Have we gone a bit too far with our attempts to mitigate risk? Several people, I talk to work for or with organizations where this would be true. It seems many of these organizations have walked into the conundrum where, for example, they need to innovate fast to stay ahead of the competition or market needs and technological drivers, but their people don’t seem innovative.
It is near impossible to explore new territories without accepting that a certain element of risk will be involved and that one would inevitably make mistakes.
This makes it very difficult for leaders to continue to develop new strategies without input from those at more tactical and operational levels. That in itself could be a symptom of a system that has become risk focussed, rather than solution focussed, to the point where the organizational culture resembles avoidance behavior, often driven by fear of failure or fear of reprehension. This may manifest itself in organizations, groups, teams, and individuals as a lack of innovation. One of the key concerns I hear from industry leaders is that they need more people who are willing to be creative, who can innovate and who don’t mind taking a few risks. The trouble with that is when the rest of our systems, policies, procedures, laws, regulations, etc incentivize risk-averse behaviors through either punishing those who make mistakes or rewarding those who stay within the boundaries of the current business-as-usual norms. It is near impossible to explore new territories without accepting that a certain element of risk will be involved and that one would inevitably make mistakes. Very few risks are life-threatening or detrimental in any way, yet, the risk of not complying with a regulation (not necessarily hinged in a principle) could lead to severe penalties in terms of time, money, litigation, reworking, reputation and career limitations – as mentioned by many people I come into contact with.
Excessive risk averseness and policing naturally leads organizations, and potentially whole industry sectors, to direct and allocate their resources in the wrong or suboptimal parts of the organization. This could have adverse consequences or at times even detrimental consequences simply because the focus and resource allocation becomes very unbalanced, directed away from the main purpose and functions of the organization. One classic vivid and physical example of this kind of scenario comes to mind: when the SS Eastland Passenger Liner ship rolled over while still tied to the dock, killing more than 840 passengers and crew on 24 July 1915. Ironically, the main reason for this seems to point to a recent law change at the time. The law change required a minimum number of lifeboats on ships to mitigate the loss of life-based on the events that took place during the Titanic disaster three years earlier. For those who have watched the movie, you will remember that there were not enough lifeboats to save everybody on board the Titanic when it went down. You can read more about the SS Eastland case here.
Excessive management of potential risk based on secondary issues caused by the primary reason for the Titanic tragedy, ironically, did not manage to help save over 840 lives.
The problem was that the additional lifeboats made the SS Eastland even more top heavy and the consequence of that, added to the number of passengers congregating on the upper decks, was that it rolled onto its side. The SS Eastland was not designed to carry that additional weight at the upper levels, but that was the only place where the additional lifeboats could be installed. Within this tragedy, we can learn valuable lessons. One of them, for example, is taking note of the focus on ensuring that there were a sufficient number of lifeboats should the boat sink. This new regulation was based on events observed during another incident a couple of years before it, namely, the Titanic not having sufficient lifeboats to save all the passengers after it collided with an iceberg. Anyone will be able to empathize with the thinking behind this risk management regulatory decision and that it was a decision made in good conscience by people at the time to isolate, minimize and eliminate the presenting risk. Nevertheless, one would think that a better solution would be to focus more on reducing the probability of the root cause for the Titanic sinking in the first place. Excessive management of potential risk based on secondary issues caused by the primary reason for the Titanic tragedy, ironically, did not manage to help save over 840 lives. In other words, the additional lifeboats added unbalanced weight to the SS Eastland and contributed to the reason one would need lifeboats on a ship, yet it could not help to save the lives lost because of its implementation. The secondary risk mitigation strategy lead to the primary risk becoming a reality and could not help deal with the secondary risk it was supposed to mitigate.
Given the events surrounding the Titanic and SS Eastland, one could rightly ask whether the next set of risk regulations may now include three layers of risk mitigation management. For example, including also changing the shape of ships to accommodate a sufficient number of lifeboats in the case of a ship tipping over because of the weight distribution at the top. The concern with all of this is that we end up with a patchwork of regulations, policies, procedures, documentation and a culture of risk averseness blocking any form of innovation and exploration. It also introduces the risk of changing the shape (structure) of our organizations to a point where is not aligned with its core purpose. Could this approach to risk management – by trying to prevent very unique and isolated incidents from ever happening again in places where it would likely never have happened in the first place – cause an organization to roll over and sink, taking with it all the people employed by it?
