Looking at the people side of risk

I was reading the McKinsey article by Alexis Krivkovich and Cindy Levy called ”managing the people side of Risk” which promote the argument that a strong risk culture can mitigate risk and maximize opportunities for business development. The idea seems appealing, that with the right leadership it is possible to implement the right type of risk culture and thereby enabling companies to “[acquire] new businesses, entering new markets, and investing in organic growth”.  However, this functionalist, positivistic idea of culture and risk does leave a lot of questions unanswered and possible constitute a risk in itself. Their main arguments can be split into three headlines.

Culture as a static entity

Is a risk culture something you can implement? Well, I will let it be up to you but from my almost 20 years in private an public organisations I can’t come up with just one example where a risk culture or any other culture have been implemented by management. I have seen many attempts, but never a successful one. The reason is that a risk culture can only be identified retrospectively. You only know that you have a successful risk culture if risk does not materialize into issues and tangible threats, on the other hand it could be that no issues arise because that issues and threats are simply not there. So the question is then, who can identify the culture if you have a strong risk culture if it is impossible to measure? Maybe it takes a McKinsey consultant…

People is the problem not the solution

Management rule their organisations like kings who can choose how individuals think and act in the world around them, or at least this is the claim of McKinsey. In their paper it is the idea that management have in-depth insight and knowledge about all the actions of their employees and that successful companies are the ones that have as much (mind)-control over their employees as possible. However, while we might strive for improved control and efficiency of organisational processes it’s only a few (feebleminded) who will claim that they have total control of employee’s actions. I think that we should count ourselves lucky that we do not have this type of control as adversity fuels organisations ability to innovate and develop and that striving for increased control on the magnitude indicated by the authors will only lead to organisational demise. So instead of perceiving people as the problem organisations should look upon people as the solution to mitigation of risk, not the cause.

Risk is universal

The claim is that successful organisations are the ones that hold people accountable for mistakes made – “To make aspirations for the culture operational, managers must translate them into as many as 20 specific process changes around the organisation, deliberately intervening where it will make a difference in order to signal the right behaviour.” It is not my claim that individuals should not be held accountable for their actions, but it should only be the extent that they actually have control. As risk is universal (fuelled by human actions and decisions) it cannot be one role or person sole responsibility to identify and mitigate risk. It would be impossible for one person to process just a fraction of the information on possible outcomes that organisations produce every day. Rather organisations should empower and disperse decision making to all individuals and groups in the organisation and hold them accountable for their own decisions and its consequences. The role of management becomes one of encouragement and support rather than control and punishment. They are there to ensure that people with right type of training and personal competencies are invited to participate in the continued development of the organisation so that they are equipped to handle mitigate or take advantage of the operational risks that they are facade with.

Mckinsey_MoF46_Managing people risk_

Mapping the components of Social Risk

There is no doubt that companies are faced a level of scrutiny that the world have never seen before. Almost on a daily basis are companies being exposed as fraudsters, environmental culprits, tax evaders or child labour abusers. No company can know what or who will be next to be exposed in the media as the biggest unethical corporate abuser of the worlds resources.

One side effect of this trend have been the numerous standards and quality management systems that focuses on different approaches to reducing the risk of poor decision making and unethical corporate behaviour. There is no doubt that companies need a systematic approach in order to keep their managers and decision makers on a leach. However, there are limits to how comprehensive a given system can be and still be relative effective. Just think of the Sarbanes-Oxley or BASEL 2 frameworks, which did little to prevent the biggest financial downturn with an epicentre in the very industry that they were put in place to regulate.

As I see it is traditional risk management programs such as the above mentioned narrowly focused on operational and compliance risks and consist of short-term point solutions. Which are narrowed down to mitigation actions specific to particular sources or impacts of risk. But what happens when risks are rising from multiple sources and places within all the corporate entities? Point solutions can work well for pinpointed risk areas, where the main objective of the risk management effort is to avoid or prepare for a particular event and in so doing reduce the associated cost. However, focusing on one point or case cannot work for strategic risks, where complex origins demand an integrated management approach across entities, borders and levels of authority.

