Who is my risk?

In the last week or two I’ve worked with a company where people presented a real risk and heard about a friend who was approached by their current employer in an effort to manage people risk. There’s an irony in the fact that as much as people often present the biggest threat to our business, they are also often cited as a business’ biggest asset (of course with that trust comes risk in itself, but that’s a whole other topic and not what I want to get into today).

The first situation was a company with a number of staff who had been around for a long time. A new senior leader had been appointed and they were, naturally, wanting to make their mark and introduce change. They found some of the older staff to be quite resistant to some of their changes. They saw them as belligerent, almost as troublemakers. Where the new leader was trying to introduce efficiency and streamline processes, they doggedly hung on to redundant calculations and reporting.

I don’t think this is an uncommon position for many businesses, particularly in situations where there has been a reasonable turnover in senior management and new people come in.

The problem became quite severe, to the point where the older staff were, not threatened (I don’t think that’s fair), but tensions were rising in the direction of disciplinary conversations. After a few conversations it turned out that with the high turnover in the senior leadership of the business, some understanding of context had been lost. The processes that those staff were hanging onto were inefficient and redundant, yes, but they were being done because of an earlier agreement with the regulator, whereby the regulator required that process to be undertaken.

Because so many of the senior team were new, they were not aware of this and whilst they felt they had listened to the protests of the staff, they hadn’t understood the severity of stopping the process. Whilst the actions of those staff had seemed stubborn and difficult, they had actually been protecting the company from a breach and a possible fight with the regulator. Subsequently those processes could be raised with the regulator and renegotiated. The point here is that the staff who had seemed like a risk were actually saving the business.

It’s all well and good to bring new people in – fresh ideas, fresh thinking, etc – particularly when there has been some oversight or problem that has resulted in the incumbent leadership leaving and creating the space for new people. But it’s often a mistake to think that those who have longevity with the business are “part of the problem”. Tarring an entire staff with the mistakes of one or two former leaders is usually a mistake in itself.

The second scenario related to a staff member in a, frankly, bloated and to some extent inefficient team where leadership didn’t really grasp the detail of the work being done. A number of key staff had recently left, and the staff member was one of the few people left who had the background and understanding of what needed to be done to keep the team running…but he was about to take extended parental leave. He received a phone call from a member of the organisation’s C-suite to check he was okay and to ensure he intended to return and to ask what they could do to look after him.

Ultimately, he said nothing, and all was okay – except it wasn’t. The staff member was unhappy. He was unhappy that the leadership wasn’t as strong or as knowledgeable as it had been, but he had seen how they had undermined and mistreated the competent leadership before it had departed (or been restructured out). So, what did he tell the C-suite executive? He told them it was all fine and he was happy and would be back – when in actual fact, he didn’t really want to return, but didn’t have options at the time.

So, now the C-suite is happy thinking they are secure with that staff member, and still blissfully unaware (or not caring) that the current leadership in that space remains alienating to staff (and frankly may not be that competent) all because of historical mistreatment of competent leadership when it had been in place.

So in this case, the staff member’s longevity is working against the business – they appear compliant, but really the things they’ve seen and heard leave them mistrustful and potentially a departure risk where the organisation now believes it is secure.

So, it’s not just about asking a question, but taking the time to listen – really listen. Leaders like to lead, to be in charge and to be seen or perceived to have the answers, but this can be quite alienating and, in the end, the staff you thought were being stubborn and resistant, may have been saving your bacon and the staff you thought were secure actually afraid to speak out.

What you do and say matters and staff have long memories.

Do you have key people with key knowledge in your business? People who perhaps have a deep understanding of why things are done – not just that this is how it’s done? People who have survived extensive and multiple changes in the organisation.

How do you manage key person risks in your business? Not just the risk that they may leave, and their knowledge goes with them, but the risk that they have knowledge that isn’t documented and may get lost in the mists of time. The why is often even more important than the what and the how.

Risk Strata specialise in helping businesses understand their risk profile and implementing processes, controls and frameworks to effectively manage those risks so that you can make informed decisions to keep your business safe and healthy. We can tailor a package of services to meet your needs from basic profiling right through to the design and implementation of control frameworks, reporting metrics and appetites and training for yourself and staff. If you want to understand your business better, “let’s talk”.

