The New Grail
by Rosie Harrison
The Arthurian grail legend tells of a king sending an elite band of knights to comb the world for the grail - a vessel of great power, able to heal and cure all ills in his kingdom.
Modern business leaders have much in common with Arthur. They will often appoint a ‘champion’ to go forth and bring the latest management initiative to the workforce in an effort to cure it of its current ills. Risk management may be in danger of going down the same path.
The latest cure all or grail seems to be the mantra ‘we’re all risk managers now’ with the underlying assumption that these managers are somehow created by installing an embedded risk management process.
Knights and champions both then and now know that it is neither that easy nor that simple. You can’t just go along to your local magical emporium or software supplier and pick something off the shelf.
Our modern knights have an additional problem, not only do they need the grail - the embedded process - but they have to make sure that everyone knows how and when to use it.
Is it truly rational to expect an instant solution, some kind of technological silver bullet?
My own experience is that it is not.
Having spent 8 years in business risk management working with a wide variety of managers some totally risk averse and some almost breathtakingly risk dense (wouldn’t recognise a risk if it bit them!). I can say with conviction that it’s not so much the process that counts but the people who use it that matter most.
And also spending the last two years convincing managers to use our embedded processes I was not surprised to find that when the embedded process provided documentation and compliance information they were mainly used at the regular review periods. But now that we are extending the range and scope of the embedded process and linking it to change and configuration processes we are finding that it is becoming used more regularly.
Some things never change - managers will only use tools when the time and effort of using the tool produces positive gains over not using the tool and experiencing negative consequences.
So do I believe that an embedded process is some kind of grail that will provide a magic cure?
Absolutely not! There is no substitute for hard work, competence and sustained commitment from every person in the organisation.
If the processes are to be anything more than a superficial quick fix they need to become part and parcel of the way that managers and staff perform their day to day jobs. This could entail changing their working habits and competencies.
Not an easy option by a long way but one that has beneficial effects and is worth the effort.
To make life even more complicated the modern trend towards outsourcing business services means that the managers whose risk behaviours you want to change aren’t in your kingdom following your practices.
As a major business service provider my company runs business operations on behalf of private and public sector clients and we believe that we have a major requirement to be able to demonstrate our risk management capabilities.
Not only do we have to take our business risks into account we have to take our clients’ business risks into account - after all, their customers and their reputation is largely in our hands and we want to get it right for them - and to be able to demonstrate that to them.
So, how can you be sure that third party outsourcing companies are not taking unacceptable (to you not them!) risks with your reputation and your customers? Is it enough that they have embedded risk processes, risk champions and formal committees?
For me the answer is no - you need to go deeper but to a large extent it depends on the level of assurance that you want or need for your business and your shareholders.
There are things that you can look for to find out if service providers’ risk processes are skin deep or really embedded into their corporate culture.
First things First
Ask about their risk management principles and practices; what does the policy statement say, how is their risk work focused and validated, who is involved, how long have they been working in this way?
Do their risk principles:
shareholder value by giving focus to risk mitigation strategies?
a decision support mechanism to explore potential consequences both positive and
create shared values and agreed appetite for risk with partners and clients?
· demonstrate corporate responsibility?
So far so good; and going a little deeper. Are the principles supported by a robust process and are their people, knights and squires competent to use the processes and apply them to your business?
The process itself needs to be adaptable to suit the needs of your business and your risks and it needs to be integrated with the service provider’s other business mechanisms such as change management, process improvement and configuration management.
a minimum, the process should cover:
Identification and assessment
The aim here is to identify the risks that you face and the two key words are relevance and completeness. One of the easiest ways to ensure that identified risks are rel evant is to use your business objectives as a filter. The objective could come from the organisation’s balanced scorecard or corporate business plan but they do need to be well defined.
I often encounter objectives that say things like ‘Produce statements each month’. Certainly not clear enough for identifying relevant risks. You need to know how many statements count as successful, all , half? For objectives to be useful they have to be specific, measurable, attainable, resourced and time bonded i.e. SMART.
Clarifying objectives serves two functions. It increases the manager’s awareness of your business requirements and sensitivities and it enables them to identify relevant risks. Each manager should be able to ask themselves ‘if this risk materialises which of my objectives is compromised?’
Completeness can be confirmed by looking across the objectives to ensure coherence with corporate objectives.
The aim here is to assess the level of damage that would be sustained when the risk materialises. Are managers making the right estimates of how bad the risk will be when it materialises and about how often it could occur? Managers should be using a standard corporate wide set of assessment scales to ensure consistency and comparability across different operational units.
Do the assessment scales take into account your organisational sensitivities or those of the service providers. Ideally you should be able to specify the categories that you want yours risks assessed against. And you should be able to specify the values for the assessment scales. After all, you both may not wish to operate at the same level of risk tolerance or risk appetite.
This is decision time. Do you live with a specific risk and its potential consequences or do you do something about it. Who decides that a risk is too big to live with or small enough to be accepted? Do you get consulted or does your service provider make these decisions? At the very least you should be satisfied that the process has good rules and is consistently applied by all managers.
A key area to ask about is escalation procedures. Can an individual manager accept all your risks - regardless of their potential impact on your business? Or are there delegated levels for risk acceptance leading to escalation of the acceptance decision to partnership relationship managers or joint boards.
The aim here is to establish what should be done about unacceptable risks. Do you even know what the mitigation actions are? Are you happy that the mitigation actions chosen reduce the risk to an acceptable level, and are beneficial to your business practices?
Insurance covering the outsourcing companies financial loss does nothing for your reputation if it all goes horribly wrong. Do you have any say? At the very least you should have access to enable your experts to give an independent assurance about their suitability.
So far so good. Relevant risks have been identified and we know which ones we need to mitigate and how we plan to do it. ut good intentions are not enough - have the planned mitigation actions actually been implemented? Deployment of internal resources in the service providers organisation may mean that planned mitigation actions are waiting in a queue to be developed. You may not be aware of how long it will take for them to be operational.
At the very least you need to have some kind of delivery and sign off strategy and you should expect to see a process for monitoring and escalation to ensure that agreed mitigation strategies are implemented within an agreed timescale.
And finally, does the process provide you with evidence that it is being applied widely and consistently across your business processes? Will it supply you with evidence that supports your corporate governance requirements?
you can tell.
And last but by no means least, the people who operate the process and use it to support decisions they make about delivering your business services. How good are they. Are they good enough to be knights at your round table?
In my view much of business risk management is not so much a pure science more a black art because a large part of it is down to the subjective outlook of the individual using the process.
To some extent these individual perceptions can be altered by formal training where examples can be used to explore and establish shared values about risk taking behaviour and the company’s appetite for risk.
But there can be problems where the service provider is a greater risk taker than your culture caters for. Misunderstanding of this cultural divide can lead to charges of ‘negligence, cavalier attitude’ coming from one side and ‘stuffy , risk averse, old women’ on the other. And that is just the polite stuff!
Creating standardised assessment scales and agreeing business objectives can bring a degree of shared discipline and objectivity to the process which should develop greater understanding between the parties.
So now we know that knights are good guys and well trained in their duties. But times change and even knightly duties need to be reviewed and benchmarked. There is still a role for the risk specialist - Merlin as advisor to the court - to ensure that best practices are cultivated and developed.
Rosie Harrison is an ex Systems Analyst, Strategic Risk Manager and trainer, and corporate business manager. Currently she is working as a life coach and business mentor. She also teaches Tai Chi.