Governing Risk or Governed by It?
Senior executives and boards are learning the hard way that the buck does, in fact, stop with them.
This is painfully true when it comes to risk governance and the reality that in the smoking crater of complex risks such as cyber threats, reputation risk and the erosion of stakeholder trust, they are the ones left to pick up the pieces.
At best, they can endeavor to reassemble their organizations under the discretion and dignity of privacy — a luxury in the era of rampant cyber threats. At worst, they are carted in front of an angry Congressional hearing only to watch their share price and egos take a hit.
Somewhere between these two extremes, the reality that most organizations are governed by risk is revealed. Addressing this risk governance gap is an organizational priority requiring the uncomfortable admission among boards and C-suite executives that they are ill-prepared in their human capital, knowledge, organizational “muscle memory” and general levels of resilience and decision making under duress.
Risk is a surprise event or, better still, a process, in keeping with the adage that complex systems fail in complex ways. It does not respect board meeting schedules or wait until the crisis management committee can form a quorum.
Because of this misalignment between the dynamic forces of risk and the static forces of maintaining the semblance of status quo, organizational responses to surprise events are perceivably “clumsy,” and all too often they amplify negative consequences rather than abate them.
To shift this reality and gain the upper hand, albeit gingerly, so that they can govern certain risks, leaders must train and train again. Breaking the habit and presumptions of being inured to risk and adverse consequences is the first psychological obstacle to overcome.
Given the personal characteristics, income levels and stature many board members and executives enjoy, they are relatively resilient as individuals, but that personal resilience does not carry over to their organizations, or to the many millions of employees and stakeholders and trillions in economic value that depend on their ability to suppress hubris, ask the right questions, and motivate information sharing.
Running risk simulations, addressing the knowledge gap and generally stress-testing risk readiness and their organizations is a low-cost, low-consequence way to prepare for the era of man-made risk.
Unlike natural hazards, such as earthquakes and windstorms, which are capricious by design, man-made risks like cyber threats, terrorism and activist shareholders all have agency. This gives man-made risks an incredibly dangerous plotting quality, which makes them difficult to control and even harder to respond to when they rear their ugly heads.
Rather than presuming safety and that everything is “covered” by an IT security professional, insurance policy or crisis communication strategy, senior leaders would be well advised to remember that risk favors the prepared. From a platform of healthy respect and continuous risk governance simulations, senior leaders can train their organizations to not only shield themselves from the powerful forces of risk, but to add value by harnessing it.