Risk management, both as a profession and as a discipline, has experienced an accelerated pace of evolution since the beginning of the 21st century, largely due to the sudden demand for additional security in all stakeholder segments. Physical security became high priority after the terrorist attacks in the US and has remained so following the repeat attacks in Madrid and London. Financial security has been highlighted since the Enron and WorldCom debacles, not to mention Parmalat in Italy.
Food and health are a continuing problem, with issues such as the AIDS pandemic in Africa, the GMO debate and the famines in so many developing countries.
Many governments have beefed up security, specifically in airports and other entry points to their national territories and have enacted legislation to improve accounting transparency. This includes the Sarbanes-Oxley Act in the US, the LSF (loi sur la securite financiere) in France, and even the inclusion of the 'general principle of precaution' in the French constitution.
Even the security of future generations is at stake with the new buzz expression: sustainable development.
Beyond this increased visibility of risk management, on university campuses as well as in boardrooms, what strikes both practitioners and academics is the expansion of the fields covered by this emerging managerial skill.
For more than 40 years, risk management has been a technical job, mainly focusing on financing the negative consequences of threats, ie buying insurance covers. It is now blossoming into a discipline on par with finance or marketing, to become the overall management of uncertainties. This requires the development of a sound conceptual framework, including those scientific elements required to quantify the various impacts of uncertain events. Risks are becoming what they should always have been: both opportunities and threats, and risk management now implies the inclusion of a proper hedging of the costs and benefits of risks in all decision-making processes.
The explosion of risk management has had far reaching consequences for organisations' structure, with a growing awareness of the need to manage risks at all levels. Board members, pushed by the evolving legal environment, as well as by the growing interest of rating agencies, are becoming increasingly conscious of the importance of developing decision processes in which they can clearly identify how risks have been assessed and taken into account when making strategic choices. Furthermore, they understand that this issue must be monitored through appropriate control mechanisms throughout the organisation. It appears more and more essential that uncertainties are also factored into decision-making, at both operational and tactical levels. The resilience of the overall organisation, for which the board is accountable, will be satisfactory only if all staff and partners are 'sure'. This necessity is commonly called risk appropriation by all risk owners: ie the operational managers who are at the source of many risks that can be best controlled at their level.
While this evolution is taking place, there is a concurrent phenomenon: the explosion of information, both through global networks and private channels such as websites and blogs. These provide new pathways for the rapid spreading of rumour, sometimes with ill intentions, sometimes with none. They create open forums where the average citizen, not necessarily properly informed or educated, can express his or her perception of risks, which may be far removed from an objective measure developed by qualified experts. The irony is that specialists have initiated research to tackle the difficult task of quantifying and assessing risk, using new methodologies made possible by recent scientific developments - 'bringing order to chaos and complexity' (see John Gribbin, Deep Simplicity). Financial institutions, banks complying with Basel 2, and insurance and reinsurance companies battling with Solvency 2, have even found ways to get round the absence of historical data in operational risks, thanks to expert opinions and the use of Bayesian networks.
Social acceptability of projects and innovation is greatly enhanced if the public is made aware of what is at stake, understands the medium and long term benefits, and is convinced that those in charge are doing their best to reduce the possible negative impact. Even the famous NIMBY (not in my back yard) stage can be defused by using proper communication. But this will require a true and honest effort to engage stakeholders in managing their initial perception of risk and to gain their trust, so that they are ready at best to engage in the project, or at least to tolerate it in their back yard, whatever the yard may be.
This brief introduction to the environment of risk leads to an essential conclusion: communication about risks and risk management efforts is becoming an integral part of any efficient global risk management, whatever the organisation involved, state, public, private, or healthcare.
Conditions and objectives
Too often communication is the domain of a so-called public relations specialist, whose understanding of the mission is limited to polishing press releases or massaging radio or television interviews, so that the organisation, and sometimes chiefly its CEO, will appear in the best possible light. At best, the PR specialist will engage in some exchanges with stockholders and the financial community. But the process calls for a genuine dialogue, in this case by establishing a continuous process of exchanges with all the stakeholders in a given project or risk. The Australian Risk Management Guidelines Handbook (HB 436/2004) appropriately states: 'Communication is an interactive process of exchanges of information and opinion involving multiple messages about the nature of risk and risk management.'
Such communication clearly calls for a two-way vertical movement of information and action: there must be a risk champion in the executive team, so that managing risks is clearly understood to be a boardroom mandate. But the information about risks must be consolidated, so that risks are managed according to what is called in the EU the principle of 'subsidiarity'.
Even if all the risks must be entered into the risk register, the board must not be inundated with information about those risks that can be easily handled at the operational level. The consolidation process sends to higher echelons only those risks that cannot be efficiently treated at a lower level, for lack of perspective or means. Thus the board receives a risk register limited to the exposures that are strategic at the company level.
