5.1.1 Risks Perception and Reality: Communication of Risks

Risk management, both as a profession and as a discipline, has experienced an accelerated pace of evolution since the beginning of the twenty-first century due to the sudden request for additional “security” in all stakeholders segments. Physical security was brought to high priority since the terrorist attacks in the USA on 9/11/01 and maintained thereafter by the repeats in Madrid and London. It seems that since the tsunamis at the end of 2004, natural disasters have increased in visibility, if not in frequency and intensity, and are even more devastating in poor countries or neighborhoods. In addition, financial security has been highlighted since the Enron and WorldCom debacles, not to mention Parmalat in Italy.

Food and health security are a continuing problem with issues like the AIDS pandemic in Africa, the GM (genetically modified organisms) debate and the famine in so many “emerging” countries; and more recently in Europe, the horse meat sold as beef. Many governments have beefed up security, specifically in airports and entry points to their national territories. Western governments have enacted legislation to improve accounting transparency, for example, the Sarbanes-Oxley Act in the USA, and LSF (loi sur la sécurité financière) in France. There has even been a revision made to the French constitution to introduce a “general principle of precaution”. Even the security of future generations is at stake with the new buzz expression: “sustainable development”.

For more than four decades, risk management has been a technical job mainly focusing on financing the negative consequences of threats to the organization. It is now blossoming into a discipline on par with finance or marketing as the “management of uncertainties”, which requires the development of a sound conceptual framework including the scientific skills needed to quantify the various impacts of uncertain events. Risks are both opportunities and threats, and risk management should ensure that risks are included and identified for analysis and treatment in all decision-making processes, at the strategic, tactical, and operational levels. This necessity is commonly called “risk appropriation by all risk owners”, i.e. the operational managers who are at the source of many risks that can be best controlled at their level.

The explosion of information through both global networks and private channels based on computers, like websites and “blogs”, provides new pathways for the rapid spreading of rumors, sometimes with ill intentions, sometimes not. Social media also creates open forums where the average citizen, not necessarily properly informed or educated, can express his/her perception of risks rather than an objective measure developed by qualified “experts”. The irony is that specialists have initiated research to tackle the difficult task of quantifying and assessing risks through new methodologies made possible by the recent scientific developments, like the chaos theory, “bringing order to chaos and complexity”.¹ Financial institutions, banks complying with Basel 2, and insurance and reinsurance companies battling with Solvency 2 have even found ways to get round the absence of historical data in operational risks thanks to expert opinions and the use of Bayesian networks.

Social acceptability of projects and innovation is greatly enhanced if the public is made aware of what is at stake, understands the medium- and long-term benefits and is convinced that those in charge try their best to reduce the possible negative impact. Even the famous NIMBY (not in my back yard) position can be mitigated with proper communication. But this will require a true and honest effort of engaging the stakeholders to manage their initial perception of risks and gain their trust so that they are ready at best to engage in the project, at least to tolerate it in their “back yard”.

This brief introduction to the environment of risks leads to an essential conclusion: communication on risks and risk management efforts is becoming an integral part of any efficient global risk management, whatever the organization involved, state, public, private, or healthcare. As a matter of fact the experts who developed the ISO 31000:2009 standard on risk management were so aware of the need for interaction with the stakeholders that they call for “communication and consultation” with key stakeholders throughout the risk management process.

5.1.2 Conditions and Objectives of the Communication of Risks

Too often communication on risk is left to “public relations specialists” whose understanding of the mission is limited to polishing communiqués, at best radio or television interviews, for internal or external audiences so that the organization, and sometimes mostly its CEO, will appear in the best possible light. Public relations specialists may engage in exchanges with stockholders and the financial community, but for most of them it is a one-way street. However, the Latin root of communication, “to share” should remind the managers that the process calls for a two-way street, in this case establishing a continuous process of exchanges and dialogue with all the stakeholders in a given project or risk. The Australian Risk Management Guidelines Handbook (HB 436/2004) appropriately stated: “Communication is an interactive process of exchanges of information and opinion involving multiple messages about the nature of risk and risk management.”

