Posted by Colin Weatherby 480 words
Have you ever wondered who has the formal delegation to accept risk on behalf of the organisation? I know that you probably spend most of your time dealing with systems that seek to reduce or eliminate risk, but what happens when risks must be taken? How do you assess and accept those risks?
My bet is that there is no system to accept risk and that your organisation has little understanding of the risks that are being taken by managers each day. I think that the absence of a system to formally assess and accept risks is the reason there are endless systems to get rid of it. I am not talking about the Risk Register and the big strategic or operational risks that are obvious to everyone. I am talking about the daily risks that arise when something hasn’t worked out the way you would like it to but work must go on.
An example is when the services of a company are procured through a compliant process (a risk elimination system) and then someone in the contracts team objects to the person who has signed the contract on behalf of the company. Even though there is a letter from the board of the company authorising the signatory, it doesn’t meet the standard that contracts requires (another risk elimination system) to ensure that the contract is legally enforceable in the event of a dispute. The problem you have is that you can’t stop scheduled works to sort out the signatory issue without risking a lengthy delay before works are rescheduled. Do you go ahead? Who decides if it is OK to proceed?
Of course, the easy solution is to avoid any contractual risk and delay the works. After all, no one would blame you for playing safe. The fact that there is reputational risk if a service hasn’t been delivered to the community on time as promised is less of a consideration. Maybe your community doesn’t even expect you to meet your commitments.
I am not sure what the right answer is in this situation. In the absence of any organisational guidance the matter will be sent ‘upstairs’ for a decision. How long this takes will depend on the risk threshold of your group manager or the risk appetite of the Executive. I was once at a presentation on a risk strategy where the risk officer said that under the strategy risk could be increased. A member of the Executive asked under what circumstances that might happen. Their only experience had been to eliminate risk.
The idea that you need to accept or increase risk in order for services to be delivered is commonplace in the business world. Often, the more risk you take, the greater the returns. Companies take these risks in order to create unique value that satisfies their customers. It is what their customers pay them to do.
What are our customers paying us to do?