All too often it’s one of those exercises that leaders have to go through. The FD presents the risk register to the top team or to the board, people nod wisely, publicly recognising its importance; they talk a bit about whether one risk needs to be rephrased or moved up or down the register and then get on to other business.
I found as a CEO or chair that we had the most meaningful conversations (and by meaningful I mean that we either left confident we really were doing enough or we made plans to do something more) when we looked only at the front page of the register and talked about the overlap between the top few risks listed and what people were really concerned about. That was often productive and stimulated action: doubly valuable if replicated down through the organisation.
With any risk that you recognise, you can act to reduce the likelihood of it happening and you can prepare so that its impact is minimised if it should happen. This is part and parcel of good management that most of us do almost without thinking. It can and does make a real difference. But what about the risks that you and your most senior colleagues don’t recognise? These may be external but will often be where weaknesses in the management chain mean you don’t know what you don’t know. The greater the management hierarchy, the greater the risk, as this isn’t something that only directors need to consider. Perhaps we need more creative forms of dialogue where, long before it gets to formal whistleblowing, we are regularly asking staff and the people we work with what their concerns or insights are, and doing this outside of as well as through the management chain.
And then there is the response when a risk does materialise. As Mike Tyson said, everyone has a plan till they get smacked in the mouth! In 2017/18 I knew that Oxfam needed to improve our safeguarding staffing and practice. It was work in progress. I also knew that a newspaper was planning to write a story about historic events. We had ourselves gone public on the events in 2011 and felt we had handled them appropriately. I had no idea how the two elements of past and present would come together and create a storm that challenged the very future of the organisation. It certainly wouldn’t have been on the front page of our risk register. With hindsight there were of course things we should have done differently.
Through this experience, and indeed many more less spectacular ones, some successfully averted, some managed, I’ve learnt hard lessons about leadership, planning, transparency, resourcing and media relations. It’s these I’ll seek to share at the CFG's Risk Conference in December.