Stakeholder consultation in risk management

One of the elements COSO-ERM does not thoroughly address is stakeholder consultation in risk management. Sure, there is the required communication capstone on top of the COSO pyramid, but the activities described therein fail to adequately address the needs and complexity of interacting with your stakeholders on a regular basis in the context of risk management.
ISO 31000, born out of the ISO practice of frequent consultation, does not fail to address it. Consultation is a part of the quality cycles. Inspired by AS/NZS 4360, it gives consultation and communication a key position in the entire process. Just look at this visualization.

But how would you go about consulting your stakeholders in the risk management process? And more importantly, what can they contribute to your risk management?

Stakeholders as sources for the unknown unknowns

As Donald Rumsfeld put it, the most challenging elements in any situation are the so-called unknown unknowns: the problems we aren’t even aware we have, the exposure we don’t know exists. It was an unknown unknown that made Challenger explode, that sank the Titanic … And it’s likely to be an unknown unknown which will result in you failing to reach your objectives. More on that in another post.
However, stakeholders are great sources for unknown unknowns. Because they look at our activities, operations and actions from a different vantage point, and because they come to the table with different objectives, they often see issues where we see none.

Any organization which fails to recognize that it needs to comply with, or at least listen to and validate, the concerns of an important stakeholder fails to understand that this stakeholder, through his actions or inactions, can revoke its license to operate, killing any chance of the organization reaching its objectives. For those familiar with history, the initial “hearts and minds” strategy the United States followed in Vietnam was a recognition of this essential element. Without support from the villages and villagers, the conflict was bound to go against the US. The abandonment of this strategy influenced the outcome, as there was no longer an implicit license to operate. (The matter is more complex, but this was an important contributing factor.)

Gathering the information

Gathering the information is as simple as asking the question. Asking the question is however not the challenge. The challenge is creating an initial environment of trust where stakeholders do not feel exploited or used for the greater good of the organization, which may adversely affect their lives. So you will need to establish real trust. And establishing real trust takes time. You cannot buy that trust, you need to earn it. Which basically means that you can throw any ideas of window dressing out of the, well, window.
I believe that an important step to building real trust can be achieved by transparent information sharing. Communication needs to precede consultation, as it builds rapport and it shows the intent to share. You want the information, you need to initiate, you need to cross the bridge first.
What I would not share upfront is the risk analysis conducted inside of the organization. Not because you don’t want to share that information, but rather to avoid influencing the risks identified by the stakeholders. After all, just like you, they can be influenced in their view on the subject matter. Better to get their information without prior contamination.

First open, then closed questions

The stakeholder risk identification needs to be as broad as possible. Remember, we’re mainly looking for the unknown unknowns.
I would start off with interviews which aim to identify their objectives with respect to the organization (remember, no risks without objectives) and the threats they see to these objectives, as well as the current confidence they have in the organization’s ability to deal with these issues and achieve the objectives.
A number of risks will likely be similar. Another set of risks will be new. As in a traditional ISO 31000 approach, you need to not only identify, but analyze and then assess these newly identified risks. During the first or, if necessary, a second open interview, each of the risks needs to be revisited for further clarification. We try to ensure we clearly understand how the stakeholder perceives the risk. In a second or third interview, or by means of an online voting approach, the risks are then evaluated (current level of risk management, probability of occurrence, consequences).

Visualization, interpretation and treatment

As to visualization, a good visual representation of an analysis, if it is done in an objective manner, provides a good basis for discussion. I would use different colors to look at different scoring of the same risk. This will take some time to develop (although you could probably automate it) but discussing a clean visualization brings a lot more to the conversation than a cluttered whole.

First, you are likely to find risks whose score can be compared to the scoring by the organization. This can be interpreted as a validation of the internal risk assessment.
Second, you will find risks which were not identified in the internal assessment. These risks need to be reassessed by those responsible internally. If they turn out to be considered a real risk, they need to be included in the risk assessment (risk update) and treated.
Third, in case their scores are significantly different from the internal assessments, there is at least an interpretation difference, which needs to be managed.

Let’s imagine for a minute a situation in which the organization fails to deal with a risk it considers minor, but the stakeholder considers very important. If the stakeholder’s concerns are not adequately recognized and no time is invested in explaining why the risk treatment is done the way it is, this may lead to stakeholder protests and eventually the revocation of the license to operate.

Throughout the entire risk analysis there needs to be a continuous communication with the relevant stakeholders. Failing to do this properly may create the most significant threat to the achievement of organizational objectives ever.

Let's talk about risk

The importance of consultation and communication in risk management

ISO 31000 refers to consultation and communication with stakeholders as a key activity in a well implemented risk management methodology. Let’s examine why these elements are important.

