A collective reconsideration
Marinus de Pooter | 2015
For those who listen in various sectors, the picture quickly emerges that risk management is not successful in practice. And that despite all the investments made and the energy that has been put into it in recent years. If risk management does indeed bring so much good (as is usually claimed), how is it possible that line managers do not flock to training and conferences? Why don’t they queue up to learn more about all those wonderful concepts and tools (including the many impressive software applications)? As a management system, has it sold so badly or can it simply not deliver what is promised? Perhaps it is a combination of both. It’s time for something better. As far as I am concerned, the end of conventional risk management is near. I refer to the instrumental approach from a separate staff function. The limited enthusiasm for this usual setup is due to several factors. I will mention a number of observations from the consultancy practice.
Usually, risk management is invested in a separate function or in different specialised functions such as Security, Quality and Safety, et cetera. This easily leads to responses from line managers along the lines of: “We hired you to take care of those (information security) risks!” Regulators have devised the creation of a separate Risk Management department (or even a separate CRO function) as a counterbalance to the overthrown ambitions of line managers. However, just because of the differences in personalities, its effectiveness can only be limited. If you do something about risk management, because your supervisor requires it or because the head office requires it from you, it will not easily be embedded in your day-to-day operations. If you use it as an accountability tool, it will at most help to give supervisors a sense of (false) security.
As the backbone of their risk management systems, many organisations have built extensive management frameworks, for example for their financial reporting, information security, business continuity, etc. These frameworks, whether or not coordinated with each other, fit perfectly into a planning & control way of thinking. However, the unruly reality appears to only want to adapt to these frameworks moderately. Not least because of important disruptive factors such as people of flesh and blood. The “control frameworks” fit within the philosophy that the world can be made. If your goals are clear, you estimate your risks properly, you design, implement and implement appropriate measures, then you have reasonable assurance that reality will unfold as you did at the ‘P’ of your PDCA cycle (Plan-Do-Check-Act). In practice, this is considerably more nuanced.
The future is immensely complex, making simple predictions illusions. Some operational cause-effect relationships in a conditioned environment may be evident, but others (especially strategic ones) are difficult to determine. Many approaches conveniently ignore the limitations of our human capacities, such as estimating probabilities. If you imagine the world as an endless chain of causes and effects, then it is impossible to get a full picture of the future variants (scenarios). However, this relativity often remains unexplained, such as when determining resistive capacities.
It is also difficult that opportunities and risks are not tangible or identifiable. They are conceptual representations of future events or circumstances, which can be different for everyone. This realisation is suppressed in the more instrumental approach to risk management. Common tools such as risk registers and risk profiles can be very misleading. For example, they provide little insight into the mutual dependencies of the risk categories and the extent to which the organisational objectives will be achieved according to expectations. Moreover, the (dark red) top corner in risk diagrams (the well-known ‘heat maps’) is unrealistic: no organisation goes bankrupt (high probability) on a daily basis (high impact).
Structured thinking about the future is negatively used in conventional risk management. If you only focus on things that can go wrong, you are not holistic about the future. If you use separate risk reports with “key risk indicators”, then you give the signal that controlling threats (risk management) is separate from exploiting opportunities (performance management). You miss the connection with most directors and managers if you look at risks in isolation from opportunities. In the real world, they always go hand in hand: if you want to rule out personnel fraud completely, then as a manager you have to do everything yourself (and of course be honest as an employee).
When things go wrong, the media eagerly responds to sensational incidents. Don’t we think it’s all spectacular when a few large cranes fall on houses in Alphen aan den Rijn? However, thinking in a structured way about possible errors in advance turns out to be much less popular, because it is quickly associated with failure. For example, in an environment dominated by engineers, confidence in one’s own (technical) capabilities is nurtured. Even if the management team is primarily action-oriented, the structured improvement of the internal organisation can become subordinate to the “real work”. Not enough time is taken for reflection. The hustle and bustle of everyday life, such as putting out all kinds of fires, then determines the agenda.
Functional compartmentalisation quickly develops, especially in larger organisations. This makes it difficult for the management of the organisation to obtain and maintain a total overview of the operational management. The directing function is often less developed. And this while integrated opportunity and risk management is one major coordination issue to focus the separate disciplines and areas of knowledge on jointly achieving the formulated organisational objectives.
The above observations do not lead to great joy. It is therefore time for a rethink. Our brainpower and resources can be better spent. In my opinion, answering the main question for each management team should be central: do we manage our organisation in such a way that we meet the expectations of our most important stakeholders?
