Every time you breathe, you take a risk. But, usually, the potential for harm is greater if you don’t breathe. (There are exceptions, such as when your head is under water without a breathing mask.) Every time you make a decision, you take a risk; we take risk all the time, in pretty much every facet of our personal and professional lives.
But, when faced with the same situation, people will act differently from one another. A person may assess the risk differently from someone else. He may make a different decision regarding whether the risk is acceptable and which fork in the road he should take to address it.
In risk management, it’s fine to have defined risk criteria or appetite statements, but these rarely cover every decision a manager has to make. So, the manager has to make a decision based on what she thinks is best.
A number of experts will point to risk culture as the answer to this variance in decision-making. The experts seem to believe that some organizations are more risk-averse than others. But organizations are composed of people—different people in leadership roles with different backgrounds, experiences and biases. Organizations are not homogeneous. In fact, sections of an organization are not staffed with people who are identical in their attitude toward risk.
For example, on whether to select vendor A, B, C or a combination of the three, different people are likely to make different decisions. Manager X may have had a bad experience at another company with vendor A, while Manager Y used to work for that vendor. Manager Z may have lived through a disastrous experience where a sole-source vendor failed, so she will opt for a combination of two or more vendors. Manager Y may have just suffered a loss on the stock market that affects his desire to take risk, while Manager X has just heard he is a grandparent again. Even something such as a state of mind can influence a risk decision.
It’s not only that different people make different decisions in the same situation but that each person may make different decisions at different times. This is important because, as risk professionals, we want decision-makers to take only the level of risk that top management and the board desire.
To have consistent decisions on risk, we need to know the temperature and overall health of the organization and its decision-makers. We need to answer these questions:
- Who are we relying on to take the risks that matter most to the organization’s success?
- How can we obtain assurance that they understand the desired level of risk?
- How can we obtain assurance that they will act as we desire?
- How will we know when their risk attitude changes?
A survey will, perhaps, give you a moment-in-time view. However, people change. Managers and executives leave, new ones join, and people’s perspectives and desire to take risk change, especially if they see that their compensation or termination is likely to be affected by their decision.
This is a complex issue that risk professionals need to understand and assess within, and across, their organization.
Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com.
In the meantime, how do you address this variability? How do you know that your decision-makers will take the desired level of risk?