Risk management doesn’t have to be dismal governance
If economics is the ‘dismal science’ then risk management wears the crown of ‘dismal governance’.
Like economics, risk management policies and frameworks are often poorly explained and focus too much on ‘rationality’, technicality and process. The result is lots of technical jargon, pretty diagrams, heat maps and lines of defence, but not much understanding or adoption in day-to-day decision making.
The best evidence I have of this is the initial look on the faces of people entering a training room for a few hours of risk management training – utterly underwhelmed and slightly terrified. You’d think they were required to learn the manual for a nuclear reactor in ten minutes or less and have to decide whether to cut the blue or red wire to avoid a nuclear meltdown.
However, risk management can be made (slightly) less dismal by adopting the following approach:
Acknowledging that a key element of risk management involves the ‘human element’ within organisations (culture, leadership and behaviour), which includes acceptance of the likelihood of failure, human inconsistency and aberrant behaviour.
Building a risk management framework around five pillars: simplicity, useability, effectiveness, sustainability and communication.
The human element
It is culture, leadership and behaviour that are the dominant drivers and influencers of good (and bad) risk management. I know it’s trite to say it, but if you don’t satisfactorily tackle these factors, it doesn’t matter how good your risk policy is, there will be limited (or no) improvement in how risks are tackled within your organisation. As Royal Commissioner Ken Hayne QC said[1]:
Good culture and proper governance cannot be implemented by passing a law. Culture and governance are affected by rules, systems and practices but in the end they depend upon people applying the right standards and doing their jobs properly.
One of the first places to look in relation to culture is the way decisions are made within organisations. Amy Edmondson’s book, The fearless organisation[2] dissects this issue very well, using case studies from the government, private and NFP sectors. According to Edmondson:
“For knowledge work to flourish, the workplace must be one where people feel able to share their knowledge!”
This requires a workplace to be ‘psychologically safe’, so that interpersonal fear is minimised in order to maximise team/organisational performance. As to what this entails, among the many good ideas in Edmondson’s book, two ideas relevant to most organisations are ‘voice-silence asymmetry’ and how failure is dealt with.
In relation to ‘voice-silence asymmetry’, if an employee is aware of a problem or issue:
keeping silent provides an immediate benefit to that person, in the sense that they do not 'out' themselves as a 'troublemaker' and the certainty of this benefit is high
raising the concern/issue does not have the same certainty of benefit and the timing of any benefit, for that person, or the organisation, is unknown.
Secondly, getting leaders to encourage ‘failure’ is not easy for a number of reasons and requires a change of mindset. As Edmondson points out, leaders need to destigmatise failure as a natural by-product of experimentation, learning and sharing as well as recognising and responding differently to three types of failure – preventable failure, complex failure and intelligent failure.
Preventable failure: Training; Retraining; Process improvement; System redesign; Sanctions if repeated or other blameworthy actions are found
Complex failure: Failure analysis from diverse perspectives; Identification of risk factors to address; and System improvement.
Intelligent failure: Thoughtful analysis of results to understand implications; Brainstorming new hypotheses; and Design of next steps or additional experiments.
Recent discussions about failure in the public service context include the Thodey/Alexander review of the Commonwealth PGPA Act[3], the Review into the Australian Public Service[4] and the Australian Public Service Commission's State of the Service Reports (SoSR).
As the 2018-19 SoSR noted at page 32:
One key element for promoting innovation is organisational culture—how organisations treat risk, and whether employees feel empowered to experiment and learn from their experiences. If staff are afraid to fail, they are unlikely to take calculated risks and be innovative. Similarly, if an organisation is unclear about its risk tolerance, it cannot expect innovation...
Robin Ryde (ANZSOG Executive Fellows Program Co-director) in an article published in the Mandarin on 6 June 2018 referred to the APS review and said:
… we need leaders to loosen their grip on command and control models dependent on positional power, and learn to raise their game in engagement, in co-design with employees and with communities.
How these ‘human’ issues play out in organisations provides an indication of the prevalent ‘culture’ and enables more targeted training/facilitation aimed at more collaborative risk management/decision making. However, these sorts of cultural issues can't be adequately addressed through just workshops and/or an improved risk framework. Other necessary cultural drivers include the right leadership behaviours at the highest levels, performance agreements, positive incentives/rewards for reporting risks and transparent disincentives (sacking/suspension etc) for inappropriate behaviour.
Building the right framework
In working with organisations to review/revise their risk management frameworks, I am continually faced with trying to convert a plethora of documents full of ‘risk-techno-speak’ into language and concepts that are readily understood and, maybe, on a good day, even used. There are five ‘golden rules’ that I use:
Simplicity – the framework should be relatively easy to find within an organisation’s intranet, should seamlessly link to other strategic and planning documents, should be understandable and not require expert technical knowledge or extensive training.
Useable – the framework should be as simple as possible to use, without a raft of templates, diagrams, registers and other risk paraphernalia. The aim is to have a process that enables decision making, not one that gets in the way of it.
Effective – the framework effectively identifies and addresses what a risk is, how it can be assessed, how it should be reported and when it should be reviewed.
Sustainable – the framework is able to be maintained over time despite staff turnover and without significant pre-existing knowledge.
Communication (and consultation) – ongoing information sharing is critical to the entire process.
Too often the creators of risk management frameworks forget that the framework is just a tool to aid decision making. Frameworks should inform and enable discussions about risk; it is the discussions that are critical, not how they are recorded, written up and reported. Written records are important, but the emphasis on them is sometimes too strong compared to the need to actually have conversations about risk.
So if you want risk management to become less dismal (let’s face it, it will never become sexy) and more used, then firstly focus on a more collaborative approach to decision making, and then secondly on a more user-friendly collection of words, images and practices.