This communication clearly calls for a two-way vertical movement of information and action:

• First, top down, there must be a “risk champion” in the executive team so that managing risks is clearly understood as a boardroom mandate.
• Second, bottom up, the information on risks must be consolidated so that risks are managed according to what is called in the EU the principle of “subsidiarity” to provide the board with the “reasonable assurance” that all risks are managed at the appropriate level.

However, while all the risks must be entered into the risk register, the board must not be inundated with information on risks that should be handled at the operational level. The consolidation process sends to higher echelons only those risks that cannot be efficiently treated at a lower level, because of lack of perspective or means. Thus, the board receives a risk register limited to the exposures that may have strategic implications at the company level.

The risk management process developed at all levels in the organization allows the board, the CEO, the CFO and the audit committee to sign off on documents that ensure stakeholders that the objectives or mission of the organization will be met in as economically efficient and socially acceptable a fashion as possible.

It follows that the executive team must maintain a good connection with all stakeholders, both internal and external. One key element to build and protect their trust is to prove that those in command are able to conduct the necessary modifications and remain ahead of the change process even in time of accelerated evolution in the context of the organization that could result in rupture. In most cases, it is only in the time of turbulences that this capacity can be really tested, but it would be preferable to be able to assess the organization's resilience in quiet times. And it is precisely the board's and executives' understanding that uncertainties, threats as well as opportunities, must be taken into account in all decision processes within the organization that builds the trust of all stakeholders that the organizations is “responsible”. Thus all who have a stake in the organization gain the assurance that their varied and sometimes conflicting interests are assessed and valued; it is that trust and confidence that builds and maintains an organization's reputation.

Good communication on risk management can only rest on effective sound risk management throughout the organization. Indeed, the task is to “nest” risk management in all staff and management as a result of an ongoing learning process whereby all concerned acquire an automatic sense of risks that may stem from their activities. In a complex system, where components are intertwined, it falls on each unit and operational manager to be the risk manager of the entity he/she is in charge of. Risk management is no longer some esoteric process at headquarters with stressing demands adding to the daily workload; it has become an essential part of the daily routine of any manager, indeed any employee. This new reality must now be reflected in the job description of all in managerial positions, and bonuses should also take into account the risk management performance of all.

However, good “in house” risk management is not enough anymore. The complex system itself is hooked to an increasingly complex web of relationships with outside partners, both upstream (sub-contractors and suppliers) and downstream (customers). Therefore, good risk management practices must be embedded in all economic partners. In the case of a public entity, in some instances, the whole population leaving or working in the area must be engaged in the learning process. For instance, in the case of a hospital or any healthcare provider, clearly patients as well as relatives and visitors are essential stakeholders that must be actively involved in the risk management process.

Fulfiling the conditions stipulated above is necessary if the organization's leadership wants to be able to face any situation and react rapidly not only to pre-identify risks but also when unexpected developments take place, the unknown-unknowns. Indeed, stakeholders demand that the executives prove they are able to cope when confronted with surprises, unpleasant as they may be. The leader is expected to set the example that will ensure the organization's survival.

The question any decision maker will ask at this stage concerns the benefits that the organization can draw from sound communication on risk management. This really means: Shall we get our money's worth? The eight benefits here are derived from those mentioned for reputation management:

• Creates an environment more favorable for investments, with better access to capital markets as potential investors are reassured, especially pensions funds and other institutional investors.
• Improves trust and confidence in dealing with stockholders and other stakeholders.
• Facilitates recruitment and retention of talented staff whose ethics and values agree with those expressed and practiced within the organization.
• Attracts the best possible economic partners.
• Upstream (reputation with sub-contractors and suppliers).
• Downstream (reputation with customers).
• Lowers barriers to entry into new markets, especially those where the public is actively involved in policy making.
• Commands premium prices for goods or services as the organization offers a higher level of procurement safety (especially in case of “just in time” and project management) and/or more sustainable development (“green” and equitable markets).
• Limits threats of legal proceedings or more stringent regulations (sometimes this will require a collective effort at the industry level).
• Limits the potential for crisis, in part thanks to the efficient communication tools developed in time of peace.

