In a world that has been on a multi-decade trajectory of ever-increasing globalisation and interconnectedness, society has become addicted to efficiency. Businesses have been centralising their processes, relying on just-in-time supply chains and offshoring to shared service centers to cut costs.
Redundancy, often seen as the opposite of efficiency, is perceived as a dirty word and an impediment to short-term profits. However, recent history has shown us how fragile the systems we created in our craving for efficiency and short-term thinking have become. Cutting intensive care beds in good times because “we don’t need them” invisibly makes you fragile to a health crisis. Shutting down a nuclear power plant because “we can currently meet power demand with cheap gas” makes you fragile to a supply shock. While chasing efficiency might improve your P&L, you are adding hidden risk and fragility. Complex systems (like organisations) need redundancy to survive and absorb shocks, hence businesses should embrace and embed redundancy to mitigate risk and increase performance in the long run.
The following series of articles tries to provide a different perspective on risk management by using analogies from real life that help to understand the role and importance of enterprise risk management. The series will also present ideas for dealing with uncertainty and randomness, propose adjustments to well-known risk management frameworks, explain how understanding and applying incentives is key to effective risk management, and show how to use first principles when solving complex problems.
Protiviti May 2022
At a Glance
- How incentives predict outcomes.
- Understanding the principal-agent problem through the lens of skin in the game.
- Why designing skin in the game is a pre-requisite for effectively mitigating risk.
“Let engineers and decision makers sleep under the bridge they built.”
Skin in the game — it’s all about incentives
“Show me the incentives, I’ll show you the outcome.” This is a quote from Charlie Munger, regarded as one of the all-time greatest investing gurus and known as the business partner of Warren Buffett. It helped Munger to assess Apple’s and Google’s incentives and outcomes to make his investment decision, but it can be applied to any situation: if you know people’s incentives, outcomes can be predicted.
A helpful tool for assessing incentives is the principal-agent concept of how much skin in the game a person has when making decisions or giving advice. The easiest way to explain this is to show examples of the inverse: not having skin in the game.
For example, a national politician living in the country’s capital and earning a very decent salary would like to be re-elected in the next election (maximum 4 years) to keep their job. This politician (their skin) is making decisions and implementing policies for less wealthy people living in the suburbs or countryside who are planning to live there for the coming 30 years (the game).
Or think of the doctor you consult about an annoying pain in your stomach. The doctor’s incentive is to get rid of the pain fast by prescribing some antibiotics, because otherwise you would blame the doctor for not taking action. The long-term effects of medicine, and of antibiotics in particular, are neglected at that time, as any future negative effects will not be attributed to the doctor, while the patient has to face the consequences.
Not having skin in the game is not problematic in itself, but unknowingly being exposed to advice or decisions from people or institutions who don’t have their skin in your game is. By being aware of and understanding incentives (and thus outcomes), you should be able to assess the value of the advice.
Let’s consider how this applies to Risk Management: Is the person making the decisions exposed to the risk or consequences of the outcome of the decision? Does the person have skin in the game? This completely depends on the incentive structure. If a CEO’s or Director’s KPIs are designed to focus on profit, (s)he will cut costs dramatically, which can produce some really impressive short-term profit gains, but also removes some of the redundancies that are vital for the longevity of the company. The CEO’s skin is not in the right game (company owners/shareholders). One of the most commonly used practices to deal with this principal-agent problem is providing part of the CEO’s salary in stock options which can only be exercised in 5 years, aligning the incentives of management and the shareholders, hence transferring the skin to the right game.
Often risk events do not emerge at the C-Suite level, but among middle management or other staff. Plus, we know that human error is a given, and thus should be expected and considered when designing processes and controls. That’s why Risk & Control frameworks exist: to identify, assess and mitigate potential mistakes, fraud or other threats. However, viewing the problem through the skin in the game lens shows that employees act and make decisions, but the shareholders bear the consequences. In reality, employees often do not see the risk, simply because they are not exposed to the consequences. This makes risk & control frameworks vulnerable if they are only assessed theoretically, without seeing the practical implications of this principal-agent problem.
You are probably thinking: but we are testing the controls, right? Yes, for controls that are considered not to operate effectively, staff are made responsible for remediating and mitigating the risk going forward. But how do you make sure they really care instead of doing the bare minimum for the sake of doing it? Are they exposed to the consequences?
Take as an example the Ancient Romans, who knew that aligning incentives is key to managing decision makers and humans in complex systems and organizations. Roman engineers who designed and built a bridge were obliged to stand under it while the first legion of Roman soldiers marched over it.
A common pitfall for organizations in managing their risks is ownership and responsibility. The majority of corporations have an organizational chart defined, describing reporting relationships and department structures. Processes and systems, however, typically spread throughout several departments and hierarchies. Who actually owns and is responsible for the process or application? Without defined process and system owners, no one owns it, hence no one is really exposed to the consequences of a process or system failure.
As an organization, if you want to achieve effective risk management, assessing and designing skin in the game with your staff is a pre-requisite. Let engineers and decision makers sleep under the bridge they built.