Schrock on Risk and Audit

Charles Schrock's blog posts cover risk management and associated audit topics.

The essence of inherent risk

cdschrock Friday April 7, 2017

This is a very challenging question. You can find easy answers by searching the Internet. However, they are simplistic and I'm not sure they ring true at the most basic level.

Wikipedia wrote:
Inherent risk, in Risk management, is an assessed level of raw or untreated risk; that is, the natural level of risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of a mishap, or the amount of risk before the application of the risk reduction effects of controls.

This implies that all threats are completely unmitigated. There is a potential fallacy here - is it even possible for any threat to be entirely unmitigated? By simply being aware of a potential threat aren't we unconsciously taking steps to provide some level of mitigation? For example, we might take no active mitigation steps and blindly step out into traffic without looking in either direction. However, if we hear a horn suddenly arise very close by, we probably don't simply keep strolling through the traffic. Don't we automatically jump out of the traffic lane? So did we truly have "untreated risk" when we blindly stepped into traffic? There was a certain level of threat mitigation already in place. We know this because we jumped back to safety when the threat arose.

I suppose we could say that we can have untreated threats if we are totally ignorant of their very existence. But if that's true, then how can we possibly acknowledge, much less measure, the level of inherent risk within a plan or strategy?

I was initially accepting of the following example of inherent risk. Certain activities can expose the organization to potential regulatory fines if the organization fails to abide by all of the rules. I've seen these potential fines referred to as "inherent risk" when performing a risk analysis of that activity. I acknowledge that there is some comfort to this. But there is a problem here. First, calling this an inherent risk is a semantic error. Remember, risk is about uncertainty. We would be more correct in calling this an inherent threat. But now we are widely diverging from Wikipedia's definition. We could more reasonably call this an unmitigated threat (i.e., the threat of financial loss or reputational damage). Or, if you prefer, we could simply acknowledge these fines as the potential downside limit among the range of potential outcomes when we choose to engage in this regulated activity.

So we go back to the question of whether it is possible to have an unmitigated level of uncertainty. Perhaps it is possible, depending on how you choose to define and refine the terms.

My point is that I have never run across an instance where there is value in dealing with this thorny issue. When developing good risk-conscious strategies we need to simply be able to identify threats and, if appropriate, mitigate those threats. There is no practical value identifying a theoretical inherent risk starting point.

The four levels of Risk Management Integration

cdschrock Tuesday December 27, 2016

People waste a lot of time trying to define what is, and is not, good risk management. But reading someone else’s opinion seems largely irrelevant. Everyone views it through their own lens of experience.

Some view it through the lens of regulatory oversight. You know – ERM began when this law was passed. And it fundamentally changed when that regulation was implemented. Well, that’s true for some industries.

Others view it through the lens of their profession. ERM is all about managing investment risk. Or it’s all about eliminating financial reporting fraud. Or it’s about buying the right insurance. Or it’s primarily about environmental safety. Pick one.

I grant that these are all legitimate ways to look at risk when you’re operating at a low level of risk management integration. I argue, though, that it’s a waste of time to debate these issues at the top of the organization. These are discussions that should be addressed by subject matter experts further down — within the context of their specific needs and expertise. The top of the organization should not be trying to sort out the details of a good risk management design. They should be focused on moving up the maturity level for risk management skills and integration. Everything else will take care of itself.

The four levels of risk management integration.

I refer to the lowest level of integration as “Stakeholder Management.” At this level, the organization’s goal is not to manage risk, it’s managing stakeholder expectations. If the CEO says “Give me some kind of risk management to get those auditors off my back” you know you’re stuck in a Stakeholder Management scenario. It’s all about appeasing those damned regulators, or auditors, or outside directors, or bankers. No interest whatsoever in actually improving the organization’s ability to manage risk.

The next level up is “List Management.” Here the focus is on gathering a list of risks. Management wants to do something with risk management and lists seem to be a good place to start. Management may not be entirely sure how these lists are to be gathered, or why. The focus is on the list itself and the ability to share it with other stakeholders.

Another step up along the integration path is “Risk Management.” At this level management wants to recognize and take steps to lessen exposure to threats. There are often clear processes to handle operational risk, vendor risk, financial risk, environmental risk, etc. Ownership of certain risks may be assigned. They may have a risk appetite statement. Management has read the literature and is doing what the experts suggest.

