It’s been another challenging week fighting the “who owns your risk?” battle, trying to persuade a senior manager to take ownership of their risks.
First thing on Tuesday morning I found myself sat with the newly appointed Head of Security. It didn’t start well as he muttered the immortal phrase, “So, you can manage my risks for me then?”
Years ago I might have been ruffled by this, but I’ve heard it so many times now that I just respond by laughing politely as though we are obviously sharing a joke. I continued laughing whilst informing him that,
“Our primary responsibility as part of a second line function is that the risk framework works well and embeds in the organisation’s philosophy – we’re not responsible for owning or managing your risks… sorry!”
“But I can help you manage your own risks and feel comfortable...” I suggested when he, like many before him, looked a little crestfallen.
I have had worse meetings. The one where a senior IT manager repeatedly tried to convince me that there were no risks at all in his department springs to mind.
He wasn’t even sophisticated enough in his arguments to try to convince me that this eradication of all IT operational risk had happened because his controls were wonderfully well designed and operating like a dream. Nope, just a straightforward, fingers in ears, denial. "No risks here..."
To be brutal, anyone who is employed as a manager and believes they have no risks to manage has either an entirely pointless job, or has completely failed to grasp their purpose in the organisation. Or possibly both!
But to be less brutal - and in the interests of staying happily employed in risk - it is probably better to say to that person,
“OK then. Let’s talk about your objectives at work and some of the things that could prevent you meeting them.”
There is perceived to be an inherent danger in the word “risk”. Many people immediately go on the defensive when it’s mentioned, as though my team are about to expose them for doing a terrible job.
These conversations, whilst often hugely frustrating, can act as a useful barometer as to how much the organisation needs risk training. In my experience, this can usually be measured on a scale from “fairly urgently required” to “desperately required”. All of which is good news if you’re a risk professional seeking to manage your personal risk of unemployment.
What this experience also brings to mind is how a good risk culture can be built - and maintained - in an environment where there are inevitable changes in staff. Risk training programmes can build some capability in an organisation and even act as a salient reminder to colleagues.
However, it might be more effective to screen potential new recruits for their existing understanding of risk management and use this as a consideration in the hiring process. Every risk-aware person leaving the organisation dilutes the risk culture slightly. Whilst these people can’t be prevented from leaving, it must be possible to prevent the culture diluting further when senior replacements are brought in who just don’t “get it”.
Who is the Secret Risk Manager?
The Secret Risk Manager is a senior risk professional working in the City. Over the years, they’ve seen a variety of risk practices - good, bad and ugly - across a variety of industries.
Like many risk professionals, the Secret Risk Manager’s CV has a large unspoken element. They are called upon to be, in turns, therapist, coach, detective, mediator, behavioural scientist, parent, mind reader, futurologist, story-teller, philosopher and diplomat.
These articles do not pretend to constitute advice, but only to provide a frank and hopefully thought-provoking look into the often frustrating world of those people who help organisations manage their risks. The subject matter is experience based, but fictional.
Any resemblance to actual incidents or persons living or dead is purely coincidental. But let’s face it, there’s not much new under the sun so you’ve probably seen it before.