You can’t always get what you want! But if you try (by better articulating the risk), sometimes you get what you need!
I am sure almost all of our ABM Risk Partnership subscribers have experienced the pain of asking for resources and being refused. In some cases, refused again, and again, and again. How many times over the years have you asked for funding, additional resources or enhanced systems and not been supported in your request? The list of reasons for the “no” has been long, but it essentially boils down to funding constraints and/or competing priorities. Unfortunately, these decisions can also reflect ego, where some managers are unable to support something not of their own making. As my risk management skills developed, I quickly learnt that there is a better way to approach these recommendations, one that is likely to get a very different level of consideration and a very different response.
Perhaps you are asking the wrong question. Perhaps the question should be: “If you are not prepared to accept the recommendation, are you prepared to accept this risk in its current form?” Clearly, it must be one or the other.
When the request is put into a risk context, it changes from an argument of “we want / we need” to a position of “to reduce the risk / enhance the effectiveness of our controls”. This requires more than a binary yes/no answer to the request: a “no” decision now requires that the risk, in its current form, be formally accepted as part of the decision-making process. This might not sound like much of a difference, but when management is required to put the decision into an accept / enhance risk context, their attitude often changes. It can be quite sobering to have to formally accept a risk, as opposed to simply making a stand-alone decision on the request.
A couple of examples show how this works in practice:
Example 1: The IT team at a large organisation identified cyber security weaknesses that presented an unacceptable risk to the organisation. Efforts to address the weaknesses through enhanced system controls were refused on financial grounds: “not in budget”. In this case, culture played a role, as Management did not agree that the exposure to the business warranted the expense. Whilst the risk was analysed, the level of analysis was at best superficial, reflecting the level of risk management maturity across the organisation as a whole. The request for control enhancements was made on numerous occasions and declined each time. At no time was the request put into a risk context in which Management was required to formally accept the risk in its current form, so the exposure was carried without ever being formally accepted.
Example 2: The staff at a dedicated high-risk medical facility recommended increased staffing levels to give them greater capacity to maintain service and security. The request was refused on the basis of funding limitations. It was made numerous times, each time with the same outcome. When facilitating a risk workshop with the team, the need to reduce the risk to staff was clearly identified, with increased resourcing flagged as an action that would increase control effectiveness and shift the risk to an acceptable Target Risk rating. Based upon the past experience of declined requests, the team challenged the proposed action as unachievable. The request was resubmitted based upon the Residual (Current) and Target risk ratings, noting that the risk should be formally acknowledged / accepted by management if the increased controls were not approved. The resources were approved.
In the first example, was management negligent in failing to adequately understand the risk? Did the refusal, made without formal review and acceptance of the risk, reflect negligence rather than poor judgement?
In the second example, the additional resources are still no guarantee that the risk will not eventuate; that is why we have preventive and mitigating controls. However, if it did eventuate, it would not be through the negligence of management in ignoring the facts. A risk-based decision was made.
Of course, once someone at the appropriate pay grade makes the decision to accept the risk, you must accept that decision and move on.
In my case, I learnt this much later in my professional life than I would have liked. What a difference it would have made!
From Risk comes Opportunity.
Brett Palmer, M Risk Mgmt, M Comm, B Bus, GAICD, FGIA
Partner, ABM Risk Partnership
Sydney, NSW 2000
M +61 438 435 545
abmrisk.com.au