There is a justifiable significant focus on risk management in organisations, in particular in highly regulated or safety critical environments. However, we could make risk management even more effective than it currently is by moving from just focusing on risk management as a specific area of action in its own right to ensuring it is perceived as part of an inspiring bigger picture for employees. That is not what happens in the majority of organisations but, with some simple actions, it could be.
I have seen risk management in practice within organisations as diverse as the Army, London Underground, UK National Health Service, construction, HSBC, UBS, and other professional service firms so have experienced both the safety critical approach to risk and the regulatory approach, as well as a more general approach. It’s an understandable, necessary, but to some degree, lowest common denominator approach. It may keep things safe but will probably never deliver optimum organisational performance as in the majority of organisations there is no linkage made between risk management activities and optimising performance. Both are often treated as unconnected and dealt with by separate teams. What I have seen in practice suggests that just focusing on risk management in a way unconnected to wider agendas and enabling optimum performance actually delivers worse risk management than where it is.
The disconnect between much risk management and delivering success runs contrary to the way organisations work and think, as holistic communities, and the way employees perceive what is important by taking in all the messages they hear from different parts on the organisation.
The employees ability to perceive differences between the messages they hear or between words and actions is rapid and immediately impacts performance. A risk related example comes to mind “We want you to manage risk as laid down but you must deliver your financial targets no matter what.” Such statements are often seen as conflicting and not reflective of reality. This creates confusion, or worse, perceived hypocrisy, leading to lack of motivation and grudging compliance with risk requirements. According to various studies it also makes employees over 50% more likely to look for a new job.
The way employees perceive risk management within different environments is also subject to significant variation. Within the safety driven approach, risk management has often been a long standing part of the culture of the organisation, is seen as both an individuals responsibility to themselves and others and driven by the powerful realisation that failure to manage risk could lead to serious injury or death. Risk management via health and safety is often a key part of initial training, assessed independently internally and also externally and is generally effective. Thus the message on risk management for safety is accepted and proactively adopted by employees as part of their everyday working, part of a “we not me” culture to keep everyone safe. The realisation that the consequences of getting it wrong are so serious and real means it is “lived” every day as an integral part of delivering success. Employees view their own well being as a benefit from proactive adoption and so believe in the process.
Within the regulatory risk environment the perception of the majority of employees is different. Here the application of risk management is rarely seen as a critical part of delivering success. Rather many see it as something to be tolerated to do the job or even an obstruction to delivering success. Whilst our approach to regulatory, rather than safety risk management, is focused on getting employees to proactively implement it often fails to achieve genuine adoption by individuals on a day to day basis. This is due to the way it is presented as something that is done to them, or required of them, by the organisation which they don’t see adds benefit to them. Often a “tick box” exercise that they must do to be able to do their jobs rather than one they want to do as an integral part of being successful. This creates both a conscious and sub conscious mindset which reduces the importance and value of risk management to them and their incentive to genuinely embrace it.
But often senior leaders perspectives don’t help either. When asked what the highest purpose of the risk function is within their organisation many leaders say it’s to manage risk, few add that it is to make the organisation successful by so doing. In fairness if you ask IT, HR or Finance leaders the replies are similar so there is a narrow perspective of purpose in the minds of most leaders in support functions. They assume they are there to deliver their technical outcomes but not overtly to make the organisation more successful.
Within some sectors with regulatory risk requirements, eg financial services, much work has been done to create greater responsibility. For example the “senior managers regime” has been imposed on financial services leaders to set out responsibilities and conduct requirements including the requirement to ensure that people in their areas of responsibility act as they should. However, that is fundamentally not a process or regulatory issue, it is a trust issue. This is the critical challenge that regulatory risk faces in genuine adoption by all. Employees will only deliver their best if their leaders are worthy of trust. Trust is often lacking but could, with the right intervention, be significantly improved.
My experience has always been that if an organisation focuses only on stopping people doing things they shouldn’t then its performance never reaches its full potential. Yes people need to clearly know what they should not do and implement processes which mitigate risk but these won’t maximise their performance. There is clear evidence that if employees are inspired by their leaders to give their best to help the organisation succeed then those employees are more likely to take on a personal sense of responsibility for outcomes, including managing risk. This is because they believe in the organisation and will proactively try to make it successful and avoid actions which may threaten this. In this environment risk management is taken on by every employee willingly as part of their day to day lives not just left to systems and the risk function. Thus it is then more spread, embedded and able to identify problems earlier.
The psychology is simple and effective – rather than telling employees what they must not do the adoption of an approach that inspires super performance will get employees to proactively want to undertake risk activities to protect the success of themselves and the organisation they believe in. At its most basic people need to feel good about how risk management can help them so they want to apply it enthusiastically.
Risk, like anything else, must be presented in a way that delivers a positive value to employees to get proactive engagement and implementation. Bad presentation of risk management, via just compulsion, creates a negative mindset which blocks real engagement. This video shows that this effect is real and more powerful than we realise.
Taking this further, not getting the best from people is a risk in itself, underperformance creating the risk of lost potential profit or performance. But this is an issue few organisations have even considered as they fail to realise they are underperforming their potential probably by 10 -15%. Thus creating an environment where effective leadership inspires people to give their best will, combined with a simple risk framework focused on enabling success, get genuine proactive adoption of day to day risk management and maximum performance at the same time where compulsion won’t.
Once individual ownership is present it also starts to address the issues of “team” responsibility for risk. In this environment a “social” approach to risk builds such that any team member seen breaking the groups rules will be called out and expected to stop engaging in activity that breaches those rules. This will apply to risk management as much as anything else.
Thus the secret to optimising risk management lies in leaders inspiring employees to give their best for the organisation first and then applying simple risk management systems that deliver the required outcomes presented in a way that the employee perceives them as something which enables them to deliver success rather than making it more difficult. This is simple and achievable if the right approach is taken with implementing and presenting risk management.
For more in depth perspectives on risk, ethics and delivering success, see my article for the Journal of Financial Perspectives. This is financial services focused but much of the content and data applies to any organisation: Risk, Ethics and The Holy Grail
So what really is the driver of higher risk: Bad people? Bad process? Bad communication? Bad leadership? Of all of these it’s least likely to be bad people. The success of the rest lies in the hands of the organisations senior leaders, so if it all goes wrong they have only themselves to blame.