Let's talk about risk

The importance of consultation and communication in risk management

ISO 31000 refers to consultation and communication with stakeholders as a key activity in a well implemented risk management methodology. Let’s examine why these elements are important.

The elements

ISO talks about consultation and communication with stakeholders. So we need to explain why:

  • consultation
  • communication
  • stakeholders

are important. We’ll start with the whom, then discuss the two interactions.

Stakeholders

“A stakeholder is a person with an interest or a concern in something, especially a business.”

A stakeholder is therefore influenced by the objectives of an organization and whether or not it achieves these objectives. Note I’m not saying that every stakeholder is necessarily aiming for the organization to reach (all of its) objectives. On the contrary, a stakeholder may be defined as a stakeholder because his or her interest runs counter to the objectives of the organization.
Not captured in the definition is that stakeholders have many means at their disposal to influence whether or not and how or at what price an organization can reach its objectives. A voter, for example, may have interests aligned with a political party. If that party does not achieve its stated objectives, it’s entirely possible the voter will take his or her vote elsewhere, and impede the party from realizing all its objectives.
A political party and its voters are relevant as an example of the diversity of stakeholder interests in another sense as well. A political party has a programme, often a consensus of the diverse needs of its intended voters and its political objectives. Not every voter is as interested in the party achieving the entirety of its programme. On the contrary, quite often there may well be conflicting interests within a party programme. It all depends on the weight of the stakeholders in the decision-making process.
Lastly, note that not all stakeholders are external to an organization. Your employees are stakeholders as well. And believe me that you should not automatically assume that they are aligned with each and every aspect of your strategic intent. Because they are not.
Let’s be clear, stakeholders are a force to be reckoned with. I’ll come back to that later.

Consultation

“the action or process of formally consulting or discussing”

When we’re defining consultation, we need to define the verb “to consult”.

“have discussions or confer with (someone), typically before undertaking a course of action”

Consultation is all about exchanging information and ideas with someone, preferably an expert or a party involved and with a particular view on an aspect of what you’re dealing with, prior to an action.
Lots of issues or problems or elements on the road to achieving objectives benefit from being examined from different angles. I’m not suggesting to adopt an overly committee-like approach where decisions are postponed and killed in committee. However, quite often problems are only looked at from an extremely narrow point of view. This ivory tower mentality has led to significant mistakes in decision making because certain aspects of a problem were never recognized as such.
In programming, there is a dictum that states “Given enough eyeballs, all bugs are shallow” (Eric Raymond). The same goes for issue management. If enough people involved in the problem look at it from their particular point of view, bringing together all these elements will result in the best possible view on the issue.
However, there is a difficulty with this approach: sometimes the time between potential risk detection and that risk becoming a reality is too short to allow for a full consultation. It pays to have a consultation group of stakeholders with different points of view at the ready to allow for quick consultation.

At BTC, we established a consultation committee on integrity. Representatives from all divisions of the organisation gather on a regular basis to discuss integrity-related issues and advise my team on how to approach certain integrity-related issues. As stakeholders, they have an expertise which my team members, acting as the integrity bureau, do not necessarily have. This committee can be called together on short notice to discuss concrete issues.

Through consultation, you bring to bear all competence within the stakeholder group on a specific problem you are being faced with. You recognize the value these stakeholders have to you, and by doing that, you recognize their value.
However, and that is essential, by no means do you transfer responsibility or accountability for the decisions taken to deal with issues, problems or risks. That remains the sole responsibility of the organization.

Communication

“the imparting or exchanging of information or news”

Consultation is not enough. In consultation, you gather additional perceptions and information to make better decisions. Once those decisions are taken you need to communicate to all stakeholders. In essence, you want to communicate:

  • What: you describe the outcome of the consultations and the integration of the information learned into the decision-making process;
  • Why: you describe, wherever possible and not counter to any commercial objectives, why you’ve decided to do what you do;
  • How: to those impacted, you explain how the what will be realized: what they can expect to happen to them or around them, and in what timeframe;
  • Outcome and corrections: once a decision is implemented, it leads (hopefully) to results. These results need to be communicated as well. Based on the outcomes, certain corrections may be chosen. These and their impact and the what, why and how need to be communicated as well.

