Michael D. Moberly   July 28, 2010

It’s common to hear experienced risk managers express the view that its impossible to eliminate all risk.  To that I say, perhaps it is possible, however the actions one would have to take - undergo to eliminate all risk would, for most, be far too draconian and require virtually no interaction which essentially renders the statement moot insofar as businesses are concerned.

First, it’s important to define ‘risk tolerance’ and the various ways in which it can be determined - assessed, i.e., by an organization’s:

1. Experience - the level of a company’s current knowledge pertinent to - necessary for the successful management of a particular risk.

2. Resiliency - the level of residual strength and/or asset fragility within a company’s base of financial, physical, or intellectual resources should a particular risk materialize or cascade.

3. Flexibility - the ability of an organization to positively respond (apply mitigation measures) to an array of (identified) risks in a timely manner to elevate the probability that a previously agreed upon (accepted) level of business operational continuity is sustainable should a particular risk actually materialize.

So perhaps the next logical question to ask is why should management teams, boards, and companies in general, tolerate risk?  The answer, in my view, is not so much that risk is an inherent aspect of doing business, rather, it’s that organizations tend to tolerate risk because:

1. The level of risk is deemed (assessed to be) so low in terms of probability, vulnerability, and criticality that specific treatment (risk mitigation initiatives) are neither appropriate or necessary given a company’s available resources.

2. The nature of the risk itself is such that there are no available treatments or perhaps the risk, should it materialize, falls outside the capabilities of an organization/company to actually mitigate.

3. The cost of risk mitigation (the treatment), including insurance costs, is excessive, relative to the benefits, making ‘risk toleration’ the only, or perhaps the most viable option.  Such circumstances often arise with risks that are assessed as being a low priority in terms of probability, vulnerability, and criticality.

4. The (business) opportunities presented (become available) outweigh the threat, i.e., the vulnerability, probability, and criticality should a risk actually materialize) to the point that a management team and board can justify (rationalize) assumption of the risk on behalf of the company.

(This post was inspired by the work of Dr. Marc Siegel related to organizational resilience.)

The ‘Business IP and Intangible Asset Blog’ is researched, written, and produced by Mr. Moberly to provide insights and additional and sometimes alternative views for company management teams, boards, and employees to aid in identifying, assessing, valuing, protecting, and profiting from their intangible assets.  I welcome and respect your comments and perspectives at m.moberly@kpstrat.com.

Michael D. Moberly   June 22, 2010

A first, and very important step toward developing a ’risk intelligent company’ is recognizing that risk is not solely an external phenomena, i.e., all risk emanates from outside the company. 

A second, and equally important step in developing a risk intelligent company comes from recognizing that company value can be favorably affected by integrating - merging risk management and human resource management.  The rationale for doing this lies in the reality that a significant percentage of (company) risk actually evolves from - is inherently embedded in employee behavior and actions, which includes the management team and board.

In other words, according to Deloitte’s, The People Side Of Risk Intelligence: Aligning Talent And Risk Management, risk touches virtually every aspect of employee (HR) management, and employees touch virtually every aspect of risk management.  Is there no better reason to develop a risk intelligent company culture?

Effective risk management (and a risk intelligent company) Deloitte suggests, executes at the point in which the following converge:

1. Risk Governance - how a company treats risk and assumes responsibility for risk oversight and strategic decision making…

2. Risk Infrastructure Management - how a company assumes responsibility for and understands how to design, implement, oversee, and sustain a risk management program…

3. Risk Ownership - employees knowing what their risk responsibilities are, i.e., they assume (some)  responsibility (ownership) for identifying, measuring, monitoring, and reporting risk…

In light of the economic fact that U.S. businesses lose an estimated 7% of their annual revenue to various forms of occupational fraud, a risk intelligent workforce can be a very valuable (intangible) asset for a company, because one does not have to look far to see the adverse strategic consequences - affects on companies when they rely primarily on ’unwritten rules’ for how things get done and how, or if, risk is managed.

In a risk intelligent company (culture), management teams and boards assume an obligation to understand what those ‘unwritten company rules’ are and how they’re being interpreted-executed by employees.   A good starting point is (a.) to critically assess a company’s ‘unwritten rules’ by getting answers to the following  questions, and (b.) recognizing the questions’  relevance insofar as how they may serve to influence and perpetuate a company environment of unmanaged risk taking:

1. What (employee) behaviors are actually being rewarded?

2. Are company (employee) incentives (properly, effectively) aligned with the company’s risk management priorities?

3. Do all employees, including the management team and board, understand the companies risk management priorities, objectives, and the strategic reasons-rationales behind them?

