The Evolution of Risk
The companies included a large well-known communications company, a large highly technical corporation and one very well-known cancer charity, of which we will call company x, y and z respectively.
All three companies have a process in place that roughly mimics the PIMs (Probability/Impact Matrix) model. Company x had the most formally developed model and was seeking ways to be more flexible and provide their employees with the opportunities to allow for individual management of separate projects. Company y has a less formal approach to risk management, but there were still some processes that had been developed to get the message to executive management. Company z, the charity, had the least developed risk management system, yet it still found a way to successfully stay out of trouble. The conclusion? All models seem to work to some extent! So, how what do three very different risk models have in common, that equal success?
This is where the topic of risk almost broaches the science of psychology. If people inherent in a culture are tasked with a project, regardless of the level of formality of their risk model, they will take responsibility to make sure it gets done with a modicum of safety measures. They will protect their own. The only time risk becomes potentially damaging is when those risks are imposed on the environment unbeknownst to the people responsible for its execution. In short, the issue of risk, boiled down to its lowest denominator, is in fact, an issue of communication.
How you facilitate that communication is what is up for debate, and is the area in which best practice effort should be placed.
Risk Management is only as good as its organisation’s communication channels. Generally speaking, as long as executive management is made aware of every risk in the company, they will have control of insuring these risks have mitigation strategies in place. Furthermore, it is the top-down communication, from the executive level down to the divisions, that will enable those divisions to either protect the firm from those identified risks or expose them to dangers. Here is where we encounter a simultaneous need for bottom-up communication – those divisions must be intelligent enough to report the risks that are posed through their activities. If not, the risk can go undetected, leaving the company open for potential threat.
Executive management must also encourage risk management throughout the organisation. Without this expectation on its divisions, even the most risk-savvy in house lawyer will have his hands tied. For example, with one of the companies I interviewed, their executive management did not welcome any input form their divisions but made their own isolated assessment as to what the company’s main risks were. If a particular division thought that one particular risk was worth flagging, they could make the extra effort, but then they themselves risked being put on the spot and perhaps criticised for taking up executive management’s time for something that they thought was important. To me, this is an obviously narrow view and one that can easily cause the company to overlook risks that either pose significant risks or opportunities.
In order to get your divisional input heard at executive level, there must be an identified pathway to counsel them. If a division has to pave its own way and are expected to do so, it is arguably the fault of executive management if something goes wrong. However, let’s not get negative here. One must keep a positive outlook on things. So, if you are part of an organisation that expects you to spoon a tunnel to them, perhaps through gentle coercing you could help them see the need for their efforts as well.
The conclusion to all of this is that communication is a two-way street, it takes two to tango. What goes up must come down. The main tool that is needed to accomplish successful risk symbiosis is language itself – the parties involved in a risk dialogue must be speaking the same language. Has your organisation spent time establishing common parlance for high risk and low risk factors and how to measure or detect them?