More Risk Assessment Danger
When I was setting up ERM for Business Objects S.A., I was surprised by the reaction of the General Counsel, David.
I had already met with the CEO and his other direct reports. Now David and I were meeting so I could get his insights on the more significant sources of risk to the company and its objectives.
“I’m not going to answer your questions about risk.”
I was shocked and asked him why, since both the board and his boss, the CEO, wanted this done.
Even though I told him that his insights were critical, he politely but firmly told me he would not share what he thought the likelihoods were of each of the events and situations most likely to cause a significant problem for Business Objects.
He went further, saying he would not provide any assessment of risk relating to legal actions by or against the company that would be documented by me.
David believed, with some justification, that documenting his (and the company’s) assessment of risks could itself create an unacceptable level of risk.
Why is there danger in risk assessment? (Beyond the risk of getting the risk assessment wrong, leading to bad business decisions, as discussed in my last post.)
Consider safety risk: the possibility that an individual might sustain serious harm while on our premises or when using our products. The company may publish a risk appetite statement that declares it has zero appetite or tolerance for safety risk. Yet, it continues to operate – meaning it is actually accepting some level of risk.
Now consider that management performs a risk assessment and (correctly) assesses that there is a low level of safety risk. For the sake of argument, let’s say it determines that the likelihood of loss of life is 0.5%, of serious injury 2.5%, and of minor injuries 3.75%. Relying on that, management decides not to upgrade some of their equipment using the argument that the cost would be prohibitive and the benefit (including the reduction in safety risk) minimal.
Then there is an incident with loss of life and other serious injuries to personnel, including both employees and contractors.
A lawsuit surfaces the risk assessment and management’s decision to accept the risk.
The union and the press blame the company for accepting the likelihood of death and injury for the sake of profit.
A similar situation can arise with compliance risk.
In theory, and probably in public, no company will accept any level of compliance risk.
In practice, they must if they are to be in business.
So when they decide not to hire additional compliance personnel because the cost exceeds the benefit, and they then violate data privacy laws or anti-money-laundering regulations, significant penalties and business disruption may ensue.
Taking this to a practical example, I have been working with a nonprofit that helps refugees in the Ukraine and many other nations around the world.
The chair of the audit committee would like to know what its risk appetite is, meaning the total amount of risk the organization is willing to take in pursuit of its objectives.
But how do you set an acceptable level of risk when people’s lives are at risk? It can’t be zero, because taking risk is necessary if you are going to send employees and others into a dangerous area to rescue people.
My point is this. The risk practitioner should understand where and when a formal, documented risk assessment or statement of risk appetite might be a source of risk should it become public.
I am certainly not saying that there is no need for or value in a risk assessment for compliance and safety risk. There is value, especially when allocating resources to areas of greatest compliance risk.
What I am saying is that we have to be careful how we quantify, document, and report it. At Business Objects, I found a way to perform the analysis “at direction of counsel” to provide some level of safety.
What do you think?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
As sad as it makes me feel, very real problem, I had my fair share of secret documents, hidden folders and encrypted emails and even exchanging risk info on paper to be burned after review :))
In my humble opinion, this process unto itself is a bigger problem than performing a less than ideal risk assessment.
A mindset like this worries me more than making a weak assessment.
Such an approach, as it relates to ESG – in several industries this is happening now and it is making a mockery of efforts to be more conscious of the range of risks.
This approach could benefit from being updated and transparent.
Dragica, could you help us understand what you mean by “this process”?
To know of a risk and do something about it is one thing. To know of a risk and do nothing about it (not even sharing the description of the risk) is something else again.
Different risks are very different. Working for a chemical company for a couple of decades taught me about safety risk. But we also had FCPA and other notable compliance risks. Them pile on a wide variety of risks related to product pricing, market share, supply chain, etc. We approached safety risk differently than other risks, for many of the reasons this post explains. This is one reason why I find little to no value trying to combine all types of risks into a single metric (or two-dimensional metric) operating under a single “defined” risk appetite. Addressing risk in most organizations is complicated and I believe is best approached differently for different types of risk.
