Avoiding The Most Dangerous Mistake

February 2008 Issue

By Diana Del Bel Belluz, M.A.Sc., P.Eng.

"If you do not make any mistakes, you may not be taking enough risk, but failing to take any risks at all may be the most dangerous type of mistake that a business can make."

Robert E. Mittelstaedt, Jr., author of Will Your Next Mistake Be Fatal? Avoiding the Chain of Mistakes That Can Destroy Your Organization

Many of us in the risk management field are risk averse by nature. In my own case, I started my career in risk doing quantitative assessments on issues of public safety. And a safety mindset is all about preventing incidents. I’ve noticed that people who come to the field of risk management from an audit background also bring a mindset of control. They typically see their role as one of preventing deviation from approved processes and procedures.

The downside of this prevention mindset is that many of us risk managers are not comfortable with innovation and experimentation.
It feels too risky! So we try to design out any potential for mistakes in our risk management programs and implementation processes.

As risk managers, we should know that risk aversion is the most dangerous type of mistake we can make. Over the years, I’ve identified three common but faulty strategies that risk managers use as they aim for total control to protect themselves and their organizations from making mistakes. I’ve also found some simple antidotes.

MYTH #1: If I offer the ultimate risk management framework, everyone in my organization will embrace it.

I like to call this the ‘If you build it, they will come’ theory. In reality, this doesn’t work. Any new or improved management approach, no matter how elegant, never inspired anyone to change their behaviours and practices by the beauty of its design alone. People need a compelling reason to embrace change.

If you want your people to adopt change, you always need to be thinking "What’s in it for them?"
Or to put it another way, before embarking on any new risk management initiative, always ask yourself "What value does this provide for my people?" For more on this topic, see the feature article in the December issue.

I know of no case where a risk management framework, tool or program was ‘unveiled’ and then spontaneously adopted by a significant portion of the organization. The reason is that people need to work out for themselves how risk management can improve their decision-making and ultimately produce better results.

You can help them on this journey of self discovery by asking powerful questions
that will help them to connect the dots between the potential of the tools you are offering and the ultimate results they are seeking. Here are some examples of questions you can ask:

  • How can you leverage the risk management tools and training the organization is providing to achieve better outcomes?
  • How can you apply the new risk training to bring more balance and transparency to your decision-making processes?
  • How can the new risk assessment tools help you to address the uncertainties which influence your ability to achieve your objectives?

And most importantly, give your people the incentives, time and encouragement they need to cement their risk management learning into strong habits.

MYTH #2: I will introduce a comprehensive framework that covers all risks and involves everyone in the organization so that we manage risk perfectly all the time.

I like to call this the ‘Big Bang’ theory because it implies that a fully mature risk management program and culture can be introduced in one instant step. As the old saying goes, you can’t eat an elephant in one bite! I have seen more risk management programs fail to get off the ground or stall completely because the risk manager was aiming for a perfect and mature program right away. This is a recipe for failure.

Every successful enterprise risk management program I know of started with a modest initiative
and then built on that initial success, one small, incremental step at a time. There’s no magic starting point. Rather, it is a question of being opportunistic. The book ‘Risk Management for Dummies’ by Beaumont Vance and Joanna Makomaski does a great job of defining some basic and practical steps to get you started.

The key thing is to act
. As I like to tell my clients, you already know everything you need to know to take the next step towards enhancing risk management in your organization. You can conquer your fear of making a mistake by developing the action habit.

What is the action habit? Think about the single thing you can do today that will move your risk management program forward. Then do it. If that action is something that will also build your risk management capability and capacity over the long term, that’s a bonus because you’re acting strategically not just tactically. Strategic steps get you closer to your goals faster.

For example, if your organization is considering the introduction of a new product or service, offer to facilitate a risk assessment workshop. Use the workshop as an opportunity to train some key people in risk assessment techniques and to illustrate how risk management enhances their existing management strengths. You will have immediately expanded the organization’s capacity to conduct risk assessments. Then invite wider use of the techniques by asking the workshop participants how they might systematically address risk in their own decision-making processes. The next time you need to do a risk assessment, involve some of your previous ‘trainees’ to reinforce their learning. If you can get opinion leaders involved in teaching others, it will generate more buy-in for risk management.

The important thing is to take your best shot. Think in terms of small but meaningful steps. If your small step fails, learn from that and take your next step. Keep taking small, opportunistic steps. Pretty soon, you’ll have built up a strong risk management infrastructure and culture in your organization.

MYTH #3: If I plan carefully, the implementation phase will be mistake-free.

Avoiding mistakes can paralyze you. Many risk managers I meet are so afraid to make a mis-step that they never actually implement their programs. Instead they spend a lot of time coming up to speed on what systematic risk management is, then researching what other organizations have done, then cocooning for the planning stages while trying to come up with a comprehensive and mature program, only to move onto another position or career. Then, the risk management implementation task is handed over to a successor, and the cycle is repeated.