However, the risk management process developed at all levels allows the board, the CEO, the CFO and the audit committee to sign off documents that assure stakeholders that the objectives of the organisation are as safe, economically and socially, as possible.
It follows that the executive team must maintain a good connection with all stakeholders, both internal and external, at all times. One key element to build and protect their trust is to prove that those in command are able to conduct necessary changes and remain ahead of the change process, even in times of accelerated movements that could result in rupture. The proof of that capacity is usually shown in 'nominal' circumstances, outside any crisis or rupture. It is precisely stakeholders' understanding that uncertainties, threats as well as opportunities, are taken into account in all decision processes within the organisation that leads to their adoption of a rational perception of risk. That perception, by all who have a stake in an organisation, that their varied and sometimes conflicting interests are assessed and valued is what builds and maintains its reputation.
Good communication about risk management must naturally rest on effective risk management throughout the organisation. Indeed, the task is to instill risk management in all staff thanks to a learning process whereby all concerned acquire an automatic sense for risks that may stem from their activities. In a complex system - and any organisation is a complex system - it falls to each operational manager to be the risk manager of the entity of which he/she is in charge. Risk management is no longer some esoteric process at headquarters; it is becoming an essential part of daily routine of any manager, indeed any staff. This new reality must now be reflected in the job description of all in managerial positions, and bonuses should also take into account the risk management performance of all.
However, good in-house risk management is no longer enough. The complex system itself is hooked to an increasingly complex web of relationships with outside partners, both upstream (sub-contractors and suppliers) and downstream (customers). Therefore, good risk management practices must be embedded in all economic partners. In the case of a public entity, in some instances, the whole population living or working in the area must be engaged in the learning process. For example, in the case of a hospital, clearly patients as well as relatives and visitors must be actively involved.
The fulfilment of these conditions is necessary if those in charge want to be able to face any situation and react rapidly, not only to pre-identified risks but also when unexpected developments take place. Stakeholders demand that executives prove able to cope when confronted with surprises, unpleasant as they may be. The chief is expected to set the example that will ensure the organisation's survival.
The question any decision maker will ask at this stage concerns the benefits that the organisation can draw from sound communication about risk management.
Do we get our money's worth?
The eight benefits here are derived from those mentioned for reputation management.
- Create an environment more favourable for investment, with better access to capital markets, as potential investors, especially institutional investors, are reassured.
- Improve trust and confidence in dealing with stockholders and other stakeholders.
- Facilitate recruitment and retain talented staff whose ethics and values agree with those expressed and practised within the organisation.
- Attract the best possible economic partners:
  - upstream (sub-contractors and suppliers)
  - downstream (customers).
- Lower barriers to entry into new markets, especially those where the public is actively involved in policy making.
- Command premium prices for goods or services, as the organisation offers a higher level of procurement safety (especially in case of 'just in time' and project management) and/or more sustainable development.
- Limit threats of legal proceedings or more stringent regulations (sometimes this will require a collective effort at the industry level).
- Limit the potential for crisis, in part thanks to the efficient communication tools developed in time of peace.
Principles of good communication
Whereas sound risk management practices are a prerequisite for good communication, they are not enough. Some rules must be followed to ensure efficient communication about risk management.
- Promote a sense of specificity in all stakeholders' minds (our concerted efforts to take into account all perspectives on risks).
- Focus on a central theme (our mind is set to ensure security and safety for all).
- Ensure coherence in all communication (all concerned segments of the public receive the information they need within a coherent framework).
- Stick to integrity and authenticity in all dealings.
- Commit to transparency (it is the foundation of all financial and social performance sustainable in the long run).
- Be wary of perception based on impressions, as opposed to the knowledge and understanding of the issues in a particular situation.
- Develop in our contacts a consciousness of danger, without creating an anxiety-prone society.
- Avoid approaching risk management on a 'good feeling' basis, as this will not give a real sense of direction to the activity deployed by the organisation.
- Be specific in describing the modes and criteria for decision making and for arbitrating between options.
- Avoid jargon or unnecessary esoteric language.
- Develop validation instruments to measure the agreement of different stakeholders to the choices made by the organisation.
- Transcend individual interests to promote a collective or societal evaluation of risks.
- Use ordinary risk situations, confronted and managed by most, especially when communicating with large segments of the population (risk in the daily life of any household, purchasing insurance for the family, etc).
All this can be summarised simply. It is all about conducting an adult dialogue on the key questions:
- What is at stake (opportunities and threats)?
- What is the proper balance between individual and collective interests?
- Can there be a licence to operate at best until the dialogue can reach the proper level of balance?
