Blogs

What are the signs of an organization at risk for crises?

For some organizations a crisis is the only catalyst for change. 

Sharing a few thoughts on the signs of an organization at risk for crises. I have not performed a thorough analysis; however, I have a few reoccurring observations. If anyone has metrics on such information, please share. Keeping these warning signs in mind can help advocate for more (or at very least not less) risk management capabilities at the executive and board level. Risk management can be difficult for people and organizations as it deals with the future. It can be difficult for executives to spend scarce resources on a postponed, delayed, or ambiguous benefit. Risk managers can benefit by understanding hidden risks in their organization’s thinking and cost cutting. Don’t accept cost cutting or reduced authority. Before someone cuts your budget, prepare a case for why budgets can’t be cut. I have observed three (3) common corporate attributes that lead to big corporate crises that can be used to justify investments into our risk management programs [excluding credit, liquidity, and market risk]: 

1. Incidents
2. Targets
3. Incentives

The first variables are incidents and near misses.

Big corporate crises typically have a trail of incidents, which means the organization had a poor incident management process and risk management authority. Power law curve for natural and accidental threats tells us that large incidents come from small incidents. The frequency and magnitude are inversely related. When it comes to fraud, you follow the money. When it comes to crises, you follow the incidents. They act as an organization’s internal and external risk radar by telling us where we are strong and weak, illustrating how and where risk is transforming, and demonstrating our capability to manage and respond. Our incident and near miss report is much like our medical record. It tells us where we are and what we need to work on. Organizations need a system to recognize patterns and interpret information. We need to learn vital signs and recognize changing conditions. Organizations that do not have proper system in place to scan, detect, monitor, report, learn, and change from incidents and near misses lack an essential element for resiliency. Incidents and near misses are the bedrock of resiliency engineering. We need to see, understand, believe, and act on risks to prohibit the big crisis from happening.

The second variables are targets and spending.

Hyper focusing on narrow targets contributes to vision and attention tunneling. When an organization hyper focuses on a couple of specific items such as revenue (top line - sales) or net income (bottom line – cost cutting), risk management can be left out of the equation. The situation creates a vacuum where leaders are unable to see and hear the risk signals and warnings. Everyone’s attention and concentration is on a few specific numbers. Closely tied to narrow targets is confidence. Those that control the targets are the leaders of the organization. Leaders have confidence in their decision-making capabilities and expertise. The marketplace graciously rewards confidence; heck, we prefer over confidence. With over confidence comes egocentric thinking, which means we tend to see life through our own eyes and allocate credit and blame in self-serving ways. We can easily justify our decisions, such as cutting risk management budgets or postponing training, by saying we have more important things to do. Over confidence and egocentric thinking leads us undervalue risk. In addition to undervaluing risk, we overly discount the future for more immediate and short-term needs. This reduces our willingness to invest now for a postponed, ambiguous, and uncertain benefit in the future. All these ingredients come together to make what Max Bazerman calls a Predictable Surprise.

Linked to narrow targets are proper risk management spending and resources allocation. Appropriate levels are difficult to put a number on. What is the right amount? The answer is it depends, which is why the number is easily manipulated or dismissed. The answer depends on how healthy we want to be. Risk management is similar to our immune system. To be healthy and have longevity takes work. When we evaluate the case studies and in our own experiences, decrease spending in the risk management is a warning sign to dig deeper. There is a need to clearly understand why spending cuts. People can falsely interpret low incident and crisis rates as a sign to cut spending. Another excuse I have heard before is, “We are good in a crisis. Our people know what to do and do it well.” Or I have heard, “We have been lucky. I can’t remember or heard of anything bad happening in years.” This thinking in itself is a warning. In these situations, there seems to be a common false belief that risk has no cost to it; that is, belief that risk management spending is the only cost. This erroneous belief is why some companies reduce their risk management budgets without balancing the cost of risk.

The third variables are incentives and self-regulation.

When evaluating performance and rewards, risk management is not a key factor. In this environment it only makes sense (incentivized) to take risk, not reduce it. At the end of the day people will asked themselves what is going to put more money in my pocket. (Sub)consciously, we evaluate our behavior and actions [norms] against the organization’s culture. If everyone else is doing it (e.g., taking risk, not managing risk), then it will be difficult to go against the grain. With turnover and executive mobility, people in some organizations only stay in a position for a few years before moving on. In these situations, there is a large residual risk that continues to be passed on to the new person without properly accounting for it. Have you ever received a bonus or an award for something that has not happened? The answer is no. Performance incentives are usually concrete, tangible, metrics that are tied to top line (revenue) or bottom line (cost cutting). When if comes to big crises there are limited risk management incentives.

Linked to incentives are decentralized risk management and self-regulation. Both are warning signs. Of course, risk management is part of everyone’s job, but what we are referring to is letting the business units, segments or sites determine minimum levels of risk management. Assigning accountability and responsibility for risk management to the lowest level is challenging. First, companies do not have a dedicated risk manager at every site. Risk management is a part of everyone’s job but not their day job. People run into competing and even conflicting goals. Expecting risk experts at the lowest level is not practical. Organizations provide centralized functions for shared services. Second, people see the world according to their goals and purview. They are not in a position to see the forest. Risk management benefits from centralize funding. Self-regulation leads to weak oversight, which can have serve consequences if people are not prudent risk managers.

Use the above characteristics of big corporate crises to illustrate your point. Advocate for proper checks and balances. We have helped organizations develop specific case studies and learning to present to their executive management. Case studies (i.e., storytelling) bring the effects of bad risk management practices and beliefs to life. A current state analysis is helpful - document the current risk and resiliency health of the organization. Provide dashboard (scorecard) and graphics that illustrate the importance of the risk. Another solution is to ensure risk management is at the table for all strategic decision as most reputation crises come a change in strategy. We found it beneficial to perform pre-mortems, concept plans, and branches and sequels with executives. It helps prepare the team and organization as well as ensure risk is balanced with cost and decision-making.

Best - Sean