WHAT IS versus WHAT IF thinking: don’t employ ‘WHAT IS’ risk managers.
The definition of risk in Australia has been ‘the effect of UNCERTAINTY on objectives’ for an age; after all, it was in 2009 that the Australian definition became the recognised international definition. 2009 - that is 12 years.
And yet, time after time I find the people chosen to manage the risk process in an organisation to be effectively FRIGHTENED BY UNCERTAINTY. Unable to process AMBIGUITY. Defined by PROTOCOL and PROCESS. Quite simply UNABLE TO SEE OUTSIDE THE BOX. And it’s not their fault; they’re simply being asked to be someone they are not. They are WHAT IS people being forced to be WHAT IF. If you’re restructuring support roles in your business, consider this:
Never combine into one role important tasks that require differing mindsets
How often do we see ‘Risk and Audit’ or ‘Risk and Compliance’ together? Presumably this happens because the end users of these processes may be the same, i.e. their output may be going to the same committee. And yet, the roles could not be more different.
In an Audit/Compliance Manager I want: 1. objectivity, 2. fact seeking, 3. determination, 4. meaning making. I want an Audit/Compliance Manager to accurately report WHAT IS. They are not required, nor should they be forced, to extrapolate what could be or what may be. Any such speculation effectively dilutes the data they have collected. Great people for these roles have the emotional intelligence to extricate the TRUTH, and GREAT AUDITORS also have the objective reasoning skills to make meaning from data, then offer solutions. But the bare minimum is the determination and fortitude to report only WHAT IS actually found and demonstrated.
A risk manager who reports WHAT IS is a compliance manager. Risk Managers answer the question: but what might be, and WHAT IF? They operate in the blank space, where data does not exist. A compliance manager will tell you which of the processes you’ve designed are actually being done. An auditor could offer which processes exist in similar businesses and not yours, and provide a wider knowledge base to inform the WHAT IS of missing processes. But a risk manager needs to extract from the greatest minds in your business what might be coming, what that might mean and what we should do about it. Nothing a risk manager writes is certain or known; their output should be the most valuable ‘FICTION’ in the business.
How could you possibly expect a wonderful, unshakeable WHAT IS operator to create for you a WHAT IF risk paper? The personalities are naturally mutually exclusive.
A risk manager and a compliance manager ought to provide very different value to the business
A risk manager is a strategic tool for the business, and should be providing value that changes and directs strategy. If your risk manager is only able to collect information on the progress of risk-based tasks, they are operating in a space of compliance. A valuable risk manager will extricate from external and internal sources the ‘scent in the wind’ of your organisation’s next big jump. These very early indicators can stop you walling yourself in strategically, and as that scent becomes stronger you may invest in researching potential enablers/controls. Then, as some of the predicted risks move from UNCERTAINTY into CERTAINTY, you’ll find yourself ahead of the competition.
What is the value of a person who is equipped to collect information from your biggest internal minds? Seek uncertainty in the external environment? And can bring together the ‘hunches’ of multiple business groups and find you patterns to act upon?
How do you therefore remunerate a Risk and Compliance Manager? Are you paying too much for the Compliance function?
Also, structurally, where do you need to position a Risk Manager to operate at the greatest level of value? In which position will they be trusted and respected to have those important strategic conversations?
As your business matures the value of compliance/audit DECREASES and risk INCREASES
The longer you’ve carried out the activities you’re engaged in, and the more embedded your processes become, the less oversight you should need to seek through a WHAT IS team (whether this is combined Audit/Compliance etc.). It’s always valuable to engage with Audit as a method of gaining insight into competitive processes and ensuring you’re keeping up with changing regulations. However, as a process matures you should find that deviations requiring Compliance attention become RARE towards NON-EXISTENT. This changes the role into one that can be a developmental opportunity for less experienced persons, provided they have the important characteristics of a WHAT IS employee.
However, the longer you’ve been in a game, the more vulnerable you become to environmental changes. You become much less agile and therefore must find that ‘scent in the wind’ much earlier. You’ve also got much more skin in the game: a percentage drop in market share starts to become a much bigger problem. You can and should therefore invest much more heavily in your risk function.
Full-time versus tailored support
I always find it interesting that businesses often ditch their internal WHAT IS employees in the name of saving money and yet keep a WHAT IF risk person in the structure (probably also lumbering them with managing external agents for Audit and Compliance functions). I think this is completely upside down. I recognise that most of us are operating under guidelines that require ‘ADEQUATE RISK RESOURCES’ to be demonstrated. However, you’re asking for trouble if the business knows exactly when the WHAT IS ‘police force’ will be showing up. For 10 months of the year processes are not followed, but coming up to audit season it’s all cleaned up? Please, why do the processes at all?
If money is an issue, employ a very good risk manager, sporadically. Your greatest internal minds are unlikely to have some interesting uncertainty to discuss with a risk manager every week. Match the risk processes with the speed of your internal and external change.
For more on interview questions to ask that are more likely to find your very good risk manager, check back on the Risk Resilient blog later.