Common Mistakes In The Attempted Management Of Risk
Ignoring Frontline Insights
This is a pretty obvious one - if you don't involve the people who do the work and experience the risks on a daily basis, then you'll never gain the benefit of their knowledge in order to be able to fully evaluate the risks and correctly identify the required controls. Equally, if you don't give them at least some basic training in the principles of risk management, you can leave them floundering, and not get the best from their knowledge and experience of the work you are considering.
Why It Matters: Frontline employees possess invaluable firsthand knowledge of the risks inherent in their tasks. By not involving them, organizations miss out on critical insights that could inform more accurate risk assessments and improve effectiveness of mitigation strategies.
Recommendation: Companies should actively involve frontline workers in the risk assessment process. This can be achieved by:
Providing basic risk management training to enhance their understanding and ability to identify risks.
Either directly involving them in the risk assessment workshops and / or establishing clear channels for impacted personnel to provide feedback on their observations, concerns or opportunities to improve.
Ensuring their input is valued and given equal consideration in decision-making processes.
Misusing Risk Matrices
How many of you out there are using a 5x5 risk matrix with red, yellow and green squares and X & Y axes are something along lines of “Almost Certain I Likely I Possible I Unlikely I Rare” and “Negligible I Minor I Moderate I Major I Catastrophic”. Perhaps the squares have numbers in them from 1-25 based on multiplying the Likelihood v the Consequence. No doubt some of you will be more sophisticated and put descriptors in the squares and give some guidance around the criteria for the X & Y axes. The point here is the weaker the definition of the criteria for a risk assessment matrix the weaker and less reliable the output will be.
A tendency I’ve often seen is for people to gravitate to the middle (yellow) or the green and really hesitate to arrive at a decision which puts a risk in the red zone - they almost do the risk assessment backward by first finding their target on the matrix and then choosing X & Y criteria to suit their decision which they then hold dear to. Decisions on frequency and consequence should, as far as possible, be based on hard data from both internal and external sources. Proper preparation (e.g. data gathering), group dynamics and the skills and experience of the person leading the risk assessment play an important part in outcome quality - more on that in a bit.
Why It Matters: A poorly defined risk matrix can result in significant risks being underestimated or overlooked entirely. This can lead to inadequate preparation and response strategies, ultimately compromising safety and operational continuity. In essence, you can't take poorly defined risk criteria multiplied by weak, possibly very weak, input data (or just strongly held opinions) and then claim you've really got to grips on where your risk sits.
Recommendation: To mitigate this issue, organizations should:
Clearly define the terms and criteria used in the matrix, with examples or guidelines to ensure consistency.
Use quantitative data where available to inform the probability and impact assessments.
Train risk assessment teams on the limitations of risk matrices and how to use them effectively as part of a broader risk management approach.
Using A Risk Assessment To Justify A Decision Already Made
This is an issue I’ve seen quite often in operational areas. It either arises in conversation during accident investigations “But we did a risk assessment and it was OK” or leadership teams convincing themselves (or others) a poor decision is still safe to proceed because “We did a risk assessment and it’s in the yellow which means we can go ahead as long as we’re careful” - and yes I’m being as bit facetious but essentially that’s what they say.
Why It Matters: When risk assessments are used as post-hoc justifications or to rubber-stamp determined decisions, it diminishes the value and credibility of the risk management process and can create a false sense of security with potentially catastrophic consequences. It suggests that risk assessments are not being used to genuinely evaluate and mitigate risks but as a bureaucratic step to justify preconceived decisions.
Recommendation: Organizations should:
Provide continuous education and training on risk management principles for all levels of staff, especially decision-makers. Emphasize that the goal of risk management is to make well-informed decisions, not to justify them after the fact.
Ensure risk assessments are conducted at the earliest stages of decision-making so informed decisions are made which genuinely take into account the identified risks and their mitigation strategies.
Use risk assessments as a tool, not a crutch and treat risk assessments for what they are — tools to aid in understanding and mitigating risks.
Focusing On The Noise Not The Silence
In this regard I'm probably a bit of a heretic since I have a view that organizations which commit to Zero Harm are less likely to achieve it, are more likely to ignore low probability / high consequence risks and may have a culture of underreporting due to fear of breaking a record of zero whatever goal has been nominated. It's also rather a self undermining goal since every time it's not achieved it only serves to show it can't be.
Organizations often expend tremendous leadership energy (and cost) on attempting to manage prevention of more frequent, lower-impact, risks (e.g. near miss reporting and TRIs) at the expense of rare but potentially catastrophic events. This skewed focus can leave businesses vulnerable to material events that, while unlikely, could be devastating.