In any event, the different risk communication tools should be used to propose solutions, not to be an additional source of problems and fear for stakeholders. This can be achieved, so long as for each stakeholder group, the organisation strives to:
- analyse their problems when confronted with uncertainties or necessary changes
- avoid generating additional problems for them
- enter an empathy mode to understand their way of thinking
- decipher the challenges they are to meet
- evaluate whether they are in survival mode or still in a fighting mood
- make sure it is seen as a provider of solutions
- be perceived as a resource
- share all possible solutions
- help them see the benefits
- speak their language
- remember, this may differ with each stakeholder
- listen as well as communicate
- use words with which they are familiar
- make sure that they will empathise with your intrinsic message
- take into account their expectations through clear and transparent rules for dialogue, eg
  - purpose of the meeting with the contact group
  - modus operandi
  - negotiation points
  - methods to overcome difficulties and dead ends
- beware of ambiguities
- develop a critical approach to the fears expressed as well as to any proposed solution
- transparency means expressing things as they are
- all criticism must offer a proposal (no negative comments without a counter offer)
- feed a dynamic dialogue.
The suggestions here could be applied to communication on any subject.
However, communication about risk and the way it is mitigated has a very significant specificity: it must be most efficient in times of turbulence.
Therefore, it is essential to distinguish communication:
- under normal circumstances
- in a time of a crisis, or immediately thereafter.
Who do you communicate to?
The list below summarises the main groups who need to be informed about risks.
INSIDE THE ORGANISATION
- board of directors (beware of the specific needs of non executive or 'independent' board members)
  - evaluation of risk impact on stakeholders' trust
  - crisis management and strategic redeployment options
- members of the executive team
  - same as board members
  - evaluation of their performance by the board!
- unit and operational managers
  - exposures within their control
- floor managers and all staff members
  - personal safety issues
  - responsibility for individual risks
  - understanding of the extent of their risk management mission
OUTSIDE THE ORGANISATION
For external stakeholders, it will be a matter of providing answers to their fears and worries, while fulfilling their expectations. Who are they?
- economic partners (up and downstream)
- elected officials in local authorities
- central (federal) government representatives
- local associations and special interest groups
- media (press, television and radio)
- environment protection groups.
Jean-Paul Louisot is professor of risk management, Universite Paris, Tel: 33 (0)1 43 74 11 37, E-mail: JPLOUISOT@aol.com
GUIDE TO COMMUNICATING ABOUT RISKS WITH MAJOR TARGETS
BOARD OF DIRECTORS
When? Contact at all times, regular risk management report no less than quarterly
Who? The risk manager himself or his boss if he/she does not have access to the board
Content? Strategic exposures only and progress on cost of risk and risk mapping exercises. Non-executive members will be mostly interested in governance issues and long term resilience
Format? One or two page presentation with two or three slides to draw attention.
When? Annual report and occasional additional communications if needed
Who? The CEO prepared by the risk manager
Content? Major trends and strategic exposures and impact on the profit plus communication on pending claims - check local and international legal requirements. Special stress on resilience and continued growth. Include reputation issues
Format? Depending on the countries concerned, the format may be one to three pages in the annual report. Messages may be needed in case of major events in the interim.
Who? The risk manager, his team and correspondents in the business units
Content? Assistance through the implementation of the risk mapping exercise and risk control measures, specifically business continuity planning
Format? Notes, e-mail, internet and training
When? Contact at all times to create and maintain risk culture
Who? Risk management professionals relayed by 'risk owners' for reinforcement and human resources department
Content? Explanations about potential impact on work site, working conditions and own life, including job safety
Format? Internet, intranet, posters, training
When? Special emphasis at the initial stage of cooperation and follow-up through the contractual life
Who? Risk management team, purchase and procurement and communications department
Content? All shared exposures with the given partner, including resilience of relationship. Special attention given when consumer goods delivered to public
Format? Include in dealing with all stakeholders, specifically in communications.
When? Keep in touch at all times to ensure proper interaction in time of need
Who? Risk management professionals and compliance officer (when appropriate), PR personnel and local risk owners
Content? Special emphasis on public health and safety issues and sustainable development commitment
Format? Filing official compulsory forms and requirements and personal contacts with elected officials and civil servants.
When? Maintain regular contact
Who? PR personnel or executives with the assistance of risk management professionals and risk-owners
Content? Mostly health and safety issues but do not forget the financial press for shareholder interests
Format? Press releases and interviews depending on the nature of communication
When? Only when necessary if group interests are at stake
Who? PR personnel and/or executives with risk management professional support
Content? Stress exposures and risk control on areas of interest to the group
Format? Communication will include visits and discussion groups to get members' feedback and subjective perception of risks.
PUBLIC AT LARGE
When? Keep in touch at all times to reassure
Who? PR personnel and/or executives with professional risk management support
Content? Stress exposures and risk control in areas of interest to the public (health and safety, environment, etc)
Format? Communication will include visits and discussion groups to get members' feedback and subjective perception of risks, especially for 'high risk' units.