Below I give a number of point-by-point suggestions on how to achieve this in practice. In essence, they boil down to the removal of separate risk management functions. The focus should be on training decision-makers to make balanced decisions based on the agreed core values and the best available information. This requires intensive cooperation and a heavy directing role for the management of the organisation.
- With a holistic approach you always look at opportunities and risks together. A project manager is alert to future circumstances that could promote (opportunities) or hinder (risks) the realisation of his or her objectives. It is about the integral performance that you achieve as an organisation. In that context, we should no longer use ‘risk management’ as an umbrella term. After all, most people associate that designation with things you shouldn’t have. Therefore, just use terms such as ‘(integral) management’ or ‘organise’.
- Many successful large SMEs do not have a separate risk management function. Of course, those management teams do manage their risks, although perhaps less explicitly than in conventional risk management. Transfer the compartmentalised risk management activities to other departments, such as Strategy & policy, Planning & control, Information provision, et cetera, and at P&O for training skills. Make sure that there is a coordination function high up in the organisation for the essential directing role.
- What makes integral opportunity and risk management especially challenging is that it is about the future. And that is simply uncertain. For example, no one knows whether Bitcoin will be the currency of the future or the next bubble. Realise that, as a team or individual, you can at most make the best possible move, making use of the available information.
- Probability and risk management is actually ‘expectation management’. Avoid unrealistic expectations. As humans, we are simply subject to many limitations. Consider the quality (timeliness, correctness, completeness, etc.) of our available information and the limitations of our human mind to make effective estimates. Be sure to also be alert to the temptations that can cause people to make wrong choices.
- In an environment steeped in planning and control, vigorous leadership is welcomed. “Yes, we can!” is associated with piloting the organisation’s ship through the turbulent waves. However, you must admit that you do not know exactly how it will all turn out. It is not that strange when the future is by definition uncertain.
- Management is about making decisions to create and maintain the intended value for your important stakeholders. The real added value of integrated management of opportunities and risks lies in the contribution to that decision-making. You need good information for good decision-making. Therefore, fully commit to knowledge management and big data, which will play an increasingly important role.
- Opportunity and risk management focuses on realizing the explicit and implicit objectives. The interests of specific stakeholders are decisive for these objectives. There are always interests involved when making decisions. See through that game. If you don’t understand what interests are in the background, you can never perform effective analyses of opportunities and threats.
- When you talk about creating and protecting value, the first question is of course what you understand by ‘value’. All too often it turns out to be about euros or dollars. But is money the end or the means? The answer depends on what your key stakeholders expect from your organisation. As a management team, first discuss what you really value. Only then does it make sense to talk about opportunities and risks.
- When organizing your (civil service) company to deliver and retain value for your important stakeholders, your vision is guiding. It must be clear to every employee in the organisation what you want to achieve together. That includes being clear about what you don’t want to achieve. Then the discussion automatically arises, which again was the intention of the organisation. Invest in developing and propagating that clear vision.
- Thinking together about opportunities and risks can best be done with daily activities as the basis. Your colleagues have to make their decisions there. Whether it concerns management, primary or supporting processes. They can make mistakes when carrying out any of the activities. They must also seize the opportunities there. Provide an integrated overview of what the important players within your organisation are doing. Without this overview it is difficult to see the interrelationships and to prioritize the desired improvements.
- Integrated opportunity and risk management is always about options for human action. Then you cannot avoid talking about ethics. If you reason from a “the-end-justifies-the-means” principle, you may be able to get away with inadequate legislation or enforcement. However, remember that there is more that you should not do beyond what is explicitly prohibited.
- In order to be able to make good judgments, you need clear core values in addition to sound information. For example, to judge an investment that pays off nicely, but is ethically questionable. Core values determine which stakeholders (and their interests) are dominant, what weighs most heavily in thorny issues and what behavior is expected of employees. They also play a key role in operationalising the tricky concept of ‘risk appetite’ (and its counterpart ‘chance greed’). Make sure your core values are clear to all involved.
- The attitude of the people you have on board is decisive for a successful internal organisation. The CEO of a major international real estate investor recently told me that his chief risk manager is the Human Resources Director. Analyze the risk attitude of your managers. Select strictly at the gate on the moral compass and mentality of possible new colleagues. Also, as soon as possible, put people outside the gate who do not fit the intended core values of your organisation.