There must be a balance found between the need to prevent lower tier events and the need to prevent catastrophes. Organizations which allow themselves to pay scant attention to high materiality events, perhaps because of where they sit on a risk matrix due to their low probability, place themselves at significant risk. Best practice is to identify those events which could be material to the business, ignore the probability, and ensure as much attention is paid to the quality and effectiveness of controls to prevent them as for those lower tier events which create more daily 'noise'.
Why It Matters: Neglecting low probability, high impact risks can have dire consequences, including significant financial loss, reputational damage, and in the worst cases, loss of life.
Recommendation: Businesses should ensure their risk management framework includes a mechanism for identifying and addressing these high impact risks by:
Conducting thorough scenario planning and analysis to uncover potential catastrophic risks.
Allocating resources to mitigate these risks, even if they seem unlikely.
Regularly reviewing and updating risk assessments to account for changes in the operating environment.
Falling Prey to Groupthink
Groupthink can severely undermine the risk assessment process. This phenomenon occurs when the desire for harmony or conformity in a group results in an irrational or dysfunctional decision-making outcome. It's particularly dangerous when strong personalities dominate the conversation, stifling diverse viewpoints and critical analysis. It might be the presence of a senior leader with a powerful personality who other employees feel intimidated by or uncomfortable in challenging for whatever reason. Another could be one or two employees who are the loudest voices in the room.
Either type can heavily sway the conversation, the thinking and the outcome. It takes all the skill of the person leading the risk assessment to help balance those group dynamics and ensure every person in the room has a voice that is listened to equally, and their views given fair consideration.
Why It Matters: Effective risk management depends on a comprehensive understanding of potential risks, which requires input from a variety of perspectives. Groupthink can lead to significant oversights and flawed risk assessments.
Recommendation: To counteract groupthink, organizations should:
Foster an inclusive environment where all participants feel empowered to share their insights and concerns.
Appoint a competent independent facilitator with sufficient authority to oversee risk assessment meetings, ensuring all voices are heard.
Encourage a culture of critical thinking and respectful challenge, where questioning and scrutiny are valued.
Underestimating the Full Spectrum of Consequences
Risk assessments often focus narrowly on the immediate or direct consequences of risks, overlooking broader implications. This can lead to a misunderstanding of the true impact a risk may have on an organization, including indirect effects like reputational damage, financial loss, legal and regulatory penalties.
As an example, I once saw a risk assessment which identified the consequences of an event being significant pollution. The assessment was ranked according to the impacts and duration of harm on flora and fauna without any real consideration given to the cost of the cleanup, operational disruption, any community compensation, investor confidence, impact on share price, fines arising or any consequence of future license to operate in the area of operation and potentially in other areas of operation outside of the country impacted. Once the risk was reevaluated it significantly changed the assessment of materiality to the business.
Why It Matters: A comprehensive understanding of all potential consequences is essential for effective risk mitigation. Without this, organizations may be ill-prepared for the fallout of a risk event, resulting in greater damage than anticipated.
Recommendation: Expand the scope of risk assessments to consider a wide range of consequences, including:
Health
Safety
Environmental impact
Community relations
Consequences of operational disruption
Finance (including investor sentiment)
Reputation
Regulatory (including existing and future license to operate)
Legal
Inadequate Definition And Review Of Controls
A common oversight in risk management is the confusion between controls and procedures, along with a failure to define which controls are critical. This confusion can dilute the effectiveness of the risk management process, leading to vulnerabilities. Controls need to be sufficiently well defined they can be assessed and audited against with a high degree of confidence as to their repeated effectiveness.
What is critical here is to make sure that controls are not so broad and poorly defined you can't actually go out and measure whether or not they're being complied with - if you can’t accurately, repeatedly and reliably audit a control to give a level of ‘reasonable assurance’ then it’s not a control.
Why It Matters: Controls are specific measures put in place to mitigate risks. Without clear definitions, it's challenging to assess their effectiveness or ensure their proper implementation. Critical controls, which have a direct impact on preventing or mitigating risks, require particular attention to clarity on expectations for compliance.
Recommendation: Enhance control clarity and effectiveness by:
Clearly distinguishing between controls (measures to mitigate risk) and procedures (steps to execute tasks).
Identifying and labeling critical controls within your risk management framework.
Regularly reviewing and testing controls for their effectiveness, especially after an incident or significant near miss, to ensure they remain fit for purpose and implemented correctly.
