If you are a parent, you may be familiar with the fact that there’s a big difference between telling your kid who is climbing dangerously high in a tree: “This is very dangerous! Careful, or you will fall down and break a leg”, and saying: “Wow, you are very high up, but if you are careful and watch where you are putting your hands and feet, I trust that you are going to do great. I am here watching you and can guide you if you need me. But I trust you to do just great on your own.” (See Steve Biddulph’s book “The Secret of Happy Children”.)
If your kid actually falls down and gets some bruises, in the first case you will say: “I told you so. But you never listen to me. Luckily it is not worse. You could have been dead falling from this height. Or you could have broken a leg, missed some weeks at school, failed to get sufficient grades to go to the good high school we picked for you, not been able to go to university and study… you never think of the consequences. Why were you so reckless as to climb that tree in the first place?” The result is that in addition to the hurt from the fall, your child will build a memory of lost self-confidence and of humiliation by the parent, and will become generally risk-averse. Next time she won’t climb that tree. Your child might actually choose to become a risk manager or an auditor.
Now, in the second case, after your child fell down, you might say: “Ouch! But look, it’s not too bad. And you must have had a great view from up there. Next time, be more careful; and now try again. I’ll be watching and giving you an extra pair of eyes when you need them. Or even better, let’s climb the tree together and both enjoy the view.” In this case, your child may go on to become an entrepreneur eventually.
Of course, neither children’s education nor real life and career choices are so simplistic. But I am trying to illustrate with this example how our language and our attitude, thoughts and perceptions of risk are interlinked.
How we talk about risk
The Austrian-British philosopher Ludwig Wittgenstein wrote:
“The limits of my language mean the limits of my world.” (In other translations: “… of my mind.”)
I firmly believe that language, the way we talk about things, the words and expressions we use to convey our thoughts in communication with others, is not only key to understanding many of the problematic issues we are currently seeing in the management of risks in organizations; language is also key to beginning to solve them.
Changing our risk language, the terms in which we talk about risks, means changing the way we think about risks, the way we perceive and feel about risks, and the way we then make decisions with risks in mind, a.k.a. risk management.
I think the recent discussion on the need for more integration of risk management into strategic decision making, and in the process linking risk management more strongly with business objectives, as it found explicit expression, for instance, in the 2017 COSO ERM overhaul, shows quite clearly that we have arrived at a crossroads.
The traditional, risk-and-control-centric approach to risk management is deficient and has led to an estrangement of risk management and internal auditing from business management. Two different paradigms, talking two different languages. Often, the “risk functions” actually view and behave towards operational management like the parents in my example above towards their kids.
The dysfunctional Three-Lines-of-Defense Model (3LoD) actually contributes to this divisive situation: the “first line” takes and owns risks, with oversight (in the best case: support) by the second-line “risk management” functions (who are actually not managing any risk but just monitoring and reporting) and the “big brother” function of internal audit, which stays independent and objective, knows everything better than the first two lines and will “tell the parents” if the smaller kids don’t behave. It fits this picture very well when internal auditors think of themselves as “superheroes”.
In recent years a growing need has been expressed for these functions to become business partners, trusted advisors. Every year, there are surveys showing how boards and senior management are less and less satisfied with the value contributed by internal audit and traditional risk functions.
Management’s view: achieving objectives
In the current situation, there is a mutual, bipolar misunderstanding, partly but not only because of language.
On the one side, we have management who want to achieve or exceed business objectives and be successful. Management plans, organizes, executes, oversees, controls and directs activities aimed at achieving the business objectives.
- Management tends to have an objectives- and success-focused perspective.
- What do we want to achieve?
- How can we do that in the best (efficient, effective) way?
- What will be the ideal way and outcome, how do we stay on track on the way?
- And what needs to go right at crucial points?
So, management is focused on achieving business objectives, and rightfully so; they should be! And of course they consider risks and scenarios, paying attention to some and less to others. Prioritizing in light of limited time and resources is an important management task.
This is risk management in its most essential form. Implicit, sometimes maybe unconscious management of risks, taking decisions, weighing costs and benefits, prioritizing, managing limited resources – like we all do in our daily lives.
The traditional controls & risk view
On the other side: the multiple risk and governance functions, second and third line of defense. The main proponents of this party are Risk Managers and Internal Auditors; but you can also include other functions like Compliance here.
