I was reading the McKinsey article by Alexis Krivkovich and Cindy Levy called ”managing the people side of Risk” which promote the argument that a strong risk culture can mitigate risk and maximize opportunities for business development. The idea seems appealing, that with the right leadership it is possible to implement the right type of risk culture and thereby enabling companies to “[acquire] new businesses, entering new markets, and investing in organic growth”. However, this functionalist, positivistic idea of culture and risk does leave a lot of questions unanswered and possible constitute a risk in itself. Their main arguments can be split into three headlines.
Culture as a static entity
Is a risk culture something you can implement? Well, I will let it be up to you but from my almost 20 years in private an public organisations I can’t come up with just one example where a risk culture or any other culture have been implemented by management. I have seen many attempts, but never a successful one. The reason is that a risk culture can only be identified retrospectively. You only know that you have a successful risk culture if risk does not materialize into issues and tangible threats, on the other hand it could be that no issues arise because that issues and threats are simply not there. So the question is then, who can identify the culture if you have a strong risk culture if it is impossible to measure? Maybe it takes a McKinsey consultant…
People is the problem not the solution
Management rule their organisations like kings who can choose how individuals think and act in the world around them, or at least this is the claim of McKinsey. In their paper it is the idea that management have in-depth insight and knowledge about all the actions of their employees and that successful companies are the ones that have as much (mind)-control over their employees as possible. However, while we might strive for improved control and efficiency of organisational processes it’s only a few (feebleminded) who will claim that they have total control of employee’s actions. I think that we should count ourselves lucky that we do not have this type of control as adversity fuels organisations ability to innovate and develop and that striving for increased control on the magnitude indicated by the authors will only lead to organisational demise. So instead of perceiving people as the problem organisations should look upon people as the solution to mitigation of risk, not the cause.
Risk is universal
The claim is that successful organisations are the ones that hold people accountable for mistakes made – “To make aspirations for the culture operational, managers must translate them into as many as 20 specific process changes around the organisation, deliberately intervening where it will make a difference in order to signal the right behaviour.” It is not my claim that individuals should not be held accountable for their actions, but it should only be the extent that they actually have control. As risk is universal (fuelled by human actions and decisions) it cannot be one role or person sole responsibility to identify and mitigate risk. It would be impossible for one person to process just a fraction of the information on possible outcomes that organisations produce every day. Rather organisations should empower and disperse decision making to all individuals and groups in the organisation and hold them accountable for their own decisions and its consequences. The role of management becomes one of encouragement and support rather than control and punishment. They are there to ensure that people with right type of training and personal competencies are invited to participate in the continued development of the organisation so that they are equipped to handle mitigate or take advantage of the operational risks that they are facade with.
SRI Portfolio Management 