GRC Tuesdays: When it Comes to Risk Management, Ignorance Is Not Bliss!
I have been dealing with risk, compliance and audit projects for the better part of the last 15 years, but I must admit that I am still surprised when I am asked whether it’s better, for an organization and for an executive, to know or not know about critical risks.
Ignorantia Juris Non Excusat
For most people, this would be an absurd question, but trust me, I continue to hear it under the rationale that one can’t be reprimanded for not knowing that critical risks, for instance a regulatory breach, were taking place. This assumes that plausible deniability is somehow a good defense strategy when things go wrong…
When asked this, I always turn to the legal principle “Ignorantia juris non excusat” (Ignorance of the law is no excuse). Not that I speak Latin or am a legal expert, but I think this provides the exact answer that I want to convey. And because Latin always provides this sense of gravitas that you just don’t get anywhere else!
Acting like an ostrich with its head buried in the sand won’t help the organization thrive, and regulators, as well as customers, partners and other stakeholders, won’t accept this strategy. There’s the odd chance that a few risks will be narrowly missed, but consistently avoiding damages without steering the ship seems pretty unlikely to me.
Reward for Risk Transparency Comes from the Top
Going back to the original topic though, I usually then try to drill down to understand the root cause of the question, and I often find out that it’s out of fear. Fear that colleagues will have a negative perception of a manager whose department raises critical risks, fear that management will deem this a negative performance for the business unit, etc.
Unfortunately, this is where a software solution is not able to help. Indeed, attitude towards risks relates to the core risk culture of the organization. A company that rewards lack of transparency is one that navigates in troubled waters and that is in denial. The regulatory, competitive and overall business landscape is continuously evolving, and new risks arise. This is a fact. At the same time, these new risks can also be turned into opportunities, and risk-aware organizations capture the strong winds carried by these opportunities to get ahead of the competition.
Providing top management with precise information, and listing the actions that are being taken to avoid the threat ahead or to monitor it, can show the true value of an Enterprise Risk Management program and its positive impact in the decision-making process. Such transparency can then start instilling the right tone at the top. Only with such risk awareness and full information can organizations be successful in achieving their objectives.
As a result, don’t wonder what the life status of Schrödinger’s prodigal cat is: use technology to get real-time, instant updates on your most important risks. This way, should one of the indicators turn to red, you will at least have a chance to put in place a mitigation procedure to try and avoid incidents.
What about you? Does your company reward a risk-aware culture?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard