Communication is an essential element in all aspects of risk management. While it is considered a step in the ERM framework it is one that is articulated with all phases of the risk management process. Without good communication that is relevant to the stakeholder, the understanding of issues and solutions may be muddled, leading to disastrous results. The second important piece of this step of the risk management process is consultation. The risk manager is an internal consultant and coach. The job of the risk manager includes helping those without technical experience in risk management to acquire the expertise necessary for risk owners and others to accomplish their risk optimization goals and objectives.
Jean-Paul Louisot
Formerly Université Paris 1 Panthéon-Sorbonne, Directeur pédagogique du CARM Institute, Paris, France
Risk management, both as a profession and as a discipline, has experienced an accelerated pace of evolution since the beginning of the twenty-first century due to the sudden request for additional “security” in all stakeholders segments. Physical security was brought to high priority since the terrorist attacks in the USA on 9/11/01 and maintained thereafter by the repeats in Madrid and London. It seems that since the tsunamis at the end of 2004, natural disasters have increased in visibility, if not in frequency and intensity, and are even more devastating in poor countries or neighborhoods. In addition, financial security has been highlighted since the Enron and WorldCom debacles, not to mention Parmalat in Italy.
Food and health security are a continuing problem with issues like the AIDS pandemic in Africa, the GM (genetically modified organisms) debate and the famine in so many “emerging” countries; and more recently in Europe, the horse meat sold as beef. Many governments have beefed up security, specifically in airports and entry points to their national territories. Western governments have enacted legislation to improve accounting transparency, for example, the Sarbanes-Oxley Act in the USA, and LSF (loi sur la sécurité financière) in France. There has even been a revision made to the French constitution to introduce a “general principle of precaution”. Even the security of future generations is at stake with the new buzz expression: “sustainable development”.
For more than four decades, risk management has been a technical job mainly focusing on financing the negative consequences of threats to the organization. It is now blossoming into a discipline on par with finance or marketing as the “management of uncertainties”, which requires the development of a sound conceptual framework including the scientific skills needed to quantify the various impacts of uncertain events. Risks are both opportunities and threats, and risk management should ensure that risks are included and identified for analysis and treatment in all decision-making processes, at the strategic, tactical, and operational levels. This necessity is commonly called “risk appropriation by all risk owners”, i.e. the operational managers who are at the source of many risks that can be best controlled at their level.
The explosion of information through both global networks and private channels based on computers, like websites and “blogs”, provides new pathways for the rapid spreading of rumors, sometimes with ill intentions, sometimes not. Social media also creates open forums where the average citizen, not necessarily properly informed or educated, can express his/her perception of risks rather than an objective measure developed by qualified “experts”. The irony is that specialists have initiated research to tackle the difficult task of quantifying and assessing risks through new methodologies made possible by the recent scientific developments, like the chaos theory, “bringing order to chaos and complexity”.1 Financial institutions, banks complying with Basel 2, and insurance and reinsurance companies battling with Solvency 2 have even found ways to get round the absence of historical data in operational risks thanks to expert opinions and the use of Bayesian networks.
Social acceptability of projects and innovation is greatly enhanced if the public is made aware of what is at stake, understands the medium- and long-term benefits and is convinced that those in charge try their best to reduce the possible negative impact. Even the famous NIMBY (not in my back yard) position can be mitigated with proper communication. But this will require a true and honest effort of engaging the stakeholders to manage their initial perception of risks and gain their trust so that they are ready at best to engage in the project, at least to tolerate it in their “back yard”.
This brief introduction to the environment of risks leads to an essential conclusion: communication on risks and risk management efforts is becoming an integral part of any efficient global risk management, whatever the organization involved, state, public, private, or healthcare. As a matter of fact the experts who developed the ISO 31000:2009 standard on risk management were so aware of the need for interaction with the stakeholders that they call for “communication and consultation” with key stakeholders throughout the risk management process.
Too often communication on risk is left to “public relations specialists” whose understanding of the mission is limited to polishing communiqués, at best radio or television interviews, for internal or external audiences so that the organization, and sometimes mostly its CEO, will appear in the best possible light. Public relations specialists may engage in exchanges with stockholders and the financial community, but for most of them it is a one-way street. However, the Latin root of communication, “to share” should remind the managers that the process calls for a two-way street, in this case establishing a continuous process of exchanges and dialogue with all the stakeholders in a given project or risk. The Australian Risk Management Guidelines Handbook (HB 436/2004) appropriately stated: “Communication is an interactive process of exchanges of information and opinion involving multiple messages about the nature of risk and risk management.”
