GRC Tuesdays: Stop Shooting the Messenger!
“Shooting the messenger”: this is how many of the risk managers I have spoken with over the years feel about presenting risk information to executives. It is also the title of a Harvard University study that I think provides some food for thought on how risk managers can shift this feeling and be seen more as Iris from Greek mythology than as Cassandra.
You may recall that Cassandra was given the gift of true prophecy by Apollo but, when she rejected his advances, was cursed never to be believed. Iris, on the other hand, is the messenger of the gods and travels on the rainbow. A much more enviable situation!
Being a Cassandra is not only a frustrating situation, but more importantly, one that prevents any risk manager from performing their tasks efficiently.
By leveraging various risk assessment methods, including stochastic approaches, some risk managers try to reduce this perception, but some are unfortunately still not able to achieve this objective.
This is where the Harvard University study I mentioned above, Shooting the messenger, comes into play and could provide insights on how to address this issue and its unwanted associated impacts.
The results of this study, based on 11 experiments, show that participants deem innocent bearers of bad news “unlikeable”. The study further shows that “recipients of bad news tend to believe their messengers have malevolent motives – a tendency [the authors] link to messenger dislike”, and it gets worse, since “[bearers of bad news] are deemed less competent than bearers of good news”.
The study concludes that this results in a “triple whammy for those delivering and receiving bad news. First, those given the difficult but important task of breaking bad news are deemed unlikeable, a stressor unto itself. Second, recipients must grapple with a new and undesired state of the world. Third, because people loath to accept advice from those they dislike, recipients may be disinclined to recognize messengers as a resource. Especially when the messenger is integral to the solution”.
Bringing this back to risk management and to the critical threats that could significantly endanger the achievement of the company’s objectives, it could mean that:
- Recipients might not fully “believe” the information reported on risk exposure => as a result, critical risks could be underestimated and decision making hindered;
- Recipients might discredit the suggested risk mitigation strategy => the critical risks would then not get the right level of coverage;
- Recipients might “dislike” the risk manager => although not business critical per se, being the bearer of bad news (here, reporting on critical risks) is already not easy, and this negative feeling could add to the mental burden and might demotivate the risk manager. Finally, since there are studies showing that “likability” is one of the factors contributing to professional promotion, this could have a direct impact on the risk manager’s own career path.
Since I don’t really want to be the bearer of bad news in this blog, I thought I would try to add my suggestions on how to counter and turn things around.
1. Explaining the motives for risk management
One of the more positive findings of the Harvard University report is that “dislike of bad news messengers is mitigated when recipients are aware of the benevolence of the messenger’s motives”. So there’s some hope here!
To be able to explain their motives, I think risk managers can leverage the risk management policy that should have been established to drive the end-to-end process. And here, why not communicate this policy to every employee even if they are not directly involved in the risk process for now? This would not only establish the motivation for having such a process, but also would help shape the company’s risk management culture. And when risk culture is infused within the organization, the role of risk managers is perfectly understood and so are their motives.
Just to illustrate, I have pasted below the section from the SAP 2019 Integrated Report that details this topic:
2. Proposing solutions to mitigate critical risks
We’ve all heard the ever famous “Don’t bring me problems, bring me solutions” from executives. And yes, we all prefer to be guided to the light at the end of the tunnel rather than shown the proverbial tunnel.
Since the role of risk management is also to orchestrate the mitigation of critical risks, when reporting on risks, risk managers should make sure to include the suggested mitigations and the expected outcomes.
It then becomes less a discussion on the potentially daunting exposure itself but more of a business decision on the required investment level to achieve the optimum mitigation.
3. Including opportunities
Finally, and to me the most powerful tool available within the risk management toolbox: showing both sides of the coin.
As per ISO 31000:2018, risk is the “effect of uncertainty on objectives” and this effect is “a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats”.
Unfortunately, most risk reporting that I have seen focuses on the negative aspects only. And of course, I do understand why: this is often what is asked of risk managers.
Nevertheless, I do think it’s in the hands of risk managers to propose that opportunities be included in their reporting alongside the threats. Maybe not all opportunities, but ones most important for the sustainable future of the company.
And, as for risks, risk managers would be able to propose adequate actions – the enhancement plans – designed to increase the chances of success of the opportunities.
Perception doesn’t change overnight though, so this will be a process for sure.
Nevertheless, I personally believe that these steps could enable risk managers to transition from being the bearer of bad news to heralds instead, and as a result, this should enable the message to come across untainted by personal judgement, as well as protect the risk manager’s own career options and aspirations!
What about you: are you, or have you been, considered the bearer of bad news? If so, how do you counter this perception? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.
As the old saying goes, "Never let a good crisis go to waste!" In other words, a savvy CISO who isn't getting funding to bolster IT security for the company will know how to turn a successful hack into an opportunity.
I have also learned that with #3, polished presentation skills are a bonus. When I was brought on to my company 10+ years ago, I was tasked with presenting to the CIO our current DR readiness. Two things: the company's state of DR readiness was non-existent and the CIO was unaware. And I was unaware that the CIO was unaware. Needless to say, the presentation did not go well for anyone. Lesson learned: I should have been more prepared and presented better.