Risk frameworks without more are straw men

Working with organisations over many years in risk and compliance management it is clear that building a compliance framework is not the biggest challenge. However solid that structure looks, however long it might have taken to build, in the end it is just a straw man.
If risk is the wolf at your door, then a straw man won’t protect you. Just ask the three little pigs…
Kind of obvious, you might say… But far too often, the fact of having a system remains the goal or end-point, the ‘proof of the compliance pudding’ for C-suiters and others in management. Look what a pretty thing we’ve built! Cue the lovely smiling faces of the senior exec team all exhorting fellow workers to comply with the guidelines in the pages that follow…
In an earlier article, I noted this in relation to recent risk management maturity benchmarking results of the Australian Public Service. The results were, in my view, far too focused on creating a risk management policy and framework, and not focused enough on whether such guidance actually translates into improved organisational behaviour and risk maturity.
Risk management is not a ‘thing’ that you build or do per se. Risk management is simpler than that – it is just about making better informed day to day decisions, effectively and efficiently weighing up competing choices in the process.
For a risk management system to better enable decision making, and not get in the way of it, it is necessary to first have the right structure (the thing you build) and include two other aspects, clear communication about the framework, and the right organisational culture to support the use of the framework.
Structure
Frameworks need to be more guideline and principle focused and less like an instruction manual. If it looks and feels like a flight instruction manual, then you will only get qualified pilots off the ground. No-one other than a risk professional is likely to have the interest, time or energy to dive deeply into such a document, then try to remember and apply it in a day-to-day context.
The idea is to change the way teams think, discuss and act about risk. To respond dynamically to changing events, not search frantically through the manual for what to do when things go bad around them. For larger organisations, the idea is not to hide behind briefings and committee meetings that move decisions further and further up the chain of command, diluting accountability, disenfranchising decision makers at the coalface, slowing down decision making and killing innovation. To use a more catastrophic example, one of the reasons that the crew on the Deepwater Horizon oil rig initially failed to shut down the exploding well head (11 dead and 5 million barrels of oil spilt) was the over-detailed emergency manual, which couldn’t be accessed and understood during the precious seconds they had. And these people were experts in what they did…
Most organisations do not have to make such difficult choices, but the goals are the same – teaching people to think differently about decision making, not teaching them to rote learn terminology or wait for someone higher up to make a ruling. In workshops I have facilitated, breaking down risk frameworks to these sorts of issues enables people to better understand how risk management relates to whatever job they have. No, they don’t internalise the whole policy in two hours, but that is not the goal. Rather, they start to think about risk and their roles differently, particularly as a more interactive relationship with their work and with other stakeholders.
Communication
The best framework in the world isn’t much use if no-one knows it exists, has trouble finding it or can’t ask anyone about it. Too often, even if useful corporate risk management material exists, it is buried deep within intranet sites, or withering on the vine and losing relevance due to lack of ongoing maintenance and upkeep. Drafters and document owners move on, interest in risk management wanes and corporate knowledge is lost.
More commonly, broken intranet links, misplaced spreadsheets and poor or non-existent linkages to other key corporate documents, like strategic plans, business plans or risk registers, all disincentivise staff from even looking for risk material, let alone understanding or using it.
But the most important aspect of communication is the need for staff to at least acknowledge the concept that risks exist, and should be talked about regularly with others in order to manage those risks. It is far better to have a minimalistic risk policy and have staff discuss risk than have a ‘Rolls Royce’ written version which is so detailed staff are inhibited from even looking at it, let alone discussing it.
Culture
Getting organisations to invest sufficiently to create policies and frameworks which are reasonably understandable and accessible is a big ask, but the last issue, culture, will always determine whether the effort was worth it.
How decisions are made every day, and the organisational dynamic behind them, will either fan the flames of good risk management practices or totally suck the oxygen from them. The ways organisations deal with the questions below are some of the indicators of how culture impacts risk management:

  • Do managers involve or listen to their teams on projects?

  • Is there a willingness to constructively challenge superiors, to ask the ‘dumb’ question?

  • Are all types of failure to be avoided at all costs, or is failure destigmatised to include failure as a natural by-product of experimentation?

  • Is there an operative and trusted whistle-blower policy or hotline?

  • Do staff feel they can honestly answer staff surveys or performance appraisals without fear of retribution?

  • Do staff understand how risk management fits into their daily routine?

  • Is risk listed on meeting agendas?

  • How many staff undergo risk training?

  • Do managers undertake scenario planning or test systems?

  • More recently, in relation to Canberra organisations, which of them urgently reviewed their business continuity plans during or after the January 2020 shut down for weeks due to smoke pollution? And then, did any of them apply those learnings for the benefit of their staff during the current COVID-19 shutdown?

These questions also involve thinking about the values behind decision making, such as ‘Should we do this?’ or ‘Is this ethically or morally appropriate?’ rather than ‘Is this within our (biased) interpretation of the rules?’ or ‘Can we/the organisation get away with it?’
To ignore these questions and maintain a focus on policy ‘shrines’ and feelgood ‘heat maps’ or ‘risk bowties’ is to deny how decisions are actually made every day, and particularly under pressure.
So don’t rely on straw men. Build a stronger foundation based on effective communication and a supportive culture that empowers decision makers at all levels of your organisation.
