7

WHO Needs to Be Involved?

“We all were part of the problem. Yes, we made a severe error in judgement, but our real sin was not communicating with one another.” Mason P.

Everyone fears a wildfire, but it is of greatest concern for people who live in a desert environment. The fire’s fuel, trees and plants, is perfect fodder because of the dryness. Desert winds can turn a small fire into a disaster because of their ability to spread it quickly out of control. The worse the fire, the greater the risk.

The air in Phoenix, Arizona, that day was so pungent my nose hurt. The sun was hidden by a hazy greyness because of a wildfire burning many kilometres away that was currently under control. Despite the smell and artificial darkness, I now had another analogy to explain enterprise risk management (ERM), which I used to start the session.

“Do any of you recall the Smokey the Bear public service announcements?” Several hands went up. For those who were not familiar with the Smokey the Bear PSAs, I explained that the long-running ad campaign in the United States features the iconic, hat-wearing Smokey Bear. He advocates for the prevention of wildfires through personal responsibility and the slogan, “Remember ... only YOU can prevent forest fires.”

As a child I did not understand Smokey’s message. I wondered how I could prevent something beyond my control. That’s the fireman’s job. With more wisdom I understood his real message. Smokey was reminding me that I needed to do things to ensure that I did not start a fire or contribute to one getting out of control. Smokey’s advice applied to me when using fire on a camping trip and when performing activities that could spark a fire, like using a chainsaw or riding a motorcycle.

Smokey’s advice and caution are what risk management must provide: remind employees that each of them has a responsibility to lessen or avoid the high cost of unnecessary or unwarranted risk.

As a child I thought only fire professionals were accountable for preventing forest fires. Similarly most of your employees currently believe the leaders are the ones accountable for preventing risk. In ERM every employee is accountable for preventing wildfires. Your company’s motto, clearly communicated to every employee, is “Only you can prevent costly or harmful risk.”

As before I will share with you a story of a client, “Mason,” whose wildfire relates to what you will experience today.

Charlie, Ollie and Mason believe they have the perfect partnership: inCOM Solutions. As consultants to the software development industry, each partner plays a specific role in the organisation. Charlie is the nuts and bolts planner because he has the ability to get past the distracting code and develop or find the appropriate driver for their clients’ products.

Ollie is the visual expert of the team. Because many technology solutions run on visual devices, such as the smartphone and portable tablet, their clients need an easy-to-use and very colourful interface. He knows how to turn the hidden code into a powerful interface that relies on Charlie’s driver.

Mason is the visionary of the team. He can listen to the client’s very complex problem and, within a few hours or days, create a crystal-clear one-page recap of what the software is supposed to accomplish. Mason can quickly see past the fog of data and home in on the one salient area that becomes the focal point for the client’s software objective.

With rapid growth over the last seven years, each partner got busier and busier, leading many diverse project teams, as well as preparing proposals and wooing potential clients. Despite their record of achievement and client list made up of the who’s who in technology, their perfect partnership severely stumbled. It all started when inCOM hired employee “K.” They needed a code writer and systems tester immediately, and this urgency caused them to shortcut their normal hiring process. These two skills are difficult to locate in one person, so there was not a large pool of qualified candidates. Once the word got out, an out-of-town recruiter contacted Mason and described K’s qualifications. Because of their desperate need, Mason conducted the first two interviews: one over the phone and the second using Skype.

Because he is a big-picture person, Mason did not delve into K’s background and qualifications, assuming that Charlie or Ollie would do that. The candidate seemed to be who they needed, so Mason scheduled K to fly in for an interview with Charlie and Ollie. It was very difficult to find an opening in their hectic schedules, so Ollie and Charlie separately met with K. In their haste neither one took the time to check K’s portfolio and background or communicate with Mason. During the rushed interviews with K, each one spent most of the time extolling inCOM’s accomplishments and successful projects. Before K returned home Mason made K an offer that K accepted the next day.

Although there were specific warning signs that K was not working out, no one noticed. The three partners rarely took the time to meet and discuss the big picture of their firm.

Mason was the first to learn of the problem when a long-term client cancelled its ongoing retainer engagement. Next Charlie was fired by another long-term client who complained, “You guys have lost your way. Your quality isn’t what it used to be.” Ollie was dismayed when one of his clients threatened to sue if inCOM did not refund fees already paid on a very large project.

One Saturday morning, when they found themselves together in the office, each owner started to complain about his client problems. After tossing this problem about, they looked for common factors and ended up with only one: K. The three projects in jeopardy were ones they handed over to K without any oversight. Needing to get to the heart of the matter, Charlie (the detail guy) spent the next three days finding out what K had or had not done and obtaining client comments and concerns.

By Thursday of that week, Charlie presented his findings to the partners. According to multiple sources K was

  • verbally abusing the client’s employees.

  • arrogantly ignoring the client’s advice and feedback.

  • unskilled in many of the areas in which he claimed to be knowledgeable.

  • blaming client personnel for his own obvious mistakes.

K was terminated the next day, but it would take some time to repair the damage to inCOM’s reputation because word spreads fast in the networked community of software development.

Mason asked me during a coaching session right after he fired this employee, “What did I miss? Why did we get into this mess?”

I responded, “Each of you saw only a small aspect of the whole within the scope of your very narrow roles. In risk management everyone must play a key and interdependent role. When you as a company chose to seize an opportunity in the form of hiring K, an unknown quantity, you and your company incurred a normal-sized risk that quickly grew out of control. Each of you was unaware of the abnormal risk and its consequences because you were focused on your work and desperate for help. As a result you missed or ignored the warning signs that K was not the solution you wished for.”

Risk Management Is a Team Effort

Your mom probably warned you, “Don’t put your nose where it doesn’t belong.” That quaint adage does not apply to managing risk. As the story about Mason’s problem employee showed, when it comes to detecting and then managing a potential problem, it requires many noses. Risk is everywhere and arises from all around you. Because you are not omnipotent or omnipresent, you need other responsible, trained people to poke their noses into the visible and invisible potholes and pitfalls.

Murphy’s Law of Risk Accountability

The more people involved in solving the problem, the worse the outcome. The fewer people involved in solving the problem, the longer it takes to create a solution.

ERM establishes a suggested structure of specific risk managers who report to the ERM executive (chief risk officer [CRO]) and provide risk-based information to the ERM committee. As previously discussed a horizontal view of risk is not available with the traditional “silo” approach in which you rely on specialists and insurance to address your daily risks. You need many noses sniffing for risk because typically

  • internal audit employees only deal with control risks.

  • finance employees only look after accounting-related risks.

  • operational employees only deal with day-to-day business risks.

  • asset managers are only concerned with property risks.

  • executives mostly deal with strategy risks.

  • sales management only looks at market and customer risks.

  • quality employees only watch over product risks.

  • treasury employees solely handle monetary risks.

This specialist method of addressing risk separates accountability from solution, and it also hampers open dialogue about risk, the sharing of best practices and spotting broad trends.

Yet someone in your organisation needs to have the ultimate responsibility for ERM, with a team of employees supporting him or her. This vital role is your CRO who reports to both the CEO and board.

The CRO is the senior-level employee who is in charge of the risk management team and focuses on risks that could affect the bottom line and firm’s future existence. The CRO’s team is empowered with deciding what is and is not risky.

The ERM committee is an employee group that seeks out areas where the payoffs for risk are overstated or the costs of risk are understated. They examine documentation, test transactions and review specific decisions. They also highlight external areas of concern. The CRO, through the work of the ERM committee, gives the CEO assurance that risk is being managed and that the firm’s checks and balances are working, so the CEO can sleep well at night.

Throughout the entire risk management process, your organisation must retain a strategic focus, and although a senior-level executive must be the champion of your risk management efforts, other groups of people can be established to support ERM.

How many employees in your organisation have a 10,000-metre view of risk?

According to Henry Ristuccia, a partner with Deloitte & Touche and U.S. leader of its governance and risk management practice, “While more companies are now appointing chief risk officers, many don’t have that position, and therefore responsibility for risk management ends up with the board and the CFO.”

Justin asked, “What is the best way to oversee the management of risk? Who needs to be part of the risk management team?”

I answered, “There are two approaches: one for big organisations and another for small ones. The requirements of each one are the same, and this will be where I start to answer this question.”

CRO

Experts in risk management agree that organisations need to shift the focus of their risk assessment efforts away from specialists to a broader base of employees who are led by a high-level person, such as a senior executive who is accountable for global risk oversight. This person needs a much broader field of vision if he or she hopes to successfully see what’s raining down upon the organisation in the form of unforeseen risk. This is hard for the executive who specialises in one discipline, such as sales, production, marketing or research; therefore, choosing the right individual is crucial to the success of your ERM programme.

Companies That Understand the Importance of Risk Management

These organisations recently created a new position of CRO: AXIS Capital Holdings; Eutelsat Communications; Navistar International Corporation; Pepco Holdings, Inc.; State Street Corporation; Synovus; Walgreens; and Webster.

Arcelor Mittal, the world’s largest steelmaker, recently announced it added a risk committee to its board.

CalPERS, the largest pension fund in the United States, formed an ad hoc board-level risk committee.

Every risk management programme, regardless of whether it is based on ERM, requires an executive-level champion who must be able to assemble a multidisciplinary or cross-functional team that can effectively discuss the risk and its related business issues your organisation faces and then share his or her findings with the entire organisation. Your designated champion and his or her team must understand why your company has succeeded in the past and is currently succeeding or not succeeding.

Risk Management Team

The risk management team takes a 360° perspective that broadens the typical “I don’t want to worry” focus to include less tangible assets, specific exposures and the links among them. By understanding the broad risks facing your firm and how they are interrelated, you are better able to manage them, create a sustainable strategic advantage and, hopefully, increase the firm’s value.

ERM requires that all members of the risk management oversight group (ERM committee) work together to pinpoint and measure the critical risks confronting your organisation and then develop a systematic approach to manage the risk portfolio.

As shown in the risk management oversight chart in Figure 7-1, there are many participants. This team’s membership consists of the controller and key decision makers (DMs) from every part of your organisation, from human resources to sales and from operations to treasury. The team’s centre point is the CRO.

I recommend that the CFO not be a member of the ERM committee as a way to strengthen the checks and balances that the CFO is accountable for.

The members of this team, other than your controller and director of internal audit, need to be responsible DMs charged with accountability for the quality of decisions and processes within the department they represent. However in larger organisations, this responsibility could be assigned to someone other than the manager as a way of building the competence and confidence of future leaders.

The employees whom the CRO directly supervises can be described as change agents because that title reflects their ultimate goal rather than their responsibilities. The change agents in your oversight group

  • delve into certain areas that are or will be affected by risk taking.

  • assist in implementing the changes that the oversight group recommends.

  • train employees on how to use the risk management tools.

  • report to management using a balanced set of risk-oriented metrics.

You could assign different titles to these change agents, but giving the employee a title, such as analyst, auditor or risk assessor, does not communicate to others how the employee is benefiting the organisation and could be confusing if you have other employees with similar titles.

The Tipping Point on Wall Street

James Lam, president of James Lam & Associates, a risk management consulting firm, recently commented about what he is seeing in large organisations. Almost 90% of global organisations with more than $1 billion in revenue are either putting ERM into place or have an ERM programme up and running. Of the S&P 500 companies his firm studied, 58% said their audit committees were responsible for risk management.

Board of Directors

Of course risk management efforts must have the support of your board of directors because your risk oversight group requires representation from all across the company. They need to create stronger ties between the global overview of risk and the application of the tools and mitigation of those risks. The champion for your programme must have the confidence of the board and be comfortable reporting to them.

The last person you want in this ultimate oversight role is the CEO or president who, through his or her automatic mantle of authority, can easily override the findings of the oversight group and ignore the board’s concerns about risks. Putting the CEO in charge of the risk management function is like putting the fox in charge of the chicken coop.

Murphy’s Law of Risk Oversight

The more complicated your control system, the easier it is for someone to circumvent it.

Oversight Group in Small Organisations

No Tipping Point on Main Street

Toby J. Bishop, director of Deloitte Financial Advisory Services, reports, “There’s often no single entity for oversight. Many companies have no compliance or risk management at all.”

In smaller organisations, usually, not enough decision makers are available to devote large amounts of time to the discussion and analysis of risk. Therefore it becomes the responsibility of your line managers and a few administrative managers to identify, classify, monitor and control operational risks. They form the oversight group that reports to a senior executive. Holistic analysis of risk requires cross-functional participation.

In this simplified structure you expand every manager’s job scope to include identifying these everyday risks and preparing for them if the perils worsen. This identification duty applies to opportunities your managers should already be attuned to. In the scope of their daily work, your managers face many other sorts of risks that are less visible and that unfortunately get ignored. Yet these risks also need to be monitored, measured and managed. It is an extension of your supervisor’s or manager’s vital role, not a duty or task you add on.

The managers who comprise the oversight team need to learn how to take risks, as well as watch for them. These two intentions can be seen as contradictory, even though they aren’t. The thought process for taking risks and managing risks is the same. To effectively take risks, your manager needs to anticipate the possible and probable impacts of his or her actions and then make a conscious effort in deciding to

  • move forward.

  • not move forward.

  • move forward in a way that reduces any negative consequences.

When your managers learn to take risks, they automatically become more conscious about the risk management requirement of their job. As each decision maker improves his or her ability to identify then mitigate a potential business risk, he or she gains confidence when taking innovative and creative leaps of faith.

Every manager who makes critical decisions for your organisation needs to be trained on risk management, so that it becomes part of his or her daily activity. This qualifies the manager to be the de facto member of the oversight team. In this hands-on training, you help each manager understand the concepts, principles, tools and techniques for considering and managing uncertainty. This training optimises their abilities to achieve both individual and corporate goals.

Without a formal risk management programme, most small organisations assign the risk management role to either a contracted professional risk manager or their CFO. Either choice leads to the “silo” approach of risk management. Finally the role that is often neglected or under-emphasised in small organisations is that of the primary risk executive or CRO. This person still needs access to, and authority over, employees who have a responsibility to do the follow-up work necessary after a solution has been put into action. In a smaller organisation the team’s change agent who supports your risk executive could be a department head, supervisor or technical expert.

Your executive team, consulting with the board, must decide who in your organisation can best take on this role. He or she is given the authority and budget to form your firm’s risk oversight group. The structure for the smaller organisation is shown in Figure 7-2.

Finance’s Role in ERM

The organisation’s finance team is the group best equipped to support and assist the organisation’s leaders in their efforts to globally manage risks, but taking the lead on risk management is not your finance department’s responsibility. Your accounting employees play a pivotal role in management of risk in several areas.

Selecting Metrics

ERM requires that the oversight group have access to a set of metrics known as key performance indicators (KPIs) and leading indicators. Finance, which has access to a wide variety of pulse points, can assist the ERM team in determining the methods of tracking and the meaning of each measurement. It can also assist in defining, measuring and monitoring key risk indicators (KRIs) that serve as early warning signals about impending problems.

Providing Feedback

Your risk management programme requires a reporting mechanism for it to work as designed: to decrease rash or unwarranted risk taking. In ERM this consists of a dashboard of the KRIs and KPIs made available to the risk committee and executives. Because ERM suggests the development of alternative financial plans and forecasts using different selected scenarios, finance is in a position to provide information on the status of those plans in its reports.

Recommending Policy Updates

Because finance usually serves as the “sheriff” for errors, omissions and unethical conduct, it can advise leaders on where policies need updating or strengthening.

Testing Transparency

ERM requires that leaders display transparency in their decisions, goals and actions. Through its reports, finance can analyse and test those efforts for transparency. Because the leaders of the effort must ensure transparency in the risk management process, finance has an obligation to connect the risk management programme to the organisation’s system of internal controls.

Scenario Planning

With its skills in analysis, finance can project the financial implications of alternative strategies and test the sensitivity of key assumptions, financial measures and variables under different scenarios.

Process Improvement

Although not a primary source of hidden risk, all operational processes can contribute to the creation of rash or irrational decisions and the acceptance of unwarranted risk. Complex processes are often used to cover up fraud, embezzlement and waste. Finance can be the group that leads the plan to improve all major processes, with the intention of reducing waste, improving decision making and removing hidden agendas.

Return on Risk Measurements

As shown earlier in this chapter, the acceptance of ERM hinges on proving the programme pays for itself. Although cost avoidance can lower overall risk, finance can assist the oversight team in creating a scorecard that compares the implementation costs to the benefits received. This will require agreement on a complete set of assumptions on how the organisation and its stakeholders benefit when employees are actively detecting and mitigating risk.

You will discover more ways that your finance employees are able to make your ERM programme a success, as long as they are considered assets to the process but are not the group burdened with implementing or overseeing it.

CFOs Weigh In

CFO Research Services and Liberty Mutual Insurance Company reported in June 2010 the results of a survey of senior financial executives on the state of risk management in their organisations. The report started, “Although research suggests that many companies would benefit from a more forward-looking approach to managing risk, 25% of the financial executives say that systematically identifying risk exposure is ‘very challenging’ at their companies.” However they added that justifying an investment in risk management is a challenge because of the difficulty in determining a viable return on risk management spending.

Source: http://www.cfo.com/article.cfm/14509202/c_14509253

Insurance’s Role in Risk Management

Buying insurance serves to provide your firm with funds whenever a covered risk costs you money, such as a fire, lawsuit or currency exchange loss. Insurance coverage is a commodity that has to be purchased to protect the financial resources of your organisation. Your leaders cannot fall into the trap of mistaking the cost of insurance for the cost of running a risk management programme. Buying insurance is only one exposure reduction tactic and must not be your firm’s entire risk management programme, a philosophy used by many small and mid-sized organisations. ERM, not insurance acquisition, is where you get to examine the scope of the risk vulnerability of the entire enterprise.

Insurance Does Not Always Reduce Exposure

In an attempt to manage their risks, both large and small companies mostly focus on insurable risks and ignore such things as operational and strategic risks. In the event that a risk needs insurance coverage, your company needs to take a fresh approach. When adopting specialised insurance coverage your organisation still needs to create long-term mitigation solutions. For example a risk to your firm’s brand might be easily mitigated through insurance coverage today, but in the long run it could have a significant negative impact on future sales and profits if the causes of your exposure go unaddressed. Brand risk is an example of an exposure that may not be covered by your current insurance coverage. This is why your creative exposure reduction efforts are critical to the successful implementation of ERM.

The balance between insuring yourself and managing risk without expensive coverage will depend on your firm’s risk management philosophy. A smaller company has a desire to protect itself and yet can have a large risk appetite. However that philosophy is risky because, quite often, the company lacks the infrastructure or leadership to support good risk management practices and, therefore, over-relies on costly specialised insurance to reduce its exposure. A more profitable philosophy would be to spend the same amount of money implementing aspects of ERM, which can reduce losses and operating costs.

Jeff Burchill, the CFO of FM Global, a commercial property insurer, warns, “I think a lot of [executives] think of insurance as a commodity that they buy, and that all insurance is created equal. It’s not until you have an event that you find out that it is not created equal” (http://www.cfo.com/article.cfm/14570123/2/c_2984346?f=archives). The most common mistake companies make when purchasing insurance is that “once you’ve transferred the risk you don’t have to manage it. That’s not true at all.”

Insurance’s Inadequacy

One area where your organisation has tremendous exposure is in its use of technology and the Internet for e-commerce. Yet you cannot always rely on insurance coverage to protect you against these exposures. The insurance industry is only now beginning to address and work with its clients to deal with the risks in today’s electronic world. Every day insurers are finding different exposures that they have not encountered before. The first deficiency with insurers is the lack of historical data, because they use history to determine both the size of the risk and its statistical probability. From this data the insurer sets a rate to charge its clients. This information must be reliable yet always arrives years after the risk is identified. The phenomenal growth in electronic business, or e-commerce, is another major and hard-to-quantify risk in business today. Although awareness of this risk is rising, the second deficiency is that some insurance companies still have a hard time getting their senior insurance executives to recognise that this exposure requires a new strategy or approach.

In today’s e-commerce a lot of risks are unquantifiable. For example your business model requires a heavy dependency on a contract manufacturer. You are unaware that the contract manufacturer also consults with your competitor, thus causing your business harm. The contract manufacturer failed to disclose this relationship to you. You now have to find and engage another contractor. You ask your insurance company for compensation, and it asks you, “What are your economic losses?” You are unable to show specific out-of-pocket costs, other than some travel and legal fees. You demand compensation for the damage to your reputation, for the work to quickly find an alternative supplier and for lost future earnings. Because this is a contractual relationship and one not addressed in your policy, the chances are high that your insurance company will only reimburse your out-of-pocket costs.

This example demonstrates a modern risk faced by every business that relies on strategic partnerships. In a panel discussion with top insurance experts sponsored by the Risk and Insurance Management Society, this specific shortcoming came up. Both the representatives from the insurance industry and their clients expressed concerns that the insurance industry has been slow to see the need to assess and underwrite risk differently from its traditional methods.

As exposures grow in our global, around-the-clock, interconnected and outsourced world, I predict that the major insurance companies will require their clients to provide proof that they have a risk management protocol in place in order for them to receive affordable coverage.

ERM Step Four: Minimise Exposure to Risk

There are two relationships regarding risk in a culture. The first is the one you know well: the symbiotic relationship between risk and reward. The second one is of equal importance: the symbiotic relationship between risk and awareness. What undermines a company is not necessarily the risk itself but the ignorance about the potential consequences of each viable risk. If managers are aware of the risk, along with the source, nature and magnitude, they can take appropriate steps to avoid or mitigate the hidden pitfalls. This ability is critical in the operational areas or front lines of an organisation. The more your people know where and why risk hides in the organisation, the quicker they can respond and react.

This is why Step four is necessary. Although most organisations that currently use ERM initially identify 50-100 or more specific risks, the key is to pare the list down to the top five or 10 risks that are significant enough to warrant quantifying and analysing. Once a company has identified its key risks among those top 10, it has to quantify the magnitude of those risks. Quantification helps the leaders decide whether to control, prevent, finance, insure or avoid the risk altogether. One person alone cannot stay on top of that many risks.

The essence of Step four is to minimise your organisation’s risk exposure or, better yet, inspire actions to lower the cost of failure. The biggest challenge of a risk management programme is to bring your organisation to a point where it can

  • identify the risks that are the greatest threat to its continued growth and success.

  • quantify the size of those risks.

  • finally take steps to manage or mitigate them.

Once you have convinced people in your organisation that multiple threats need to be taken seriously, Step four starts you moving towards taking action and placing tools in the hands of employees, so they make smarter decisions and manage the perils. An old saying is, “Fully warned is fully armed.”

Rarely do executives identify a particular operational risk because they are tuned into strategic risk or faulty assumptions in the business plan. It is almost always an employee doing the work and dealing with the situation who recognises a cost you cannot afford and is willing to find one or two solutions. As leader your job is to help the employees at the lowest levels define the seriousness of the problems, so they can take action. The rest of this chapter provides insight into where to look for your vulnerabilities, along with the methods and tools to minimise your exposure.

Look for Risk during Times of Success

First Paradox of Business Success

Enjoy and capitalise on the good times, and in the good times you must look for impending dangers.

In the good times it is easy to forget about risk, yet it is during the upswings when you are most vulnerable and when your executives need to be most watchful for the signs of impending danger. In aggressive “can do” or “grow at all cost” strategies when bold initiatives are underway, and customers are streaming in the door, it is quite common to silence or shoot the messenger who carries bad news or concerns.

Success and limitless opportunity should make leaders nervous because those conditions identify an increase in the level of internal risk exposure. As you know not every risk is bad, and in order to survive and make progress today, you must take risks. Yet those of you at the top of the organisation are less aware of risk exposure than those closer to the trenches. Likewise your people closer to the operations are aware of the risks that affect their area but are blind to, or underestimate the exposure impact on, other parts of the organisation. Therefore understanding the positive conditions, such as upswings and fast growth, that create unnecessary levels of risk allows you to prevent exposures while taking advantage of opportunities.

A business cannot survive over the long term or prosper without entrepreneurial risk taking that leads to innovation and creativity. However success can give some risk takers, especially CEOs, so much confidence that they harm the company’s assets and reputation, all in the pursuit of greater gains. This is an irresistible urge in organisations experiencing meteoric success. Often, in a successful firm that has never experienced a loss, employees accept excessively risky deals, forge alliances with others who do not have the ability to honour their contracts or make promises to customers that are impossible to fulfil. The catalyst for this type of behaviour usually is the rewards and incentives built into your cultural norms. Rewards can be overt or hidden. As your incentives for entrepreneurial behaviour grow, so does your risk exposure. As a leader you must also reward rational decision making using risk evaluation and mitigation.

Banking’s Weakness Continues

A 2009 report from the Senior Supervisors Group, made up of financial regulators in seven countries, explained that despite some recent progress, financial institutions continue to overestimate the quality of their risk management systems.

Source: http://www.newyorkfed.org/newsevents/news/banking/2009/SSG_report.pdf

Look for Risk in Your Vulnerable and Hidden Areas

For an executive the scariest aspect of managing is not knowing; therefore, ERM is designed to make the invisible visible. The process of risk management allows you to fly over the organisation and regularly dialogue with the employees on the ground about problems and opportunities. Very soon there will be little that escapes your attention.

ERM creates an awareness of where your plans and dreams are vulnerable through tools like the strengths, limitations, opportunities and threats analysis and culture assessment. Both the risk oversight team and executives monitor those areas using metrics and feedback and through ongoing communications with the employee who is responsible for managing the vulnerability.

Look for Risk in Your Timelines

In the hubbub of activity that goes on each day in your company, it is easy to take on too much, thus adding to the chaos. Because you will regularly be flying over things at 10,000 metres, you will be encouraged to pay attention to the timelines of your various action plans and goals. The employees involved with them will become more vocal when they see conflicts about the timing and deliverables you expect from them. Because timeline or deadline conflicts create vulnerability that leads to more risk, ERM is designed to prevent them or to create awareness so that your managers notice these conflicts in scheduling and promises.

Integrate ERM Goals into Existing Infrastructure

As you implement the infrastructure for risk management, expect to invest plenty of time and effort for its creation because it is not something that can be accomplished in one week or even one month. A large investment of time will be in taking your existing management systems and instilling an aspect of ERM into each one. Your most vital processes that you integrate first are the

  • budgeting process.

  • reporting and feedback process.

  • goals and measurements system.

  • prioritisation process.

  • project development and funding process.

Budgeting Process

As you discovered in a prior chapter, your budget is an integral part of your risk management programme. Reason one is that taking risks affects aspects of your budget, such as increased sales, larger investments in assets, acquiring lines of business, expanding operations and hiring talent. Reason two is that the mitigation and prevention of risk requires resources to accomplish. As you implement your ERM processes, you will see the need to revise your insurance coverage, train employees and hire experts. Each of these will consume precious resources and must be reflected in your organisation’s three budgets for insurance, training and consultants.

This is why an immediate integration of your current budget methodology into the rollout of your risk management programme is a priority.

Reporting and Feedback Process

In order for your executives and the risk oversight group to know if their efforts are paying off, they need feedback in the form of specific metrics, improved scorecards and tailored reports. As a direct result your organisation will need to immediately examine its existing reporting processes, methods and tools and then integrate them into the ERM programme. This is also a top priority during ERM implementation.

In the same way that a shift in cultural norms can help foster the attitude of risk awareness, a modest improvement in your firm’s information system can provide an improvement to risk management efforts. You simply integrate risk management reporting into your regular reports, so that you foster increased awareness about what everyone is doing or supposed to be doing.

Goals and Measurements System

As you begin implementing ERM you do not start over with new goals. Instead, as each goal is examined during your normal progress reviews, you begin to fold aspects of risk management into your action plans.

If you have a formal goal-setting protocol in your organisation, you already require the person responsible for achieving the goal to provide information about its progress and obstacles. Because this is an important aspect of ERM, integrating these existing goals into your risk management programme will be easy to accomplish.

However there may be some inherent risk or unnecessary peril in your current goals. Therefore one way you can test for risk in a goal is to ask a series of questions about the goal to determine if you should be concerned about it:

  • Do the employees involved see a difference between a stretch goal and an unrealistic goal?

  • Are the employees involved required to explain the means used to achieve each goal?

  • Are the employees accomplishing this goal held accountable for how they achieve their goals or just for achieving them?

Prioritisation Process

A challenge every large and small organisation faces is that there are more priorities than time and money available. As you implement your ERM protocols you will need to pay close attention to what are deemed your top priorities, both as an organisation and within each business unit and administrative department. Because ERM is designed to help you detect risks and perils in both high-level and operational goals, the holistic approach to managing the organisation will automatically bring to the forefront priorities that are causing problems or consuming more resources than expected.

As you integrate ERM into what you are doing, be sure to pay special attention to, and keep track of, everyone’s top priorities for the month, quarter and year. Apply some of the risk management tools when you notice a conflict in priorities.

Project Development and Funding Process

Similar to goals, throughout your organisation, employees are working on specific projects. As you conduct a budget and progress review of each project, it is in your best interest to start analysing the pitfalls and downsides in each one. Then have the project’s champion determine what additional action items must be included in the project tasks in order to reduce any inherent risk.

Your monthly review of projects in process will be a good place for your executives to sit down with the project’s managers to discuss what they need to do differently or improve to reduce any exposures inherent in the scope of their project.

Minimise Internal Risk of Unethical Employee Behaviour

We like to blame Mr Murphy when things go wrong. Yes, randomness and chaos exist around us, but the truth is many of your risks are instigated by the people around you. Understanding the human element or X factor will enable you to reduce exposure or the cost you cannot afford. Your lesson starts with the allure of the path of least resistance (POLR).

Risk and POLR

POLR is the principle that energy moves where it is easiest for it to go. The reality is that a person will almost always take the course that is the most convenient or least painful.

To address the human side of ERM, start by understanding the POLR principle. To detect vulnerabilities, study employee behaviours and be on constant watch for places where POLR exists. By discovering the path that leads to undesirable behaviours that create unwarranted risk for your organisation, you can easily shape employees’ behaviours. Here are a few truisms about POLR:

Twelfth, Thirteenth, and Fourteenth Principles of Risk Management:

When I display a behaviour that increases risk, it is usually because my behaviour is the path of least resistance. There is some sort of payoff for my actions.

Temptations to take the path of least resistance come in many forms, most of which you are not aware of.

If you choose to shape someone’s behaviour, you must alter the existing path of least resistance.

Setting the Expectation for Ethical Behaviours

Organisations keep chaos at bay by adopting rules and standards that derive from your corporate values. Yet even in these rules and standards you run a risk for unethical behaviours. Once the standards are established you set the expectation that everyone must live up to the standards. Without this expectation anyone can find reasons for not living up to the standards. To have an ERM programme based on ethical practices, your standards and expectations must be

  • defined.

  • based upon positive outcomes.

  • beneficial to all stakeholders.

  • clarified.

  • measurable.

  • promulgated.

  • visible.

  • practised.

  • rewarded.

In risk management, as in leadership, there needs to be some flexibility and discretion in your policies and rules. Rules and laws cannot cover every situation. Because you want your employees to use good judgement and think for themselves, your high expectations are really their guide for what is and is not appropriate. That is why the standards you establish, clarify and widely communicate become the touchstones of behaviour you want employees to display in your risk management efforts.

Temptations for your employees to take POLR exist all the time, and what prevents them from succumbing to the urge to be less ethical is not the fear of getting caught or even the desire to do the right thing. When your employee believes he or she is respected, treated fairly and has influence, he or she will resist POLR. When employees take the high road your risks go down.

That is why culture is such a key cornerstone of your ERM programme. If your culture story lifts employees’ spirits through trust, empowerment and enrichment, they will stay aware of risks and do their best to reduce your exposure.

Let us explore how your policies, expectations and rewards increase exposure to risk because of POLR.

Unreasonable Policies Increase Ethics Risk

The risk of leading a culture without a commitment to high ethics is not just dangerous for the company, it makes you as a leader personally vulnerable. We now live in a society and environment where any business owner or executive can be sued for pretty much anything.

Yet you often teach your employees to cheat or embezzle based upon your company policies because the rules and their enforcement can drive employee behaviour in ways you never expected. According to the POLR principle, your employees’ tendency to take advantage of you by accepting unwarranted risk or defrauding you can be described on a normal distribution curve:

  • Your employees will never do anything unethical or undesirable (5-10%).

  • Your employees are always looking for ways to take advantage of you (5-10%).

  • Your employees will commit situational fraud or take unwarranted risk when it is to their advantage (80-90%).

James works really hard, putting in extra time, including weekends, to meet an impossible deadline you gave him. James completes the project for you on time and asks for a couple of days off to recuperate and replace the time he missed with his family. You point out to James that your firm’s policy reads, “Employees can only have paid time off work for illness, maternity leave, vacation, jury duty or a death in the immediate family.” If you were in James’s shoes what would you do? Get mad? Suck it up? Get back to work?

Guess what James and approximately 80% of your employees would do? James will either take time off, claiming he is sick (even though he isn’t), or he will come to the office but not get much accomplished for several days, leaving early and arriving late.

You probably believe that James should be fired for this unprofessional behaviour, but remember this: because you chose to stay rigid on your policy and not give James any consideration for the extraordinary effort he put into your project, you placed James in a no-win situation in which he chooses to default to his own ethical values.

Unfortunately you cannot expect ethical behaviour from your employees unless you and all the leaders display ethical behaviour. Each of you must walk the walk and talk the talk in fairness, equity and equality every day. Unless you all live up to the highest levels of professionalism that are demanded from your employees, you will be unable to expect this behaviour of anyone else.

Unreasonable Expectations Increase Ethics Risk

Managing risks to your organisation’s reputation requires a sustained dialogue with each stakeholder, including employees. All too often executives set goals and expectations based upon what they want or what is demanded by stakeholders, such as specific earnings per share. Because they are not the ones doing the work, executives fail to see the goal is impractical or impossible.

You tell your sales employee, Marcus, “You need to increase your sales by 10% before the end of the year.” So he aggressively markets and issues a proposal to a potential customer who is choosing between your company and a competitor.

Your sales personnel are empowered to set terms, provided the gross margin is above 20%. Marcus gets the new client to sign a long-term contract that states if the client buys all it promises to buy, your company will pay the client a 5% incentive. Your company lacks a clear policy on contract rebates or special incentives.

Marcus presents you with the agreement, which you approve. Before the order is entered your CFO, who must sign off on all new clients and all special terms, nixes the deal. She refuses to accept the order and issues you a memo that reads, “The special incentive, when exercised, reduces the contract’s gross margin to under our 20% standard.”

However if you don’t include Marcus’s order in this quarter, you miss your team’s quota, get called on the carpet and lose your performance bonus. You inform Marcus that he must get his prospect to agree to new terms. He responds, “Unless they receive the terms they requested, they will buy from our competition.” You remind him, “Your job is to get that order, so make it happen!”

You just nudged Marcus towards POLR with your unreasonable expectation. An employee not committed to high ethical standards may take an action that creates risk for your company, and the risk arises from two naturally occurring conditions that exist in most organisations:

  • Rules are often vague and written without clear behaviour standards.

  • Rules often conflict with the goals and self-interests of both the individual and organisation.

The overall solution for reducing your risk for unethical behaviours and practices is for you to use reasonable expectations in order to alter POLR. These truisms point out you must also set the expectation for ethical conduct and not just say, “Read the policy.”

Incentives Increase Ethics Risk

Rewards as Incentives

The behaviours and decisions that leaders reward tell employees what is most important. People pay attention to who is rewarded and why. If employees are rewarded for the wrong behaviours, other people see this and model those same behaviours. If a negative or risky behaviour is displayed by an employee, and the action is either ignored or condoned, other employees see this and model the behaviour.

Risk in Your Static Rewards

Behaviour never remains static. As a leader you must be willing to alter your invisible and visible rewards and compensation system whenever employees show behaviours that put your organisation at risk. Change your compensation system, and employees automatically will change their behaviour. Your job is to drive desired behaviour by establishing the right rewards for the right reasons.

To seek out the perils in your existing and proposed incentives, use these questions as your guide:

  • Why do we have or need this particular reward?

  • What behaviour is the employee being rewarded for?

  • What form do our formal rewards take?

  • What form do our informal or invisible rewards take?

  • What sorts of messages do the formal rewards send?

  • How are our positive-aimed rewards being subverted?

Internal Pressures Increase Ethics Risk

Pressure has the same impact on taking risks as rewards. Your employees are almost always under some pressure to perform or produce, which is normal. The greater the urgency for your firm to take risks and the higher the reward you set for being innovative, the greater the likelihood that undue pressure will be placed on employees to achieve certain results. This is where your vulnerability hides.

There is a delicate balance between the incentive to achieve something and the pressure to perform. Applying pressure on someone to achieve can be a positive thing, yet it is often misused or subverted.

Your CEO requests that the sales group provide her with stretch numbers for the sales forecast. Ignoring their data she sets a target much higher than what they believe is possible. She promises your sales team incentives in the form of cash rewards and a vacation in Hawaii if they can reach her high number, but this incentive creates exposure when intense pressure is placed on them to achieve the unrealistic target. What is worse is your employees are not given the tools or means to achieve the higher target. Employees are put at a disadvantage when she penalises them for achieving the original target, the one based on what they knew was possible. To earn their incentive some of your employees may take POLR.

Here are some questions to ask yourself as you look for inherent risk around pressures to produce targets and goals:

  • Could someone who is in a position of power get away with a detrimental behaviour by exerting undue influence?

  • Where do pressures to perform or achieve a specific result come from, and why do they exist?

  • How do our employees normally respond to performance pressures?

  • How do our employees respond if the pressure is excessive or if the goal is unrealistic?

  • How do we want our employees to respond?

Risk from Fraud and Employee Abuses

The overall loss from fraud is estimated to be over $660 billion, or 6% of turnover. Fraud and abuse of employer assets translate into $9 per day per employee. How many employees work in your organisation? Multiply that number by $9 then by 365. This figure will give you a compelling reason to be concerned about your exposure to fraud! Two of the most common forms of fraud are kickbacks and conflicts of interest involving employees and others. Other forms of business fraud include

  • fraudulent disbursements.

  • skimming (cash stolen before the company has recorded it).

  • larceny (cash stolen after the company has recorded it).

  • fraudulent billings to fictitious companies or for fictitious goods or services.

  • employees making false claims for compensation.

  • employees requesting reimbursement for fictitious or inflated expenses.

White-collar fraud continues to grow. The 2010 Report to the Nations on Occupational Fraud and Abuse from the Association of Certified Fraud Examiners (ACFE) provided an estimate that the highest losses from fraud (31%) occur in businesses of fewer than 100 employees. These are the businesses that are less likely to have audits or strong cultures of ethics. Fraud is a crime based on concealment, and many organisations do not know they are being victimised. Occupational fraud ranges from simple stealing of company assets to complex financial manipulation. Most frauds are either never detected or go on for years before they are discovered.

More ACFE findings were

  • tips are from an anonymous source (13%).

  • all cash frauds come in the form of fraudulent disbursements (66%).

  • fraud was caught by the firm’s internal controls (14%).

  • fraud in small business involves a billing scheme (29%).

  • fraud involves cheque alteration (13%).

  • most fraud cases were asset misappropriation schemes (90%).

The ACFE study reported that for the small businesses included in the study, only 30% had any form of internal audit or fraud examination department.

The 2010 findings show a slight improvement over the 2008 study, but survey participants estimate that the typical organisation loses 5% of its annual revenue to fraud.

Although ERM is designed to detect or deter fraud, small businesses are more vulnerable to unethical employee behaviours due to four factors:

  1. They are less likely to require an audit.

  2. They do not have a hotline for employees to report suspicious activities.

  3. They rarely have adequate internal controls.

  4. They are less likely to do any formal risk management on employee behaviours.

The Sarbanes-Oxley Act of 2002 (SOX) requires audit committees of publicly traded companies to establish procedures for “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” These companies install a hotline run by an independent organisation for people to use if they see questionable or dangerous activity. Unfortunately small businesses, which are not subject to SOX, fail to see the value or importance of this tool to detect fraud or abuse.

When employees and customers have access to a hotline and know their comments and concerns are taken seriously, they are more likely to use it. Each call to a hotline is a potential exposure. Hotlines will not always detect frauds, but they do create a reporting mechanism for employees that allows for the collection of tips on possible wrongdoing. Firms that use such a hotline are more likely to be aware of potential fraud not only with employees but also with customers, vendors and third parties. Firms that utilise employee hotlines or some sort of anonymous and safe reporting mechanism show the greatest decrease in fraud incidents. A key element in almost every discovered fraud is a dishonest employee who had the opportunity to commit the infraction.

Re-read the statistics about employees’ attitudes regarding opportunity in the “Risk and POLR” section.

Murphy’s Law of Risk and Ethics

The person with the loudest voice who knows the least and is the most unethical is always put in charge.

Situations for Exposure to Unethical Behaviours

  • Employees who are being downsized.

  • Employees who are bored and looking for excitement.

  • Employees who find a hole in the company’s internal controls, benefit from it and fail to report the lapse.

  • Employees who enjoy bending the rules.

  • Employees who are under personal stress.

  • Employees who experience personal financial problems or setbacks.

  • Employees with addictions, such as alcohol or gambling.

  • Employees who need to be the centre of attention.

Two Tools to Analyse and Reduce Exposure to Ethics Risk

Risk Management Tool Twelve-The Five Whys

This tool, known as the “Five Whys,” allows you to find the root causes of risks that can lead to high exposures. The contributor to the downside of risk taking is rarely in physical things, such as bricks, mortar, technology or tools. Most of the time your operational and strategic perils are generated or caused by the way people think and act or use your assets.

Case Study: The Risk of Special Favours

To understand how this tool works I used an example from PJI’s history in which an empowered employee in the travel department contracted with a major hotel chain to provide rooms at a set price. The Director of Events, Carmen, described a termination that took place a few weeks ago.

“PJI’s culture emphasises to all our employees that they need to use their best judgement when dealing with the vendors, when making purchasing decisions and when obligating the company to contracts. We trust our employees and empower them, so they almost always had the final say. I thought we had clearly defined policies and controls in place but found out that this was a false assumption. One of my employees obligated us for a guaranteed rate that was higher than similar hotels. By contract PJI agreed to use this hotel for a fixed set of nights, and if we did not we had to pay a penalty. I was so mad when I found this out. The employee who I terminated claimed he received several bids, which he showed me, and theirs was the lowest. I have been unable to determine what led to his behaviour.”

“Carmen, I can show you why the employee created this exposure if you allow me to take you through the steps of this tool.”

The “Five Whys” tool has four simple steps, but do not get fooled by its simplicity. It is the questions you keep asking after you obtain your initial answers that generate its power. As a manager or an executive your task is to find the root cause of a problem, which I refer to as a fire. Yet you often waste time on finding and removing the smoke, and you never get to the cause of your fire. This tool allows you to discover what caused the fire, so that we can prevent the fire from starting again.

How to Apply the Five Whys

Step One: State the risk as a problem.

Step Two: Ask: “Why is this happening?” or “Why did this happen?”

Step Three: Continue to ask why until you get to a root cause that you can do something about and, when reduced or eliminated, will change the situation for the better.

Step Four: Summarise your findings, and form a recommendation for change.

Using the “Five Whys” tool, Carmen, who had time to prepare for this, will demonstrate how to find the root causes of the problem that created exposure.

Step One: Statement of problem.

An empowered travel agent obligated us to a service that was not competitive, and we could not cancel.

Step Two: Now that the problem is defined, ask the first question:

  1. Why did this happen?

    The employee did not adhere to our policy for contracted services.

    Carmen: “I discovered through investigation that the employee did not follow the policy that states, ‘A travel agent may not recommend a service provider whose rates are not competitive.’ And another policy states, ‘A travel agent may not enter into a services contract that is non-cancellable or contains a penalty clause for non-performance on our part.’”

    Normally most of us would stop at the first why and fire the employee for violating a policy, as Carmen did. If you only do that, however, all you have accomplished is dealing with the smoke. You failed to search for the cause of the fire. Because you are committed to risk management, you want to prevent the fire or risk from recurring. You keep drilling down into the problem.

Step Three: I asked Carmen again:

  1. Why did this happen?

    The employee wanted to impress the hotel’s sales employee.

    Carmen: “My ex-employee is a young single man who has a problem finding dates. The hotel’s sales employee is a very beautiful young lady with a friendly personality. I think our agent agreed to this contract based on the personality of the vendor. Maybe she promised him a date, or maybe she appealed to his ego.”

    I asked Carmen again:

  2. Why did this happen?

    The agent seemed to want something special from this vendor, a perk that he wanted.

    Carmen: “I found several instances in my research that this employee has done this before: asking for special conditions in his initial dealings with new vendors. In this instance he was allowed to stay at their hotel in Hawaii at a highly discounted rate.”

    I will pause to review the ethical implications and risks of this situation. As someone who is concerned with the ethical attitude of your employees, you would jump up and down and demand that any employee who did this be fired, but how do you know if this situation is an isolated incident, a trend or a normal practice? I asked Carmen again:

  3. Why did this happen?

    The employee wanted to earn his large incentive bonus.

    Carmen: “I know my employee really wanted to get his large semi-annual bonus. He bragged to co-workers that he had his heart set on a new car.”

    We are starting to get to the root cause. By regularly using this “Five Whys” tool, you will find that the root cause is often based around human issues, such as power, emotion, drive, greed or lust. Some human frailty is involved with lingering problems, especially those related to unwarranted risk taking and ethical breaches. I asked Carmen again:

  4. Why did this happen? Concentrate your answer on the incentive.

    The incentive rewards the employees for holding the line on costs by entering into fixed long-term service contracts.

    Carmen: “Unfortunately for us our incentive programme for all travel agents was designed by accounting to convert a variable cost, travel, into a fixed one. If we know how many rooms we are obligated for, we can coordinate other travel plans, like air fare, so that our travel budget is more manageable. The incentive contains no penalty or downside for when we pay more than the going rate. Whoever designed the incentive wanted to control costs.”

    I could stop the why questions here, but intuition tells me there could be another cause for Carmen’s fire. You do not have to stop at five whys. You can persist in asking why as many times as needed to find all the possible sources of your fire. I asked Carmen again:

  5. Why did this happen? Focus your answer on the approval of contracts and verification of contractual rates.

    The employee knew how to game the system. He worked here long enough to know that no one would check up on him.

    Carmen: “This employee knew that no one reviewed service contracts under $10,000. He also knew that no one in my group would notice that the bids from other hotels were different. He had them bid on a higher level of service—bigger room—and selected smaller cities where our employees rarely travel. That is why he had on paper proof that the hotel he wanted us to do business with had the lowest rates.”

    “I also found that, contrary to our procedures, contracts for my department go directly to accounting, and we do not retain a copy in our files. Once they are signed by the vendor, we assume the employee will verify the rate charged is the contractual one. No one else on my team is involved in the verification process.”

Step Four: Conclusion and recommendation

Carmen told us, “I can see now that we have several areas that caused the problem. First, how we handle contracts and the bidding process created the situation. Second is the way we have split the responsibility for budgeting travel costs between accounting and my department. Third, the incentive is skewed, and fourth, even though I trust my employees, I have no way to ensure they are not playing games because our vendors are in a position to offer our agents some nice perks. I need to fix these internal weaknesses ASAP and then, with accounting’s help, verify that no one else is doing what he did.”

Tool’s Lesson

What we discovered in using the “Five Whys” tool is that you split authority from responsibility. You also created an incentive in the form of a bonus that did not shape the behaviour you wanted. It’s no surprise that this employee followed POLR to get his bonus in whatever way he could. The lesson from this tool is that once you find the root cause for your exposures, you can take quick action to reduce the negative impacts and find solutions to prevent more exposure.
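The three control gaps Carmen uncovered (contracts under the review threshold going unreviewed, “lowest bid” proven with non-comparable quotes, and the sourcing employee verifying his own rates) can be turned into routine audit checks. The following is an added example, not code from the book; the record layout, field names and sample contracts are all constructed for illustration.

```python
"""Added example (not from the book): automated audit checks for the
contract-bidding weaknesses found with the "Five Whys". All records
below are constructed for illustration."""
from dataclasses import dataclass, field

REVIEW_THRESHOLD = 10_000  # contracts below this got no review in the case


@dataclass
class Bid:
    hotel: str
    city: str
    room_tier: str
    nightly_rate: float


@dataclass
class Contract:
    contract_id: str
    value: float
    sourced_by: str       # employee who ran the bid and picked the vendor
    verified_by: str      # employee who checks invoiced rate vs. contract
    selected: Bid
    competing: list = field(default_factory=list)


def audit_contract(c: Contract) -> list:
    """Return the control findings for one contract (empty list = clean)."""
    findings = []
    # Gap 1: amounts under the review threshold escape scrutiny entirely.
    if c.value < REVIEW_THRESHOLD:
        findings.append("below review threshold: include in sampled review")
    # Gap 2: "lowest bid" shown with quotes for a different city or room tier.
    for b in c.competing:
        if b.city != c.selected.city or b.room_tier != c.selected.room_tier:
            findings.append(f"non-comparable bid from {b.hotel} "
                            f"({b.city}, {b.room_tier})")
    # Gap 3: the person who sourced the deal also verifies the billed rate.
    if c.sourced_by == c.verified_by:
        findings.append("no segregation of duties: sourcer verifies own rates")
    return findings


# Constructed sample reproducing the pattern Carmen described.
SAMPLE = Contract("C-0001", 9_800, "agent_a", "agent_a",
                  selected=Bid("Hotel X", "Phoenix", "standard", 140.0),
                  competing=[Bid("Hotel Y", "Yuma", "suite", 210.0),
                             Bid("Hotel Z", "Phoenix", "suite", 230.0)])

# Constructed sample with like-for-like bids and an independent verifier.
CLEAN = Contract("C-0002", 12_500, "agent_a", "auditor_b",
                 selected=Bid("Hotel X", "Phoenix", "standard", 140.0),
                 competing=[Bid("Hotel Y", "Phoenix", "standard", 150.0)])

if __name__ == "__main__":
    for c in (SAMPLE, CLEAN):
        print(c.contract_id, audit_contract(c) or ["clean"])
```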

Risk Management Tool Thirteen-Establish Contingency Funds

We will return to your exposure from the recent acquisition of the oil and gas company in Columbia, which was discussed in chapter 2, “The WHAT of Risk Management.” For the next year, as you work to make the company more productive and profitable, you include in your current year’s budget a contingency fund of $500,000. This money can only be spent under three scenarios, should one or more occur:

  1. If the raw crude produced by this drilling company fails to reach the target you set

  2. If the production employees there go on strike or stage a slowdown

  3. If the antiquated equipment there breaks down and slows production

Only when one of these conditions occurs can some of the funds be expended to upgrade the equipment, pay the employees more, add extra shifts to speed up production or use whatever tactics the general manager needs to use to make the company profitable and productive. This contingency fund cannot be used for any other purposes, such as the general manager awarding himself a bonus, giving pay rises to the supervisors, throwing a party or adding staff to overhead, because if these activities were not planned in the budget, they are not approved.

If these Murphy’s Law events covered by the contingency fund do not happen in the current year, then you carry the fund over to next year. Each year you can maintain or modify the conditions under which the dollars can be spent.

After a certain point in time, when the company meets all its targets (return on investment, production and profitability), the funds can then be returned by reversing the contingency expense, thus adding to the current year’s profits because of good management. This is how to properly handle a contingency fund.

When you take the time to look for pitfalls and then develop contingency plans in advance, you grow in confidence in your ability to face or accept more risk. Better yet, you reduce exposure in both the short and long term.

Back to PJI

I gave PJI’s managers another assignment to complete before our next session.

You need to objectively look at the people you supervise, and answer these questions:

  • Why does POLR show up in your department, company or group?

  • How does POLR arise when there are no rules or guidelines for your employees regarding risk taking or risks faced?

  • How does POLR arise when there are specific written rules or guidelines for your employees regarding risk taking or risks faced?

  • What sort of POLR do employees take that leads to a lingering problem?

Onward

You just experienced the ways you can reduce exposure because you know things never go as planned, and the unexpected happens. Step four creates momentum for taking action and empowering employees with confidence and tools, so they make smarter decisions. ERM makes every decision maker’s job easier because, within the scope of their responsibilities, they are acutely aware of where risk occurs.

I closed with a pearl of wisdom regarding risk management.

“A ship is safe in harbour, but that’s not what ships are for.” William Shedd

Your Action Plan

Step One

If your organisation did implement a risk management programme, who do you think would be the people to serve on the risk committee? List their names or initials, and think about each person’s overall attitude towards risk (using the four categories in chapter 6, “WHERE Do Our Efforts Need to Be?”: risk taking, risk averse, custodian or indifferent).

Step Two

Are expectations placed upon you and your co-workers to be ethical? Are they communicated in the manner described in the “Setting the Expectation for Ethical Behaviours” section? If the expectations are clearly defined, what impact does this have on employee behaviours? If the expectations are not clearly defined, what impact does this have on employee behaviours?

Step Three

Answer the questions posed previously about POLR within your organisation:

  • Why does POLR show up in your department, company or group?

  • How does POLR arise when there are no rules or guidelines for your employees regarding risk taking or risks faced?

  • How does POLR arise when there are specific written rules or guidelines for your employees regarding risk taking or risks faced?

  • What sort of POLR do employees take that leads to a lingering problem?

Step Four

Think of a lingering problem you or your organisation faces. Use the “Five Whys” tool to discern the real causes. Remember it takes practice to effectively use this tool because it is easy to get lost in the superficial reasons and forget the deeply ingrained ones or those issues no one wants to discuss.
