Why Risk Management Needs To Go Beyond Compliance
Back in 2007, when Tony Hayward became CEO of BP, he pledged to build a company culture with a “laser focus on safety” . Three years later, despite the introduction of a rigorous compliance program, a BP oil rig exploded in the Gulf of Mexico, causing one of the worst man-made environmental disasters in history. Investigators blamed the inability of BP employees to “identify the risks they faced and to properly evaluate, communicate, and address them .” In other words, compliance was simply not enough.
The Difference Between Compliance And Risk Management
Compliance is clearly important. Businesses must be able to prove adherence to industry regulations and address any breaches promptly. Failure to establish and monitor compliance programs can result in director mismanagement and an absence of business oversight, producing situations like the collapse of Enron.
However, as the Financial Times points out, actions taken to improve compliance in the financial industry after the Enron fiasco have had some paradoxical consequences: “The attempt to legislate and regulate people into good behavior has spawned a compliance culture rather than an ethical culture .”
To truly manage risk, businesses need employees who make ethical decisions for ethical reasons, not simply to comply with regulations. Leadership must put more emphasis on educating people to understand underlying risks, rather than trying to dictate precise rules that will invariably lead to unintended consequences.
Risk management is far broader than mere compliance. Reducing business risk involves delving into all the areas in which individuals can reduce or increase business risk, from staffing to communications, from operations to marketing, and from regulatory compliance to long-term business strategy. A strong L&D program is the ideal way to develop and reinforce a risk-aware business culture.
The Consequences Of Poor Risk Management
A comprehensive risk management strategy is not a “nice to have.” As many CEOs are learning—to their cost—in 2020, the lack of strong risk management can have devastating and permanent consequences for businesses and employees alike.
Even without a global financial meltdown, failing to implement a proactive risk management plan can have serious consequences such as:
- Heavy fines
- High employee turnover
- Profit loss
- Project failure
- Loss of customers
Addressing and mitigating risk is not merely an issue of complying with industry and legal regulations, it’s also just common sense.
Types Of Business Risk
Of course, not all business risk is created equal. Professors Kaplan and Mikes have proposed a framework for business risk that groups risks into three categories: preventable risk, strategic risk, and external risk . Preventable risks are internal and under the company’s control. These risks result from incorrect or unauthorized actions by employees, such as incorrectly using dangerous machinery, failing to follow safety procedures, or making illegal trades.
Strategic risks are those risks that businesses undertake intentionally in the hopes of securing a greater return on their strategy. An example might be investing in research and development even though the outcome is uncertain. Finally, external risks result from the environment in which the company operates. These cannot be prevented by the company and must therefore be adapted to. Examples include natural disasters or global crises like the current COVID-19 pandemic.
While each of these risk categories requires a different approach, we’d argue that L&D has a key role to play—especially when it comes to preventable and external risks.
The Role Of L&D In Managing Preventable Risk
When it comes to preventable risk, the need for L&D is clear. Employees must be aware of how to do their jobs correctly, ethically, and safely. Many companies rely on a top-down Learning Management System (LMS) to ensure that all employees have completed all obligatory training.
However, an LMS-only learning program may not be enough to build a truly risk-aware workforce. After all, companies can’t anticipate every situation or conflict of interest that individuals can face. Employees need rules of thumb to help make decisions in non-standard situations. L&D could help here by providing a solid onboarding experience that ingrains the company’s mission and values into every employee, as well as educating employees on the company code of conduct.
A more flexible approach to L&D that allows employees to customize their learning pathways can also help employees to identify and address areas where they don’t feel as confident when making decisions.
An easily accessible next-gen learning platform will also make sure employees have best practice guidelines on hand at the moment when they need them, rather than drawing on their memories of official training programs. Checklists, training videos, and helpful tips can be shared with a more flexible Learner Experience Platform (LXP) format.
Company culture is also a key factor in reducing preventable risk. Company leadership must model regulatory compliance and risk-aware behavior.
