Edicts and the Letter and Spirit of Risk-Process Implementation
In closing the previous article - #7 in this series - I addressed the critical aspect of gaining support from upper management for implementation of any risk assessment/management process. Although such endorsement is essential, this is truly a case of "beware of what you ask for."
"THOU SHALT..."
Much of the material upon which I draw to write these articles emanates from personal experience. The alignment of upper-management support is no exception.
Years ago, I served as a research scientist at a large technology center. Toward the later stages of my tenure at that institution, I was primarily focused on the development of risk-based technologies and their implementation in the corporation. By happenstance, I was friendly with the President of the company who, as luck would have it, also took an interest in things risk. He arranged for me to have two audiences with the C.E.O.
At the second of those presentations to the highest of management, the C.E.O. said (and I paraphrase, here): "OK, you convinced me that we should implement risk-based processes in the company. So, why don't I just issue an edict indicating we will start doing so?" I immediately tumbled to the realization that I had gotten what I wanted, and now understood that it was not what I wanted!
I was fully cognizant of the challenges and barriers associated with injecting risk-based processes into the everyday work stream of most disciplines. I knew that if the C.E.O. issued an edict such as: "Thou shalt do risk assessment and risk management" we would be in big trouble.
Why trouble? Well, first, it was a big company. Just about 100% of the risk expertise and resource upon which the company could draw was standing in front of the C.E.O. - that is, me. If, suddenly, all departments in the organization felt compelled to do something related to risk, how would they know what to do? How would they get the critical information, training, and support it surely would take to bring risk-based processes into their part of the business?
One answer to this mainly rhetorical question is that they look outside the company for consultants who claim to know something about risk. Unlike chemistry, physics, English literature, accounting, and other courses of study at most universities, there is - at the time of this writing - no "risk" major that is recognized and accredited. So, anyone who wishes to call themselves a "risk expert" can do so - and they do! It is absolutely true that any company is better off not employing risk-based processes than having the mosaic of disjoint and questionable-quality risk processes that will result from opening the corporate doors to anyone (and some are real snake-oil salesmen!) who can make a buck in trying to "help" your company.
At that presentation to the C.E.O., I was quite embarrassed to have to back-pedal and do what I could to convince him that a "Thou shalt" edict was absolutely not in the best interest of the company. Following the presentation, I was forced to ask myself: "OK, if I didn't want the C.E.O. to issue an edict, just what did I really want?"
Turns out that implementation of risk-based processes in any organization is a delicate dance and a chicken-and-egg situation. As the risk-process proponent (RPR), you certainly need upper-management support for the roll-out of risk applications. However, before asking for such high-level support, you have to have in place the resources, materials, and expertise that will be necessary when you, hopefully, get the "go ahead" from the upper echelon. Without such support to begin with, however, how do you garner the money, resources, and time it takes to prepare for the onslaught that will surely come when upper management gets behind the idea?
The only resolution to this dilemma is to make sure that when attempting to convince upper management that such risk-processes are necessary, you emphasize that much time, money, and resources will be necessary to build an organization and technologies that will be necessary to handle the rigors and demands of implementation. I learned this lesson the hard way. I hope from these few paragraphs, I have saved you from attending the school of hard knocks! Examples of such implementations can be seen in the book Risk Modeling for Determining Value and Decision Making and much more about the problems and related solutions related to process implementation can be found in the book Modern Corporate Risk Management - A Blueprint for Positive Change and Effectiveness.
THE LETTER, BUT NOT THE SPIRIT
OK, suppose you have successfully navigated the minefield of obtaining management support, building your support group, and developing all of the training and implementation materials that will be needed for a successful roll-out of the risk-based processes (whew!). One other way this thing can backfire on you is that those in the company upon which the risk processes are foisted comply with the "letter of the law" but not with the spirit.
For example, I have often observed that minimum requirements of a risk-based process are (at least):
1. Hold a risk-identification event (at which threats and opportunities are identified and roughly ranked).
2. Generate a risk register that lists all of the threats and opportunities.
3. Create and record in the risk register threat-mitigation and opportunity-capture plans along with due dates, risk owners (names), etc.
4. Assign a Risk Process Proponent who will "ride herd" on the entire process (make sure those responsible for taking actions actually do so).
While these are necessary steps, unless such steps are combined with, at least, some aspect of risk monetization (see previous articles in this series for much more on the risk monetization process), you can actually be doing the organization a disservice by promoting the steps listed above.
If the "letter of the law" is followed and not also the spirit, implementation of risk-based processes can be a significant waste of time, money, and resources. I have often observed parts of organizations that, for example, implement the 4 items listed above. Long lists of risks are created (the risk register) and for each risk, mitigation or capture actions are defined and those people responsible for executing the mitigation/capture plans are identified. This often results in many folks expending much effort in trying to carry out their tasks. This might seem, again, like what you would want, would it not?
Without integrating, just for example, even a fledgling risk monetization process (the spirit of the law) with the risk-register process, many of the risks that are addressed are those of minor impact that likely should have been ignored. Without someone, such as a skilled risk-monetization expert, coming along to determine the actual value impact of each risk in the register, it is not necessarily possible to determine just which risks should be addressed and which risks should have no effort put into related mitigation/capture plans.
Having everyone running around attempting to "fix" every risk is, unquestionably, a significant waste of corporate resources. The lesson to be learned here is that it is not enough to identify risks and associated responsible parties and mitigation/capture plans. If such steps are not linked with value-impacting processes and a high-level ranking of risks based on value, implementation of risk processes can actually be a step backward rather than a forward stride. The technologies utilized to implement such processes are detailed in the book Risk Assessment and Decision Making in Business and Industry, A Practical Guide: 2nd Edition.
In the next and 9th article, I will focus more on how to practically implement remedies to many of the problems I have outlined in previous articles. Ah, finally a focus on the solutions rather than the problems!
References:
Koller, G. R., Modern Corporate Risk Management - A Blueprint for Positive Change and Effectiveness, J. Ross Publishing, Ft. Lauderdale, FL, 2007.
Koller, G. R., Risk Assessment and Decision Making in Business and Industry, A Practical Guide: 2nd Edition, Chapman & Hall/CRC Press, Boca Raton, FL, 2005.
Koller, G. R., Risk Modeling for Determining Value and Decision Making, Chapman & Hall/CRC Press, Boca Raton, FL, 2000.