One dimension of social risk’s complexity is that it is often a function of strategic or operational decisions companies have made that affect issues that stakeholders care about. So instead of being a “one system fits all”-approach it encompass a wide range of areas which overlap and are integrated into each others systems in order to create a fine masked network which enables organisations to catch issues as they arise and before they become a crisis.

In the coming weeks and months I will try to explore the different parts of the Social Risk wheel that I have developed in order to better understand the organisational impact these individual elements might have on the positive developments of corporations in a global context.


CSR as (Social) Risk Management

Some thoughts on CSR and Risk management

Effective risk management has almost from the start of CSR been part of the reasons for engagement with stakeholders (Bebbington et al, 2007). Many companies have had NGO raise problems which companies did not even know existed or had any plan for how to tackle. In other cases the companies where attacked for business practices, which where part of their core business such as when City bank was under attack for lending money to project that lead to deforestation in Latin-America (Baron et al, 2004). Here stakeholder engagement becomes essential in order to keep the brand name undamaged and most important in keeping the trust that customers has put into the company intact. There are no single success formula on how to communicate effectively with stakeholder or which ones that should be heard or which can be ignored. What is important is that companies and organisations take a stand on how to make this communication work in practice; otherwise the risks can remain unseen for long periods until the day where it becomes unmanageable for the company and turns into a real crisis. As I have described have companies like Nike implemented systems that enable them to get a feeling for what is happening in the world and how there brand is perceived, and hopefully this system will give them some warning on cases soon to emerge.

Adopting a strategy of transparency have over time proven the best assurance for companies to manage their CSR risks and more and more companies are trying to create systems so that their stakeholders can see what they are doing. By looking at the growing number of members of GC it is clear that transnational companies from around the world are using transparency or at least what appears as transparent to manage social risk issues.

Boundaries of CSR

One of the concrete slabs that marks the borde...

Border between North and South Korea

Sustainability seems to be an all-encompassing concept with no limits to its practical usage. Numerous times we have discussed the problems related to issue that we do not really have a good workable definition of CSR. But in my mind we should at least have some kind of framework that will enable us to differentiate between what is and what is not CSR.

I have compiled a few pointers as to areas that could help to guide professionals in their work and to some extend myself as well.


Not all the activities of the HR department is related to CSR even though they do deal on a daily basis with some of the most important organisational stakeholders such as employees, unions, management, etc. However, just because one department has contact with key stakeholders it does not mean that they practice CSR. One border that can be used to make the distinction could be the concept of law (or rules) and voluntarism. The rules that the HR department works under are normally well defined, either through the law, negotiations with the unions or internal procedures that shapes the day-to-day work. In this context CSR would be activities, which are outside the law that the department (and thereby the organisation as a whole) take upon themselves on a voluntary basis. This could be the creation of stakeholder networks outside the organisation itself, development and education of employees that enables them to be qualified for jobs that are not directly linked to the activities of the organisation or invite stakeholder groups which are affected by the activities of employees, unions and management that are under normal circumstances not invited to engage. So while the boundary is hard to define it is clear that not everything that the HR department does can be viewed as CSR some things are just processes, organisational development and tactical decision making.

CSR -> Marketing

For many who do not know much about CSR is the marketing aspect always being put forward as the most prominent reason why companies engage in the activity. However, for most companies the marketing approach is far from what is core to CSR activities. If one look at the costs of social audits, greening the supply chain, effective risk management systems, training and education alone, you can be sure that any marketing professional would tell you that from budget perspective ends does simply not meet. So thinking of CSR as good advertising would simply be too narrow a view. There are elements within CSR that marketing can use such as environmental branding or fair-trade labelling, but the concept of CSR is much more complex than just a way to sell more products. When one defines the border between the two one could look upon CSR as a concept that marketing can use elements of, but which does not constitute the whole of the organisational effort to be sustainable. A good illustration would be that if the organisation only thought of CSR as a way to promote products it would only cater limited number of stakeholders and they would soon realise that there are many more powerful and influential groups out there.

