I read the article “Peacetime CEO/Wartime CEO” on Ben’s Blog, authored by Ben Horowitz, describing the different attitudes and approaches required from a CEO during peacetime and wartime. It got me thinking about whether this applies to risk managers too. Do risk managers need to have different traits and approaches during wartime and peacetime?
Then I read the post “How to scope an audit of thingamajigs” on the IIA Marks on Governance blog, where Norman Marks says that even in complex situations the regular approach to an assurance project can be applied. I beg to differ. In my view, a wartime risk manager needs to think differently.
Now the first question is: do risk managers really face wartime situations? A definite yes. Let us consider the Satyam example. The company was doing fine, until one day the CEO disclosed that he had defrauded the company to the tune of Rs 7000 crore or more. This is definitely a wartime situation for a risk manager to manage.
In the normal course, a risk manager in an assurance or advisory role has the time to plan for an assignment, go in depth and then issue a report with findings. However, let us approach it from a fraud investigator’s viewpoint. Let us say the fraud team discovered a one million dollar fraud and it suspects employee involvement. The fraud investigator’s approach will be to determine the modus operandi of the fraud and identify suspects. As a prevention measure, the investigator needs to involve management to suspend the suspected employees. This is to ensure that the suspected employees do not commit further frauds or destroy evidence. Simultaneously, the investigator needs to assess whether the money lost to the fraud can be recovered. The response time for these first three actions is 24-48 hours from discovering the fraud. After reporting preliminary investigation findings to management, the investigator has some time to do the detailed investigation, assess the legal way forward and determine the reputation damage when the case gets media attention.
A million dollar fraud in a large organization can start a small fire; however, the sky is not falling. Let us envisage a situation where the roof is crashing over the heads of senior management. What does the risk manager do then? As Ben Horowitz writes, “In wartime, a company is fending off an imminent existential threat”. In such a situation, the wartime CEO is looking for support from risk managers to deal with the threats. Quoting Mr. Horowitz again: “Wartime CEO is too busy fighting the enemy to read management books written by consultants who have never managed a fruit stand.” The point is that in wartime CEOs are not interested in long, drawn-out reports, hence risk managers need to be action oriented. Risk managers need to change their stance from a recommendatory staff role to a leading line command role to manage risks.
Let us take a scenario where the organization is in wartime and the risk manager’s role becomes frontline. The CEO of a large multinational discovers that extensive fraudulent activities are occurring in one business unit. The business unit heads have established a deviant organization culture and are taking bribes and kickbacks and misappropriating funds. The value of the fraud is not known and the CEO suspects that nearly 200 employees are involved in it. In such a case, what advice should risk managers give to the CEO to manage this forest fire?
In my opinion, the following are some key aspects that a risk manager should consider to manage the crisis:
1. If 200 employees are involved, including senior members, can they be simultaneously suspended or terminated without affecting the business? Should the short-term replacements be from other business units or external temporary hires? Does the management have the political will and support to pull off this level of terminations? It is not a good idea to move the culprits to another part of the organization, since they will contaminate the good units with destructive management practices.
2. As frauds are occurring in the business unit, are they at a single location or multiple locations? If multiple locations, is it worthwhile to depute separate fraud investigation teams to the different locations? These teams can simultaneously assess damage at multiple locations and defuse the situation. Investigating one location at a time may prolong the period, give suspects the opportunity to damage evidence and stress out the organization.
3. Formulate a strategy for recovering the money from suspects or third-party beneficiaries of the fraud payments. Does the organization have leverage to recover money from the suspected employees?
4. Obtain a legal opinion on how law enforcement agencies can help the organization and on the process of pursuing a criminal case against the suspects. The organization might need to pay a heavy price for taking a legal course of action; however, a tough stance will act as a future deterrent to existing employees. The organization should also envisage that, as a number of employees are involved, they might put up a dirty fight to browbeat the organization into submission. The organization should look for ways to distance itself from criminal and illegal behavior quickly.
5. Develop a communications plan for internal circulation to employees and for addressing the media. The employees’ morale will be negatively impacted and needs to be carefully managed to ensure minimum resignations. Secondly, external reputation damage from media coverage should be assessed.
6. The organization should simultaneously start working towards establishing good corporate governance, business ethics and risk management practices. This will send out positive messages to the staff and customers and prevent a repeat occurrence. If the whistle-blowing process is not working, it should be re-established promptly. Start focusing on building a constructive organization culture immediately to heal the organizational wounds.
In such wartime situations, management and risk managers are sometimes like a deer trapped in the headlights of a car: frozen in fear and indecision, not knowing which direction to move. However, this is dangerous, since the cost of not doing anything is higher to the organization than the cost of legal actions and reputation damage. The following verse by Abe Gubegna, Ethiopia, circa 1974, aptly describes the wartime situation:
Every day in Africa a gazelle wakes up.
It knows it must run faster than the fastest lion or it will be killed.
Every morning a lion wakes up. It knows that it must outrun the slowest gazelle or it will starve to death.
It doesn’t matter whether you are a lion or a gazelle.
When the sun comes up, you better be running.
Coming back to the beginning. Do you think that wartime risk managers require a different skill set to address organization risks?