In other words, are we doing what we should be doing in line with the organization’s purpose, or are we doing what we are doing for the sake of doing it to comply with regulations, systems, policies, and procedures that are not relevant to our organization’s purpose?
Managing risk is essential and that is not debatable, nor does this article attempt to downplay the importance of risk management, regulations, systems, policies, and procedures. However, and by way of an analogy, taking out every type of insurance policy for every little thing that could possibly go wrong might actually end up making you bankrupt because you are paying money as a fixed cost for things that might never happen, thereby depleting your cash flow. For some insurance related issues, one might rather set-up a savings account. Similarly, we could end up patching regulations together from government level all the way to individual department levels within organizations, and this in itself could leave us with unbalanced resource allocation and time spent on activities that keep us so busy that we do not focus on our core business activities, ending in disaster.
It is also surprising to see how often some of the regulations, policies, and procedures we all work with seem outdated and need revision to align better with new ways of doing things, new technologies, products, services, etc., and more so, to be underpinned by a principle and purpose instead of lists of tasks and requirements. It is surprising to see how often regulations, policies and procedures drive our businesses, rather than the business requirements influencing the regulations, policies, and procedures. This is a risky dichotomy to manage and lead, especially when managed and lead as a dichotomy where one of those elements is regarded more important than the other, i.e. the business purpose and functions vs. the regulations/policies/procedures.
It would seem wiser to facilitate overall improvement and protection by considering the business needs and purpose as well as the regulations, policies, and procedures underpinned by a purpose and set of principles.
In organizational change literature authors often refer to the legitimate system and shadow system. The legitimate system provides the safety in what we do as business as usual and that gives us an opportunity to take some risks and attempt new things, i.e. the shadow system. A shadow system operating on its own could be destructive and a legitimate system operating on its own could mean stagnation. One could also refer to the two systems as order and chaos.
Another often-unforeseen consequence of overly risk-averse organizations – focussing too much on mitigating risks through policies and procedures – is that people end up working extraordinarily hard, but producing little in terms of real-value output. This leads to low productivity ratios, and consequently (and ironically) putting more HR measures in place to ensure appropriate performance management to mitigate the risks around low productivity and low engagement. In other words, in trying to solve or prevent one problem, we put lifeboats in the wrong part of our ship, and eventually, it tips over, drowning our people in administrative and operational work, which does not contribute to anything other than a metric on a dashboard. Potentially an interesting metric, but not a need-to-have metric. Unfortunately, we do see that regulatory bodies often seem far removed from the reality of day-to-day operations and do not see how the regulations they put in place, as well as the processes surrounding it, impact on the financial and operational viability of organizations. This inevitably leads to secondary and tertiary issues simply because organizations and the people working for them try to cope as best as possible to meet the requirements in order to continue operating, yet, they spend extraordinary resources on activities, which do not directly relate to the purpose of the business.
Restrictive policy and procedure driven systems within constraining regulatory frameworks also minimizes challenge, the need for responsibility and accountability, as well as growth – it creates underachievers. For example, it can offer a scapegoat for not meeting a target, but being excused and commended for at least following the policies and procedures. When the stakes are high and outcomes are of cardinal importance, it would seem immoral and unethical to stick with policies and procedures, especially when those regulations, policies, and procedures were not developed with a moral and ethical dimension attached. If they were developed purely from a process, documentation and metric perspective it becomes a demotivator and simply renders any management interventions to help grow people reasonably pointless… the same reason why fish remain small in a small fish tank.
Taking the analogy further, growth can even be constrained in a large tank if we put too many ornamental rocks and plants (plastic, not producing oxygen) in it, the tank representing a large organisation and the ornaments representing unnecessary regulations, policies, and procedures – it may look good, but do no good. That is like pushing our people harder to win a race against our competitors, but expecting them to get to the finish line first while they are running on a treadmill to ensure that we measure their speed and that they stay in line, etc. In basic terms we sometimes need to stand back and look at our policies, procedures, and regulations, and whether they are fit for purpose, but more-so whether it actually helps to drive our business forward and facilitate growth, or whether it constrains us. On the other hand, if the purpose of the regulations are clear and relevant, people can work within and towards a purpose. People who work with purpose can set meaningful goals. People who set meaningful goals have an opportunity to accomplish something of significance. When people achieve something of significance, they have a sense of accomplishment and progress… and a sense of progress leads to better engagement.