Guest Post by Patrick Ow (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Organisations that promote formalised and standardised risk management practices can create a risk culture where their employees view risk management as a compliance and tick-the-box exercise.
In comparison, organisations that intentionally promote a more informal environment where risk discussions and information sharing naturally occur as part of the broader organisational culture when making decisions can experience a positive risk culture.
Too much formalised risk management can hurt the organisation, according to research on Risk Culture and Risk Management in the Australian Public Sector. This is counter-intuitive but real.
The implication of this insightful research impacts how organisations approach risk management and the balance they need to find to create a positive risk culture that does not focus solely on compliance. The unintended consequences of formalisation and standardising risk management can have a negative impact on the organisation’s risk maturity and culture.
Case in point – financial industry
Banking regulators have increased their risk management requirements on financial institutions in the wake of unprecedented bank failures.
At the same time, these regulators want financial institutions to “set aside the requisite space, time and permission for quality reflection, introspection, and learning”. (Source – Commonwealth Bank of Australia (CBA) had to provide Court Enforceable Undertakings in May 2018 to the Australian Prudential Regulation Authority (APRA)).
Within such a highly regulated sector, APRA concluded after they reviewed CBA that “risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA’s reputation. The consequences of this slowness were not grasped.”
APRA found a widespread sense of complacency, a reactive stance in dealing with risks, being insular and not learning from experiences and mistakes, and an overly collegial and collaborative working environment which lessened the opportunity for constructive criticism, timely decision-making, and a focus on outcomes. And all these occurred within the context of increased regulations and oversight by APRA and other regulators.
Trying too hard can backfire
Let us go back to the fundamentals.
When something is important to you, it’s natural to tighten up and try harder. But sometimes, that approach can only lead to failure.
This phenomenon is called “ironic process theory.” It explains why trying to relax makes people more stressed, why trying to stay awake gets insomniacs to fall asleep, and why it’s more likely someone will believe something when they try not to.
Likewise, working too hard can hurt your career and well-being. Researchers have found that working extra hard has no positive effect on you getting ahead in your career and can backfire.
Simplify and don’t over-engineering things, including risk management
Most things in life are simpler than they appear. We don’t always see this because our brain concludes that it can’t be that simple. Therefore, we make it much more complicated than it needs to be.
When this occurs, we demand more risk managements requirements for government agencies and more regulations for banks. More compliance and regulations are good – so it seems.
As a result, many organisations implement ‘cumbersome’ or over-engineered management practices including risk management.
Over-formalising or over-engineering your risk management practices can lead to risk management being viewed as a compliance exercise.
This is an unfortunate outcome, given that simplifying your risk management practices can lead to better decision making and positive risk culture.
Risk management as a compliance activity
The corporate world has known this for decades – the primary reason for risk management is compliance.
Additionally, organisations constantly look for ‘what could go wrong’, rather than ‘what can go right’ to increase the likelihood and extent of organisational success, which is the heart and purpose of risk management.
Risk management has been used for preventing undesirable events and avoiding risky activities rather than seeking out opportunities to succeed and taking the business risk to improve outcomes.
Strong controlling of risk management leads to negative outcomes
What we have seen in organisations is that a strong controlling environment with a standard set of formal mechanisms have resulted in risk management for compliance and the focus on downsides.
Such controlling risk cultural environment includes hierarchy, formalisation, standardisation, structure, conformity to rules and policies, predictability and safe decision-making aimed at stability and dependable delivery.
Focus instead on the informal mechanisms for managing risks
What is less known is the fact that organisations with a collaborative environment and informal mechanisms that include sharing knowledge, openness, trust, participation, and customisation have seamlessly integrated risk management into their decision-making, which has led to better outcomes that goes beyond compliance.
When this occurs, risk management is supported by other people and team management practices in an integrated manner. We know that risk management as a management function can’t exist in isolation.
These organisations have experienced the positive effects of informal risk management where there is innovative and goal-oriented risk cultural environments. They may not be aware that they are doing risk management because it has been seamlessly integrated and embedded in their culture, daily activities, and decision-making processes.
Simplicity and informality matter.
This is an ideal state for many organisations. People in these organisations are unconsciously doing risk management without knowing it!
Focus on performance outcomes, not on the risk management process
We know that musicians who focused on sounds that their instruments are producing, rather than their finger movements, have better performances. And speakers who focused on their physical environments or the audience performed better than those who focused on themselves.
Likewise, your organisational performance will be better when you focus on the outcomes you want to achieve rather than on the process to get there. The outcome you want to achieve is to increase the likelihood and extent of your organisational success.
Focusing on the process of risk management instead of the outcome of risk management can be detrimental for risk management and organisational success.
Integrate your performance reporting with risk information
This is where your performance can be further enhanced when you integrate your performance information with your risk information. Risk management information must be contextualised for decision-making and action-taking.
Merely reporting on the risk matrix without any contextualised performance information would not drive better decision-making.
When performance is on track and even better, have a higher rated risk profile can be a good thing. It shows risk taking is paying off through better performance.
Therefore, when you are achieving good performance and have a few critical risks on your risk register, this could be a good sign. You can be taking the right risks or opportunities to get a better outcome.
Reviewing your risk information (i.e., through your risk matrix) in isolation of your performance (i.e., how well you are doing) can be like applying a handbrake to a moving car (i.e., whereby too much risk management can hurt your organisation especially applied at the wrong time). There is a likelihood that you implement unnecessary risk controls that can negatively disrupt your good performance.
When you use your performance information to guide your risk management activities, gently tapping on your brake pedal as required will enable you to reach your destination safely without receiving a speeding fine. Applying the right amount of brake pedals at the right time can only give you the best outcome.
Professional bio
As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.
He is also the co-founder of Skillsand.org, an organisation dedicated to helping people acquire in-demand job skills and preparing them for the future of work. The goal is to create a convenient learning experience that’s as easy as making any other purchase on Amazon.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution.
Good article
Thanks. We’ll share it with the author.