Employees should feel comfortable to ask questions and avoid "group think." Decision meetings should be documented and made available to all employees, to ensure on-going oversight and improve decision-making over time.
L&D And External Risk
The COVID-19 pandemic is a classic example of an external risk. Businesses can hardly be blamed for not predicting the massive, sweeping consequences of a global health crisis, it caught everyone on the hop. However, while most companies were left scrambling by a crisis that seemed to come out of nowhere, some were able to respond more quickly and decisively than others . In the words of Warren Buffet, “Only when the tide goes out do you see who’s been swimming naked.”
Businesses with a culture of fast, responsive action were able to move more quickly to protect themselves. Digitally ready companies made a more seamless shift to remote working. Finally, companies with a responsive and flexible approach to Learning and Development were able to help employees get up to speed much more quickly by sourcing, distributing, and collaborating on learning resources to cover everything from new online operations to the challenges of working from home.
Again, mitigating external risk is far more a question of risk awareness than compliance. Facing external risks takes a working culture which asks questions and looks ahead, the operational capacity to pivot quickly in response to market changes, and a flexible approach to L&D.
Applications Of L&D In Risk Management
L&D has a key role to play across all aspects of long-term risk management. For instance:
Basic cybersecurity training is critical if you want to protect important company data. Human error is responsible for 90% of cybersecurity breaches .
Protecting your company from IT risk involves ongoing training for all employees on the basics of cybersecurity, different types of phishing attacks and how to avoid them, and best-practice password storage.
Health And safety
Obviously, L&D can provide standardized training to employees on correct procedures to maintain a safe working environment; in fact, Tony Hayward himself blamed part of the oil rig explosion on an administrative error which resulted in employees failing to complete mandatory training . However, in the current pandemic, L&D also has a more proactive role to play in helping employees manage stress and adapt to working from home.
Easily accessible educational resources are key to giving employees the knowledge they need to succeed in today’s stressful working environment. Again, tools that offer both LMS and LXP functionality are key for making sure that employees have the resources they need to remain safe and well at work.
While we may tend to think of risk as financial or operational, in a hyperconnected digital world, poorly worded communications can do untold damage to a company’s reputation and brand. One classic example, Malaysian Airline’s unbelievably poor decision to tweet “Want to go somewhere but don’t know where?” the same year one of their planes disappeared.
To mitigate communications risk, you could consider nominating an employee as a “risk reviewer” for all corporate communications, but L&D also has a role to play, for instance, offering a “words that matter” course that educates employees about terms to avoid .
How To Incentivize Risk-Related Learning
Motivating employees to engage with risk-related learning content is vital to making changes that stick. There are two main aspects to this:
Make Risk Awareness A Part Of The Cultural Fabric
Leadership must model risk-aware and legally compliant behavior at all times. Businesses should communicate frequently with employees about risks that are non-standard and may be harder to see. You need to promote a culture of transparency and accountability, reinforced both in company communications and in day-to-day employee interactions, so that risk sensitivity, ethical behavior, and employee well-being and safety are just “how we do things.”
Think Carefully About What You Reward
In many companies, the "star performers" are those who do "whatever it takes to get the job done." This can be dangerous if employees see those that cut corners and take risks getting more rewards, behaviors can quickly spiral. Instead, make sure to include risk-aware behavior as a success indicator in your performance appraisals.
Provide learning resources to ensure that all employees are able to distinguish between appropriate, strategic risk and preventable risk that places the company, or other employees, in jeopardy.
Putting together a holistic risk management program requires careful strategic thought. Risk awareness needs to be built into the company culture from the top down and reinforced by Learning and Development initiatives.
To harness L&D to improve risk management, you’ll need a combination of comprehensive compliance training managed by a central LMS, and easily accessible learning materials provided via a more flexible and agile LXP system—or a NextGen learning platform which combines both types of approach.