If this sounds familiar to you, take heart. You can break the cycle of paralysis by abandoning your attempts to plan the perfect program and instead focus on learning, i.e., continually adapting your plan so that it will move you closer to your risk management implementation goals. Notice that I am defining learning as adapting, not as an intellectual pursuit of acquiring knowledge. To convert knowledge to learning, you need to actually apply the new knowledge, and that means changing your behaviour.

In reality, all successful risk management programs evolve through a significant amount of trial and error. Yes you need an implementation plan. But keep in mind that a plan is only a guide. You will have to be creative to deal with the unanticipated opportunities and roadblocks that will inevitably occur once you begin implementation.

At The Conference Board of Canada’s International Risk Management Conference held last month, Larry A. Warner, Staff Officer of Risk Management at Mars, Inc. presented a great case study of the journey his organization has taken to establish Enterprise Risk Management. What struck me most about his presentation, was the number of times he made statements such as ‘we tried that and it didn’t work’ or ‘we used to do it a different way, but have found something that is simpler’. It was clear that Mars’ ability to adapt and adjust their approach was a key factor in successfully integrating enterprise risk management into their business practices.

The key thing to remember is that your organization is unique. Your organization’s strategic intent, its culture, and its distinctive mix of capabilities and competencies are all unique to your organization. As a consequence, your approach to risk management must be custom designed to suit your particular risks, management strengths and business environment.

As with anything that is custom-designed, there will be a certain amount of adjustment needed. As one of my clients, Harry Diemer, Chief Executive Officer of the British Columbia Safety Authority, said recently, "every situation is different. Don’t be risk averse because it will cut off your ability to innovate and be creative."

*

The Risk Wise bottom line…

To break the risk aversion habit
, form two new habits: action and learning. At the start of each day decide on a single small step you will take to move your risk management program forward. And then take action. If things don’t go exactly as planned, do not waste time and energy beating yourself up over it.

Instead, think of each day’s outcomes (successes and ‘mistakes’) as a source of new insights. At the end of the day, reflect on the opportunities for improvement and decide how you will adapt your risk management implementation plan to make it more effective.

This discipline of decide-act-reflect-adapt can be applied to your daily activities as well as to initiatives that have a longer timeline. The bottom line is that these action and learning habits will help you to avoid the most dangerous mistake -- taking no risk at all.

*

Tell me your risk management action stories.

  • What was your initial step?
  • How have you learned from your ‘mistakes’?
  • How have you evolved your risk management program and culture?

I appreciate receiving emails with your tips and success stories at diana.belluz @ riskwise.ca

Follow the links to:

Current Special Offers for Subscribers

The code to access the following special offer has been emailed to all Risk Management Made Simple Advisory subscribers:

  • SPECIAL OFFER: $460 off the full conference fee for Risk Management Made Simple Advisory subscribers on the Resilience 2017 to be held on April 24-26, 2017 in Edmonton, AB. (Subscribers have been sent the instructions on how to access this offer).  Not yet a subscriber?  Don't miss out, click here to sign-up for your complimentary Advisory subscription.

  • SPECIAL OFFER: $150 off the full conference fee for Risk Management Made Simple Advisory subscribers on the Canadian Privacy Summit 2017 to be held on May 2-3, 2017 in Toronto, ON. (Subscribers have been sent the instructions on how to access this offer).  Not yet a subscriber?  Don't miss out, click here to sign-up for your complimentary Advisory subscription.

Not yet a subscriber, but want to access these special offers?

When you subscribe to the Advisory, we'll send you the code for all current special offers along with a link to your New Subscriber Bonus, a copy of Moving Beyond the Risk Map to Operational Vigilance.

FIND OUT FOR YOURSELF why risk management leaders subscribe, click to access the ARTICLE INDEX of all past issues of the Risk Management Made Simple Advisory.

"I save and study each issue of the Advisory. I appreciate how Diana gives very practical advice and links it to fundamental theories and best practices." 

Sherrie Hyde, Risk Manager, Lutherwood

FREE DOWNLOAD

Moving Beyond the Risk Map to Operational Vigilance

Read more about the Risk Management Made Simple Advisory.

"It is so refreshing to read a newsletter that offers real solutions for risk management challenges."
Cathy Taylor
Director, Risk
Kinross Gold Corporation

Jump Start your risk management program.

Receive personalized advice from Risk Wise

See Details

Diana's Pick

Neuroscience and the Nonprofit Manager (written by Andy  Segedin and published in the NonProfit Times) shares some of the tips on how to counteract common biases and habits that impede effective decisions.

The article is based on a workshop that Diana Del Bel Belluz of Risk Wise presented at the 2015 Risk Summit organized by the Nonprofit Risk Management Center.