5.1.3 Basic Principles for Efficient Communication on Risks

Whereas sound risk management practices are a prerequisite for good communication, it is not enough and some rules must be followed to ensure the efficiency of the communication on risk management:

• Promote a sense of “specificity” in all stakeholders' minds (concerted efforts to take into account all perspectives on risks).
• Focus on a “central” theme (the mind is set to ensure security and safety for all).
• Ensure “coherence” in all communication (all concerned segments of the public receive the information they need within a coherent framework).
• Stick to “integrity and authenticity” in all dealings (in particular in the exchange process with the different stakeholders).
• Commit to “transparency” (it is the foundation of all financial and social performance sustainable in the long run through constructive dialogue, win-win situation, with the stakeholders).
• Be cautious when perceptions are based on impressions as opposed to the knowledge and understanding of the issues in a particular situation.
• Develop in contacts a conscience of danger without creating an anxiety prone society.
• Avoid approaching risk management on a “good feelings” basis as this will not give a real sense of direction to the activity deployed by the organization.
• Be specific in the description on modes and criteria of decision making and arbitraging options.
• Avoid jargon or unnecessary esoteric language, without losing track of the need for precise vocabulary.
• Develop validation instruments to measure the adhesion of the different stakeholders to choices made by the organization.
• Transcend individual interests to promote a “collective or societal” evaluation of risks.
• Use ordinary risk situations, confronted and managed by most, especially when communicating with large segments of the population (risk in the daily life of any household, purchasing insurance for the family, etc.).

All this can be summarized simply; it is all about conducting an adult dialogue with stakeholders on the key questions:

• What is at stake (opportunities and threats)?
• What is the proper balance between individual and collective interests?
• Can there be a licence to operate at best until the dialogue can reach the proper level of balance (between “consenting adults”)?

In any event, the different risk communication tools are to be used to propose solutions and not to be an additional source of problems and fears for the many targets (stakeholders). This can be achieved so long as for each of those target stakeholder groups the organization strives to:

• Analyze their problems when confronted with uncertainties or necessary changes:
  • Avoid generating additional problems for them.
  • Enter an empathy mode to understand their way of thinking.
  • Decipher the challenges they are to meet.
  • Evaluate whether they are in survival mode or still in a fighting mood.
• Make sure to be seen as a provider of solutions:
  • Be perceived as a resource.
  • Share all possible solutions.
  • Help them see the benefits for them through the risks.
• Speak their language:
  • Understand and use stakeholders' own specific language, or vocabulary, for each “customer” segment when addressing them.
  • Listen to the “targets” (listening quality is essential).
  • Refer to key words in their vocabulary.
  • Cultivate empathy more than intrinsic content.
• Take into account their expectations through clear and transparent rules for dialogue:
  • Purpose of the meeting with the “contact group”.
  • Modus operandi.
  • Timetable.
  • Negotiation points.
  • Methods to overcome difficulties and dead ends.
  • Beware of ambiguities (in case of “agreement” do not hesitate to interpret more in favor of the stakeholders).
  • Develop a critical approach to the fears expressed as well as to any proposed solution.
  • Informal conversations may prove useful to enhance trust.
  • Transparency means expressing things as they are (not always only to please the spectator).
  • All critiques must offer a proposal (no negative comments without a counter-offer).
  • Feed a dynamic dialogue.

The suggestions listed here could be applied to communication on any subject. However, communication on risk and the way it is mitigated has a very significant specificity: it must be efficient, particularly in times of turbulence. Therefore, it is essential to distinguish clearly communication:

• Under normal circumstances, both within and without the organization.
• In a time of a crisis, or immediately thereafter.

5.1.4 Which Stakeholders Need to Be Informed of Risks?

It would be cumbersome to try to provide an all-encompassing list that would include all stakeholders for any type of organization worldwide. However, the list below summarizes the main groups to be informed on risks under most circumstances, and practical tips are included in Section 5.1.5 for dealing with each of them.

