Learn a lot from Bottom-up Risk Management

We sat down with Jack Tatum, Riskonnect’s global evangelist, to talk strategic risk for a few minutes and especially about bottom-up risk management. Organizations of all sizes and types face daily risks that fall outside of the “insurable” risk space. We’ve been bombarded with headlines about rogue traders[1], failed mergers[2], and currency conversion implosions[3] for many years. And the headlines just keep coming.

You’ll remember news stories from just a few years ago about the reputational risk of an oil rig disaster[4]. Unheeded, long time contract employees complained about the potential for failure and reluctantly became whistle blowers. “What we learn from these stories is that strategic risk management is almost impossible in a top-down scheme,” said Jack.

“Those in the ivory tower of executive management just cannot be expected to understand all of the risks facing the ‘boots on the ground,’” he continued. “Strategic risk management must have a bottom-up component or, to quote Molly Hatchet, ‘You’re flirtin’ with disaster every day.’[5]”

Bottom-up risk management that is strategic requires collaboration tools that have not always existed, but do now. Imagine this scenario:

  1. Technology is put in place that continually polls the people closest to the front lines about risks they face in their particular function.
  2. Easy interfaces facilitate rapid updates of the details of these risks.
  3. Then, electronic conversations are started between the top-down risk experts and the bottom-up operational experts regarding things like likelihood, potential severity and possible controls/mitigations.
  4. Risk owners are assigned, plans are logged and connected to the risk, and both the owner and the plans are scheduled for periodic exercise and/or update.
  5. All of this activity is logged and organized in reports, dashboards, and heat maps that are available in real time to the board of directors.

Speaking of the board of directors, these non-insurable risks can sometimes spawn an insurable risk, as the board is keen to avoid D&O claims by shareholders.

[1] https://www.theguardian.com/business/from-the-archive-blog/2015/feb/24/nick-leeson-barings-bank-1995-20-archive
[2] http://fortune.com/2014/05/09/behind-the-failure-of-the-publicis-omnicom-merger/
[3] http://www.ft.com/cms/s/0/21b4f346-3818-11e4-b69d-00144feabdc0.html
[4] https://www.theguardian.com/business/2010/apr/27/bp-whistleblower-atlantis-rig
[5] https://www.youtube.com/watch?v=sFs8G0yOtfc