“The inability to predict outliers implies the inability to predict the course of history.” Nassim Nicholas Taleb, The Black Swan: The Impact of the Highly Improbable
We live in an era of dramatic, improbable events that adversely affect the economy, the environment, the fate of household name companies and people’s welfare and health. Or at least they seem improbable until they hurl themselves violently upon us from the shadows of our agreeable ignorance.
Strangely, with hindsight they often appear inevitable.
Bloated, failed banks that blight the economic landscape, exploding oil rigs that kill crews and devastate ecosystems, and aviation and rail crashes that kill hundreds of passengers.
How did food companies slide into the ethical morass of horsemeat in the lasagna? Did VW’s board of directors really want proscribed levels of nitrogen oxide in the exhaust emissions?
As these calamities pile up on our news desks, one begins to realize that situational awareness must involve a greater effort than many are capable of and often that battle is simply lost.
So what are we doing about corporate carelessness?
Are those businesses that have the potential to wreak devastation on their staff, the public, the economy, the environment and themselves doing anything to change their habits and reduce the likelihood of future calamities? Is there a category of organizations that works harder than others to anticipate and avoid the painful impact of unpredictable situations and events? It seems that there might be. Some, not all but some, organizations are implementing a management style known variously as operational risk, enterprise risk or governance, risk and compliance.
According to research analyst, Gartner, the critical capabilities for risk management are the ability to assess and document risks (preferably in a risk register – a big list of undesirable events, their potential causes and consequences and plans to mitigate them); incident reporting tools that let staff easily raise the alarm at the earliest sign that something is wrong; real-time monitoring of lead indicators (i.e. danger signs) which can be anything from a gearbox vibration level to the fact that an important meeting was skipped; response automation tools that execute pre-planned activities when a risk threshold is breached (for example, software that escalates the gearbox vibration level to the attention of the CEO, grounds the vehicle affected and issues instructions to the maintenance and repair team); and, lastly, the ability to quantify, analyze and report on risk so that the board and senior management has visibility of their risk exposure today (Are all the lights green? If not, why not?)
In other words, the subcategory of organizations that take risk seriously make great efforts to model and simulate the what-ifs, they provide staff with easy tools for raising alarms and expressing concerns, they monitor continuously for early warning signs and they are geared up to automatically respond to trouble. If that sounds like a whole different culture from the one you inhabit in your work, it might well be.
David Hornsby, the CEO of Nottingham-based governance, risk and compliance software specialist Ideagen, provides technology to help organizations behave with greater social and financial responsibility and his customers include the likes of KLM, the UK Rail Safety and Standards Board, Heineken and the NHS.
“We talk about operational maturity,” he says. “I would define that as having a technologically enabled culture of accountability and a more organized approach to ethical behavior overall. In order to behave diligently and ethically, managers and staff need better tools to combat the natural obfuscation of complexity and the pell-mell speed of modern work. Just because you’re not aware of a problem does not mean that it isn’t your responsibility. That’s a different mind-set. We work with those who want to protect the public and their own people as well as their finances and reputations from the threat of unforeseen, improbable yet catastrophic events. The payoff is that doing so makes them more efficient: safety and efficiency are two sides of the same coin. Anyone who’s ever tripped over in an untidy workshop knows that.”
How then do we prevent recurrence of child protection failures in local government, NHS disasters like Mid Staffordshire, and unaccountability and negligence on the part of organizations that can unwittingly inflict harm?
Risk management software and systems may be part of the answer, but certainly the concept of maturity is fundamental: behaving like a grown-up and being responsible for your actions, or lack of action.
Leaders must make the effort to ensure that they have visibility of emerging risks: it’s no longer acceptable to be told about a problem after the fact and respond with public, pious regret.
Leaders must provide simple reporting tools for staff to raise concerns early on the slippery slope, and they need to be proactive in assessing and modelling risks.
Perhaps being proactive about risk means never feeling comfortable again. But then surely that degree of bother is preferable to causing harm and ending up on the front pages or worse? Maybe we all need to grow up a bit and get used to it.