Jim Kaplan's AuditNet Resource List
How to Sell Risk Management Internally

Is risk management "embedded" in your organization? It's a common goal and frequently claimed as achieved. The answer depends on what you mean by "embedded".

If "embedded" means "the forms and meetings involve lots of people, at least quarterly, and it's a routine they are used to now - and we've put requirements for risk assessments and mitigation in the business case format and bid procedures" then many companies have now achieved "embedding", so the answer is "Yes".

If "embedded" means "most of our managers consciously and skillfully manage risk in everything they do, and even use the same techniques to help plan their own lives, building projects, holidays and so on" then the answer is surely "No".

The battle for hearts and minds has not been won. Most companies still suffer from a culture of uncertainty suppression in which people feel pressured to appear more certain than they really are and to fix their minds on one future outcome. Downside risks are suppressed by people wanting approval or funding. Upside risks are suppressed for fear of being set higher targets. Many people view risk management professionals as negative, restricting people, who hinder rather than help them move the business forward.

Formal risk management events and procedures organized under Enterprise Risk Management programs and to comply with regulations like the Sarbanes-Oxley Act (s302 and s404) and the Turnbull guidance have helped by providing special occasions when it is OK to talk about uncertainties and risks. But there's still a lot that can be done.

How?

How can we, as risk management professionals, reach out to our colleagues in other areas and involve them in a more meaningful way?

Motivation theory

Expectancy theory is one of the less well known theories of motivation, but it is simple, logical, and can help us rethink our approach to promoting risk management. Expectancy theory says that people are motivated to do things where:
Fail on any one of these three beliefs and the chain of motivation is broken. Also, it is obvious that the more difficult something is to do the more motivation is usually required before people will do it. Here's how the characteristics of typical programs today affect the motivation of participating managers:
Taking risk management personally

If we are to take Risk Management to the next level it is time to engage our colleagues in a more personal way and make more of the risk management that is already embedded in everyday decision making. We must make every effort to make the processes slick and easy, and eliminate any technical flaws. We must emphasize the personal benefits of good risk management and get top management to recognize and reward excellent risk management and openness about uncertainty. Details matter, and we need to see things from the point of view of the people we are trying to influence.

Imagine you are a line manager with a challenging job, under pressure to get results. You receive an email explaining that you are required to participate in a risk management meeting to review internal controls and to fill in some forms and sign them. The email points out that it is "your responsibility" to manage risk and that you are required to make your submission by a certain date. There may even be penalties if you fail to do this. The meeting is part of a corporate program devised by some staff function. The email points out that this is necessary for compliance and continued trading, and contributes to shareholder value. It even points out that this is "good practice you should already be doing" informally and that you personally will benefit.

If you think this line manager will be happy with that request, imagine it wasn't a risk management exercise, but perhaps something else, such as a complicated staff appraisal process, or training in the new expenses system, or mandatory training in "the transitional arrangements for inter-territory cost transfers".

Most people recognize this situation. Our natural reaction is to resent the imposition on our time and to be skeptical about the value of the exercise. We know that "it is your responsibility" is a veiled threat, and that "good practice you should already be doing" means nobody cares about the overtime we have to put in to comply with the latest demands of corporate bureaucracy. Our expectations are low and we simply don't believe that the exercise will be helpful to us personally.

So, what would turn people on instead of off? Put yourself in the shoes of our hassled line manager once again, and imagine that this time the request goes something like this:

"Our company faces a great deal of risk and uncertainty these days, and as well as managing them skillfully we need to be able to show that we have done so to comply with listing regulations. We depend on managers like you to make this possible."

"We all know that a lot of key decisions about risk and opportunity are made day by day so a major theme in our risk program this year is to identify and value that activity. Also, through the year we will be doing various things to make it easier for you to be open about risk and uncertainty, and to recognize and appreciate excellent risk and uncertainty management."

"Some aspects of risk management are not straightforward and past experience shows that time-wasting confusion can arise over jargon and level of detail. We will make available educational materials and people to help with some tasks."

"For regulatory compliance purposes it will still be necessary to fill in some forms each quarter, but we are working to make this as simple and quick as possible."

You would still be suspicious, but surely this is less aggravating. It recognizes that you are important and shows that effort is being made to make this easy for you. You will get help but there is no hint that this will be patronizing or brainwashing.

The importance of personal skill

Much depends on the risk management skills of individual managers. Most managers, confronted by a risk management specialist advocating a risk management process, feel that risk management is everyone's job. They often say "I do it all the time". Quite right, and this is very important for their performance as managers and for the organization's performance.

Unfortunately, people are rarely as good at it as they think. Numerous experiments by psychologists have shown our weaknesses. One of the most important is that we tend to have an overly narrow view of the future. This is compounded by pressure from colleagues and others to appear more certain than we are and to focus our minds on one outcome, rather than think more widely. Finally, we are reluctant to start opening our minds to the full range of future outcomes for fear of being overwhelmed by the complex permutations of possibilities. This is because we have not been educated or trained in handling risk and uncertainty and do not have a well developed set of skills for selecting actions quickly but rationally under uncertainty.

The risk management skills of individuals matter a great deal and there is huge scope for improvement.

"Managed Luck" - a new resource to popularize risk management

I have recently launched a new website called "Managed Luck" that is a free resource for anyone who is responsible for improving risk management in an organization. It offers a selection of articles on skills for managing risk and uncertainty at work with the emphasis on convenience and personal benefits. Cutting edge enterprise risk management has been translated into natural, everyday skills. There are true-to-life stories to illustrate the techniques in action.

For example, "How to talk openly about uncertainty at work" shows how we often experience pressure to suppress our uncertainties and to pretend to be more certain of the future than we are and could reasonably be expected to be. It then offers ways to handle that pressure and illustrates them with examples.

I have learned from experience that writing this kind of material is hard work! It is very different from the corporate speak more commonly used for talking about risk management and I have had to be very careful not to slip into our usual jargon.

I hope that internal auditors and risk managers will take advantage of Managed Luck by sending links to the site or to specific papers on it to their colleagues as part of their risk management program. All the articles have been designed to complement formal programs and rarely give specific suggestions about formats or details to minimize technical clashes.

Realistically, formal corporate programs with form filling and special workshops will probably have to continue for some time as they are the generally accepted way of complying with internal control regulations. However, a personal approach aimed at improving everyday risk management skill can complement the formal program. It can make people more receptive to it (though perhaps more critical of any technical flaws) and reduce the incidence of control failures.

More ideas

To see "Managed Luck" visit http://homepage.ntlworld.com/m.leitch1/mluck/. For a detailed questionnaire searching out the most common technical flaws with risk management programs click here. The questionnaire generates a draft report that you can copy and paste as the first draft of your own report.

Matthew Leitch