"I appreciated that Diana dedicated our Risk Management 'Personal Trainer' sessions to my top ERM implementation issues."
Lisa Farmer, Chief Risk and Compliance Officer, Alfa Insurance
If you have risk management systems but your people still haven’t embraced them, you are not alone.
In a May 2008 issue of RatingsDirect, Standard & Poor’s commented that enterprise risk management (ERM) remains “underfunded and underintegrated. At most firms it’s tucked away into silos with little top-level integration or silo-to-silo communication. ... Truly effective ERM requires not just a high-level manager - such as a chief risk officer - to oversee risk but also a companywide commitment to incorporate ERM into the firm’s strategy, governance, and culture.”
The challenge of adopting a culture of risk management extends to all sectors. A survey Risk Wise conducted earlier this year revealed that many government departments have not yet fully embedded risk management into their business practices. This is true despite having put in place frameworks and processes for integrated risk management.
Have your risk management efforts stalled when it comes to making risk management come alive in your business practices? If so, here are four catalysts that will help you to embed a risk management culture.
Be explicit about what needs to be accomplished, how, by when, and who is responsible for what.
In a recent Globe and Mail interview, Rick Hillier, Canada’s former Chief of the Defence Staff, listed the things that need to be in place for success. “A strategic vision of what we’re trying to achieve, articulate that, and articulate some of the milestones that would let us know when we’ve achieved that, then articulate the strategic road to get to it.”
The concept of having a strategic goal and measurable objectives is fundamental to risk management. You can’t begin to identify success and risk factors until you know what it is you need to achieve your objectives. In many public and private sector organizations, strategic objectives are more like a list of hopes and dreams than they are meaningful and measurable targets that both inspire and hold people to account.
ASK YOURSELF: Does my organization have clear strategic objectives with explicit measurable milestones? If people don’t know what they are working towards or how and by when they are expected to achieve their objectives, risk management cannot come to life in your organization.
These are the criteria for decision-making and they need to be determined before embarking on the process of assessing and weighing decision alternatives.
Author Peter Drucker said “a decision is a judgment. It is a choice between alternatives… Executives who make effective decisions know that one does not start with facts. One starts with opinions. These are, of course, nothing but untested hypotheses and, as such, worthless unless tested against reality. To determine what is a fact requires first a decision on the criteria of relevance, especially on the appropriate measurement. This is the hinge of the effective decision, and usually its most controversial aspect.”
Articulating risk appetite and tolerance sets the goal posts for risk-informed decision-making. Without decision criteria, it is easy to start with the conclusion and then look for the facts to support it.
ASK YOURSELF: Has my organization articulated its risk appetite and tolerance? If people don’t know what the criteria are for decisions, risk management cannot come to life in your organization.
If we define risk as events or conditions that create uncertainty around the achievement of objectives, then clearly, risk and performance are linked. To systematically manage performance requires developing an understanding of the relationship between the drivers of performance and risk, including the development of measures to track risk factors and quantify their impact on performance.
For example, imagine ‘knowledgeable staff’ is a key performance driver for a specific objective and the associated risk factors are the ability to hire and train staff to the required level of knowledge. If we notice a downward trend in the knowledge level of new recruits or that people are completing our training programs without achieving the level of knowledge required, we can intervene in a timely manner. But if we don’t know about or own up to the facts of reality, performance will inevitably suffer.
ASK YOURSELF: Has my organization linked its risk and performance indicators? If you don’t understand how risk can affect your objectives and don’t establish and track risk indicators, risk management cannot come to life in your organization.
Business guru Peter Drucker advises that the kind of decisions the executive has to make “are made well only if based on the clash of conflicting views, the dialogue between different points of view, the choice between different judgments.”
In his book Why Great Leaders Don’t Take Yes for an Answer, Michael Roberto explains that decision-makers need to foster conflict and dissent to ensure that the course of action selected enables the organization to achieve its performance objectives in a way that optimizes resources and balances risk better than all other plausible alternatives.
The risk discipline provides a range of methods to assess the alternative courses of action among which the executive must decide. This includes estimating the potential likelihood and impact on outcomes of each alternative and characterizing the underlying uncertainties and assumptions.
For a risk assessment process to be effective, it must bring to the surface all critical information for the decision at hand. This can’t be achieved if the organization has a culture of silence in which people are afraid to speak the truth. In the research for his book Good to Great, Jim Collins discovered that ‘great’ companies continually refine the path to greatness by confronting the brutal facts of reality. (Read this month’s Bonus Resource article to learn more.)
One of the biggest contributions you can make is to question how well your organization’s risk estimates reflect its particular reality. This includes distinguishing between the beliefs, opinions, and facts that go into any estimate of risk and ensuring that together they present an accurate and meaningful picture of reality. And it requires fostering a culture of inquiry in which frank and open discussion occurs about those beliefs, opinions, and facts.
Initial assessments of risks may have to be based on opinion, particularly when a decision takes you into uncharted waters about which you have little data or experience. However, to ensure that the risk discipline provides relevant information, risk estimates must be transitioned as quickly as possible to evidence-based measures. It is only through a commitment to uncovering the brutal truth of reality that one can distinguish between valid and invalid assumptions and guard against willful blindness.
ASK YOURSELF: Does my organization foster dissent and inquiry in its strategic decision-making? If the truth can’t be heard, risk management cannot come to life in your organization.
The Risk Wise bottom line…
These 4 catalysts are the fundamentals of effective decision-making espoused by successful executives and essential mechanisms to equip and motivate your people to adopt a risk wise management culture.
"It is so refreshing to read a newsletter that offers real solutions for risk management challenges."
Kinross Gold Corporation
Defining Your Taste for Risk (written by Rob Quail of Hydro One Inc. and published in Corporate Risk Canada magazine) is a 'must read' for any leader who is serious about applying risk appetite concepts.
The article presents a pragmatic approach for ensuring risk appetite informs decisions that involve defining or executing strategic objectives.
It's an excellent contribution to the literature on this important, yet often misunderstood topic.