A conversation with Kurt Meyer, Risk Talk

A conversation with Kurt Meyer, risk management expert and co-CEO of Risk Talk

As part of ‘PwC 2019 Global Risk, Internal Audit and Compliance Survey’, we interviewed Kurt Meyer, risk management expert and co-CEO of Risk Talk. In an interview with Marc Buser, expert in governance, risk and compliance at PwC, he explained his approach as to how digitisation combined with the company’s feedback culture can lead to greater transparency.

What level of maturity do you believe digitalisation has reached in Switzerland?

As far as I can tell, the digitalisation process is advancing at a rather slow pace in Switzerland. There are often cases of partial digitalisation, which can be seen with isolated initiatives; individual employees or teams who are driving things forward in their departments. On the other hand, many companies still do not have a Head of Digital to steer digitalisation effectively throughout the company. Digitalisation opens up huge opportunities in risk management. But the benefits of a reliable decision-making basis, for example, are only reaped once it is been implemented across all departments.

What is your opinion of risk maps?

Today there are still a lot of risk management functions that are focused on quarterly interviews with the company’s managers. Risk maps are created on the basis of these interviews. This is indeed common practice and it also satisfies the regulatory requirements for many organisations, but what added value does it bring? In such a process, risks are often only identified and analysed when it is (almost) too late. In this case, risk maps therefore remain of limited relevance for company management and should be complemented with powerful instruments. The risk management function needs to be more closely aligned with operations.

You worked in the energy sector for a long time. Why is digitalisation so important in this industry?

A detailed answer would go beyond the scope of this interview. The energy sector is increasingly depending on the use of IT, just like other sectors. In the energy industry, for example, lines that were previously plotted on maps in analogue form are now recorded digitally. This forms an important basis for predictive maintenance, for instance. But this is just one of many areas. Digitalisation is also opening up new opportunities in risk management, with a shift towards integrated and near-real-time management of risks. Companies in the energy sector often operate critical infrastructure and need to ‘go the extra mile’ in risk management, as in high-tech Switzerland a functioning power supply is essential. I would like to emphasise, however, that risk management at companies in other sectors – even those that do not operate any critical infrastructure – can benefit hugely from digitalisation.

What kind of risk management is needed in a company that is essential for a country’s infrastructure? How can risks be detected early on and prevented?

On the one hand, there are natural disasters such as earthquakes, which are difficult to predict. On the other hand, there are man-made disasters, which in most cases could have been prevented – Fukushima, BP Deep Horizon and the Deutsche Bahn train crash in Eschede, for instance. In order to learn from these kinds of disasters and prevent them from happening in future, scientific research shows it is important to focus upon a handful of risk incubators. Finding these, though, is like searching for a needle in a haystack. The search requires ‘sensors’ within the company. One possible solution is ‘RiskTalk’, which enables employees to provide feedback on a continuous basis. This feedback is systematically analysed and adequate action is triggered. For example, following the ICE train crash in Eschede, it emerged that critical voices had been raised during the construction phase of the ICE train. Signals such as these need to be taken seriously. The flaws were detected before the disaster, but no adequate action was taken. The feedback therefore needs to be brought to the attention of the right people. And ‘talk’ – needs to be followed by ‘action’.

How do companies collect and evaluate their employees’ feedback?

Reporting systems exist in many companies, but they rarely work well. Whistleblowing often has legal consequences and therefore represents a major obstacle for many employees. A reporting system only works reliably if designed as a low-threshold service. One method which has met with a positive response is when people are able to provide feedback using an app on their smartphone. Such a feedback tool is always at hand. Empirically we have learned that an excellent user experience is important, and therefore it makes sense to reduce the user interface to the max. Nobody wants to fill in a long questionnaire. After digital feedback is recorded, the data are evaluated and classified and appropriate action is initiated. Are there any departments that hardly ever provide feedback? What are the reasons? Are the incentive systems misguiding? What’s more, employees should be kept continually informed about progress. Nobody will take the time to provide feedback if it is going to disappear in the ‘digital orbit’. If employees notice that their feedback brings about changes, they remain motivated to provide further feedback.

Does this mean you recommend getting employees more involved?

Absolutely. Such near-real-time data not only help the assurance functions, but also provide management with reliable insights. With the above-described bottom-up approach where employees provide feedback using an app, companies can create new transparency – although this needs to be welcomed. In one example, this kind of app helped to break down cultural barriers in a company and consequently triggered lots of micro innovations.

Ideally, digitalisation is driven top-down. It is essential that management fosters a feedback culture and creates an environment where all ideas and observations as well as errors and ‘near accidents’ can be reported and analysed. The financial crisis showed what can happen when critical voices are not heard. The focus was on shareholder value, a single-dimension value scheme. For risk management that is focused on increasing value in the long term, it is advisable to take all stakeholders into consideration. When investments are made in security, profits decline in the short term, for example. If a value system is embedded and understood within a company, this supports aligned decision-making. This is where companies’ codes of conduct come in. They define which values are important. But are they also understood and adopted by employees? This is difficult to ascertain. Surveys are a useful tool, although they do have a tendency to fizzle out. Thanks to technology, we are now able to establish whether and to what extent the values are adopted. For example, in one particular case management declared that security was the number one priority. Later they were very surprised when they found out that security was being neglected by employees because they had false incentives. Employees were so preoccupied with meeting deadlines that security took a back seat.

What role does risk management play in a company’s digital journey?

In general, risk management and assurance are often poorly integrated into digitalisation initiatives. They are sometimes seen as an obstacle, and there is sometimes a lack of ‘digital’ skills. Warnings are reported afterwards, when it is too late – this creates an image that does not fit well with a forward-looking digitalisation initiative. Furthermore, risk management is sometimes too far removed from the management team. Risks are identified too late or not at all. It is more helpful for risk managers to act as enablers rather than objectors. This is where PwC comes in. As a thought leader, PwC can demonstrate how departments can work together better and how risk management can be integrated meaningfully into important initiatives. In the digital era, it is essential that assurance functions (internal audit, risk and compliance, security, safety, etc.) harmonise their systems and exchange relevant data.

Is a digital approach vital for new start-ups in order to be successful?

Most start-ups harness the benefits of digitalisation from the very outset. Many of them are born with a digital idea, and many operate internationally. When virtually all assets are digital, it is easier to collaborate efficiently across international borders. In my experience, I know that digital tools help start-ups by enabling them to be better organised, but also by allowing them to be more focused on partners and customers. Most start-ups are founded by people for whom working in a digitalised environment is second nature. Those who don’t harness the benefits of the digital age will inevitably be at a disadvantage.

In your experience, who is the most important driver of digitalisation?

Ideally, the executive board and the supervisory board are the ones driving digitalisation. It is extremely helpful to create an environment that encourages such initiatives. An open culture and a lived values system are helpful too. From a pragmatic viewpoint, time and time again we see that simple digitalisation tasks have not been implemented because key people are overloaded, although in most cases these digitalised tasks would make their work much simpler. Risk managers should contribute more actively to digitalisation initiatives, or even initiate and lead them.