How do you make risk management work really well throughout the organisation? The following six steps will take the CEO and the company to an advanced level of effective risk management.
Step One: Give permission to talk about bad things. Whilst this sounds quite simple, it can be complex to achieve for many reasons, often cultural. The simple first step is to ensure that the message goes out from the CEO as an individual. Whether employees believe it or not is another matter. This will depend on the attitude and approach of the CEO when ‘bad things’ come up. If the response is balanced then there is a chance of cascading similar behavior down the organization. Never miss an opportunity to ask your managers and team “and what are the top risks associated with that?”
Step Two: Passion yes, emotion no. It’s tough getting to the top of an organization and sustaining delivery. Successful leaders are highly passionate about what they do and inspire their employees accordingly. When things go wrong or imminent risks are identified, it can feel like a personal affront. It’s tempting for the CEO or senior manager to lash out at the employee communicating or identifying the issue. Please don’t. The gossip of ‘who got it from the boss today’ goes round the company like wildfire and damages the chance of learning about future problems until they become obvious and perhaps deadly.
Step Three: It’s ok if the CEO is not Superman all the time. If the CEO looks permanently invulnerable and never makes a mistake then this behavior will be reflected by managers and employees. It’s good for the CEO to show, within reason, they are not omnipotent. Even if you do wear your underpants on the outside of your clothing, find ways to draw out the knowledge of your team, particularly in areas where you perceive increased risk. Don’t expect or supply instant solutions but allow time for debate. Of course, the CEO must ultimately be the accountable decision maker, but it is useful for good risk management to make that decision at the end of a conversation rather than at the start.
Step Four: It’s ok to be wrong – in the right way. When an employee identifies a problem or mistake there needs to be a carefully thought through reaction. If it’s the messenger who gets fired, that’s indicative of a “Blame” based culture. This is a difficult culture for risk management to thrive in. If employees are scared to talk, perhaps the CEO won’t find out about the company killer risk until it’s too late. The other extreme, equally unsatisfying, is a “No Blame” culture. Just because an employee stands up and identifies a problem doesn’t mean they can expect to be exonerated, particularly if they are responsible for the mistake or error themselves.
As an example, if an employee were to admit a fraud and demonstrate the loophole, it doesn’t mean they should get ‘no blame’ for the fraud. This would be unfair and send the wrong message to other employees. In aviation the leading employers have introduced the concept of a “Just” culture. For pilots it is quite easy to cover up or not mention a near miss or similar event, particularly if it’s not reflected in the data files. The airline really wants to capture these issues so that there isn’t an accident next time. Therefore, they encourage the pilot to report, even though he may feel some of his decisions could be questioned. Rather than being disciplined or let off, the actions taken are reviewed and judged by a group of fellow pilots. If the peer group feels they may also have had difficulty in that same situation, the pilot is let off or even rewarded for raising the risk issue. If the peer group considers that the pilot’s actions were rash or negligent then he still becomes subject to the disciplinary process. Without getting too bureaucratic about it, this thoughtful type of ‘middle path’ approach can be helpful for the CEO faced with mistakes that contain similar complexity.
Step Five: In depth risk awareness. Everyone in the company (and usually beyond in the supply chain) has a role to play in risk management. It’s not enough for the board and the C-suite alone to understand the importance of risk management. Raising risk awareness and accountability throughout the organisation is a long journey. The language of risk can and should be added to many of the normal management structures: departmental meetings, budgeting, strategy etc. In some companies risk measures are added to key performance indicators and even measures for personal bonuses. It is important to remember that, unlike “opportunities”, which everyone wants to be associated with, “risks” may remain unspoken without a systematic approach. Extending risk management culture to junior levels of management and front line employees can be particularly difficult in large organisations. Make sure risk briefings are added to induction talks, which capture new employees. For existing employees, computer or app based training can be very useful too. It is important that such training is tailored and focused. Old fashioned flash media slide shows may still be ok for middle and senior management. There are particular challenges connecting with Gen Z. Some companies address this by using cartoons, sometimes with high quality animation and manga story lines, to get the message over effectively.
Step Six: Skeletons in the cupboard and elephants in the room. When a good risk manager starts to get under the skin of an organization he will be identifying some really tricky issues. These can be politically sensitive and may blow up in the risk manager’s face if not handled appropriately. The CEO can advise and mentor the risk manager on how these topics can be addressed. Though sometimes in Asia, it turns out that the CEO themselves is one of the most significant unmitigated risks. Micro-management by the CEO and key person dependency on the same person remain very common issues, even in some large and highly successful Asian corporations.
The CEO’s worst nightmare? The corporate killer everyone is aware of but is too scared, or doesn’t care enough, to tell the boss about. As well as getting fired and going bust, if this risk eventuates it leaves the CEO looking really, really dumb. A big risk event will trigger a big crisis.
The next article deals with the relationship between crisis management and risk in detail. I look forward to sharing more details with you then.