What are the signs of an organization at risk for crises?
For some organizations, a crisis is the only catalyst for change.
Sharing a few thoughts on recognizing the signs of an organization at risk for crises. I have not performed a thorough analysis; however, I have a few reoccurring observations. I have observed three (3) common corporate attributes that lead to big corporate crises, which can be used to justify investments into our risk management programs—beyond credit, liquidity, and market risk:
- Incidents and near misses
- Targets and spending
- Incentives and self-regulation
Incidents and Near Misses
When it comes to fraud, you follow the money. When it comes to crises, you follow the incidents.
Big corporate crises typically have a trail of incidents, which means the organization had a poor incident management process and risk management authority. The power law curve for natural and accidental threats tells us that large incidents come from small incidents. The frequency and magnitude are inversely related. Incidents and near misses act as our organization’s internal and external risk radar by telling us where we are strong and weak, illustrating how and where risk is transforming, and demonstrating our capability to manage and respond. Our incident and near-miss report is much like our medical record—it tells us where we are and what we need to work on. Organizations need a system to recognize patterns and interpret information. We need to learn vital signs and recognize changing conditions. Organizations that do not have proper systems in place to scan, detect, monitor, report, learn, and change from incidents and near misses lack an essential element for resiliency. Incidents and near misses are the bedrock of resiliency engineering. We need to see, understand, believe, and act on risks to prevent the big crisis from happening.
Targets and Spending
Hyper-focusing on narrow targets contributes to vision- and attention-tunneling.
When an organization hyper-focuses on a couple of specific items such as revenue (top line, sales) or net income (bottom line, cost cutting), risk management can be left out of the equation. The situation creates a vacuum where leaders are unable to see and hear the risk signals and warnings. Everyone’s attention and concentration are on a few specific numbers. Closely tied to narrow targets is confidence. The marketplace graciously rewards confidence—heck, we even prefer over-confidence. Leaders of the organization control the targets, and are often over-confident in their decision-making capabilities and expertise. With over-confidence comes egocentric thinking, and a tendency to see life only through our own eyes and allocate credit and blame in self-serving ways. It lets us easily justify our decisions, such as cutting risk management budgets or postponing training, by saying we have more important things to do. Over-confidence and egocentric thinking lead us to undervalue risk. In addition to undervaluing risk, we overly discount the future for more immediate and short-term needs. This reduces our willingness to invest now for a postponed, ambiguous, and uncertain benefit in the future. All these ingredients come together to make what Max Bazerman calls a “predictable surprise.”
Linked to narrow targets are proper risk management spending and resource allocation. What is the right amount? Appropriate levels are difficult to put a number on—which is why the number is easily manipulated or dismissed. How healthy do we want to be? Risk management is similar to our immune system; to be healthy and have longevity takes work. When we evaluate the case studies and our own experience, we see that decreasing spending in risk management is a warning sign to dig deeper. There is a need to clearly understand why spending cuts were made—sometimes it’s low incident and crisis rates, sometimes it’s because people believe, “We are good in a crisis. Our people know what to do and do it well.” I’ve had people tell me, “We’ve been lucky. I can’t remember or heard of anything bad happening in years!” (This thinking is a warning in itself, by the way.) In these situations, there’s a commonly held false belief that risk has no cost to it; that is, a belief that risk management spending is the only cost. This erroneous belief is why some companies reduce their risk management budgets without balancing the cost of risk.
Incentives and Self-Regulation
At the end of the day, people will ask themselves, “What is going to put more money in my pocket?”
Have you ever received a bonus or an award for something that has not happened? The answer is no.
Performance incentives are usually concrete, tangible metrics that are tied to top line (revenue) or bottom line (cost cutting). When it comes to big crises, the risk management incentives are limited. When evaluating performance and rewards, risk management is not a key factor. In this environment, it only makes sense (meaning: it’s incentivized) to take risk, not reduce it. (Sub)consciously, we evaluate our behavior and actions (norms) against the organization’s culture. If everyone else is doing it (e.g., taking risks, but not managing risk), then it will be difficult to go against the grain. With turnover and executive mobility, people in some organizations only stay in a position for a few years before moving on. In these situations, there is a large residual risk that continues to be passed on to the new person without properly accounting for it.
Linked to incentives are decentralized risk management and self-regulation. Both are warning signs. Of course, risk management is part of everyone’s job, but what I’m referring to here is what happens when our business units, segments, or sites are individually determining minimum levels of risk management. First, while risk management is a part of everyone’s job, it’s not their day job, and companies do not have a dedicated risk manager at every site. This makes assigning accountability and responsibility for risk management down to the lowest level very challenging, and ultimately impractical; conversely, organizations provide centralized functions for shared services, and prevent people from running into some of the common pitfalls, like having competing and even conflicting goals. Self-regulation leads to weak oversight, which can have severe consequences if people are not prudent risk managers. Second, people see the world according to their own unique goals and purview. They’re not in a position to see the forest. Risk management benefits from centralized funding.
Keeping these three (3) warning signs in mind can help advocate for more (or at the very least not less) risk management capabilities at the executive and board level. Risk management can be difficult for people and organizations as it deals with the future. It can be difficult for executives to spend scarce resources on a postponed, delayed, or ambiguous benefit. Risk managers can benefit by understanding hidden risks in their organization’s thinking and cost cutting. Don’t accept cost cutting or reduced authority. Prepare a case for why budgets can’t be cut before someone even gets the chance to cut your budget.
◻ Use the above characteristics of big corporate crises to develop your case against cutting your risk management budget.
◻ Advocate for proper checks and balances.
◻ Illustrate your point. (We have helped organizations develop specific case studies and learning to present to their executive management. Case studies—storytelling—bring the effects of bad risk management practices and beliefs to life, if you need advice.)
◻ Perform a site analysis, and document the current risk and resiliency health of the organization. Provide a dashboard (scorecard) and graphics that illustrate the importance of the risk.
◻ Ensure risk management is on the table for all strategic decisions, as most reputation crises come with a change in strategy. We found it beneficial to perform pre-mortems, concept plans, and branches and sequels with executives. It helps prepare the team and organization as well as ensure risk is balanced with cost and decision-making.