The highest level of integration is “Opportunity Management.” I created this phrase and it has a very specific identity. It is not about looking for opportunities. It is not about the so-called "upside of risk". Instead, it's about taking advantage of opportunities and actually delivering results. With Opportunity Management, the organization recognizes that risk is synonymous with uncertainty. And uncertainty exists in every strategy and process. At this level, it is an integral part of the organization’s culture … every bit as integral as doing performance reviews or sending out a company news letter. Business line leaders are concerned about third party vendors because they represent a clear uncertainty relative to a strategy that they own and for which they are accountable … not because the Senior Risk Officer says so. Threats are identified, but it is all in the context of developing strategies and overseeing operations. People are focused on managing uncertainty so that the organization can deliver more predictable future results. Everyone is trained about the role that risk plays within the organization and how it impacts their individual responsibilities. Everyone understands why it’s critical to explicitly recognize key assumptions that they may not be able to control, and how those key assumptions could affect future performance. At this level of risk management integration, employees recognize these thought processes as a normal part of their high performance culture.

Focus on moving to a higher level of integration

At a board or executive level, the greatest benefit does not come from developing a risk appetite statement. Or reviewing a list of threats across the entire organization. These things come about as a natural outgrowth of simply moving up the maturity scale to a higher level of integration. But so do many other benefits. When an organization reaches the Opportunity Management level, everything simply falls into place. Threats are aligned with strategic assumptions. These assumptions are discussed and considered before a strategy is ever approved. Management monitors these key assumptions and knows exactly what to do when one turns from green to yellow to red. Management knows that its goal is not to reward past success. Its goal is to assure future success.

So if you’re in an executive leadership role, ask how your organization is moving toward Opportunity Management.

The essence of strategy management

cdschrock Monday January 19, 2015

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about strategies.

Strategies are the foundation of risk management. That’s right – strategies, not risks. All so-called risk management is (or at least should be) performed within the context of strategy management. We don’t manage risk for its own sake. We do it to help us develop and execute strategies. So let’s put a different spin on risk management.

First, people own objectives and associated strategies. By “strategies” I simply mean the processes that we use, or steps that we take, to accomplish the objective. People own strategies, not risks. See my prior post on risk ownership for more explanation.

Here is why it makes much more sense to focus on strategies. No organization is in business in order to “manage risk”. It is in business in order to accomplish something. In our personal lives, we don’t design our day around “managing risk”. Instead, we have goals – things we want to accomplish. We develop a plan (strategy) either intuitively or explicitly to accomplish our goal.

So where does risk come in? Risk is the variability in that strategy. It is the potential that this strategy may not lead to the results that we want. We manage risk for only one reason – to improve the odds that our strategy will deliver a favorable result.

Virtually any strategy has some set of potential risk events that could cause problems. Risk management is the process of understanding and addressing those potential risk events. There are two types:

  1. Controllable: Some risk events can be controlled if we choose to invest appropriate time, money, and energy. We can put additional procedures in place (internal controls), we can buy insurance, we can create and test prototypes, or any number of other potential options. These are all ways that we can prevent potential risk events from derailing our strategy by investing additional time, money, or energy. Now it becomes a strategy decision – do we want to strengthen our strategy by investing the time, money, and energy to make it a bit more predictable?
  2. Uncontrollable: Some risk events we cannot control. The economy could falter. New unforeseen regulations could be harmful. Weather patterns could change, impacting company logistics. One way to address this is by thinking of these as “strategic assumptions”. Simply put, what assumptions are we making as a foundation for this strategy? What operational, financial, legal, compliance, etc. assumptions are we making? Although we may not be able to control these assumptions, we can typically monitor their potential existence. We can set up a Key Risk Indicator that monitors the economy. If the economy declines, it turns our “KRI” from green to yellow to red. Now we know that we need to revisit any and all strategies that were based on those economic assumptions. Simply put, those assumptions are no longer valid so the strategy is no longer optimal.

The essence of strategy management is to recognize it as the focus of risk management. Strategy management is the sole reason that we spend any time or energy focusing on risks. Keep “risk management” in that perspective.

The essence of risk ownership

cdschrock Wednesday September 24, 2014

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk ownership.

Many organizations try to implement risk management in a way that includes the idea that individuals own risks. Examples that I’ve seen include the CFO owning “Financial Statement Reporting Risk” or the Chief Counsel owning “Compliance Risk”.

