“Why” can be the most important question we ask when assessing something we are going to do. Paying close attention the answer can help guide us.
My parents took my brother and me to a resort on the Adriatic Coast of Italy for our summer vacations several years in a row.
The young son of the hotel owner followed us around all the time.
While my father spoke Italian at an acceptable level, young Mario knew only a few words in English.
But he knew a very important one: “Why?”
If my mother said to go inside to change our clothes, he would ask “Why?”
If my father told us to get ready to leave in 15 minutes, Mario would ask why.
If I said I had played enough table tennis and wanted to go for a swim…….
All of us should use that word much more often than we do, and then pay close attention to the answer.
The board member should ask, “Why is this the best strategy?” The director should listen carefully to the answer and not accept “Because that was my judgment” or “It was recommended by the consultants”.
The director should also ask, “Why have you set performance targets here?” Sometimes, it’s not the answer itself that is the questioner’s goal: it’s assurance that the individual has a rational reason that reflects careful study, stands up to examination, and can be explained clearly.
Questions like these, when answered well, provide the board with confidence in management.
The board should ask several people, including the CEO (first), CRO (next), and the CAE, “Why do you believe management is addressing the risks that matter to our success, the things that might happen to affect the achievement of objectives?”
If the CEO or CFO presents a forecast for the next quarter and year, they should be asked “Why are these the numbers?” and “What confidence do you have in them?”
Similarly, the CRO should ask the executive “Why have you assessed this risk at this level?”
The CAE should ask “Why are you performing this control?” and “Why did you select this vendor?”
Too often, people do things without asking themselves why they are doing them. It may be because that is what they have always done, what somebody told them to do, or because they read about it in a book or standard.
If they don’t understand the “why”:
- It may be the wrong thing to do
- It may be unnecessary
- They may be doing it wrong (including too often or not often or not)
- They may be missing an opportunity to improve their practices
Just as we should ask others “Why”, we should ask ourselves “Why are we doing this?”
- Why am I giving this report to the board?
- Why am I including this in my report to management?
- Why am I reviewing this work?
- Why am I spending so much time documenting the work I am doing?
- Why am I attending this meeting? Why is the meeting necessary at all?
- Why am I accepting management’s proposal?
- Why am I here?
- Why am I doing this?
Do you ask this question often enough?
I welcome your comments.
- The risk is assessed as high. So what? - March 15, 2023
- Putting cyber risk into business perspective - February 15, 2023
- Twitter and risk - January 18, 2023