Ultimately, becoming more intelligent (and objective) about company risk is an important and necessary prelude to creating a risk intelligent company culture wherein management teams and boards assume a responsibility for elevating and cultivating a company-wide awareness of risk that fosters risk intelligent behaviors at all levels.  It begins by:

1. Adopting a common definition of risk in accordance with national standards and best practices.

2. Clearly defining roles, responsibilities, and authority (for managing risk) with appropriate levels of transparency.

Lastly, it’s important to recognize, insofar as developing a ‘risk intelligent company culture’ that (a.) a change in (company) culture generally follows a (employee) behavior change, and (b.) culture and behavior changes are less a product of formal risk policies, controls, and pronouncements, than they are the result of effective incentives and rewards.

(This post was inspired by a paper produced by Deloitte titled ‘The People Side Of Risk Intelligence: Aligning Talent And Risk Management.)

The ‘Business IP and Intangible Asset Blog’ is researched and written by Mr. Moberly to provide insights and additional views for company management teams, boards, and employees to aid in identifying, assessing, valuing, protecting, and profiting from their intangible assets.  I welcome and respect your comments and perspectives at m.moberly@kpstrat.com.

Michael D. Moberly   June 21, 2010

In 2010, and for the foreseeable future, risk management must be about the interdependancy of companies intangible assets.  In the not too distant past, companies often had the twin luxuries of time and (geographical) space when dealing with risks-threats that materialized.  Time and space served as ’buffers’ for companies that routinely provided leeway insofar as how a company may elect to react (adapt) to the risk-threat at hand.  To be sure, in 2010, such luxuries no longer exist! 

In previous years, it was not always essential, nor expected, broadly speaking, for risk managers to have specific and individualized contingency-action plans in place to deal with each potential risk-threat that could possibly materialize.  Of course, there were many reasons (rationales) for this, among them being, risks-threats, when they did materialize, were less interdependant.  In other words, risks-threats could often times be compartmentalized or segregated, thereby mitigating the probability that adverse affects/consequence could literally ripple through an entire organization. 

Also, conventional risk management tended to be focused on protecing a company’s tangible - physical assets through insurance, i.e., risk transfer, in which pieces of a companies tangible assets would be insured vs. adopting a holistic perspective that included recognizing the highly interdependant nature and contributory value of intangible assets. 

But today, with 65+% of most company’s value and revenue being directly tied to intangible assets, it’s the interdependancy of a company’s intangibles, and the potential for almost instantaneous cascading affects, i.e., economic and competitive advantage hemorrhaging and undermining of asset value, etc., that must form the managerial criteria (starting point) for genuinely managing the varied and assymetric nature of company risk.

(This post was inspired by ’Surviving and Thriving in Uncertainty, Creating the Risk Intelligent Enterprise by F. Funston and S. Wagner)

The ‘Business IP and Intangible Asset Blog’ is researched and written by Mr. Moberly to provide insights and additional views for company management teams, boards, and employees to aid in identifying, assessing, valuing, protecting, and profiting from their intangible assets.  I welcome and respect your comments and perspectives at m.moberly@kpstrat.com.

Michael D. Moberly   May 18, 2010

This post describes strategies for making presentations to management teams and boards about mitigating business risks.  An important underlier to this discussion however, is to recognize that 65+% of most company’s value, sources of revenue, and ’building blocks’ for future wealth creation and sustainability today lie in intangible, not tangible assets.   Accordingly, in my view, business risk management today should be largely focused on intangible assets.

Unfortunately, as many risk management specialists know all too well, a disconserting, and often costly prelude to executing an enterprise wide (business) risk management/mitigation program, is for a risk to materialize in a company (or, a close competitor) that produces:

1. Significant and sudden hemorrhaging of value, revenue, brand, reputation, image, goodwill, competitive advantages, etc.

2. Adverse public, political, and/or regulatory spillovers that lead to even further and more long term hemorrhaging of market share and value.

When business risks do materialize, its common for previous expressions of disinterest to give way to setting a more receptive stage for a substantive committment to business risk management planninng thats particularly directed to sustaining control, use, ownership, and value of intangible assets.

I have found there are (generally) two factors that influence how business risks will be received (interpreted, assessed) by management teams and boards and ultimately influence their propensity for action, i.e., if the business risk is…

1. Presented in subjective vs. objective contexts.  Any tendency for risk advocates to over-dramatize a company’s vulnerability and probability, to the exclusion or minimalization of criticality, i.e., near-long term business impacts, will inevitably allow the decision to boil down to competing interpretations and assessments (vs. consenus) of the risk relative to the company’s vulnerability, probability, and criticality.  Therefore, an essential requisite to making a business risk presentation is to recognize that while management team and board may not be familiar with the intricies of current business risks/threats, they typically grasp the ’big picture’ and have already framed certain perspectives, albeit from their managerial - fiscal position.

2. Portrayed as a single occurring event rather than conveying the potential for multiple risks materializing simultaneously that produce enterprise-wide cascading affects that significantly elevate both the cost and challenge to stop the value, revenue, and competitive advantage hemorrahging that’s occuring.