This concept of risk ownership is based a weak foundation. People really don’t understand what it means to “own” a risk.

When you say that someone owns a risk, you’re really implying that the person owns an objective. The CFO owns the objective of issuing financial statements according to professional standards. The Chief Counsel owns the objective of reasonably complying with laws and regulations. From a purely psychological sense, most people are more comfortable with the concept of owning an objective rather than owning a risk. We know how to own and embrace an objective.

Another problem with the concept of risk ownership is that real risks, rather than broad generalities, are often obviously outside the control of an individual. That’s what makes them “risks”.

For example, if an organization is planning on expanding into a new service line the strategy may depend on hiring experienced staff – a reasonable assumption. The clear risk is that it may not be possible to hire enough experienced people with a required skill set. How does the concept of “ownership” fit in here? Someone owns the objective of expanding into the new service line. That person also owns the strategy that will attempt to deliver that goal by hiring experienced staff. The risk that there might not be experienced staff to hire is simply an inherent part of the strategy; it is one of the things that can go wrong with this strategy. If the risk materializes, the strategy may need to be revisited and modified to incorporate the new, more complete, set of facts.

Here’s another illustration. Using the prior example, another risk might be that the economy will decline over the next 2 years. That would clearly impact the strategy associated with moving into the new product line. But, this same risk would also impact other strategies – perhaps dozens of other strategies. It might impact a plant expansion strategy. It might impact a compensation strategy. So – who would “own” the risk of an economic decline?

Risks are the things that you are not controlling within your strategy. Don’t waste your time identifying (and often negotiating) ownership of broad, general risk categories. In the end, it’s simply not actionable. Instead, spend that effort identifying which strategies are dependent upon outside factors that either you cannot, or choose not to, control – like the ability to hire experienced staff or a continuing improvement in economic conditions. Then, put a system in place to to alert you when those uncontrolled risks are taking a turn for the worse. This allows you to quickly attend to the strategies that need to be revisited and reconsidered.

The essence of risk ownership is that no one can own a risk. People can own objectives and strategies.

The essence of key risk indicators

cdschrock Saturday August 16, 2014

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about key risk indicators.

There are two common types of metrics that management might use. One is the key risk indicator (KRI) and the other is the key performance indicator (KPI).

Key performance indicators are intended to establish performance goals and then help management focus on those processes that are not delivering desired results. As an example, management might establish a KPI to limit waste materials to <.31% in a particular phase of production. Then, actual waste is periodically measured and compared to this goal. If actual measurements consistently fail to meet the KPI, then the process should be reviewed and corrected. It is intended to be a historical measurement.

Key risk indicators, on the other hand, are intended to warn management if risk levels are increasing. COSO published a thought leadership paper in 2010 on key risk indicators. It’s a pretty good document and I recommend it.

What I want to address here is how to actually put this concept into use. A challenge that I’ve run into is that management is not naturally attuned to focus on risk events. When asked to come up with a list of risk events that might impact some activity, management often responds with “Well, um, I suppose that (this or that) could happen.” You need to identify these risk events in order to then identify leading indicators (KRI) that might give advance warning of the risk event. The problem is that you’re asking management to poke holes in their own strategies. That’s not something that anyone readily wants to do.

Instead, consider asking management about the key assumptions (rather than the potential risk events) in their strategy. I have had great success here. Management is usually much more able to talk about these assumptions. Given a few minutes of thought, they might identify assumptions like the ability to hire adequate staff for the new production facility or the general growth in consumer demand. Further, it is easy to get management to agree that these assumptions, while valid and reasonable at the moment, could decline or fail to materialize over time. We can’t be 100% sure. That’s the nature of assumptions – they are often outside of our immediate control. Management can relate to this concept.

So we turn these assumptions into KRI. We track these assumptions over time. If any significant assumption declines or fails to materialize then any strategy that relied on this assumption should be reevaluated. Management is, in essence, receiving advanced warning that the risk level (the unpredictability) of that particular strategy is increasing because the assumptions on which the strategy is based are no longer valid.

Focusing on key assumptions is attractive because management can relate to it. It’s also very transparent. The assumptions can be discussed and agreed-upon in advance of the strategy’s execution. If the external assumptions fail to materialize it’s no one’s fault – everyone had already agreed that the assumptions had been valid at the time. There is no incentive to hide the problem. Just go back and adjust the strategy to take advantage of knowledge that simply didn’t exist before. And establish newly revised assumptions that you will once again monitor.