Failing to Act On New And Emerging Risks
Risks are not static; they evolve over time. Grey Rhino risks abound and a significant mistake in risk management is to discount them until it’s too late to react leaving organizations exposed to threats that could have been anticipated and mitigated.
Why It Matters: The business environment is dynamic, influenced by technological advancements, regulatory changes, societal shifts, and global events. New risks can emerge rapidly, and existing risks can evolve, increasing in severity or likelihood.
Recommendation: Stay ahead of potential threats through:
Encouraging innovative thinking and the deliberate and regular exploration of "what if" scenarios to identify potential new risks.
Reviewing and updating risk assessments and mitigation strategies regularly to reflect the changing risk landscape.
Not Seeking Worker Feedback On Control Effectiveness
Frontline personnel who deal with risks daily are a valuable source of insights into what's working and what isn’t. Good risk management will have ensured their engagement in control design and the control matches with how the work is both planned and then actually done. It is essential control effectiveness is regularly tested by having the right discussions with those doing the task and stepping back to see if the control can be improved from a Human Factors and risk reduction standpoint.
Why It Matters: Without feedback, there's a risk of persisting with ineffective controls or missing opportunities to improve risk management practices. Engaging with employees can reveal practical, on-the-ground insights that may not be apparent from a management perspective. Organizations which do this well ensure work is planned and executed in a consistently safe fashion because those doing the task understand the risks and had a voice in how to best control them in a way which makes sense.
Recommendation: Improve control effectiveness and employee engagement by:
Establishing regular feedback mechanisms which personnel undertaking the task to share their experiences with risk controls and how they can be improved.
Actively involving employees in any planned review and refinement of risk controls.
Incorporate Human Factors / Human Performance Optimization into control design & modification
Recognizing and acting on feedback to continually enhance the risk management framework.
Lack of Regular Risk Process Reviews At Senior Levels
A strategic oversight often seen in organizations is the absence of regular, structured reviews of the risk management process by senior leadership. This lack of engagement can result in a disconnect between strategic objectives and risk management efforts.
When I look back on my career, one of the things I am most proud of is when I and my line manager were able to gain the support of the CEO of one of the world’s largest extractive companies in introducing metrics for the management of material risk on the senior leadership performance scorecard. The old adage “What interests my boss fascinates me” was reflected by a swift and dramatic change in senior leadership engagement and improvements in our management of material risk.
What had historically been a 6 month exercise largely done by the Risk team to prepare reports for the Risk and Audit Committee of the Board almost overnight became a series of meaningful conversations which cascaded to the roots of the organization. It took several years for this to have the desired effect, but the legacy was an organization capable and willing to discuss risk at every level on a daily basis.
Why It Matters: Senior leadership's involvement ensures risk management is aligned with the organization's strategic direction and priorities. Their oversight can also foster a culture that values and prioritizes effective risk management. Including risk management outcomes in senior leaders annual compensation considerations can have a significant impact on improving the quality of engagement and support.
Recommendation: Enhance senior leadership engagement by:
Integrating risk management metrics and reviews into senior leadership meetings and scorecards.
Encouraging senior leaders to champion risk management initiatives and provide visible support.
Linking risk management performance with senior leadership remuneration to underscore its importance.
Overlooking Lessons From Incident Investigations
One of the real strengths of well-developed controls, and in particular critical controls, is when you have an incident it becomes much easier to determine whether or not you have a gap in personnel following the controls (and why) or whether the controls themselves are inadequate (or both). In either case not incorporating findings from incident investigations into the review of control effectiveness is a critical error since every incident provides a learning opportunity to prevent future occurrences.
Why It Matters: Effective incident investigation can reveal weaknesses in control effectiveness, between ‘work as planned’ v ‘work as done’. Overlooking these lessons can result in repeated incidents, potentially with escalating consequences.
Recommendation: Strengthen risk management by:
Systematically incorporating the findings from incident investigations into the risk management process.
Reviewing and adjusting risk controls based on investigation outcomes to close gaps and enhance effectiveness.
Sharing lessons learned across the organization to prevent similar incidents elsewhere.
Not Scanning The Horizon Or Acting On The Insights
Identifying new and emerging risks without taking appropriate action is akin to recognizing a storm on the horizon but not preparing for it. It's crucial not only to identify these risks but also to evaluate and implement mitigation strategies proactively. Horizon scanning should not only be far but wide. A good and topical example is climate change, and yes I know it's become a bit (very?) politicized in some countries.