For some organisation it could prove valuable to use an IMC or Integrated Marketing Communication perspective on their CSR activities, in order to create consistency across the may channels that the organisation communicate through. A concept I have written about before.


CSR communication can both be convincing and at the same time create mistrust. If an organisation tells the truth and tries to do better in good times it can find that stakeholders will be more loyal and understanding in times of trouble. Some call this the Teflon or Halo effect of crisis communication. That it would seem the some organisation can get out of all kinds of trouble that others would find close to “life threatening”.

Public Relations s normally set within the communication department or as a division of marketing, dealing mainly with one prominent stakeholder namely the Press. Dealing with the media is like a double-edged sword. If you are able to get their attention during the good times you can be sure that they will be there when things go down hill. Some managers think that they can “manage” the press in the sense that they can decide what journalists write. However, nothing could be further away from the truth. Actually the more an organisation tries to manage the press the more they will feel a counter pressure. As organisations have learned to spin or frame stories in a certain light so has journalists learned not to use only one source on their stories. That is not to say that all journalists will investigate all the claims that an organisation makes about itself, but sometimes they do and if they find that they have been lied to it will be very difficult to gain the trust back. Just think of Nike and Sweatshops, Wall-mart and labour rights in the US, Apple and human rights in China or Shell and oilrig dumping in the North Sea. While all these stories are old, some even over 20 years, they still stick to the brand like tare and are testimonials to bad PR and poor CSR.

CSR -> Finance

Something new to the world of CSR is that the concept gains more and more acceptance within the finance department. Traditional have finance found that the concept of CSR was something for others to deal with looking at the concept as soft or were eve hostile towards it in a Friedmanian way. One could say that the boundary between the two was at the door of the department. But as the CSR have matured and to some extend finance departments as well, we now see the two worlds converge. To just name a few areas one could come up with Responsible Investments that increasingly have become a source of financing for companies that wants to be perceived as sustainable. Lists like the FTSE4GOOD or DowJones sustainability index have made some modern companies realise that there can be real financial benefits of working strategically with the concept of sustainability. The whole area of Risk management has been expanded with the introduction of CSR. Until recently risk management was limited to IT systems, good corporate governance and whistle-blowers, but with the introduction of CSR new elements have been added that have the potential of reducing new areas of risk. More and more companies are introducing social auditing together with the due diligence systems when making investments because they realize that social risk can make or break the long-term profitability of an investment. Companies include stakeholder engagement in their efforts to listen and understand less salient voices such as NGO and other organisations that have a stake but no direct dealings with the organisation. Other area of contact can be within financial reporting. Investors not only like to know about profits and margins, etc but also what the company is up to in relation to the environment, labour and human rights, and what it does in relation to corruption all in order to understand the risks that they can expect on their investments.

So at the moment the boundary between finance and CSR is blurred as finance and CSR people are trying to find out where we should draw the line or where we could get the most good out of the relationship.

Closing remark

These are just some of the boundaries of CSR has with organisations and corporations especially. I’m sure as the concept evolves it will expand even further into everyday operations and how corporations conduct their business. I’m also sure that some of these expansions will be fruitful while others will be dead ends and bring nothing new to the organisations ability to operate other than more complexity. I also believe as we get out of the financial crisis we will experience that companies will try to see how they can use a CSR approach to do improve their business and ability to crate a sustainable business.

CSR and Development Corporation meets

Can development and CSR really meet or are they at odds no matter what you do? I have met many people from the development world who are really aggressive towards CSR and just about everything it stands for. And while I will be the first to admit that CSR is far from a perfect approach for business towards its social responsibilities it is just about the best guess out there on how its done.