I welcome - look forward to learning your perspectives.

Michael D. Moberly   March 8, 2010

In Stone v. Ritter (but also, In Re Caremark and In Re Disney) Delaware courts drew attention to board/director oversight (management, stewardship) of compliance programs and company assets.

As we know, court decisions carry the potential to serve as, if not broad precedents, at least as a basis for framing future tactical - strategic (litgation) arguments in similar cases.  The courts’ opinion in Stone v. Ritter, in my view, carries such potential particularly when board/director liability is at issue relative to the effectiveness, and even perhaps questioning how actually engaged boards’ were, in the oversight (stewardship, management) of a company’s compliance programs.

An inferrence I drew from reading the court’s decision (Stone v. Ritter) and Rebecca Walker’s fine paper titled ’Board Oversight of a Compliance Program: The Implications of Stone v. Ritter’, is that Stone will come to be viewed (applied) not so much for its specific focus on board oversight of compliance programs per se, as it will for bringing operational clarity to the definition of ‘board oversight’.  That is, describing the key elements - what constitutes (basic requisites of) oversight (e.g., stewardship, management) of a company’s assets, and by extension, its intangible assets.

And, when 65+% of most company’s sources of revenue, value, and building blocks for future growth and sustainability lie in - are directly related to intangible assets, bringing operational clarity to this increasingly critical arena is a good thing!  Particularly, that is, when the elements, as outlined below, will surely not be lost on, or overlooked by plaintiff’s counsel. 

Integral to this of course is enterprise risk management (ERM) and its perspective of being ’proactively defensive’.  Therefore, company management/leadership teams, legal counsel, and boards/directors in general, would be well served by becoming familiar with these elements to position themselves to more effectively address - meet boards’ (fiduciary) duties, i.e.,

 ’…ensuring the board is kept apprised of - receives accurate information in a timely manner that’s    sufficient to allow it and senior management to reach informed judgments about the company’s business performance and compliance with the laws…’  by

1. Expanding the type of information that boards receive.

2. Scheduling meetings with members of the management team to inquire about:

    a. how the company’s (internal, external) reporting system is structured

   b. the company’s investigation policies relative to suspected incidences of (internal, external) misconduct

  c. employee perceptions of the company’s reporting - compliance - audit programs, and sufficiency of employee training in this arena.

3. Structuring the company’s reporting (compliance) programs to include sufficient resources and authority for effective execution.

4. Examining the manner in which the company actually conducts risk assessments, prioritizes its risks, and actually addresses (prevents, mitigates) those risks. 

Michael D. Moberly   February 8, 2010

Not unlike other enterprise-wide (business) initiatives, advocates of, and those charged with implementing an enterprise risk management program will likely encounter some internal obstacles and resistance. 

Initially, ERM advocates should strive to achieve acceptance and consensus on the following two points, (1.) business risks are real, pervasive, and asymmetric, and (2.) business risks today extend well beyond financial risks to include intangible assets.

Its also essential for ERM advocates to recognize the importance of bringing a wide range of business and operational units to the (ERM) table’, all-the-while recognizing they will be inclined to conceive and portray (enterprise) risks narrowly to fit their interests, perspectives, and operating ‘turf’ as being the lynchpins to the company’s sustainability.  Entering initial ERM planning discussions absent a clear, respectful, and well articulated repertoire of dialogue geared toward elevating awareness and achieving consensus will likely exacerbate, not mitigate or ameliorate those obstacles, that resistance, and/or their ’turf protection’ inclinations.

The initial ERM planning discussions should especially focus on team member recognition that today’s business risks are seldom subject to compartmentalization or containment to single (targeted) business units.  Instead, business risks today are internally inter-connected and will likely produce cascading effects that ripple throughout a company posing particularly adverse affects on a company’s intangible assets, i.e., brand, reputation, image, goodwill, internal/exteral relationships, know how, etc.

An especially prudent (ERM) strategy is to avoid the common (risk management) pitfalls, i.e., subjective, and often times argumentative ’dark hole’ types of questions, i.e., proving a negative.  This can be best avoided by preparing business focused responses to the proverbial, (a.) if it (the/a risk) hasn’t materialized yet and adversely affected the company, why do you think it will now?, (b.) why should the company assign resources (beyond the very minimum) to try to mitigate risks that have yet, and may not ever materialize?, and (c.) if a risk does materialize, demonstrate how it will have the dramatic-adverse (enterprise-wide) affects suggested.