These functions are focused by definition on risks and, by tradition and historical development, on downside risks or even crisis prevention (“doom scenarios”). The guiding question is: “What could go wrong?”, and it is seen as management’s task to keep all possible failure modes in mind at all times, including keeping an eye on emerging ones. Otherwise, there will always be risks that aren’t managed “adequately”, meaning risks whose likelihood or impact could possibly be reduced further, regardless of the cost of that risk reduction, including the opportunity cost of spending these resources on the business instead.
When wor(l)ds collide
Now, when the auditor or risk manager talks to management, the two different paradigms collide.
The auditor thinks: “How can they neglect all these risks that I see; am I the only one taking my job and responsibility seriously? This is irresponsible behavior. They need more controls and documentation!” (I have observed many times, and actually experienced myself, what I have come to call “auditor depression”: being overwhelmed by all the bad things which no one else sees, understands or takes seriously.)
The manager thinks: “Why is this guy exaggerating so much? I am doing my job and I am doing it well. I am achieving and exceeding my objectives, I am ‘in control’ of my business, I know my risks, but they are completely different from what this guy is thinking.”
The auditor feels her view is not being sufficiently appreciated and decides to up the ante to get more of the deserved attention. So she starts drawing a “what can go wrong” doom scenario, focusing the discussion on the worst-case outcome and most catastrophic impacts, without considering normal or best cases or compensating controls, and often without much technical knowledge of either processes or systems. Also without considering the cost of the controls recommended, the resources needed, or the opportunity costs.
This “huffing and puffing” takes first place in discussions with subject matter experts, then with management and finally finds expression in the audit (or risk management, or compliance monitoring…) report. After all, the more remote you are from line management in the second or third defense line, the more independent and objective you are; meaning you freely state your opinion and get some of the deserved attention for your report.
… and back to management
Management now of course feels unfairly treated by overly critical nay-sayers who do not understand the whole picture and don’t have a clue about the realities of daily business.
The audit recommendations are grudgingly accepted but implemented only half-heartedly, because no one believes in their usefulness and they have essentially been enforced by virtue of the reporting structure.
And so the gaping chasm between auditor/risk manager and operational management widens and the mutual appreciation further deteriorates.
The new paradigm: success management, smart risk taking and learning from failure
A different paradigm is needed. One that recognizes the primacy of the objectives an organization wants to achieve and sees risks as the effect of ever-present uncertainty on those objectives on the way to achieving success.
And after more than 10 years in audit, risk management and compliance, I think it is the risk functions who have to adapt their language and thinking more to business and management. It is not (primarily) management who needs to be educated more about (downside) risks and formal, heuristic risk “management tools”, periodic review of risk registers and dots on heat maps.
The new paradigm is focused on achieving objectives, on success of the organization. That’s what management and risk functions have in common.
“Risk Management” is then not about the management of objectives we call “risks”. It is about making well-informed business decisions with uncertainties in mind. About taking the right amount of the right risks, and taking these risks in a smart way.
As Norman Marks has expressed in a blog post I found very inspiring, it’s possible to have a fruitful risk discussion with management without using the word “risk” a single time, building instead on questions like:
- What are the objectives you want to achieve?
- What needs to go right?
- Where do you pay special attention?
- Where else may it make sense to do something in addition (or different) to ensure things go right?
- Where could we do even less to maybe achieve an even better outcome?
- And is all of this sustainable?
And if something fails, what can we learn from it and do better next time? (Not: who’s to blame, this should never have happened; let’s fire someone to make sure everyone understands that this cannot happen again.)
A Risk Manager, Compliance Officer or Auditor working within this paradigm can rightfully be called a business partner and will become a true trusted advisor to management, based on mutual appreciation, visible relevance of advice for the business, and common overall objectives.
But if we ever truly arrive there, we will finally also need a new name for this kind of advisor, removing both the problematic word “risk” and the wrong term “management”.
What about “success advisor”, “decisions coach”…?
(By the way, many auditors are not aware of the linguistic roots of the name of their profession. It comes from Latin audire – to listen.)
Michael Kuckein – Sandoz TR, Ethics and Compliance Director, CIA, CISA, CCSA, CRISC, CRMA
The author contributed to this article in his personal capacity. The views expressed are his own and do not necessarily represent the views of TEİD.