5.1.5 Tips for Communicating Risks to the Major Group of Stakeholders

One key to effective risk communication is to focus on the expectation and fears of each given group: they are not all expecting the same level of detail and they may not have the same right to inside information. However, it is essential for long-term credibility that all the communications are consistent and transparent as the different targets may have interaction, for example, through social media. The tips that follow take into account these considerations to help design the proper risk communication grid and follow the usual pattern of questioning that a journalist follows when writing an article for a newspaper.

• Communication with the board of directors:
  • When – keep channels of communication open at all times, regular RM report (no less than quarterly).
  • Who – the risk manager, or his/her boss if he/she does not have access to the board.
  • Content – strategic exposures only and progress on cost of risk and risk mapping exercises. Non-executive members will be mostly interested in governance issues and long-term resilience.
  • Format – one or two page presentation with two or three slides to draw attention.
• Communication with stockholders (if public corporation is subject to disclosure rules):
  • When – annual report and occasional if needed (profit warning).
  • Who – the CEO, prepared by the risk manager.
  • Content – major trends and strategic exposures and impact on the profit + communication on pending claims – check local and international legal requirements. Special stress on resilience and continued growth.
  • Format – depending on countries format may be 1 to 3 pages on the annual report. Messages may be needed in case of major events happening between reports.
• Communication with operational managers (risk owners):
  • When – ongoing and specifically for risk mapping and continuity planning.
  • Who – risk manager and his team and correspondent in the business units.
  • Content – assistance throughout the implementation of the risk-mapping exercise and risk-control measures (specifically BIA (business impact analysis) and BCP (business continuity planning)).
  • Format – notes, email, Internet and training session, coaching.
• Communication with personnel:
  • When – channels of communication should be open at all times, but there must at least be regularly scheduled RM reports to establish and maintain risk culture.
  • Who – RM professionals relayed by “risk owners” for reinforcement and human resources department.
  • Content – explanations on potential impact on work site, working conditions and own life, including “job safety”.
  • Format – Internet, intranet, posters, training, etc.
• Communication with economic partners:
  • When – special emphasis at the initial stage of cooperation and follow-up through the contractual life.
  • Who – risk management team, purchase and procurement, marketing and sales, and communication department (PR).
  • Content – all shared exposures with the given partner, including resilience of relationship. Special attentions when consumer goods delivered to public.
  • Format – (will vary depending on the information needed to address the partner's concern directly, but it should be short and to the point).
• Communication with local authorities:
  • When – keep channels of communication open at all times to ensure proper interaction in time of need.
  • Who – RM professionals and compliance officer (when appropriate), PR personnel and local risk owners (plant managers).
  • Content – special emphasis on public health and safety issues and sustainable development commitment.
  • Format – filing official compulsory forms and requirements, and personal contact with elected officials and civil servants.
• Communication with media:
  • When – maintain regular contact (line of communication should be open at all times).
  • Who – PR personnel or executives with the assistance of RM professional and risk-owners.
  • Content – mostly health and safety issues, CSR (corporate social responsibility) challenges, but do not forget “financial press” as this is really addressed to the stockholders.
  • Format – press releases and interviews depending on nature – see further for time of crisis.
• Communication with pressure groups:
  • When – selectively when necessary, if group interest at stake, but need to be proactive.
  • Who – PR personnel and/or executives, with RM professional support.
  • Content – stress exposures and risk control on areas of interest to the group.
  • Format – communication will include visits and discussion groups to get members feedback and “subjective perception of risks”.
• Communication with the general public:
  • When – keep channels of communication open at all times to reassure and respond to preoccupation (beware of social media).
  • Who – PR personnel and/or executives, with RM professional support.
  • Content – stress exposures and risk control on areas of interest to the public (health and safety, environment, sustainability, etc.).
  • Format – communication will include visits and discussion groups to get members' feedback and “subjective perception of risks”, especially for “high risk” units.