June 7, 2016


Risk Management: Own the Problem and the Solution Will Manage Itself

I have a close friend – let’s call her Pauline – who was a key player in the development of a business continuity plan (BCP) for the large organisation where she worked.

Shortly after its completion she was promoted to a senior role in another part of the company.

Some months later Pauline received a phone call from her successor, a very confident individual who had not seen fit to consult her about her previous role, challenges or workload much beyond a courtesy handover and “thanks for the whiteboard pens” type of conversation at the time.

In what appeared to be no more than a friendly catch-up he was able to tell her how well things were going, all the things he had improved and why a brave new world was just around the corner.

While Pauline was delighted to take time out of her busy day to hear all this, she was a little quizzical, as she knew that the business was, at that time, facing a major IT issue. Inadvertently, someone had introduced a virus into the computer system and it was now wreaking havoc across all departments.

She herself had been forced to dedicate significant departmental resources to combat its effects at a local level and she was sure that, horror of horrors, it must have reached headquarters by now. However, she was assured that the IT gurus were onto it and that everything would be sorted out in a couple of days.

Relieved to hear this, Pauline thanked her erstwhile colleague for his call and wished him well, but she really did need to go now to prepare for a meeting. “No problem, good to catch up,” came the reply. “We must do this again sometime. Oh, just one thing: when you did the BC plan, you didn’t happen to run off a couple of hard copies, did you...?”

The adversary of risk management: human nature

This true story reveals an aspect of organisations which is not atypical of the way in which risk is managed. Significant investment in time and resources had rightly gone into the BCP, with a roll-out across the organisation and a slick presentation to the board.

It featured prominently on the internal web and was a sign that here was a business that took its responsibilities seriously and recognised the importance of corporate risk in all its forms. Unfortunately, like all organisations, this one was staffed (exclusively as it turns out) by people. Consequently, we come across our old adversary, human nature.

Human nature generally tends towards liking the new, the interesting, the latest craze. As a species we have evolved to our current dominance by never being satisfied, pushing the boundaries and looking to see how we can make things better.

There is nothing wrong with that in principle; indeed, no business can survive by standing still. Progress demands individuals and groups who are willing to take leaps of faith. And so, the once shiny new BCP becomes yesterday’s news, something we did last year to keep bad spirits at bay.

A senior police officer with whom I once attended a seminar noted from his morning paper that his force was hosting a large press event to celebrate the launch of a new initiative. “That’s great,” he mused, “but sometimes I think we should have major press events to celebrate actually completing something!”

His tongue was firmly in his cheek but his point outlines a major challenge for all organisations in getting the right balance between moving forward and keeping an eye on the risks, not only to that progress but potentially our very existence.

Organisations are like car engines: tinker too much and you upset the fine balance which has taken years of expertise to develop; but ignore the important aspects of maintenance at your peril. “When did you first notice the grinding noise coming from the engine, sir?” “Just after I turned the radio off”.

Preventing enthusiastic senior management leading us over a legal cliff

Of course, it is easy to sit at a keyboard and pontificate about the importance of risk management when one isn’t faced with the host of corporate challenges every company director faces. In practice, it is a much more difficult nettle to grasp.

In a previous existence I headed Strathclyde Fire Brigade’s Risk Management Unit. This small team comprised a dedicated group of safety practitioners together with a small legal team.

We were affectionately known by some as the department of ‘Don’t Say I Didn’t Warn You’ because the team spent considerable time and effort having to prevent enthusiastic senior management (including me) from leading us lemming-like over a legal cliff edge in pursuit of the latest, albeit laudable, aim.

And there were, occasionally, tensions. Motivated directors wanted to see progress and often had little appetite for the delays which might be encountered in effectively mitigating risk.

Meanwhile, equally motivated people were intent on protecting the organisation by pointing out the possible while dealing with the probable.

In larger organisations, this full-time juggling act is often shared between departments, while in SMEs it is usually one director who is responsible for striking the balance between risk and reward. Consultants will often provide a useful solution, whether by taking on the duties required under legislation or by assisting the organisation towards some form of certification.

The advantages of this are that, with a little bit of effort, you can get someone who has an up-to-date knowledge of a specific aspect of risk management and legislation at the end of the phone for a fixed rate. The disadvantage is that, all too often, top management’s eye is taken off the ball by assuming that delegating risk is the same as managing it.

As my friend’s colleague discovered to his cost, the fact that we once had an effective policy doesn’t mean that we can just pull it out of the drawer, blow the dust off and expect it to work. The issue, the problem, has to be owned and considered as part of day-to-day business if unpleasant surprises are to be avoided.

Lack of proper ownership of risk by senior management at best results in a failure to include all risk factors in strategic management; at worst it leads to head-in-the-sand and blame cultures.

Ironically, most management systems designed to maximise profit, promote efficiency and elicit customer satisfaction dovetail neatly into the same integrated management systems essential to mitigate risk in all its forms. The Deming cycle of Plan, Do, Check and Act has become ubiquitous across international standards and is as appropriate to reducing near misses and environmental risk as it is for maximising customer satisfaction, reducing staff turnover and growing profits.

Yes, there has to be an increased emphasis placed on the ‘risk’ end of the spectrum, but proportionately this is small while the potential pay-off is significantly greater. By making a few simple modifications to the way an organisation is led and managed, risk can be minimised at the same time as profits are increased.

Ownership and balance

But, no matter how well structured and integrated the management system is, it will fail unless it is fully owned at the highest level of the organisation. If the aim is simply to gain a certificate or a ‘tick’ to hang on the boardroom wall, then it is doomed to failure.

Recently I heard of a major fine being handed out by the courts to a large corporation following a case brought by the Health and Safety Executive. On checking their website, I read that they have been ISO 9001 compliant for nearly 30 years. They follow a pattern of internal and third-party audits to maintain their quality management certification. I am quite simply baffled as I can see no way of fully complying with the requirements of ISO 9001 while not adequately managing organisational risk.

Ultimately it is a matter of balance in allocating finite resources across the risk-profit spectrum. Good leaders and good management do get it right, and do so time after time.

There is no silver bullet to pull this off but, in the author’s opinion, all organisations which continue to be successful over the long term have one thing in common: they take sufficient ownership of risks at the highest level to ensure that, when they materialise, their impact does not create a disproportionate distraction from the prime purpose and organisational objectives. Consequently, the solution is implemented with the same degree of ceremony as changing a product label.

Hear more from Andy Shuttleworth at FIREX International 2016. He will take part in the panel discussion, ‘Educating the engineers of tomorrow’, along with Ben Bradford, president of the Chartered Association of Building Engineers and Kathryn O’Brien, lecturer at the University of Central Lancashire.

The three panelists will discuss the future of engineering in society and influencing globally responsible engineers.

The panel debate will take place on 21 June, 15.50-16.20 in the Expertise & Guidance Theatre in ExCel London. Register for your ticket here.
