Horizon scanning is about widening our perspectives – so why do we generally limit our scanning to risks and threats?
We should also scan for novel and emerging practices that can complement, or even replace, our current Good and Best Practices.
Consider this story: a new CEO is appointed to a large multinational company that has had some recent problems with large incidents, fires and explosions. He vows to make safety his top priority. Surely this is the type of executive many Risk Management practitioners want to work for? In conjunction with his Risk Management folks, this CEO enacted a range of new rules that covered issues such as employees using lids on coffee cups while walking and no texting while driving.
He created a culture we can all learn from: how not to do it. For this was Tony Hayward’s BP. Three years into Hayward’s ‘priority on safety’ culture, the Deepwater Horizon oil rig exploded in the Gulf of Mexico.
“A U.S. investigation commission attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.””1
Kaplan and Mikes use this story at the beginning of their Harvard Business Review article. The article sets out a new framework for categorisation of risk. This framework underscores a lot of the WEF Global Risks report discussed in the previous post in this series.
Their premise is that not all risks can be managed by rules-based, compliance approaches – a point highlighted by the BP experience. The authors argue that risks fall into three categories:
- Preventable Risks
  - Which are always internal risks
  - They are controllable and should be eliminated or avoided, as there is no advantage to be gained by taking these risks
  - Examples include
    - Illegal, unethical or incorrect actions taken by staff
    - Generally flow from a breakdown in routine operating procedures
- Strategy Risks
  - Being those we accept because of the potential upside to be gained from the activity.
- External Risks
  - Which arise outside the organisation and are beyond our control (e.g. natural disasters)
  - We cannot prevent these, so need to focus on early detection and mitigation of impact
The authors strongly promote an approach to managing risk that is appropriate to your organisation’s context – they clearly reject the one-size-fits-all regime.
Some of the techniques they describe for managing strategic risk include:
- Independent Experts, for example a “Risk Review Board”.
  - In this example the risk board members play the part of devil’s advocates and a “culture of intellectual confrontation” is promoted.
  - Compare this to the fake collegiality encouraged in most organisations, where dissent is frowned upon.
- Facilitators, where an active central risk unit collects and cross-pollinates awareness of risk across silos.
  - This method stresses the priority of dialogue rather than rules. It is not the “normal” model we see in use, where the central risk unit simply promotes a policy and process.
  - In this model staff are empowered to voice and debate risk perceptions in workshops.
- Embedded Experts, a very common technique in financial services, where risk practitioners are embedded in the business unit with dual reporting lines.
  - This strategy is for a context in which there is a need to continuously monitor and influence the business risk profile.
  - The main threat to this strategy is that the “embedded expert” may ‘go native’ – become captured by the culture and thinking of the unit they are embedded in.
  - To counter this threat you need a strong and active Senior Risk Officer.
This new framework recognises a number of individual and organisational cultural biases that often lead to us not being able to correctly perceive risk. It recognises that there is an art to risk, and that it must be a management discipline, practised by professional managers rather than process administrators.
Effective risk management is not just a process to be followed; it needs to counteract these biases and promote challenge and discussion, rather than inhibiting them as is often the case with a checklist and compliance culture.
To a large extent this applies to BCM also.
Can any readers share their experience of a culture that promoted “intellectual confrontation” as a risk management strategy?
What alternative practices have you discovered lately?