The Risk is in the Mirror (updated!)

At the risk (pun intended) of being pilloried as the Grinch Who Stole Christmas, I’ve been brimming over with comments about some of the articles on business risk that I’ve been reading. Not sure which is a greater hazard, the one writing or those of us reading.

Let’s take this topper from “Mike” at big-accounting-firm-with-two-letters-separated-by-an-ampersand:

…community expectations around factors such as the environment, safety performance, and sustainable community investment are changing at such a rate that it is making it difficult for companies around the world to stay ahead of the game.

Puh-lease! That’s approaching the barf factor I reserve for “thought leader,” a 2010-phrase which should be banned along with mentions of various nubile movie stars who are famous mainly for being famous.

If the vast majority can’t stay ahead of the game, then we have defacto redefined the game. An athletic version of this is the amusing movie “Stick It” where the gymnasts themselves defined who won. (Of course if you have resources, but lack the will to win, that’s a different story, for its own post.)

In a revealing Allianz survey, 97% of those surveyed in middle management and 99% of those in the C-suite didn’t even consider internal risks in their top ten!

That is how you get blind-sided. The most advanced software in the world depends on the inputs to produce relevant outputs.

Hmmm… There are 150+ ERM tools on the market, according to Thompson-Reuters. From my research (and I would be thrilled to be corrected), without exception, they are competing on the strength of their analytics engine and how many places to the right of the decimal point they deliver. Oh, and they bring new acronyms to pepper their flavour-du-jour Neuschmuck: vaguely hip, always glib and rarely precise.

What’s the value of an extremely precise report based on bad inputs? Hmmm…If you only remember one thing from this post, remember this:

Culture trumps all but when culture encounters physics, physics wins.

What happens to most risk reports? They sit on a page in a report that sits on a notebook on a shelf, until either the next risk drill or a local disaster actually strikes. In either case, it’s too late to find that the inputs are invalid, you’re either in deep weeds from a getting-graded standpoint, or your formerly imposing edifice is literally swept away.

Reasonable People Rarely Prevent Disasters, Change History—or Sing on Key.

Transformational Risk Management is unreasonable, impractical and in many cases down-right scary, which is why people rarely do it!

As Brad Moore recently told me, “Every executive knows ‘From the top down, I need to be innovative in the way I approach every aspect of my business,’ yet risk management gets left behind because the existing approaches to risk don’t ask the right questions.”

Your insurance doesn’t matter much if your plant, ship, pipeline, data warehouse, etc. just became a memory moments ago. In fact, if your insurance audit is a risk checklist, derived from a governance, risk and compliance (GRC) standard, the very exercise can actually increase incident probabilities, by inducing both false economic incentives and a false sense of reduced hazard!

Every leader either addresses risk up-front or pays for it later. A web search on risk management turns up hundreds of hits for insurance. Most carriers themselves treat insurance as “load shedding” not risk management and certainly not risk or hazard mitigation.

Unless you get to the point where you’re willing to look at risk through the same lens as you look at your Marketing, Ops, HR, Sales and Accounting/Finance functions, you’re going to be stuck delivering the status quo.

So we need time to make decisions

Life is what happens when you’re busy making other plans. Time management is beyond the scope of this post, yet anyone whose read or attended Covey training knows the distinction between the urgent and the vital. Risk Management is vital, but almost by definition it is not urgent, it’s something done before you need it, otherwise it’s not risk management, it’s triage.

A way to gain time is to stratify decision-making. Great leaders already know and do this, many instinctively, not really understanding the five whys, but for other, more far-reaching reasons: the only way we become better decision makers is by observing the results of our decisions, under mentorship of those who’ve made mistakes before us.

When my company introduced Systemkey™, the XML-compliant language standard powering our governance, risk and compliance suite, RedSky™ 1.6, we introduced a process capable of structurally addressing residual risk, because Risk Solutions powered by Systemkey™ dramatically extend your organization’s capacity for risk discovery.

By giving people at every level of the organization both the permission to and the process for constructively and creatively asking inconvenient, ridiculous and irrational questions, we equip them to discover the herald events (also known as signal or messenger events) embedded in day-to-day conversations that foretell the potential for minor flaws to cascade into major disasters.

Because other industry tools collapse reality (eliminate or neglect detail) to match the tool, the results obtained have the same lack of fidelity to reality as the inputs.

While we think RedSky™ 1.6 is news, the fiction-producing, financially-successful risk software market is not news. Henry Mintzberg said this more than thirty years ago in his pivotal article on “Direct Research.”

As always, Carpe Diem!


Leave a Reply




This site uses Akismet to reduce spam. Learn how your comment data is processed.