Risk Insider: Elizabeth Carmichael

Saying ‘No’ to a Risk

By: Elizabeth Carmichael | March 24, 2016

Elizabeth Carmichael is president of Carmichael Associates LLC. She formerly was director of compliance and risk management for Five Colleges Inc. She can be reached at [email protected].

Being the person who directly says “no” to a risk can be somewhat perilous for a risk manager. As most of us know, the risk manager’s job is more about helping the organization to make an informed decision than being the arbiter of all risk-taking.

It is tempting to support an administrator who has asked for a risk assessment on a proposal that they don’t want to undertake by letting the administrator “blame risk management” for the negative decision, i.e., “Risk Management says we can’t do it.”

All I can say is, don’t do this. Don’t let administrators ever “blame” risk management for a decision unless you actually had the responsibility and authority in your office to make the decision and did so.

This pattern typically exists in organizations where administrators have little or no authority to make decisions, or in organizations where customers (students or parents in higher ed) have easy access to the president or other senior managers who overturn lower managers’ decisions without all the facts at hand.

In performing the risk assessment, be sure to consider the upside of the project, activity or event. Even brainstorm the benefits so that you get a comprehensive list. Then consider the downside, the risks associated with the project, activity or event, and what risk mitigation would be needed for those risks.

Do your best to identify the time and money costs of the mitigation efforts. This will give your decision-making administrators the documented ability to say, “We have completed a thorough risk assessment and mitigation analysis on this proposal and collectively determined that the return or reward on the project is insufficient to offset financial or other risks and the administrative costs of mitigating the risks that would be associated with the project. We regret that we cannot undertake this project at this time.”

Rather than allowing your decision-makers to “blame” risk management, empower them to communicate their educated and well-thought-out decision to stakeholders personally. (They may also surprise you and choose to do it!)

The role of risk management should be to conduct and facilitate risk assessments, and then educate our stakeholders on the outcomes of those assessments. So even if your current administration is comfortable with risk management being seen as the decision-maker, future administrations may not be, and you and your department may be seen in a negative light that is difficult to shake, including being labeled as overreaching, lazy (it’s easier to say “no”), and simple nay-sayers, even if that’s not true.

Therefore, especially for those of you whose organizations are somewhat dysfunctional, prepare your risk assessment and mitigation plans with the expectation that the president or a future president may be reading them.

Encourage the administrators that you are working with to share the proposal and risk assessment as high up the ladder as possible, and be seen as a positive, helpful force for good management in your organization.