face disciplinary action after going to the rescue of a teenage swimmer in a boat that had recently been repaired and was awaiting a seaworthiness inspection. (3)

Currently – the credit crunch:

Disproportionate impact of sub-prime lending. Inadequacy of existing financial regulation. Fragility and interdependencies of the financial system have been exposed. Moral hazard implications where central banks act as lenders of last resort.

Page 15: Iaccm Risk Slides

Practice: Benefits of risk resilience

A risk resilient organisation is able to:

– make informed risk-based decisions

– conduct strategic risk-testing and analysis of level of risk associated with key strategies and objectives of the business

– respond to risk management codes/regulations and related conformance requirements

– identify, assess, and manage the level of political risk inherent in a company's international business activities

– understand how its systems, network and people can be both vulnerable spots and points of defence against risk

– quantify and measure the magnitude of the risk and its impact on the business in financial terms.

Page 16: Iaccm Risk Slides

Practice: the links to Corporate Governance

Turnbull Guidance

Sarbanes-Oxley

Assessment and disclosure of risk to shareholders

Page 17: Iaccm Risk Slides

Practice: Companies tend to focus too much on price but customers also require quality and continuity which makes company collaboration with suppliers essential to effectively manage risk

Rob Handfield, Bank of America University (5)

Page 18: Iaccm Risk Slides

The Role of the Commercial and Legal Community in Practice

• Varies

• Typically to address and mitigate risk through contract

• Raise strategic issues on contracts with both Suppliers and Customers (often critical to joint ventures and other forms of risk sharing).

• Apply the law to the (full) facts, awareness and training.

• Ensure that management understands the risks (and the rewards)

• Provoke accountability for risk registers, identification of risk, action owners and timetables, so that contracts work in the real world?

• Discharge legal obligations to shareholders under Sarbanes-Oxley (depending on whether caught by the rules). However, these rules are designed to mitigate risks for investors and only ask a simple question: Can you show what has been done to address the risks facing the business?

Page 19: Iaccm Risk Slides

References

1. http://www.schneier.com/blog/archives/2006/11/perceived_risk_2.html
2. http://www.defra.gov.uk/Environment/risk/policymaking0509.pdf
3. http://www.timesonline.co.uk/tol/news/uk/article4534934.ece
4. WEF, Correlation Matrix, http://www.weforum.org/pdf/CSI/Global_Risks_2007.pdf
5. IACCM Americas Conference 2007, Supply Chain Risk