- The owners of the objectives (and therefore of the processes required to achieve those objectives) must constantly make trade-offs. Namely what value they want to create and protect for which stakeholders. Make sure they have the necessary specialist help in realizing their objectives, for example because legislation and regulations (such as collective labor agreements) are complex, because technologies change quickly, et cetera.
- The added value of risk managers, controllers, compliance officers and similar functions lies in supporting those who serve the customers (citizens, tenants, patients, students, etc.). Require all staff positions to be of service to their colleagues who serve customers in the primary processes. They always have to make difficult decisions when using the available resources and can use valuable input from specialists in support departments.
- Taking advantage of opportunities is also a consideration process. Innovation implies uncertainty. New materials or methods can have great advantages, but the long-term effects will only become known afterwards. So it means daring to let go and being honest about possible disadvantages. Opportunities must also be prioritised. As a team, keep the focus on your strategy and prevent your colleagues from jumping on every passing train.
- Every issue related to internal organisation is about how much freedom you leave to the person who has to make the decisions. Do you trust the competences of the professional or is it better to record? Do you give freedom or are you going to standardise? Do you draw up tight schedules or do you count on the ability to improvise? As a management team, make conscious choices with regard to the frameworks.
- The underlying question in the integral management of opportunities and risks is: are you as an organisation resilient and agile enough to deal effectively with what is coming your way in the future? Keep in mind that the system world of planning and control has major limitations. Focus more on improving the agility of your organisation to respond to change (s) in circumstances.
- The future is inherently uncertain. It is advisable to put more effort into making forecasts (looking through the windshield of your car) than comparing with budgets (looking through the rear window). When making your decisions, therefore, do not primarily focus on whether there is a budget for it. More relevant is the question which action is wise in the light of the given (changed) circumstances.
- Making decisions is always optimising under preconditions. If you are responsible for something, but your options are too limited, then it is important to bring that up. Consider the situation where you cannot choose your own staff. “Competence is not a criterion here” recently sighed the controller of an Environmental Service during a reorganisation of the organisation. Apparently there was a balance between the interests of the employees and the trade unions on the one hand and the service and its ‘customers’ on the other. As a team, realise that the quality of the people you have in-house determines the ultimate effectiveness of your organisation.
- Ambition levels that are too high in a political environment demand solid guarantees. Like with that visionary mayor who saw an obvious regional function for his village. Supported by research reports from an expensive consultancy firm, he energetically focused on expanding retail capacity. It is not only due to increased internet sales that a significant portion of the store base is now empty. Be vigilant about controlling dominant personalities. Otherwise there can be no balanced decisions.
- Contracts are suitable instruments for making agreements about mutual rights and obligations. Design, construction, financing, maintenance and management are integrated in ‘DBFMO’ contracts. They can concern large interests for longer periods. Invest risks as much as possible with the contracting parties that can influence them the most, such as uncertainties with regard to permits.
- Dealing integrally with opportunities and risks is mainly about constantly discussing the considerations you make. In practice, it comes down to a critical look at the assumptions for submitted (investment) plans. Conduct ‘pre-mortem’ reviews. Raise it up if the substantiation in a business case is buttery soft and wafer-thin.
- If raising the subject of ‘accountability’ is already perceived as threatening in your organisation, there is still a lot to be done. Make those responsible for achieving the organisational objectives also responsible for exploiting the opportunities and managing the risks. Provide clarity about their ownership.
- If you ask me, the hardest part of dealing with opportunities and risks remains courage. If everyone yells ‘hosanna’ and ‘hallelujah’ about a possible collaboration or merger, do you, as a controller, dare to spoil the upcoming party, if you think the risks are too great? With that action you place yourself (partly) outside the group. And that remains difficult for everyone to do. Remember that good leaders value opposition. A culture of fear is not in the interest of an organisation.
- Being allowed to make mistakes is an indispensable condition for becoming a “High Reliability Organisation”. However, developing the learning capacity demands quite a bit from the attitude of the managers and stakeholders. After all, everyone really wants his or her treating doctors to work flawlessly. Train your people to make their decisions as professional as possible. And above all ensure exemplary behavior as a manager.
In this contribution, I have come to far-reaching conclusions regarding conventional risk management. I also touched on enriching options for adaptation with regard to integral (opportunity and risk) management. I would like to invite you to think further about its further application in daily practice. Send your suggestions to firstname.lastname@example.org. Thank you very much for that.
This essay is part of the web-book Public Risk Canon