Where is risk?

My wife and I visited a local coffee shop the other day and while we were sitting there enjoying the coffee, and the novelty of being able to go out and support the hospitality sector again, it got me thinking about the types of risks in their business. Obviously, the recent pandemic came to mind, but who could ever have predicted that. COVID in the multiple forms it took is (hopefully) a once in a lifetime event. It’s what we in the risk fraternity would refer to as a “black swan” event (I don’t know why – black swans aren’t all that rare – especially if you look around the central lakes of the north island). In fact, it’s the sort of event we try to imagine and plan for when “stress testing” our disaster or risk scenarios – that is we look at the scenario and let our pessimistic minds run wild to guess just how bad it could get. In saying that, I doubt many of us in any of our scenarios got quite as complex as COVID – we probably considered people dying or being off work, but the complexities of lockdowns, isolation, MIQ, labour shortages, etc, likely struggled to make it into those scenarios.

This is where the idea of thinking about risk for those businesses became particularly interesting. Most businesses look at risk and they think of an immediate event that has an immediate impact. In the case of hospitality, this could be something like, what do I do if one of my fridges breaks down? Where do I keep the food cold? How can I source another one? Or, based on historical experience in Auckland, what happens if there’s an extended power outage? You might even consider, what happens if the building I operate from is condemned or requires extensive repairs? Most of these are what we call “Business Continuity” Risk scenarios. They absolutely are risks, but they’re usually short term and unpredictable. Most often they would either be accompanied by some form of civil remedy (which, yes, could take ages to eventuate through the Courts) or would be accompanied by some form of Government assistance. In the case of COVID, certainly the government support was woefully inadequate – so what could those businesses have done.

Building risk scenarios is an important part of managing risk and building resilience in your business, so that when an event does occur, it doesn’t mean you aren’t affected, but it gives you peace of mind that you are protected, and the impact is contained to within an acceptable standard of risk. This containment is in the form of controls. You might have some offsite cold storage, or an emergency back up generator, or a shipping container or food caravan you can operate from instead. All of these are controls that don’t pretend to allow your business to operate at the same level as previously but give you peace of mind to know that they are there and will mitigate the impact should an event occur.

Understanding your business’ vulnerability and testing whether you have controls in place can give you peace of mind to know that you have some protection. It also means you’re putting mechanisms in place to protect your business rather than having to make knee jerk decisions under pressure that might have unintended consequences or may not deliver the best or most efficient outcomes for your business. It also means you’re thinking about your business and ensuring you have appropriate mechanisms in place to alert you to problems early – again for example regular monitoring of fridge temperature could tell you a fridge needs to be replaced which is a much better indicator than coming in one morning and discovering a fridge full of soiled product.

Would this process have predicted the COVID impact or response for many of these businesses? I doubt it. But we are learning all the time and we use our experience from the past to better prepare us for the future. I can bet you almost certainly that there won’t be many risk scenarios developed in the next twenty years, that won’t include some form of pandemic assessment and won’t use the experience of the last 3 years as a basis for evaluating the impacts of that scenario on any business. Few scenarios up until now would have included a line saying: “What if the government says we can’t operate for the next four to six months?”, but I bet from now on they will.

Remember, risk management isn’t about stopping events from happening – or saying that somehow they won’t impact you. It’s about doing your best to estimate what the event would look like and how it would impact you (and reassessing this year on year as you learn more) and then thinking about what you can do to manage it, to contain it within an appetite.

Is it feasible to bring all your customers into your ‘bubble’? Or to have all your staff and their families in your ‘bubble’ so you can continue to operate? No (although I do know of some businesses that did this), but it might give you pause to think of alternate distribution mechanisms – if your customers can’t come to you – how can you take your product to them?

When it comes to risk management “wait and see” and “hope for the best” are rarely ever the best strategies.

Risk Strata specialise in helping businesses understand their risk profile and implementing processes, controls and frameworks to effectively manage those risks so that you can make informed decisions to keep your business safe and healthy. We can tailor a package of services to meet your needs from basic profiling right through to the design and implementation of control frameworks, reporting metrics and appetites and training for yourself and staff. If you want to understand your business better, “let’s talk”.