The essence is that key risk indicators are most easily understood when tied to strategic assumptions. Keep it simple and link this concept to strategy setting in a way that is transparent and non-threatening.

The essence of risk and opportunities

cdschrock Saturday August 9, 2014

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk and opportunities.

I often hear that risk management should help an organization find opportunities as much as control potential problems. COSO says that part of risk management is the identification of events which could have a positive impact, a negative impact, or both. This concept does not work for me on multiple levels. In a future post I’ll write more about the idea of event identification. In this post I want to address a more practical strategic problem with this approach.

One of the toughest hurdles in risk management is explaining it in a way that makes it relevant to executive management. You need their support. The more that you ask executive leadership to accept concepts that are not intuitive to them, the tougher the sell. I normally describe risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable. This usually resonates well with executive leadership. It fits their existing notion of risk management. When you start talking about risk management also being a source of strategic opportunities, I’ve found that executives start looking at you with a skeptical eye. It sounds like a salesman promising benefits that everyone knows he can’t deliver. I recommend staying away from this approach. There are other executives who are paid to identify and exploit opportunities. Maybe later you can help, but for now stay off their turf.

The essence is that linking a risk management function with the identification of strategic opportunities is a tough sell. It is hard enough to get executive management excited about risk management at its most easily understood and intuitive level. Don’t confuse the basic message with unproven claims that your executive team may find counter-intuitive.

The essence of risk and reward

cdschrock Saturday August 2, 2014

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about operational risk and reward.

It’s a common understanding that you need to take on more risk in order to get greater rewards. The common context for this risk/reward tradeoff is when you’re managing a financial portfolio of investments. Highly conservative investments tend to deliver lower returns over the long run when compared to those investments that might have more risk. However, risk/reward also applies in other ways. It impacts how you manage your organization and deliver operational results.

Imagine a common operational scenario. You’re assigned a goal and you need to develop an appropriate strategy to deliver that goal. If you choose a conservative strategy you’ll get highly predictable results. It’s tried-and-true. If your assigned goal falls into the predictable results that your conservative strategy will deliver, by all means use that conservative strategy and pat yourself on the back for being eminently practical.

Conversely, if you’re handed a stretch goal then that tried-and-true strategy will not deliver it. In that situation, you need a new or revised strategy that has, at least, the potential to deliver the desired results because the conservative strategy absolutely has no chance. You must select a strategy that takes on some uncertainty; you must take on more risk. To be clear – simply taking on more risk does not in any way imply that you will automatically get greater rewards. It only means greater uncertainty. But without that uncertainty you may stand no chance of delivering desired results.

The essence is that risk and reward are definitely related. Conservative strategies deliver predictable results. If you need to provide more aggressive results, you need a less conservative strategy that has the potential to deliver those results.

The essence of risk appetite

cdschrock Saturday July 26, 2014

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk appetite. It probably is the most misunderstood foundational concept of risk management. This term comes from COSO’s 2004 ERM framework. They describe it as ‘the amount of risk, on a broad level, an organization is willing to accept in pursuit of value.’ I’m not sure how they really intended its use, but it was widely interpreted as requiring some single and specific board-level analytical component (amount of risk) that would guide management in developing strategies and activities. Many envisioned the board defining how big of a bucket of risk would be allowed. As long as the actual risk wasn’t overflowing the bucket, then everything was operating at an acceptable risk level.

The problem was that it’s impossible to come up with a single number that could represent the maximum risk that an organization is willing to take on. How can an organizationally analytically measure different types of risks and then aggregate them in some meaningful way in order to compare to an established level? It is not illogical, it is simply not practical.

I believe that COSO knew that this was a weak point in their framework. They came out with an explanatory document in 2012 called “Understanding and Communicating Risk Appetite”. This does a better job of explaining many concepts, but it’s still not very actionable.

Risk is unpredictability. In some cases, you are willing to allow unpredictable results. In other cases you are not. For instance, your culture may say that you’re willing to take on risk for product development. But you’re not willing to take on risk for product quality. How do you address the total risk in the organization and incorporate these two very different risk requirements? You can’t establish, much less aggregate across disparate objectives, a single number to indicate how much risk currently exists across the organization. Don’t bother – it’s a meaningless distraction.

