Risk: when the board doesn't buy it
Each year, Safer Edge works with dozens of organisations to review their overall risk management systems and the story heard is often the same. Security, or risk management, offices are frustrated by the lack of support and ‘buy-in’ from senior officials. The ultimate decision makers within a company or organisation aren’t on the same page in terms of what the organisation needs. The head of risk management, or security, wants robust systems, including an overarching security policy and plan, staff training, and crisis management. The employees are convinced of it; even middle management is often convinced. But the CEO, Managing Director, COO and board remain unconvinced.
Without the support of these key stakeholders the best laid plans gather dust on the shelf. Money isn’t budgeted for learning, systems are never tested, and risk grows without being properly managed. What practical steps can someone responsible for day-to-day risk management take to change this right now?
Talk to the decision maker
Many organisations have never clearly articulated who holds responsibility for risk and which risks. There is a vague sense that it is the head of the organisation (or maybe the board? or maybe project managers?). Those responsible for day-to-day risk management often don’t know who to talk to when they feel something should be enhanced or changed. When they do find the ‘right person’, that decision maker can be unaware that they hold the responsibility. As the person responsible for risk, make sure you know who is finally responsible in your organisation and have a conversation with them about that – even before you’re asking for anything.
What motivates – and constrains – the decision maker?
Different decision makers are motivated and constrained by different things. Identifying and addressing these in any conversation about risk will be critical to moving the conversation forward.
The bottom line: Many decision makers feel an enormous amount of pressure to keep the organisation afloat financially. This means they’re lying awake nights thinking about sales, projects, programmes, bids, tenders and how to keep everyone paid on time and the bank account in the black. If presented with a litany of needs to address risk, this decision maker’s first question is going to be: “How much will it cost?”
Time: People at the top of organisations are incredibly busy. It can be difficult to get a meeting with them much less have a long conversation about the ins and outs of risk management.
Organisational Liability: Organisations carry liability for actions they take. This is especially true when it comes to actions that could be deemed negligent. Almost all organisations have been, or will be, sued, suffer a major fraud, have employees be injured or die, or be the victim of hacking or theft. These things happen daily but because no one talks about them – and because organisations try to keep them as quiet as possible – decision makers assume that they don’t happen often and the odds are that they won’t happen to them.
Personal Liability: Few decision makers understand how liable they are, both professionally and personally, when it comes to risk. Many decision makers feel they are protected by working for a limited company or charity. The organisation is separate from themselves and therefore the company might get sued or be held liable but they themselves won’t suffer damages. This is not entirely true. In the case of corporate manslaughter in the UK, someone from the company could be arrested and go to jail – even for a short period of time. This creates a criminal record for that person. The issue could be picked up by the media with the decision maker’s name mentioned. Both of these will impact that person’s ability to continue in their role and could hurt their professional and personal lives going forward.
Employees and Team: Boards and CEOs can be viewed as the heartless ‘suits’ at the top when, in fact, they are usually incredibly caring people who are working hard to make sure the organisation is one where employees are treated, and compensated, well. They want their organisation to be successful and recognise that this lies in valuing the entire team.
Tailor your message to the decision maker
If a decision maker is very focused on finance, walk into a meeting with a prioritised budget. What is the most important thing that the organisation needs to do immediately to address risk and what is the cost of that? What is the second most important thing and the cost of that, and so on. Make the highest priority items the biggest wins for the organisation in terms of risk. Make sure that you have fully costed the items. The decision maker needs to win too and they might do that by giving you one item but not five.
If a decision maker is motivated by time, then make sure you are specific in your request for a meeting and have a clear, and rational, plan to present to them. Before you go to the meeting, make sure they know why you want the meeting and what decisions you’ll be asking them for. If they’re unable to make those decisions in the meeting ensure that you have agreement on when those decisions will be made later. Keep your meeting to the time allocated to convey to the decision maker that you value the time they have given you.
If a decision maker is motivated by organisational, or personal, reputation and liability then make sure they are aware of what these are. Use examples from recent court cases and media to highlight the impact of ignoring risk management. Take them through what has, or could, happen if a certain threat came to pass with the system in its current state. Then, paint a clear picture of how the changes you recommend could positively impact the outcome.
If the decision maker is motivated by care for their colleagues and employees then tailor your message to be about staff care and how risk management systems will improve productivity, trust in the organisation and employee motivation.
In truth, most decision makers are motivated, and constrained, to varying degrees by all these things mentioned. However, knowing their primary motivations and constraints will help you tailor your message in a way that will most likely be heard.
Unfortunately, this is not always a guarantee that you will see change. It is a sad fact that some organisations learn only by experience and it is not until there is a crisis – business shutdown, employee injury, death or kidnap, or lawsuit – that decision makers will act. If this is the case, make sure that you have protected yourself by keeping careful note of when you raised issues about risk, to whom, and the outcome. Risk realised can sink an organisation. Make sure you don’t go down with it.