Risk management effectiveness might come from a surprising direction

You’ll rarely hear it said out loud but the primary objective of most organizations is simply survival. This objective can be formulated in many different terms, such as profit, earnings, shareholder value, market positioning etc., but it boils down to one thing: the long-term viability of the company. This struggle to go on is exemplified by General Motors, the world’s biggest company for decades, right through until 1974. Yet in 2009 it filed for Chapter 11 bankruptcy. Survival is affected by uncertainty, which can destabilize every part of a businesses’ activities.  

All organizations must take risks to achieve their goals. Business leaders, with support from risk management practitioners, must examine the portfolio of short- and long-term threats and opportunities before them, to make strategic decisions that give the greatest chance that the business will continue to thrive, despite uncertainties. Some people describe this process of risk-based decision-making as an art, others see it more as a system to be followed.

Regulators have begun cautioning against treating risk management as a purely technocratic exercise of complying with requirements.

Regulation changes often follow several years after something has failed sufficiently badly that it has led to a public outcry and enabled a political reaction to coalesce, in an extended scheme of reaction. Being compliant is not the equivalent of mastering risk outcomes and regulators are recognizing that they have weakened the practice by focusing too narrowly on process and governance. This has meant that the people dimension of risk management – the science of decision-making, behavioural economics, biases and heuristics, have not received the attention and resources that would have led to better handling of uncertainty.  

When corporate failures occur, post-mortem type analysis often draws attention to how the workforce behaved, what shared assumptions they had, the description of activities or behaviours of senior staff that they believed were inviolable, or incapable of failing. It seem like organizations don’t die because of a lack of cash, or ideas or product quality – these are but symptoms, of a much bigger failure to recognize accumulating risks and to take seriously the harsh outcomes that would follow. 

The phrase “Too big to fail” embodies this dissonance and just how commonplace it is that a collective failure to think and act correctly is such a critical factor in the practice of effective risk management.  

The need to align risk management with the organization’s strategy, objectives and culture

At the international level, the ISO31000 risk management standard makes several references to the need to align risk management with the organization’s strategy, objectives and culture (the competing COSO standard says something very similar).

“Human behaviour and culture significantly influence all aspects of risk management at each level and stage”

ISO 2018

Put bluntly, for risk management to work, it can not be a copy-paste job of policies and methodologies. Meaningful integration of risk management must be customized around the needs and culture of the organization. This is discrete and often neglected aspect of the CRO’s work plan (and we speculate that this is because it is so hard to copy the work of others and there are no explicit frameworks for how this should be done). 

Yes, all organizations must take risks to achieve their objectives, but the culture that prevails within an organization can make it significantly better or worse at managing these risks. The problem with culture, as Walker and Soule (2017) suggest, is that:

“It is invisible, yet its effect can be seen and felt. When it is blowing in your direction, it makes for smooth sailing. When it is blowing against you, everything is more difficult”. 

Regulators and academics are urging organizations to consider how people behave in the face of risk and uncertainty, as a critical factor in the long-term survival of businesses. In short, this concept is called “Risk Culture”. ERM teams are responding to these signals and beginning to attempt to determine what the risk culture should be like as a subset of the wider organizational culture.

The concept is gathering momentum, experimental data is being gathered, bodies of knowledge are being formed. If you think your organization could do with some assistance in this area, get in touch with us to start a discussion.Interested to find out more? Please visit www.riskcultureweek.com or watch the second of our related video segments (3 minutes) here: