This article is an excerpt from the new book At Your Own Risk: How the Risk-Conscious Culture Meets the Challenge of Business Change, published by John Wiley & Sons. The book is available through Amazon and Barnes & Noble.
Do executive officers and directors actually think about mitigation of risk? When they outsourced major components of their value chains, do they assume that the external party is responsible for managing risk? For that matter, do the rank and file and other stakeholders ever pause to ponder risk-related questions? Or does our culture - dependent on audit compliance and stock price performance - accept the notion that if something has not yet happened, it is just fine to not think about or plan for it? Since the culture is set and behavior themes have generated at the top, this is where an effective risk management program evolves as well. In a litigious society, executives and directors that fail to exercise due care could lose their reputation, job and their freedom.
"I am always surprised and amazed to discover that so many top executives live in total denial about their organization's risks."This modern-day culture too often overlooks or is unaware of the very real risks we live with. As a result, I promote the cause of risk consciousness, which I define simply as the basic awareness of risk itself - by all stakeholders in today's extended value chain (those that add value beyond our direct control). So many organizations and people refuse to acknowledge that risk exists, or just assume it is someone else's problem. But at the very least, a key issue we all need to address is the premise that we need to know the extent of risks beyond our direct control. An enlightened point of view acknowledges that as a first step, everyone has to ask the question, "What risks are present and what has to be done to mitigate the impact of those risks?" In other words, risk consciousness has to be created as a first step.
I am always surprised and amazed to discover that so many top executives live in total denial about their organization's risks. If the topic even comes up, it is usually dismissed as someone else's problem or just an over-zealous worker making something out of nothing. Even worse, when an executive discusses risk with other stakeholders, a phenomenon of "mutual denial" often dominates, and the core issue is - once again - swept aside.
The big question is: Who owns the problem? The answer: We all do. Risk doesn't acknowledge job titles and organizational charts, and this is why risk management must be a priority throughout the organization and the extended value chain. The approach to managing risk must be comprehensive while also being flexible enough to allow the business to continue to focus on goals, gauge the opportunity and pursue the strategy within their risk tolerance.
Who Is Responsible and Accountable?
The starting point for anyone with a broad view and an executive mindset has to be, Who owns the risk problem?
"The actions of the outsourced supplier are now considered the responsibility of the organization facing the public."Managers and directors are now more than ever, required to understand and manage the risk in their extended value chains. As we have witnessed recently in the area of labor practices, environmental safety, and product quality, the actions of the outsourced supplier are now considered the responsibility of the organization facing the public. This comes at a time when critical people are being released and the "Corporate memory" erased as the result of outsourcing. The corporate memory represents hundreds of years of knowledge - those that can sense change and risk intuitively and are pro-active in the way they react and respond to risk. Therefore risk consciousness must be pervasive throughout the value chain; upstream (origination/source) or downstream (ultimate destination). If your organization benefits from the products/services that move through the value chain then the senior leaders of your organization must propagate a risk consciousness.
The result - it is totally unacceptable for executive managers and directors to ignore risk issues by denying they exist, assuming that an outsourcer or partner is addressing the issues or worst yet by burying/concealing them in a remote geography. Even if the legal framework or financial incentives do not currently exist, the adverse impacts on the organization's reputation/brand have become so great that action is no longer considered discretionary but rather mandatory. The rules of the game have changed!
This leads to the beginnings of solutions, but it is a difficult hurdle to overcome, especially when few believe that risk planning is their responsibility and the scope of planning limited to the four walls of their organization. In fact, there is no simple fix; the process can take enormous effort, focus and financial resources. But there must be a starting point.
Those familiar with process-based improvement programs such as Six Sigma know that there must be a generating force to cause action - such as beginning with a design structured with the customer in mind and an organizational commitment to create and maintain that force. The same approach is required to address the risk question with the exception of regulated mandates such as those that are in the interest of national security, health or safety.
The problem today in most organizations is that ownership of risk is often vague or undefined and therefore seldom structured or consistently implemented. The motivation or incentive to resolve risk issues is weak at best. Everyone knows that risk exists, but few take ownership - especially in horizontally or network aligned value chains where there are significant interdependencies, multiple points of control (many ownership "gaps").
Gary Lynch is a 30-year veteran and Global Leader of Marsh's Supply Chain Risk Management Practice. He previously served in senior positions at Booz-Allen, Chase (now JP Morgan Chase), Prudential, Ernst & Young, and Gartner Group.
Timely, incisive articles delivered directly to your inbox.