Here’s a better idea. Think of risk appetite as a conversation about the extent that management is willing to accept unpredictable results for each specific type of strategy. If you’re discussing management’s attitude about product development, assure that everyone understands that some risk is allowed. If you can define a number within that context, go ahead. These would be Key Performance Indicators (KPI) for product development. These KPI would, if defined correctly, encourage an appropriate level of risk-taking.

On the other hand, if you’re talking about management’s attitude toward product quality, assure that everyone understands that little or no risk is allowed. Predictable results are required and strategies must assure that this predictability is achieved. Once again, KPIs can help describe expected results. In this case, these KPIs would emphasize predictable product quality.

The essence is that a single risk appetite number, at the board level, provides little or no actionable guidance. Don’t bother. Focus instead on conversations within the context of specific objectives. Where are people expected to experiment and sometimes fail … and where are they not allowed to fail?

The essence of a risk management framework

cdschrock Saturday July 19, 2014

In an earlier post I described risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable.

A risk management framework is a systematic way of approaching those activities. I see four main parts to an effective risk management framework:

  1. A common language. It’s important to share ideas, not just words. The words must mean the same thing to everything otherwise you’re sharing the words but not the underlying concepts. For example, when you use the word “risk” what do you mean? Are you referring to the concept of uncertainty or does your organization prefer to speak solely about specific risk events?
  2. A primary focus. A good framework can be adapted for a number of purposes, but it typically exists for one primary reason. My personal experience tells me that the highest and best purpose for a risk management framework is to help an organization achieve its goals in a more predictable manner. There are certain attributes of any good framework (see below) that will make it adaptable for a variety of purposes – but every framework must target a specific benefit. For me it’s the achievement of organizational goals.
  3. Abstraction. In order to make a risk management framework broadly applicable you need rules that describe which ideas are fundamentally similar and which are not. For example, your organization may traditionally use the term “strategy” and “process” in different ways. However, for purposes of a risk framework it may be valuable to abstract these and treat them the same because they both describe the action that will be taken to accomplish some goal. In the case of “strategy”, it may be primarily a high level plan that mostly consists of delegating to others. In the case of “process” it may be a specific activity that a single person will perform. But from an abstract view, they both represent how you will achieve a goal.
  4. Breadth and depth. A framework needs to be a road map. It should be sufficiently broad that the big picture is easily seen. But it also needs to be supported by sufficient depth and insight so that it can help us understand and take action in a detailed, complex, and often confusing real world. For example, it’s not good enough for a framework to simply define a term like “risk tolerance”. It also needs to sufficiently describe how this concept provides value in the real world to a CFO, a regional sales manager, or a production supervisor.

As I continue with these ‘essence of risk management’ posts I will share the components of a practical risk management framework. These future posts will include my recommendations for common language, abstraction, and depth in order to help everyone use this practical management tool.

The essence of risk management

cdschrock Sunday July 13, 2014

This is the first in a series of posts that attempt to get to the essence of risk management. I’ll touch on various topics as they occur to me. Some of these posts will be on broader topics like this one. Others will be on very specific points that help you implement these concepts. As time goes on I hope to amass a series of short thought-pieces that help bring together a rather complicated subject.

The key word, of course, is “risk”. Risk is a synonym for uncertainty. It’s unpredictability. Risk is the uncertainty of whether you’ll safely cross a busy street. Risk is the uncertainty of your body’s reaction to medication. Risk is the uncertainty of investing your money and getting the hoped-for return. Risk is the uncertainty of a strategic initiative delivering the expected results. Risk is the uncertainty of your town’s first responders arriving at a fire in time to prevent a catastrophe. Risk is the uncertainty of your sports team winning today.

This topic – the first one – is on risk management in general. Let’s start with the big question. What is risk management?

To answer that question, I will first avoid recapping all of the authoritative descriptions. Many of the definitions and explanations lead to over-complication. I prefer to keep it simple. As a business person, my point of reference is always centered around organizational results. In that context, risk management is very simple. It is the group of organizational activities that try to improve results by making the unpredictable a little more predictable. It’s that simple.

Managing risk is simply taking steps to make each goal a little more certain. Whether it’s crossing a busy street, taking medication, or any of the other examples mentioned above – risk management consists those activities that eliminate uncertainty to help you get what you want and avoid what you don’t want.

With this understanding of risk at its simplest and most fundamental level, I will explore the essence of specific parts of risk management in future posts.

