I was reading a risk management blog today and was very impressed with the technical article covering various aspects of solvency and valuation of the insurance industry. As I was reading it, my mind analyzed the information with respect to various laws, sections, cases etc. After finishing it, I took a breath and thought: “I actually felt like referring to various books to understand the article; will a regular business operation employee actually understand it?” This resulted in a depressing thought: “I do the same. To show my knowledge, I mention sections and case laws of various acts, which leaves business people stumped.” Well, in my defense, I will say it gives a heightened sense of satisfaction and success. The adjacent picture truly depicts my emotions after such a discussion.
Somewhere I feel risk managers are having their cake and eating it too. The primary responsibility for managing risks lies with the business operation team. The risk manager’s role is that of a support function, a facilitator to the business. The business managers are not being provided with the necessary information, knowledge and tools to proactively manage their risks. Let me explain why I am making this statement.
The risk managers in their role as auditors are focused on what went wrong in the past rather than on equipping the business managers to deal with the future. It is a feedback system at work rather than a feed-forward one. The other aspect is that risk managers in their role as advisors issue guidelines and policies without the complete involvement of the business people.
Scenario 1: Let me take the scenario of implementing information assurance policies. The risk manager will discuss the overall requirement with the business managers, prepare the policy, take feedback regarding it and then issue the final policy. Then they will ask the business users to implement it. Since in quite a few areas implementation may not be possible, exceptions will be granted to the business users. In a nutshell, only around 75% of the policy will be implemented.
In both these roles the involvement of the business operation team is minimal at the commencement of the project. They are expected to implement the recommendations.
Considering the above-mentioned shortcomings in the risk management approach, I wished to explore the concept of collective intelligence and its applicability to risk management functions.
As a first step, let us understand the nature of information and intelligence which risk managers require to conduct their jobs:
1) Organizational Intelligence– Information regarding processes, structure, culture and technology. These they normally get from the business managers through interviews and review of standard operating procedures.
2) Commercial Intelligence– Information regarding the external environment- customers, suppliers and competitors. This information they obtain from interviews with business managers, customers and suppliers. Other sources are various media and research reports published.
3) Technical Intelligence – Information regarding the various laws, acts, methodologies and tools applicable for risk management. Risk managers have the knowledge on how to conduct the risk management while using this information appropriately.
As can be seen, business managers have more information and knowledge on two of the three intelligence capabilities required for conducting risk management. In a more collaborative approach the risk managers should be able to impart their skill specialization to the business managers effectively.
The question is how can this collaborative model work? Let me take the example again of preparing information assurance policies.
Scenario 2: In this scenario the risk manager puts up the objectives of preparing and implementing information assurance policies, along with a table of contents and broad outline, on the intranet. Now it is open to the employees to contribute and decide how it should be developed and implemented. The employees comment on what is applicable, how the process works, what the bottlenecks and challenges are, who should review it, how it should be implemented etc. The risk manager identifies the major contributors and meets them for interviews. Based on the web interactions and meetings, the risk manager prepares a draft policy document and uploads it on the intranet. Again the employees are invited to review the same and provide feedback. After incorporating the feedback, the risk manager proceeds to obtain approval of the senior managers.
In this approach the risk manager has the buy-in of the employees before the finalization of the policy. Hence, implementation will be easier since employees feel a sense of collective ownership and responsibility. This will enable adoption of information assurance policies as part of organization culture.
To delve further into the approach, I am adding an example which I read in “Collective Intelligence- Creating a Prosperous World of Peace”, with a foreword by Yochai Benkler and remixed by Hassan Masum. I have adapted the example “Three ways to storytelling” to the risk management function.
Three Ways of Story Telling- Risk Management Adaption
Let us formulate three societies for risk management: Red, Blue and Green. Each society has specific procedures on how to conduct and discuss risk management activities.
Red: In Red society, a hierarchical top-down approach is followed. All the risk management issues can be reported by the risk management department to the CXOs. Business operation managers are required to go to their respective risk managers to discuss their issues. A business process team member has to route their risk management issue/query through the business operation manager to the respective risk manager.
The senior management issues risk management guidelines, policies and reports to the business operation team. The business operation team members hear regarding the issues only from the senior management and implement accordingly. In this case, an employee’s understanding of risk management issues is at an overall level controlled by the senior management. An employee’s perceptions and knowledge are based on the information provided to him/her by the seniors.
Blue: In Blue society, a hierarchical top-down approach is again followed, however with a slight difference. Here the business operation manager can bring up the risk management issues directly to the CXOs’ attention. Then the risk management department and business operation manager work in collaboration to address the issue. In this case, a change agent from the business operation team can be nominated to address the risk management issue.
In this scenario, the business operation team members hear about the risks which senior managers, risk managers and their elected change agents inform them about. The employee’s perception, knowledge and awareness on risk management issues are governed by this select group. Though information is not controlled as in the completely top down approach of Red, it is controlled by the major key players in the business operation team.
Green: In Green society, the approach adopted towards risk management is that of collective intelligence. Business operation team members can put all their concerns, suggestions and problems regarding risk management on the intranet. The other team members, including the risk managers, would discuss the same on the intranet and in meetings, to suggest a solution to the issue and mitigate the risk.
In this scenario, the business operation team members discuss the issues which concern them. There is no control from a senior manager regarding the topics to be discussed, and no permission is required for the same. The flow of information regarding risk management is through multiple channels: team members, business managers, risk managers and CXOs. The information which an employee has is extensive and he/she is well informed regarding the subject. The perceptions and awareness are built through multiple sources of information.
The problem with the collective intelligence approach can be that employees have extensive information; on what basis will they decide the relevance and applicability of the information? How will the risk management function operate? The adjacent diagram depicts the steps for using collective intelligence in risk management activities.
The main advantages of this approach are:
1) The risk management department generally faces the challenge of adoption of risk management practices by the business operation team. There are enough people who commence the process, but for implementation a significantly higher number need to be knowledgeable about the issue. This requires focused efforts of building awareness and training. The cost of training and implementation is subsequently quite high. With the collective intelligence approach a significant mass of people are already aware and knowledgeable about the issue. Hence, cost and time of implementation are lower.
2) Whistle blowing is the only option which is allowed to employees to bring a critical issue to light. This has a lot of negative repercussions on the employee, management and organization. With open communication, the employees will be able to discuss the smallest issue of corruption, illegality and unethical behavior without hesitation. Risk of exposure will also inhibit employees from indulging in such practices.
3) The other aspect is that this approach fulfills the psychological needs of the employees. The approach provides a sense of ownership to the business operation team and this motivates them to implement risk management solutions. The risk managers are adopting a feed-forward system by guiding the business operation team into doing what is right in the future, rather than focusing on providing a critique of what has been done wrong in the past.
4) This approach encourages innovation and adoption of new ideas. Employees are encouraged to do their own research and come back with their feedback. They are not told what they should research. The diversity in thinking works effectively in providing better solutions.
5) Last but not least, a sense of collaboration and cooperation exists between all the departments. It breaks down the walls which managers construct to work in silos.
Do you think this approach is worth adopting for the risk management function? Presently, most organizations are adopting the Red and Blue society approaches to risk management. What according to you would be the inhibiting factors for applying the collective intelligence approach of Green society to risk management?
Another point not to be missed, which I think might have been my unconscious agenda when I started exploring this concept: it significantly reduces the work and responsibility of risk managers. They can chill!
I welcome your comments on the topic.