I am reminded of the risk assessment Ford did back when they were anayzing the poorly designed gas tank on the Pinto. The recall would cost more than the anticipated lawsuits, so they accepted the risk. We know the rest of that story. It does seem, though, that the lessons from the past are not always informing decisions in the present.
Thought provoking. A compelling read though but left me in a dilemma. Need to reassess.
Very insightful stuff, Norman. Taking some level of risks is necessary in order to acheive the objectives and this may be needed to explain to the public. If the 0.25% safety risk of human loss gets materialized, for which no action was planned (risk was accepted), then, it should be explained in details to the public later, making a case that, given the circumstances and data the decision back then was the most rational one to take. When US seals, let’s say go on a mission to take terrorists the down, there is always a great risk of collateral damage and loss of lives. Does this restricts the Seals to abandon the mission or keep it secret? In most of the cases, No! So, as long as the chances of benefits of a risk management strategy exceed the adverse consequence of it then there should not be problem to disclose the risk assessment to the public. I understand that its easier said than done but if we really want to increase the transparency and integrity in the financial and other important governance information the managements make public, then this resistance need to be dealt with.
Ammar, transparency won’t survive a fatality. Sorry
I don’t think the public will perceive the decision in the same way the company does.
I used to approach this type of scenario with an overly idealistic viewpoint or question, which was “If the event (or some of the potential range of impacts) occurred, would you take action to prevent it from happening again?” If the response was yes, the followup question would be “Then why wait for it to happen? Why not allocate the resources to prevent it now?”
Of course, not so simple in the real world. If a risk assessment was sufficiently accurate but the event happened anyway, you would assume that you could say “While this poor outcome occurred, our assessment was reasonable, our decision not to take further action was correct, and it continues to be the correct decision”. In practice, there is likely to be pressure, whether from employees, public, shareholders, etc to take action; even if that action takes away resources from other risks (or opportunities) that are not top of mind but might actually be more important to address.
Hello Norman. I read your post. Great topics. I’ll respond to a few of them with my thoughts.
Many people are involved in risk management, coming from different perspectives and experiences. I don’t like the term appetite – never have – and never will. I have no problem engaging in the evaluation and discussion of significant sources of risk. I do have concerns when it comes to numerically quantifying risk, and I would want to evaluate that on an issue-by-issue, or a risk-by-risk, or an uncertainty-by-uncertainty basis. Every risk and uncertainty is different or has certain different factors or qualities.
As a lawyer, to the extent that it is possible I would want the company to have specific risk discussions protected by the attorney client and work product privileges, and I would want the written materials about those topics to be more of a general nature. Unfortunately, yes, written materials can become a roadmap for plaintiff attorneys.
But, of course, a business should (and sometimes legally or perhaps generally must), and it is prudent to, evaluate and discuss risk management, and to have processes in place. Within the context of those processes, I would take each topic, risk and uncertainty by itself and also consider cross-interactions – for example, such as risks or uncertainties relating to product design and manufacturing compliance, reliability, and safety; supply chain reliability; compliance with HR laws; financial, accounting, reporting, disclosure and internal controls; ESG compliance, optics and reputation; processes to protect intellectual property, etc.
Thanks for your discussion. Dave Tate, Esq. (and inactive CPA) http://tateattorney.com
Great post, Norman. I think what your saying is why the “classic” risk responses of “Accept”, “Mitigate”, & “Share” fail us. When compelled to indicate a response to a particular risk, I much prefer using response types of “Manage” (to indicate a risk is emerging and mitigation planning is underway) or “Monitor” (to indicate mitigation plans, guidance, metrics, etc. are already in place). This should help ease the legal liability concern because the company will never have “accepted” a risk for which it new or should have known needed to be addressed.
Thanks
Sometimes a risk is taken that makes sense to the business, but not in hindsight in the eyes of the community.
Perhaps risks that are taken for good reasons but that might be second-guessed in the (hopefully) unlikely event of a loss should be flagged differently?