When Every Employee Is a Risk Manager

When

Most companies consider their primary risk management tools to be compliance programs, internal controls, and internal and external audits. While reducing the incidence of ethical, reporting, and compliance violations is important,such a narrow focus prevents the risk-management function from helping their companies manage a much larger and ever-widening universe of risks.

This author team has introduced and documented how Swissgrid, the reliable electricity network operator for Switzerland, introduced two parallel risk management processes in its enterprise-wide system to identify and mitigate strategy risks, external risks, and, even, novel risks.  First, it convenes recurring and highly interactive risk workshops for each business unit, for the executive team, and for the board. At the workshops, participants review previously identified risks, as well as newly identified ones. They appraise each risk, using well-structured scales, and set priorities among them for resources and actions that reduce their likelihood and impact

Second, Swissgrid supplements these meetings with a low-threshold issue-reporting app (called RiskTalk, co-created by Kurt Meyer and Anette Mikes) that all employees carry in their pockets or handbags. RiskTalk makes it easy for employees to report, anonymously if they wish, any issue or hindrance that could adversely affect a corporate strategic or operational priority such as safety. The tool channels employees’ observations and concerns up to a triage team of a dozen Swissgrid managers who function as the firm’s de facto chief worry officers, ensuring that no emerging issue remains unnoticed, unanalyzed, or unaddressed.

These two risk management processes have been embraced and sustained by Swissgrid senior management even after their founder, the first chief risk officer, left the organization. Several key features explain their success.

Make efficient use of everyone’s time.

Each risk process and tool in Swissgrid’s ERM system is designed to minimize the time required of senior line managers. Risk officers, embedded within each business unit, decide on the frequency of workshops for their units. Most business units run semi-annual workshops, but the central (corporate) unit runs only an annual workshop since most corporate risks, such as legal and regulatory matters, evolve slowly over time. The embedded risk officers continually update their risk assessments though face-to-face discussions with managers in their unit, and by the issues percolating upwards from front-line employees using their RiskTalk app.

RiskTalk itself was designed to minimize users’ time. Employees, in less than a minute, can submit a message that is geo-tagged, date-stamped, and with an option to attach a photograph of a potentially dangerous situation. Employees can use natural language, not risk management jargon, and are not required to classify or set a priority for the problems they report. The triage team performs the meta-analysis to assess the reported risk’s priority and potential impact.

Focus managers on risks most relevant to them.

Risk officers listen to all concerns, whether voiced by executives in risk workshops or reported via RiskTalk. They follow up with the risk reporter on particularly vexing issues. Occasionally, they convene special risk workshops, with an expert from within or outside the organization, to discuss an emerging but poorly understood matter. Line executives willingly attend these workshops because they perceive them as opportunities to learn. One noted that the workshop “was a great example how the risk management function added value. [They] helped us identify an important risk that we hadn’t thought about before. This particular risk puzzled me the first time I heard about it and my first reaction was, ‘I have no freaking idea what you are talking about.’”

RiskTalk’s design featured issues most relevant for the firm’s operational and strategic priorities, including safety, service delivery, process excellence, and cost efficiency. The app prompts users to tag the reported issue with the priority most likely to be affected. With the priorities tagged, executives and board members can see how many issues related to a certain priority remain outstanding, prompting a follow-up question, such as, “If safety is our number-one priority, why have three safety-related issues gone unresolved for six months?” The subsequent responses combat the pathology most feared by risk managers, which they describe as “risk incubation,” though more vividly pictured as allowing sleeping dogs to become fire-breathing dragons.

The deployment of the RiskTalk app and an associated triage team was motivated by extensive academic research about man-made disasters. Those caused by a single human error are rare; most can be attributed to organizational risk management failures, including risk incubation, normalization of deviance, and group think. The issues reported in RiskTalk are sometimes so inconspicuous, even trivial, that many managers instinctively overlook or ignore them. Swissgrid compensates for humans’ behavioral biases to underestimate the likelihood and consequences of unusual events by asking its dedicated multi-disciplinary triage team to be deliberately worried, even paranoid, about all possible downstream consequences from any reported event. The triage team is encouraged to connect the dots between seemingly isolated events to imagine the root causes of anomalies that in isolation look like independent failures. Swissgrid managers frequently quote, “We don’t have operator failures, only organizational failures.”

Create psychological safety for risk discussions.

Psychological safety around risk reporting is, as a solid body of research indicates, essential to the speak-up culture that is the oxygen of risk management. Before the two risk management processes were introduced, Swissgrid was prone to the natural organizational tendency of “shooting the messenger” of bad news. The risk processes helped to change the culture and make it safe for front-line employees and middle managers to raise risk concerns. Since their introduction, no manager or frontline employee has been chastised or punished for reporting a problem, fault or mistake.

Enable resources to be allocated to where they are most needed.

Information from risk workshops and RiskTalk enable line managers, the ultimate owners of Swissgrid’s risks, to get the resources they need for risk mitigation. Risk-management workshops conclude with agreements about risk prioritization, risk mitigation actions, risk ownership, and resource allocation. Risks that cut across various functions are evaluated from the perspective of each unit, generating transparency about its role in risk mitigation and its consequent need for resources.

The back-office triage team addresses issues revealed by the RiskTalk app from a resource perspective. If the skill set and financial resources are already available to address a particular risk, the team mobilizes an immediate response. Issues that require higher-level authorization or additional training and resources are placed on the agenda of upcoming departmental or executive-level risk management workshops.

Establish the tone at the top for risk visibility and accountability.

The chief risk officer convenes and facilitates a semi-annual executive risk workshop for business unit heads and the CEO. At the workshop, each executive makes a presentation about his or her unit’s risk profile, followed by challenges and requests for clarifications. The meetings create visibility about when a risk reported by one business unit might also be experienced by others, sometimes in unexpected ways. Requiring busy executives to spend two days discussing risks sends a powerful signal about the importance of risk management—and line executives’ ownership and accountability for risks. After each executive risk workshop, the chief risk officer prepares a report for the audit committee of the supervisory board, which it then shares and discusses with the entire board.

Identifying and managing strategic and emerging risks is very different from managing the audit and compliance functions. Risk identification, assessment, and mitigation requires a continuous flow of information and monitoring by managers up, down, and across the organization. Thanks to its new approach Swissgrid has successfully transformed its risk management function from an exercise in checking boxes to a bona fide management process that employees, managers, and executives all embrace as part of their everyday lives.

https://hbr.org/2021/01/when-every-employee-is-a-risk-manager

Proposer une offre de job : https://graces.community/recruteurs/

Consulter les offres qui vous correspondent : https://job.graces.community/login

Partagez l’article sur les réseaux !

Articles récents :

fr_FRFrançais