An equally important preparatory responsibility for the ERM team is to integrate respectful and well articulated business plans in the initial ERM planning.  This cannot be underestimated.  These plans should clearly (a.) demonstrate how ERM will favorably affect each business unit, (b.) objectively and dispassionately describe business operating options should ERM be rejected, and (c.) provide plausible return-on-investment metrics for decision makers should they elect to undertake-execute an ERM program, 

A key to successfully intergrating an ERM program, is getting the ERM team, business unit management, and company leadership to reflect on and recognize the universality of business risks and their rapidly cascading elements (ripple effects) as constituting the primary business rationale for ERM.  That is, converging business risks (enterprise-wide) to achieve collaborative, coordinated, and timely responses to truly prevent some risks from materializing, and effectively and rapidly mitigating other risks that do materialize!

(This post was adapted by Michael D. Moberly from a document produced by ASIS Internationals’ CSO Roundtable titled ‘Enterprise Security Risk Management: How Great Risks Lead To Great Deeds’.)

Michael D. Moberly   February 3, 2010

It’s prudent today to assume there are - will be risks embedded in every business operation or transaction.  And, since 65+% of most company’s value, sources of revenue, building blocks for future wealth creation and sustainability lie in intangible assets (IA’s) and intellectual property (IP), it’s also prudent to assume that IA’s and IP will be in play, that is, either or both will be integral and negotiated elements and/or features to those business operations and transactions.

In other words, intangible and IP assets can be sold, licensed, and/or transferred to other parties or ’shared’ with other companies in strategic alliances or partnerships.  In the latter (in enterprise risk management - ERM contexts) the assets’ holder/owner should expect the assets’ will be returned intact to the rightul owner/holder upon conclusion of the alliance/partnership. 

By intact I mean, (1.) the assets’ value, revenue producing capability, and ability to contribute to future wealth creation and sustainability has been sustained, (2.) no costly, time consuming, and momentum stifling disputes or legal challenges have been lodged or are on the horizon, and (3.) no circumstances have arisen in which the asset(s) have been infringed, stolen, misappropriated, counterfeited, and/or pirated (during the course of the alliance/partnership) that will undermine the assets’ contributory value, competitive advantages, and jeopardize the company’s continued (future) use of the asset!

Simply stated then, the key objectives with respect to intangible asset enterprise risk management, lie with…

1. company management teams executing relevant processes, procedures, policies, and practices to position their company (internally and externally) to identify, unravel, assess, and effectively utilize and exploit their IA’s through,

2. consistent and effective stewardship, oversight, and management of the assets so as to enable the company to,

3. sustain indeterminate control, use, ownership, and retrieval capabilities of the assets, and monitor their value and materiality and associated risks, in both pre and post operation and/or transaction contexts.

Embedded within ERM IA objectives, as conveyed above, are even more specific management and leadership ’skill sets’ which encompass the absolute need to acquire a genuinely holistic and ’big picture’ understanding and appreciation for the company’s business, its direction, and the globally interconnected business operations and transactions environment in which it operates.

(This post was adapted by Michael D. Moberly from a document produced by ASIS Internationals’ CSO Roundtable titled ‘Enterprise Security Risk Management: How Great Risks Lead To Great Deeds’.)

Michael D. Moberly   February 2, 2010

In 2010 it would seem to be a management team, board, and c-suite ’no brainer’ that enterprise risk management initiatives should universally encompass, without much argument or opposition, a company’s intangible and intellectual property assets!  

The full inclusion of intangible assets in ERM initiatives is epecially relevant today in light of the global economic fact (business reality) that steadily rising percentages (65+%) of most company’s value, sources of revenue, building blocks for future wealth creation and sustainability lie in - are directly related to the (a.) production, (b.) acquisition, and (c.) effective utilization of (a company’s) intangible assets and intellectual property. 

Taking this perspective one, and perhaps obvious, step further, it would also seem prudent, when the risks to those valuable, yet frequently fragile, assets are experiencing elevated vulnerability (probability) to loss, infringement, misappropriation, value erosion-dilution, and/or competitive advantage undermining, as they are today, that designing a position to oversee a company’s intangible asset risks would be an equally prudent consideration that would compliment management teams’ mounting fiduciary responsibilities for consistent and effective stewardship, oversight, and management of those assets.  

And, even more complimentary, the intangible asset risk positions’ overall performance (results, outcomes, and contributions, etc.) would be readily observable (transparent), measurable, and quantifiable.

At this point, risks to the intangible assets that a company produces and/or acquires is often spread, sometimes haphazardly and absent coordination or consensus, across an enterprise and subject to the sometimes subjective (risk taking) perspectives and spirit of business unit management.  While it is entirely imprudent to dismiss or disrespect the perspectives espoused by business unit management, stakeholders, and/or owners, it is true that efficiencies and effectiveness can be achieved when there is consenus and collaboration (enterprise wide) regarding the:

1. stewardship, oversight, and management of a company’s intangible and IP assets

2. abiliy to sustain control, use, ownership, and monitor the value, materiality, and risks to intangible and IP assets is articulated and understood as requisites integral to a company’s success, profitability, and sustainability.