Risk Management Warning Flag 1 – Unadjusted Resourcing of Risk Monitoring Activities
Major projects typically add significant operational, financial, reputational, and regulatory risk to an organization’s overall risk profile. This project risk may by itself exceed the normal level of organizational risk leaders are accustomed to dealing with. Consequently, these strategic projects demand the implementation of risk identification, monitoring, mitigation, and control activities. These risk management activities, however, are often unaccounted for in the project’s budget and instead draw resources away from the organization’s other risk management efforts, diminishing the business’s overall ability to effectively manage its other risks.
Too often, leaders relying on oversight groups to monitor organizational risks do not adjust those groups’ budgets when a major project is undertaken. Consequently, these groups reprioritize their oversight efforts based on the risk-significance of the organization’s activities. New, high-risk initiatives garner the attention of these groups at the expense of the previously mandated oversight of other somewhat lower priority risks. Performance of these now less monitored areas naturally declines over time as the lack of oversight communicates management’s disinterest in these activities. In the longer term, performance in these areas commonly declines to a point where adverse consequences are realized.
Effective risk management requires the dedication of appropriate resources to actively identify, monitor, mitigate, and control the organization’s risks. Furthermore, the amount of applied risk management resources should be adjusted commensurate with changes in organizational risk level. While not all inclusive, the four lists below, Process-Based Warning Flags, Process Execution Warning Flags – Behaviors, Potential, Observable Results, and Potential Causes, are designed to help executives and managers recognize misalignments between their organization’s risk level and oversight coverage. Only after a problem is recognized and its causes identified can the needed action be taken to move the organization toward improved performance.
Process-Based Warning Flags
- Risk management programs do not necessitate the periodic reevaluation of the organization’s overall risk level
- Business planning programs do not drive increased independent monitoring of new and ongoing initiatives commensurate with the risk they pose to the organization
- Project planning programs do not include provisions for increased risk monitoring
- Personnel procedures do not limit the number of transfers out of any group within a specified timeframe
- Oversight organization budgets are relatively fixed and are not adjusted as the organization’s risk profile changes over time
- Oversight organizations monitor performance only through periodic assessments and not by other means, such as performance indicator dashboards
Process Execution Warning Flags – Behaviors
- Corporate leaders don’t quantify the value of risk monitoring (see StrategyDriven article, Risk Management Best Practice – Risk Quantification)
- Executives and managers resist independent corporate oversight, particularly increases in oversight
- Executives, managers, and supervisors welcome a decline in oversight
- Executives and managers resist contributing knowledgeable, skilled, and experienced resources to oversight groups
- Managers frequently prompt and/or authorize the transfer of top performing personnel out of oversight groups to strategic initiatives and ongoing operations
- Executives and managers voluntarily freeze and/or reduce oversight budgets in favor of funding operational activities
- Leaders singularly/largely focus on major initiatives and fail to observe and/or react to operational performance issues
Potential, Observable Results
- Decline in productivity, rise in equipment issues, increase in first aid cases / personnel injuries (near-term)
- Heightened number of catastrophic equipment failures, serious injuries, and in the worst cases, fatalities (long-term)
- Increase in the number of non-cited (near-term) and cited (long-term) regulatory violations
- En masse transfer of top-performing managers and staff to strategic initiative projects, including from oversight groups
- Oversight organization budgets and staffing are not adjusted commensurate with the existing number of assessment activities necessary to cover strategic initiatives and ongoing operations
- Executives misinterpret or do not perceive the change in organizational risk associated with new initiatives (or the completion of strategic projects)
- Executives and managers tolerate corporate oversight activities as a cost of doing business
- Executives and managers do not value independent corporate oversight because they feel these groups lack the specialty knowledge, skills, and experience to effectively perform risk-based audits, regardless of whether those groups have or have acquired the appropriate talent
- Executives and managers do not understand that independent oversight is a key component to verifying the effectiveness of risk mitigation and that without this verification a higher overall corporate risk level is incurred
- Managers prioritize new and ongoing strategic initiatives over ongoing operational risks/activities, including assignment of personnel, financial, and managerial resources
- Executives overly rely on senior managers to ‘do the right thing’ in compensation for the lack of or reduced oversight
- Executives and managers erroneously believe that good past performance indicates a reduced need to monitor high-risk operations in the future
- Executives and managers erroneously equate past mitigated (monitored) risks with now higher inherent (unmonitored) risks
Simply ask the question: Was the corporate oversight budget raised commensurate with the increased number of assessments necessary to cover the company’s new strategic projects? If not, the level of risk-based oversight of the company’s other operations was diminished, thus weakening the defenses designed to prevent erosion of overall performance and the organization’s culture.
This warning flag focuses on the failure to increase oversight commensurate with the increase in organizational risk associated with the pursuit of new major projects. While the completion of strategic initiatives may enable the reduction of oversight activities (assuming a commensurate decline in overall risk), it is not included within this warning flag because too much oversight is unlikely to actively ‘damage’ an organization in the material fashion that too little oversight can.
About the Author
Nathan Ives is a StrategyDriven Principal and Host of the StrategyDriven Podcast. For over twenty years, he has served as trusted advisor to executives and managers at dozens of Fortune 500 and smaller companies in the areas of management effectiveness, organizational development, and process improvement.