I was contemplating a scenario earlier today - what if I’m an organization which is a bit ambivalent about climate change risk as it might physically impact our operations. However in 5 I 10 I 20 years what happens if insurers withdraw insurance for housing or raise the rates so much that the cost-of-living and/or mortgage availability becomes prohibitive for the workforce demographic I employ to support a factory critical to our business. As an example, the US Census Bureau shows 276,000 left Florida in 2022 because of rising insurance rates. How might this affect my longer term thinking about that factory?
Why It Matters: Failing to act on the insights gained from horizon scanning can leave organizations exposed to risks that could have been mitigated or avoided. This proactive approach is essential for maintaining resilience in a rapidly changing world.
Recommendation: Ensure responsiveness to emerging risks by:
Undertaking regular horizon scanning where nothing is off the table, look both far and wide
Developing action plans for new risks identified through horizon scanning.
Allocating resources to address these risks promptly.
Regularly reviewing the effectiveness of actions taken to mitigate new risks, adjusting strategies as necessary.
Bridging the Gap Between Risk Planning and Execution
Finally last but by no means least. Despite the comprehensive discussions, meticulous planning, and detailed risk registers that emerge from extensive workshops, a crucial failure point persists: the consistent and effective implementation of these plans on the ground. This gap is not confined to small enterprises or those with immature risk management practices; it pervasively affects even the most sophisticated and sizeable organizations worldwide.
The core of the problem lies in the routine and regular assessment of risk management strategies—specifically, verifying whether the actions, controls, and measures deliberated upon and documented are truly being executed as intended. It's one thing to ideate and document; it's another to actualize these plans reliably and effectively. The challenge is not merely about having experienced personnel but ensuring that every individual involved is educated, understands their role in risk mitigation, and is committed to executing these measures consistently.
A recently read a report on Views on Board Governance - Where Directors and C-Suite Leaders Align and Diverge. Among many insightful findings, of those surveyed, the report identified top priorities for the board were strategic planning and execution at 86% but risk management oversight was only 42%. It worries me if boards are not highly focused on the identification and management of risks (and opportunities), and the quality of the governance process to ensure they are effective, then what is the quality of their strategic planning and execution.
Why It Matters:
Operational Dissonance: A significant dissonance often exists between the theoretical risk management strategies developed and presented in boardrooms and their practical application. This gap can lead to vulnerabilities not being adequately addressed, despite being identified in risk assessments.
Reliability of Controls: The effectiveness of risk management is fundamentally dependent on the reliable execution of identified controls. Without a robust process and regular verification these controls are being implemented and are effective, organizations leave themselves exposed to potential risks being realized.
Emerging Legislation: The new EU Corporate Social Responsibility Directive introduced significant obligations for organizations trading there, including double materiality (internal and external impacts) detailed annual reporting requirements for a range of topics including Scope 1, 2 & 3 carbon emissions and independent assurance or reporting by competent organizations. The ripple effect on reporting to these standards for organizations not obligated under the CSRD but are key suppliers with significant contributions to Scope 3 emissions to organizations which do have to report them could be significant.
Recommendation: Ensure quality information on risks and effectiveness of controls by:
Documenting the organization’s risk appetite which provides clear guidance on the level of risk it is prepared to accept while still pursuing its strategy and objectives
Ensuring governance processes are appropriately trained, suitably independent with direct accountability to the board, adequately resourced and undertake audits in accordance with recognized international standards
Commitment to continuously monitoring and verifying the implementation of their risk management plans. This involves not just periodic reviews but ongoing oversight to ensure that practices are being followed as intended.
Cultivating a culture which prioritizes risk management, supported by a leadership which models and reinforces the importance of effective execution. Leaders should demonstrate commitment by regularly engaging with the risk management process and encouraging a proactive approach to identifying and addressing risks. Senior leadership compensation should include assessment of risk management performance.
Conclusion
The gap between risk management planning and its execution represents a critical vulnerability for organizations of all sizes and sophistications. Closing this gap requires a concerted effort to ensure risk management strategies are not only well-planned but are also effectively implemented and ingrained in the operational fabric of the organization. Through routine assessments, educational initiatives, operational integration, and a supportive culture, organizations can enhance their resilience against potential risks, ensuring that their risk management efforts are as effective in practice as they are on paper.
The single most important questions Senior Leaders and boards should be asking is
'How Do We Know We're In Control'
The above is not meant as a comprehensive list and I’m sure others can identify additional weaknesses organizations should be cognizant of.
If any part of this blog touches a nerve and you think you might want some advice or support, feel free to reach out.
Some additional reading you may find useful:
Comments