Question: Getting consensus on risk, and driving compliance to company policies

I am the CFO of a major (local) manufacturing and retail company, approaching our annual planning sessions. I need your advice on how to position the key idea around risk, that I want to drive home to all senior managers in the company.

We had a poor risk culture in our company, which led to a major audit issue about 5 years back. We then hired an local consultant to put controls, prepare manuals & help us with training.

Unfortunately, I think the detailed nature of our manuals have slowly made our issues even worse than they were earlier (when our documentation was simplistic, and led to a false sense of security). Now, they are seen as cumbersome, and simply bypassed, by an average employee. Driving compliance is also very difficult.

I think they will get my point, but would not know what to do about it. How can I make it easy for them to take action when they go back to their teams?

3 Expert Insights

The problem is not with risk or with compliance. Both are symptoms of a broader underlying issue - which becomes visible as aversion to risk. That issue is one of overcoming fragility in capability for corporate evolution.

Fragility, in its simplest terms, refers to a situation where, on average, more negatives than positives result from the emergence of random events. All companies face random events in complex marketplaces. Not all companies survive or thrive in the face of such random events - which are bound to happen given the evolutionary nature of complex systems such as markets.

Any change must be directed through this lens of reducing fragility - and increasing internal capability for corporate evolution.

This reminds me of Drucker's statement (which many erroneously attribute to Bennis): "Management is doing things right; leadership is doing the right things."

Controls are critical to ensure the proper functioning of an organization, and from you have said, you previously didn't have many in place until you hired a consultant.   Perhaps the consultant put too many in place, and people are bypassing / ignoring them which puts the organization at risk again, but the key issue isn't controls as much as it is an understanding of risk.

Controls are important, but they must be balanced with risk, common sense and operational need.  

If I were in your shoes (and I have been before), I would have conversations with your top managers so that they understand what is important and what isn't, the level of risk tolerance in the company, etc.   Then, you might consider another look at your controls to see what is needed and what is extraneous / not necessary.  

It comes down to leadership vs. management with a side serving of ethics and common sense thrown in.

I start my response with a few questions in my mind about your situation.

1. How big your definition of Risk that you want to avoid?

2. Are you just interested in avoiding accounting error risks or are you also interested in addressing other possible areas of organizational risks that can impact customer expectations and financial performance?  

I recently wrote the lead article for the QHSE magazine titled "Identifying Cascade Effect Risks in Organizations". My 12 page article uses gamification and a unique deck of cards I created to teach professionals how to identify organizational cascade effect risks potentially present in any organization.

All forms of risk are linked in organizations with 5 hierarchical waves of interactions that are described in my article, which was the result of 9 years of personal research on the topic of "Why do bad things happen in organizations?". My article is a primer in understanding risk linkages, negative outcomes and what to do about it. I hope it helps you look at risk from a different perspective and maybe give you some different ways to address your risk. I am also holding a 2 1/2 hour workshop on this topic at the upcoming American Society for Quality (ASQ) World Conference in May, 2014 in Dallas, Texas.