So why all this hostility and aggressiveness towards business having a social responsibility, is it not what we all want that business take on more of the social burden that governments cant handle by their own?

Here are some common denominators on what people in development think is wrong with CSR.

  1. It is a branding and communication exercise that has nothing to do with social responsibility.

Well it is true that a lot of companies are actively communicating their CSR activities and that for some of the major companies CSR has become part of the image that we have of the company. For one I think the Abraham Lincoln (attributed) quote “You can fool all the people some of the time and some of the people all the time but you cannot fool all the people all the time” rings true. All communication people know that you can’t lie forever and the same goes for corporate communication. If there were no hint of truth to in the brand it would at some point be exposed as a fake.

  1. It is only exercised to reduce the risk of bad PR.

There is a strong risk element in CSR because it is the only business approach that has some success in confronting social risk. Actually risk management have been one of the primary “business cases” for CSR. But risk is not limited to PR alone it can be many different things that has nothing to do with creating a good or bad image of the organisation. Proper risk management take a holistic approach to the organisation and so does CSR. With this approach on gets an insight into operations of the state, which under normal circumstances would be left out or marginalised.

  1. It is seen as a neoliberal project that is out to exploit the developing world

There seem to be the perception that business somehow has feelings that guide them to do evil. But as far as I know there is no evidence that companies in themselves are either good or evil, they are as far as I know just companies working in a market. But with the market there are structures and mechanisms that can be harmful. The companies might or might not be aware that their actions have a counterproductive result or even harm people who are in contact with its operations. CSR is an effort to confront some of theses impacts in a constructive and systematic way rather than tackling them one by one as they arise.

  1. It will be gone in three years.

The same thing was said three years ago and CSR is still around. In the years I have been involved in CSR there have been shifts in focus from reporting, to communication to governance. At some point either one have been the prevailing issues that have been talked about. I’m convinced that CSR will be around for many years to come because it works from the basic principle that organisations have a responsibility towards its stakeholders. This basic premise have been true always and that we call it CSR is more a construction of the time we live in rather than a shift in basic assumptions about business and society.

I hope and think that CSR professionals and development people can meet on common ground and that the two have something to learn from each other. But there is a strong need to confront some of the stereotypical assumptions about how business operates and how development people think.

The issue of Social risk

I have been working on some material to present at a two day seminar in Sweden later this month. The theme is business and CRS in difficult markets. The mani focus will on my part be on social risk and how to analyse, quantify and confont the potantial problems that companies can expect to be exposed to. According to Kyle & Ruggie (2005)  social risk is defined as

Social Risk arises when organisational behaviour or the actions of others in its operating environment  create vulnerabilities, which stakeholders might identify and apply pressure on in order for it to change its behaviour.”

I have started out with a simpel model which put some structure to what risk is and what it basic components are.

In this model risk is the product of the organisations vulnerabilities and the threats which is exposed to (The overlap area between Vulnerabilities and threats). In order for companies to reduce but totally eliminate risk they adops differentypes of controls such as ISO 9000 for management, ISO14000 for environmental, signed the global compact etc. Or they apply counter meassures such as auditing, PR or lobbying, cause related marketing etc.

The question that remains is related to threats and the threat by whom to what? According to Mitchel (1997) Parent & Deephouse (2007) some stakeholders will ahve more ligitimate claims then others or atleast they will have the power to force their ligitimacy through. I found this matric in the corporate strategy tool box on stakeholder mapping and though it could make good use in a risk assesment context.

In my mind the model serves as a guide for how involved organisations are going to be with their individual stakeholders based on some key facts. How powerfull is the stakeholder and what is the level of interest he/she has in the affairs of the organisation.

In the News

Anja Nordlund from CSR Gender Group got interviewed for the Swedish business magazine Passion for Business. She comments on how working strategically with diversity can strengthen business performance especially within the field of CSR and specifically in relation to effective risk management. You can read the article here.

Toy can read more about the CSR Gender Group at this link.