Guest Post by Patrick Ow (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Effective leaders provide their employees with a heartfelt portrayal of the WHY, a deep-rooted purpose, before defining the WHAT, the product or service, and then finally, the freedom on the HOW, which is the process.
First, understand the WHY of your solution. This gives you the line of thinking needed to decide HOW you can provide this solution in a way that is better than your competitors and more efficient for your customer.
From the perspective of risk management, effective leaders, with the help of risk officers and the risk function, should also start with the WHY of doing risk management in the organisation.
Thereafter, determine WHAT risk framework is required to deliver the WHY. And finally, after knowing the WHY and WHAT as the motivating factors and drivers of risk management in your organisation, give your employees the freedom on HOW they take risks and seek opportunities.
When employees want to do risk management, rather than have to do risk management, there is risk culture maturity in the organisation as risk management is done unconsciously as part of management practices.
So, WHY do risk management in the first place?
The purpose of risk management is to enable the organisation to take the right level of risk and seek out opportunities so that it can increase the likelihood and/or extent of organisational success.
We do risk management because we want individuals and organisations to be successful. People can make better decisions, solve the right problems, and find the right solutions to serve and deliver better outcomes for our customers and stakeholders.
In essence, my job as a risk professional is to make my stakeholders look good!
Success can only be achieved by focusing on the outcome that we want to achieve, not on the process of being successful.
“What is my target”
In golf, the outcome is to play a ball from the teeing ground into the hole on the putting green in the fewest possible number of strokes. If you are not asking yourself, “What is my target?” before every shot, you are not giving yourself the best chances to shoot the lowest scores.
Looking back from 2000 to 2005 when Tiger Woods was winning nearly every week, he focuses on the target and gets into the zone.
When trying to recount some of his victories and specific shots, Tiger says that he oftentimes has no memory of them whatsoever because he’s so focused on the outcome of that shot. He isn’t thinking about taking the club inside or clearing his hips on the way down.
It is all about focusing on the WHY of the game (i.e., hitting the ball into the hole), rather than the HOW (i.e., the swing and position of the body).
Dave Stockton, the author of Unconscious Putting, sums it up perfectly. He said, “When you drive a car you aren’t thinking about all of the mechanical things necessary to safely get your vehicle from point A to point B. You aren’t thinking about how hard to pump the brakes, or how many degrees to rotate the wheel to make a left turn.”
For Tiger, “I have these blackout moments. I know I was there but I don’t remember hitting the actual shot. It’s like my subconscious mind just takes over.”
Our aim is to get into the zone of doing risk management unconsciously where our subconscious mind just takes over.
Formal vs informal risk management
So, how do we get into the zone of doing risk management unconsciously?
The answer lies with informal risk management and knowing the WHY of the business and knowing the WHY of doing risk management.
While risk managers are fond of frameworks and tools that look good on paper, effective risk management requires the use of complementary formal and informal risk management mechanisms.
Formal risk management covers the use of risk registers, control assessments, internal audits, and risk reports. It provides a visible platform on which risk management can operate throughout the business. And it satisfies regulatory requirements as evidence of compliance.
This formal risk management approach must be contrasted with the informal risk management approach, which includes social networking and influencing techniques.
It is the informal mechanisms that are vital for making the formal mechanisms work in real life.
The design and format of a formal tool like a risk register are less important than the informal mechanisms that are used to populate the risk register through honest and open conversations about risks and opportunities.
Simple behaviours such as picking up the phone to somebody who might help you solve a problem work more effectively.
These one-to-one conversations are more effective than complex or over-engineered documentation or reporting tools that are often used to embed and mature risk management.
Not surprisingly, a risk officer who cannot build effective trustworthy relationships and interactions, and creates a web of informal conversations across an organisation will not be able to embed effective risk management and increase risk maturity.
Avoid hiring a compliance type person for the job!
My ex-colleague reported that when her organisation onboarded a new Chief Risk Officer, the very first question she got from him was, “What must we do to comply with the risk management requirements?”
This formalised or compliance approach to risk management is just killing the essence of why we do risk management in the first place. And we wonder why risk management is not working in organisations!
This is because we usually hired the wrong person for the job.
It is easier to focus on the HOW of risk management
The International Organization for Standardization (ISO) website states that ISO standards “provide a strong basis for the development of national and international regulation”.
This applies to the international risk standard, ISO 31000, which is interestingly the first non-certifiable ‘standard’.
The unintended consequence of this ‘risk standard’ is that many governments, regulators, and even risk management associations have been quick to prescribe the HOW of risk management, focusing mainly on formal risk management.
The reality is that it is much easier to focus on formal risk management rather than informalrisk management. It is tangible and easier to document a risk register or show a heat map.
It is also easier to show compliance to auditors and regulators.
And unfortunately, we get too consumed in doing formal over-engineered risk management that we missed doing informal risk management. The reality is that informal risk management will be the key to giving you the best bang for your money.
Too much formal risk management can hurt the organisation
Too much formal risk management can hurt the organisation, according to research on Risk Culture and Risk Management in the Australian Public Sector.
If formal risk management is seen primarily as a compliance exercise to satisfy internal and external requirements, then informal risk management will not occur naturally and effectively. And when informal risk management is weak, so will be the organisation’s risk management maturity and risk culture.
The implication of this insightful research impacts how organisations approach risk management and the balance they must find to create a positive risk culture (i.e., I want todo risk management) that does not focus solely on compliance (i.e., I have to do risk management).
This is the unintended consequence of formalisation and standardising risk management.
The WHY of business and risk management
While the formal frameworks and mechanisms will exist in organisations, these tended to work best if they were not specifically badged as risk management tools. Getting away from technical jargon is important when dealing with front-line employees.
This is where risk managers can talk to front-line staff about how to become more efficient, customer-focused, or simply about behaviours and attitudes instead, which is the focus is on informal risk management.
McKinsey has said that “risk functions need to move beyond the formal views of the administration, control, and governance, as well as the formal processes for risk assessment.” There is a call for risk professionals “to come out of the ivory towers and into the marketplace.”
Informal risk management can only thrive when people know the WHY of the business and the WHY of doing risk management in the organisation. Giving these WHY visions are vital for sustainable organisational success.
When people know the WHYs, they are more internally self-motivated to get into the zone where their subconscious mind just takes over. No external push factor is required especially through the need to comply with standards and regulations.
Positive risk culture can only be driven when people want to do risk management, rather than when they have to do risk management.
People’s want to motivation comes primarily from knowing the WHYs of business and risk management, something that leaders and managers do badly!
Professional bio
As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.
He is also the co-founder of Skillsand.org, an organisation dedicated to helping people acquire in-demand job skills and preparing them for the future of work. The goal is to create a convenient learning experience that’s as easy as making any other purchase on Amazon.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution.
Leave a Reply