This communication clearly calls for a two-way vertical movement of information and action:
However, while all the risks must be entered into the risk register, the board must not be inundated with information on risks that should be handled at the operational level. The consolidation process sends to higher echelons only those risks that cannot be efficiently treated at a lower level, because of lack of perspective or means. Thus, the board receives a risk register limited to the exposures that may have strategic implications at the company level.
The risk management process developed at all levels in the organization allows the board, the CEO, the CFO and the audit committee to sign off on documents that ensure stakeholders that the objectives or mission of the organization will be met in as economically efficient and socially acceptable a fashion as possible.
It follows that the executive team must maintain a good connection with all stakeholders, both internal and external. One key element to build and protect their trust is to prove that those in command are able to conduct the necessary modifications and remain ahead of the change process even in time of accelerated evolution in the context of the organization that could result in rupture. In most cases, it is only in the time of turbulences that this capacity can be really tested, but it would be preferable to be able to assess the organization's resilience in quiet times. And it is precisely the board's and executives' understanding that uncertainties, threats as well as opportunities, must be taken into account in all decision processes within the organization that builds the trust of all stakeholders that the organizations is “responsible”. Thus all who have a stake in the organization gain the assurance that their varied and sometimes conflicting interests are assessed and valued; it is that trust and confidence that builds and maintains an organization's reputation.
Good communication on risk management can only rest on effective sound risk management throughout the organization. Indeed, the task is to “nest” risk management in all staff and management as a result of an ongoing learning process whereby all concerned acquire an automatic sense of risks that may stem from their activities. In a complex system, where components are intertwined, it falls on each unit and operational manager to be the risk manager of the entity he/she is in charge of. Risk management is no longer some esoteric process at headquarters with stressing demands adding to the daily workload; it has become an essential part of the daily routine of any manager, indeed any employee. This new reality must now be reflected in the job description of all in managerial positions, and bonuses should also take into account the risk management performance of all.
However, good “in house” risk management is not enough anymore. The complex system itself is hooked to an increasingly complex web of relationships with outside partners, both upstream (sub-contractors and suppliers) and downstream (customers). Therefore, good risk management practices must be embedded in all economic partners. In the case of a public entity, in some instances, the whole population leaving or working in the area must be engaged in the learning process. For instance, in the case of a hospital or any healthcare provider, clearly patients as well as relatives and visitors are essential stakeholders that must be actively involved in the risk management process.
Fulfiling the conditions stipulated above is necessary if the organization's leadership wants to be able to face any situation and react rapidly not only to pre-identify risks but also when unexpected developments take place, the unknown-unknowns. Indeed, stakeholders demand that the executives prove they are able to cope when confronted with surprises, unpleasant as they may be. The leader is expected to set the example that will ensure the organization's survival.
The question any decision maker will ask at this stage concerns the benefits that the organization can draw from sound communication on risk management. This really means: Shall we get our money's worth? The eight benefits here are derived from those mentioned for reputation management:
Whereas sound risk management practices are a prerequisite for good communication, it is not enough and some rules must be followed to ensure the efficiency of the communication on risk management:
All this can be summarized simply; it is all about conducting an adult dialogue with stakeholders on the key questions:
In any event, the different risk communication tools are to be used to propose solutions and not to be an additional source of problems and fears for the many targets (stakeholders). This can be achieved so long as for each of those target stakeholder groups the organization strives to:
The suggestions listed here could be applied to communication on any subject. However, communication on risk and the way it is mitigated has a very significant specificity: it must be efficient, particularly in times of turbulence. Therefore, it is essential to distinguish clearly communication:
It would be cumbersome to try to provide an all-encompassing list that would include all stakeholders for any type of organization worldwide. However, the list below summarizes the main groups to be informed on risks under most circumstances, and practical tips are included in Section 5.1.5 for dealing with each of them.
For each of the targets identified, their main centres of interests are listed:
For the external stakeholders, it will be a matter of providing answers to their fears and worries, while fulfiling their expectations. Who are they?
One key to effective risk communication is to focus on the expectation and fears of each given group: they are not all expecting the same level of detail and they may not have the same right to inside information. However, it is essential for long-term credibility that all the communications are consistent and transparent as the different targets may have interaction, for example, through social media. The tips that follow take into account these considerations to help design the proper risk communication grid and follow the usual pattern of questioning that a journalist follows when writing an article for a newspaper.
3.23.92.186