Continuous auditing - is it really auditing?

cdschrock Friday February 14, 2014

Thomson Reuters’ magazine “Internal Auditing” has an article in their current January/February edition called “The Value-Added Significance of Continuous Auditing”. This is my rant because I continue to chafe at the concept of continuous auditing.

Let me preface this by saying that I am not an expert on continuous auditing. Quite the opposite. I’ve been reading about it for years but have never found its basic premise to be sufficiently compelling to encourage me to develop any expertise.

Now, on its face, there is clear logic for reviewing controls more frequently than less frequently. But every time I imagine which controls I could actually review by continuous auditing, I stumble. I first image detailed reviews of “exception conditions” that might be highlighted through automation. But in my book, that’s the role of management, not internal audit. Maybe it’s just semantics, but I can’t really conceive of anything that I would audit on a continuous basis. I go back to the assertion that continuous monitoring of a process is management’s role, not audit’s.

Audit’s role, in my view, is to stand apart from the process. To second-guess. To avoid getting caught up in execution of individual transactions and focus on the big picture – asking questions like “What is this function trying to accomplish? What are the risks? How is management monitoring and mitigating those risks? Is management’s monitoring process sufficient, efficient and effective?

The article that I mentioned at the top of this post asserts a difference between continuous monitoring and continuous auditing. I can accept their assertion that management is responsible for continuous monitoring. But their further implication is that continuous auditing is similar to a quality control function by assuring that management’s continuous monitoring is taking place. I don’t think that this definition of continuous auditing is a universal concept. I don’t feel that my profession and my experience is in any way aligned with quality control monitoring. It seems that this view simply doesn’t align with the words “continuous auditing”.

So I’m back to my starting point. Continuous auditing is so fuzzy that it is, to me, unusable – yet it keeps getting discussed in the literature as a critical leap forward for internal audit.

What am I missing?

A practical approach to reputation risk

cdschrock Wednesday October 16, 2013

Every organization has some desirable public image. Does it want to be perceived as environmentally sound? Family friendly? Political activist? A ‘high roller’? Cutting edge? Traditional? Or, perhaps it simply wants anonymity in the public eye. Reputation risk results from strategies or actions that conflict with the desired public image.

Rather than wait for reputation risk issues to arise, it is important to be proactive. Let’s take a step back. Organizations are constantly developing strategies at all levels. Whenever someone is assigned a new task or objective, a strategy needs to be developed to accomplish it. The process of selecting or creating a new strategy can include the evaluation of whether that strategy is consistent with the organization’s public image.

In risk management, I use the term “risk attitude” to describe which strategies management would, or would not, feel comfortable with. A “low risk” attitude indicates that management expects assurance that the proper results will be achieved. A “high risk” attitude indicates that management is willing to take its chances and would be comfortable with a strategy that might deliver results ranging anywhere from wild success to total failure. Neither is necessarily good or bad and can vary not only from one objective to the next, but also with different components of a single objective. It’s possible, for instance, to develop a desirable strategy that is high risk in some areas (e.g. financial returns) while low risk in others (e.g. worker safety). But nearly every organization wants very low risk when it comes to protecting its public image. If that’s the case, then it’s reasonable to have a specific question that needs to be answered as part of every new strategy — is it consistent with our public image?

Of course, this assumes one very critical component. The organization needs to define and be able to describe its preferred public image. If that’s not the case, then reputation risk is increased simply because it may be unclear what to embrace or avoid during strategy development. If employees don’t know that the organization is cultivating a worker-friendly image, then a cost reduction initiative may include a strategy that includes massive worker layoffs.

That’s the first part — making sure that the organization understands how to develop appropriate strategies that will, at least initially, be consistent with your public image.

There is another part. An organization needs to be generally perceived as trustworthy and competent. For example, while an organization may not be explicitly cultivating a public reputation for good customer service, excessively poor customer service will still create a public image problem. The same would be true for any normal business activity if it is executed poorly to the level where the public perceives the organization as being incompetent. Even something as mundane as an inability to pay its bills accurately could grow to the extent that it creates a public perception of incompetence.

To avoid this, an organization also needs a general performance and risk management environment where expected performance levels are defined. Performance levels that don’t meet reasonable expectations need to be elevated to management long before such “incompetence” becomes a subject of public discussion.

Please share some stories about how your organization is addressing reputation risk.