Unfortunately for some organizations, “management” represents one of the greatest risks identified in a risk management process. If executive management fails to see value in an organization’s approach to risk oversight, there are a number of challenges that risk champions in the organization must skillfully navigate. A recent article in Disaster Recovery Journal identifies three categories of “risky management” and offers examples and outcomes for each.

Management that ignores reasoned words

This first category refers to when a risk practitioner makes sound recommendations that are ultimately ignored by upper management. The author noted an example of this from working for the vice president of management information systems (VP/MIS) of his company. The goal at hand was to develop a business continuity plan for the North American operations. Instead of building the plan at the process level, as the author recommended, the VP insisted on his own interests and created the plan from a much higher level. The VP overlooked critical aspects of the operations process, and the result was a lack of effective planning that allowed a hurricane to put the company out of business for several days.

Management that works against others’ efforts

This category deals with situations where upper management acts against efforts made to help a company attain its goals. The example noted in the article was from Société Générale, in which management decided to remove certain safeguards and to ignore emails warning of the trader’s over-the-limits trades with imaginary counter-parties. Unfortunately, situations like this leave a risk practitioner wondering what could have been done to prevent this, which further emphasizes how risky management can be to a company.

Management that is nonexistent

This final category noted in the article deals with a lack of decision makers in the execution of a plan. The example provided referred to an engagement the author was involved in with a major East Coast retail merchant. The client asked for a documented plan to move the company’s critical IT resources from its Virginia headquarters to a temporary location several states to the south and back after the event. While meetings were held almost weekly for a month, none of the three decision makers ever showed up at a meeting. This resulted in much discussion about what should be done to create and document the process, but no go-ahead was ever received on anything.

Lessons Learned

The author stated the following lessons from his experience with risky management:

  1. Unless the most senior executive is clearly supportive of the organization’s risk management efforts, those efforts are likely doomed before they start.
  2. A packaged approach to risk management simply does not work; leave the binder at home. Risk oversight has to fit the culture of the organization. Look for ways to leverage risk management considerations into other successful initiatives and processes.
  3. All organizations have budgetary constraints, but risk practitioners need to make every effort to explore low-cost options and be prepared to present them side-by-side with the expensive alternatives.
  4. Be patient and focus on education.  Don’t try to force too much, too soon.  Instead, try to help inform executives about the benefits and need for more explicit risk considerations. 
  5. Focus on risk opportunities in addition to risk threats.

ERM Enterprise Risk Management Initiative 2012-05-01