Our attempts to improve our organization’s risk management effectiveness might not be working

It is one of the few facts that everyone in the business world agrees on: there is nothing more certain than uncertainty. It can be difficult to know what the future will look like but, anticipating what might happen in the future has become increasingly important in a so-called VUCA world (Volatility, Uncertainty, Complexity and Ambiguity if the expression is new to you). We are all reduced to dealing with uncertainty. So, the question is, what can we do about it? 

Well, in an ideal world, every organization develops its own activities and processes for dealing with uncertainty. Uncertainty is always present whenever we want to go in a direction from A to B, change the way we do things, innovate and develop something new, grow or achieve something we state as a goal. 

When it comes to dealing with the uncertainties of business objectives, organizations most often turn to risk management.

Through anticipation and better preparation, they can buy a little more time to adapt and respond appropriately. Over the past two decades, great strides have been made in the development of effective risk management tools and techniques. It’s now expected that the risks an organization faces must be addressed rather than ignored, and various standards, frameworks, approaches and best practices have been developed to help address these issues in a systematic and comprehensive manner.  Of course, there is no one-size-fits-all methodology for risk management and some degree of customization is always required.

Despite these advances, we continually see examples of how challenging it can be, to integrate risk management into an organization to the point that it makes a reliable difference: 

  • Fluxys (Energy – 2004): high-pressure natural gas pipeline explosion
  • Deepwater Horizon (Oil – 2010): largest marine oil spill in history
  • Volkswagen “dieselgate” (Car manufacturer – 2015): conspiracy to defraud
  • Belgium Air-traffic control (Air navigation – 2015): total power loss during UPS test at peak air-traffic
  • BNP Paribas (Bank – 2015): $9Bn fine for money laundering during the period 2004-2012
  • Good Food Chain deaths (Food retailer – 2019): Listeria outbreak cover-up leads to bankruptcy

These examples reveal that risk management failures can take many forms and strike any organization in any industry. When such spectacular failures occur, be it an operational incident, a fraudulent conspiracy, a strategic catastrophe, the question is often asked “Where was the risk management?”, when all of these companies and industries used risk management either through commercial practices or regulatory enforcement. Obviously, the results can be different than expected.  

Major failures almost always come at a surprising time

Consider the example of the Deepwater Horizon. The management responsible for the Deepwater Horizon had every confidence that tripping hazards had been properly dealt with and all staff on the vessel were aware of such dangers. Contrast that fact with findings in the subsequent incident report:

“Absent major crises, and given the remarkable financial returns available from deepwater (oil) reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency…There are recurring themes of missed warning signals, failure to share information and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down”.

National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling 2011 Report to the President

Major failures almost always come at a surprising time, even if they are half-expected. Is there a common thread in these cases? Absolutely yes. They clearly show that focusing on methodological or tactical risk management steps and processes is not thorough enough. There is something more foundational to consider. Those who attempt to use risk management in ways that really make a difference, face the ultimate challenge: getting people to think deeper about what risks are really like. 

Interested to find out more? Please visit www.riskcultureweek.com or watch the first of our related video segments (3 minutes) here: