Every time you breathe, you are taking a risk – but usually, the potential for harm is greater if you don’t breathe. (There are exceptions, such as when your head is under water without a breathing mask.)
Every time you make a decision, you are taking a risk – creating or modifying the level of a risk.
So we are taking risk all the time, in pretty much every facet of our personal and professional lives.
But, I think we all know that when faced with the same situation, some will act one way and others another way.
They may have assessed the risk differently (if they go through that process). They may have made different decisions as to whether the risk is acceptable, and also which fork in the road they should take to address it.
Yes, it’s fine to have defined risk criteria or appetite statements, but they rarely cover every decision or action that a manager has to take. So the manager has to make the decision based on what he or she thinks best. Again, different people will make different decisions.
A number of experts will point to risk culture as the answer. They seem to believe that some organizations are more risk averse than others.
But organizations are composed of people: different people in leadership roles, with different backgrounds, experiences, and bias. Organizations are not homogeneous. In fact, sections of an organization are not staffed with people who are identical in their attitude towards risk.
For example, if a decision has to be made whether to select vendor A, B, or C, or a combination of the three, different people are likely to make different decisions. Manager X may have had a bad experience at another company with vendor A, while Manager Y used to work for them. Manager Z may have lived through a disastrous experience where the sole source vendor failed, so he will opt for a combination of two or more vendors.
Manager Z may have suffered a loss on the stock market that affects his desire to take risk, while Manager X has just heard he is a grandparent again. Their state of mind can influence their risk decision.
It’s not only that different people will make different decisions in the same situation, but each one may make different decisions at different times.
This is important, because as risk professionals we want to obtain a level of assurance that decision-makers will take the level of risk that top management and the board desire.
It’s not just that we want to ensure people don’t take too much risk; we want them to take a desired level of risk. If managers don’t take risk, the organization will die.
We need to know the temperature and overall health of the organization and its decision-makers.
- Who are we relying on to take the risks that matter most to the organization’s success?
- How can we obtain assurance that they understand the desired level of risk?
- How can we obtain assurance that they will act as we desire?
- How will we know when their risk attitude changes?
A periodic survey will, perhaps, give you a moment-in-time view. But, people change. Managers and executives leave; new ones join; people’s perspective and desire to take risk changes – especially if they see their compensation or termination likely to be affected by their decision.
This is a complex issue that risk professionals need to understand and then assess within and across their organization.
Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com.
In the meantime, how do you address this?
How do you know that your decision-makers will take the desired level of risk?
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
- ChatGPT and charity law in Canada - February 28, 2023
- New qualifying disbursement rules add directed donations anti-avoidance provisions complicate charity regulation - February 6, 2023
- Ontario Court decision is first donor advised fund case and provides some certainty about DAFs - January 31, 2023