The elements

ISO talks about consultation and communication with stakeholders. So we need to explain why:

  • consultation
  • communication
  • stakeholders

are important. We’ll start with the whom, then discuss the two interactions.

Stakeholders

“A stakeholder is a person with an interest or a concern in something, especially a business.”

A stakeholder is therefore influenced by the objectives of an organization and whether or not it achieves these objectives. Note I’m not saying that every stakeholder is necessarily aiming for the organization to reach (all of its) objectives. On the contrary, a stakeholder may be defined as a stakeholder because his or her interest runs counter to the objectives of the organization.
Not captured in the definition is that stakeholders have many means at their disposal to influence whether or not, how, or at what price an organization can reach its objectives. A voter, for example, may have interests aligned with a political party. If that party does not achieve its stated objectives, it’s entirely possible the voter will take his or her vote elsewhere, and impede the party from realizing all its objectives.
A political party and its voters are relevant as an example of the diversity of stakeholder interests in another sense as well. A political party has a programme, often a consensus of the diverse needs of its intended voters and its political objectives. Not every voter is as interested in the party achieving the entirety of its programme. On the contrary, quite often there may well be conflicting interests within a party programme. It all depends on the weight of the stakeholders in the decision making process.
Lastly, note that not all stakeholders are external to an organization. Your employees are stakeholders as well. And believe me that you should not automatically assume that they are aligned with each and every aspect of your strategic intent. Because they are not.
Let’s be clear, stakeholders are a force to be reckoned with. I’ll come back to that later.

Consultation

“the action or process of formally consulting or discussing”

When we’re defining consultation, we need to define the verb “to consult”.

“have discussions or confer with (someone), typically before undertaking a course of action”

Consultation is all about exchanging information and ideas with someone, preferably an expert or a party involved and with a particular view on an aspect of what you’re dealing with, prior to an action.
Lots of issues or problems or elements on the road to achieving objectives benefit from being examined from different angles. I’m not suggesting to adopt an overly committee-like approach where decisions are postponed and killed in committee. However, quite often problems are only looked at from an extremely narrow point of view. This ivory tower mentality has led to significant mistakes in decision making because certain aspects of a problem were never recognized as such.
In programming, there is a dictum that states “Given enough eyeballs, all bugs are shallow” (Eric Raymond). The same goes for issue management. If enough people involved in the problem look at it from their particular point of view, bringing together all these elements will result in a best possible view on the issue.
However, there is a difficulty with this approach: sometimes the time between potential risk detection and that risk becoming a reality is too short to allow for a full consultation. It pays to have a consultation group of stakeholders with different points of view at the ready to allow for quick consultation.

At BTC, we established a consultation committee on integrity. Representatives from all divisions of the organisation gather on a regular basis to discuss integrity related issues and advise my team on how to approach certain integrity related issues. As stakeholders, they have an expertise which my team members, acting as the integrity bureau, do not necessarily have. This committee can be called together on short notice to discuss concrete issues.

Through consultation, you bring to bear all competence within the stakeholder group on a specific problem you are being faced with. You recognize the value these stakeholders have to you, and by doing that, you recognize their value.
However, and that is essential, by no means do you transfer responsibility or accountability for the decisions taken to deal with issues, problems or risks. That remains the sole responsibility of the organization.

Communication

“the imparting or exchanging of information or news”

Consultation is not enough. In consultation, you gather additional perceptions and information to make better decisions. Once those decisions are taken you need to communicate to all stakeholders. In essence, you want to communicate:

  • What: you describe the outcome of the consultations and the integration of the information learned into the decision making process;
  • Why: you describe, wherever possible and not counter to any commercial objectives, why you’ve decided to do what you do;
  • How: to those impacted, you explain how the what will be realized. What can they expect to happen to them or around them in what timeframe;
  • Outcome and corrections: once a decision is implemented, it leads (hopefully) to results. These results need to be communicated as well. Based on the outcomes, certain corrections may be chosen. These and their impact and the what, why and how need to be communicated as well.

Bringing it together

One well placed, misinformed stakeholder can bring an entire strategy down.
When dealing with any type of activity of an organization, enhanced stakeholder involvement is important to gain perspective but also to develop acceptance of actions that need to be taken. Inviting your stakeholders to the dance is an important means of gathering the necessary support for implementation or of timely identifying key blocking factors.
When dealing with risks and risk management, this need is amplified. After all, you are investing time and means in avoiding the occurrence of certain situations. But just as with Y2K, a risk avoided is something that did not happen. Clearly involving your stakeholders to get a realistic view on the issues and gathering ideas to deal with the issues in the most effective way possible is a sound business tactic. Moreover, it shows diligence where diligence is due.
By making communication and consultation with stakeholders one of the first elements of risk management, ISO has clearly stated that no risk management approach can be successful without the proper support of the relevant stakeholders.