Bringing it together

One well placed, misinformed stakeholder can bring an entire strategy down.
When dealing with any type of activity of an organization, enhanced stakeholder involvement is important to gain perspective but also to develop acceptance of actions that need to be taken. Inviting your stakeholders to the dance is an important means of gathering the necessary support for implementation or of identifying key blocking factors in a timely manner.
When dealing with risks and risk management, this need is amplified. After all, you are investing time and means in avoiding the occurrence of certain situations. But just as with Y2K, a risk avoided is something that did not happen. Clearly involving your stakeholders to get a realistic view on the issues and gathering ideas to deal with the issues in the most effective way possible is a sound business tactic. Moreover, it shows diligence where diligence is due.
By making communication and consultation with stakeholders one of the first elements of risk management, ISO has clearly stated that no risk management approach can be successful without the proper support of the relevant stakeholders.

An interesting article on risk management by Matthew Leitch

Matthew Leitch has posted an interesting article on what integrated risk management actually means on his site, here. This analysis is based on a survey he executed and I participated in. As usual, his methodology as well as the scope of his analysis is well defined and well executed.

I believe his conclusions are well founded based on his results. You really need to read the entire analysis, including the analysis of responses to each of the 10 scenarios he offered. I have a couple of remarks on his analysis.

Good risk management appears to be integrated

Where an aspect of the scenario, most respondents have chosen those scenarios which allowed for as broad a data set as possible to be available for risk management. They also chose to involve as large a group of collaborators as possible in such an exercise. Clearly, good risk management should not be separate from the organization in which it is being executed.

This is completely in line with the experience we’ve built in the Belgian federal public sector. The more, the merrier, it seems, but the more people are involved in a well-executed process, the better the information which is used in the risk management process.

Risk related policies are indicative of risk appetite

Matthew refers to BS 31100:2011, the British risk management standard, and its definition of risk appetite. This definition shies away from the limits or thresholds for risks and focuses on policy decisions with respect to risk. I feel this to be a very important distinction. Establishing risk thresholds has always felt like a rather retroactive approach. Once the bells and whistles go off, we’ll decide what to do or how to react. By establishing a clear policy framework on risk, most of the thinking on risk has been done. This is not cast in stone, but at least a lot of the required assessments, which do take time, have been executed. In addition, I believe that the nature of the risk-related policies a company adopts is indicative of the risk appetite or risk tolerance of that organization.

Integrated risk management involves a significant initial effort

Reading through the scenarios Matthew offered in his survey, I could not fail to notice that the effort in setting up an integrated risk management system always appears significantly heavier than the effort in going for the less integrated approach. In selling risk management to management, this may be an issue. In order to allow for a full implementation, you will need a strong champion in the organization.

Perception point

One of the main conclusions Matthew draws from his survey is that listing risks is not critical to integrated risk management. I do agree as I am rather allergic to the traditional risk register. However … in the context of risk management, every stakeholder has his or her own way of looking at risks related to their day-to-day activities and environment. This unique way is very much determined by factors which are in turn different for each of the participants. No one position will allow for a complete view on all relevant risks. It’s my experience that developing a Risk Identification Model, a sort of reference or vocabulary of potential risks which, as an instrument, is alive and can be added to or amended, is a good tool for two purposes:

  1. It allows all participants, when browsing the Risk Identification Model prior to a risk assessment exercise, to gain an understanding of the possible risks that may come up during the exercise. It broadens their scope and will ensure they will at least consider the different elements;
  2. It allows for identification of transversal issues which can or should be managed across the entire organization or a part of it.

Conclusion

The survey is a very interesting view on integrated risk management. Matthew Leitch has again done a wonderful job. A good read.