Promoting Good Management of Risk and Uncertainty

August 2006

How should the risk/control manager proceed, when outnumbered thousands to one by other employees and without line authority with which to insist that things get done right? Getting new procedures, policies, and tools implemented without direct authority is the main problem for such managers.

by Matthew Leitch

In previous articles for IRMI, I have explained how people tend to behave in ways that suppress or just ignore risk and uncertainty, and that tackling this is a key task for risk and internal control managers. For example, see "Embedding Risk Management: Easier, Better, Faster."

In this article I will describe approaches to this problem, including a new intelligence gathering survey tool that can help. I will also explain the results of some online research carried out earlier this year that sheds light on the possible results of using the tool.

The Main Ways Change Is Usually Achieved

Risk/control managers generally persuade others to do things by the following means.

• Borrowed authority: This is when some senior figure or group makes statements about the importance of risk management/control, or authorizes a project, or holds meetings the manager can attend and report to. These give the manager an opportunity to show connection to a source of power.

• Power from regulations: Very often, the power comes from outside the organization in the form of imposed regulations—Sarbanes Oxley, Turnbull, Basle II, and so on.

• Riding other initiatives: In this approach, the manager takes advantage of the impetus behind some other initiative and just ensures that his/her ideas are picked up in the other, perhaps better supported, initiative.

• Using personal charm: Despite the emphasis on regulations and senior support the day-to-day influence of risk/control managers still rests largely on their personal charm and helpfulness.

Results tend to be patchy. Even with scary regulations approaching, continuous senior support, and great personal charm, there will still be detractors, resistance, complaints, delays, people who do not do what they should do or even promised to do, and outright enemies who dig in, hold out, and wait for an opportunity to kick back.

A Strategy Based on How Things Often Work

But there is a happy side. Along with the detractors, there are usually people who are interested, keen to be involved, and eager to try new things. These people sometimes, but not always, have more to gain from the idea than others, as well as more relevant knowledge.

Their involvement is tremendously valuable to the risk/control manager because these enthusiasts will put up with the rough edges of new procedures and tools. They will have suggestions for improvement and a high chance of getting good results. Beneficial changes with these people are more likely to stick.

It usually makes sense to search for such people, deliberately, and work with them first. Experience with these early adopters is a good opportunity to refine the process or tool, and get some results with it that will build the case for wider adoption.

Having achieved some success with the first group, move on to the next most willing group, and so on. Eventually, the only people left will be the diehards, left in a minority, with little to complain about, and facing ample evidence of effectiveness and benefits. Even the longevity of the approach and the growing body of documentation and software lends credibility to it.

Of course, if the process or tool is not effective and doesn’t improve enough from the early trials, then drop it if possible. It may also be that complete rollout is not necessary and that, at some point, the rollout should stop, so that it only includes the people for whom it is beneficial.

How To Find Friends

Starting with "friends" of a project, process, or tool is common sense. How do you find them? Some obvious ways are:

• By trial and error: Try to promote a risk/control program and some people will speak in favor and some against. Those who speak can be classified.

• Guessing from roles: Roles tend to suggest the interests of the people who occupy them. The head of internal audit is likely to be more interested than the head of marketing, for example.

• Guessing from experiences: Recent experiences tend to affect what people are interested in. If a line manager has just been badly burned by a project where risk was mismanaged, he/she is likely to be more interested in related things.

• Following up contacts: Friendly people will often suggest the names of others who are likely to be friendly towards an idea.

Another method is to gain this information as a side benefit of an online survey to understand how risk and uncertainty are currently managed in the organization.

The RUMA Survey Tool

Early in 2006, I developed the first version of a suitable survey—the only one of its kind, as far as I know. It is called the Risk and Uncertainty Management Assessment (RUMA) survey tool. The first version described four scenarios that typify situations managers often face that involve risk and uncertainty. In these situations, there are pressures to ignore the uncertainty, which is what makes reactions to the scenarios so informative.

The respondent is presented with five actions that could be taken in each scenario (not necessarily mutually exclusive) and asked to rate every action on a scale from "Great" to "Awful." (This survey style is much more informative, per scenario, than multiple choice.)

The survey tool also asks for a certainty rating for every action rating. From this it is possible to see where people are confident of their answers, and where they struggle to decide.

Results from Research

In early April 2006, the first version of the RUMA survey was used in an online survey with 90 volunteer respondents. The response to calls for respondents was more than twice that for any previous survey I have promoted in the same way, so it seems many people quite liked tackling the scenarios. The results provide a fascinating insight into how people view these situations and the risk of inappropriate behavior.

Overall, the collective wisdom of respondents was impressive. In almost every case, the most favored actions are also the open, honest, rational, objective ones where uncertainty is dealt with instead of suppressed. However, individual responses were less consistently laudable. Most people favored several actions that were less than ideal, usually giving positive ratings to actions with hidden dangers.

Some people seemed, overall, considerably more inclined to suppress or ignore risk than others. The survey responses were highly revealing. There were also a few actions that people on the whole favored but that have hidden dangers.

An Illustration

In one scenario, the respondent was asked to imagine being a senior government official in charge of a major building project, with builders, surveyors, and architects involved. Everything is going well and to schedule on the project but a row has broken out between a company contracted to prefabricate a complex glass roof section and the other parties. The glass company says the design won’t work. The architects disagree and everyone is blaming someone else. The question is, do you tell your boss about this problem and, if so, how?

The most strongly supported action was to give your boss a full briefing covering all major areas of risk and uncertainty on the project, including the roof worry. However, the next most supported approach, and one approved of by most people, was to find a solution to the problem first, and only then tell the boss. Quite probably you too think this sounds a sensible approach, but read on.

The real life case on which this scenario was loosely based, the Holyrood building project in Scotland, led to a public enquiry to discover why the project had gone 1,000 percent over budget. Among many other failings, it was found that as the architect submitted a series of designs that were more costly than the budget, the officials involved had decided they could not share this cost risk with ministers without having a solution first. However, they never found a solution and so did not share the risk upwards.

Does finding a solution first still seem so attractive?

Uses of RUMA

The main use of RUMA is to understand the overall culture of risk and uncertainty management in an organization. However, as a side benefit, it should be possible to identify people, and groups of people, whose preferences indicate they would be friendly toward risk/control initiatives, and others who perhaps should be involved later on if at all.

Full details are given in "Individual Differences in Risk and Uncertainty Management."

Summary

Getting good things to happen without line authority is the key challenge for risk/control managers. One tactic that can be very useful is to try out new ideas with people in the organization who are in favor and enthusiastic about them, and then roll on from there, either stopping when people stop getting benefit, or rolling on until even the staunchest opposition is included.

The RUMA survey tool is just one way to find the friends needed, and also provides a detailed and fascinating picture of thinking about risk and uncertainty in common management situations.

---

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.