posted 2 Sep 2002 in Volume 6 Issue 1
Your Say: Managing knowledge to manage risk
Recent events have pushed risk management up the boardroom agenda, yet many organisations fail to recognise the importance of establishing the discipline as an enterprise-wide activity. Simon Lelic talks to representatives from Alarm, British Airways, California State University, Entovation, Glasgow Caledonian University and KMCI, and discusses how knowledge management can help an organisation maximise the impact of its risk-based strategy.
Organisational risk is a diverse concept, incorporating all manner of threats and, indeed, opportunities. The publication in 1999 of the Turnbull Report, which offered guidelines on corporate governance (see separate textbox), together with the fallout from more recent events (11 September, Enron, WorldCom, Andersen – the list goes on), have, if nothing else, served as a wake-up call to businesses right across geographical and industrial sectors. As John Dombrick, senior manager, Business Continuity and Emergency Planning, at British Airways, says, “There is nothing like a few spectacular failures to focus the minds of those who previously believed it would never happen to them.” Risk management is a discipline organisations can no longer afford to ignore. And if companies are serious about both mitigating the effects of the threats their operations encounter and seizing the opportunities that come their way, knowledge management in turn must sit right at the heart of their risk management strategy.
Sheila Boyce, chief executive of Alarm, the national forum for risk management in the public sector, defines risk management as, “The identification and treatment of risks that threaten the achievement of an organisation’s objectives and thereby its future success.” Or, put even more simply by Debra Amidon, founder and CEO of Entovation, it is the practice of maximising positive results while minimising negative ones. In order to achieve this goal, it follows that organisations must be able to identify the numerous forms risk can take (see ‘Risk and the learning organisation’ on page 14), quantify their potential impact and develop the means to control or respond to those threats. In fact, as Lynn Drennan, head of the Division of Risk at Glasgow Caledonian University, points out, it could be argued that risk management is nothing more or less than good management, which perhaps compounds her surprise and frustration that so many organisations continue to fail to seriously address the topic.
As Amidon suggests, risk management is integrally linked to business strategy and the innovation process that enables ideas to get to market efficiently, effectively and competitively, hence its continuous importance in a corporate context. “Risk taking has always been essential to the innovation process,” she says. Risk is also at the centre of any form of decision making. As Joseph Firestone, co-CEO of KMCI and CKO of Executive Information Systems, puts it, “To moderate the risks we take in decision making is to lower the expected loss and, other things being equal, to increase the ratio of expected benefits to expected costs. To do this is to increase the prospects that the enterprise will successfully adapt to its changing environment and, if the case can be made for better prospects, to increase its market value.” Without the means for thinking about extreme external risks and intelligent internal responses, adds Robert Smith, professor emeritus, Strategic Management, at California State University, managers are just the pawns of those competitors that are able to utilise a knowledge-based risk framework.
Yet despite the obvious importance of risk management to profitable organisational activity, it is only following the tumultuous events of the last 12 months that disciplines such as business continuity planning, disaster recovery and reputational risk have started to receive the attention they warrant. Finally, though, any last vestiges of corporate complacency seem to be fading. “The events of 11 September have brought home the reality of terrorism and their own vulnerability to many who previously perceived terror-related risk as only ‘theoretical’,” says Firestone. “As a result, the whole field of risk management is getting a second look as possibly providing concepts, tools, techniques and models that may be relevant for countering terrorist threats.” For similar reasons the area of business continuity planning is also generating renewed interest, while myriad accounting scandals have highlighted the importance of having contingency plans in place to deal with the potentially disastrous impact of corporate malpractice and the resultant danger to companies’ reputations (see ‘Dealing with reputational risk’ on page 23).
Nevertheless, the responsibility for managing risk remains in the hands of the isolated few in the majority of commercial enterprises. As Drennan says, for many organisations risk management is piecemeal, unco-ordinated and focused exclusively at an operational level. “There is a belief that the risk manager can do it all, while in reality their role is to facilitate and co-ordinate activity,” adds Boyce. In Drennan’s opinion, this is far from the ideal situation. The responsibility for managing risk, she argues, should lie with every employee and board member of an organisation, with the CEO being ultimately responsible for every aspect of the management of risk throughout their company. Amidon agrees, emphasising the need to make such core principles and standards of operation more explicit. “In the end,” she says, “it is a matter of practising what we preach, walking the talk and being the role model for desired behaviour enterprise-wide.”
Knowledge management can go a long way to helping businesses achieve this ideal, where workers at every level are actively involved with minimising an organisation’s exposure to adverse risk. “Since risk management is primarily about using previous knowledge and producing and integrating new knowledge – whose quality is affected by the quality of knowledge management – you can see that risk management is dependent on knowledge management,” says Firestone. Moreover, he continues, KM can contribute to more effective risk management by enhancing knowledge processes so that more widespread participation in knowledge production exists and more effective knowledge integration results in greater availability of knowledge for use in business processes. Good data collection, analysis and dissemination are also essential to involving the entire company in risk management, adds Drennan, as are awareness-raising training sessions.
Perhaps most important of all in this process, though, is the establishment of an open, knowledge-sharing culture. “This is absolutely vital,” says Dombrick. “It is only with such knowledge sharing that the impacts of risks that originate in one area can be known about in other areas that are impacted, before it is too late.” The difficulty, however, as Amidon points out, is that we remain steeped in the traditions of competitive strategy, as individuals, teams, enterprises and entire nations. The creation of a truly collaborative culture is consequently an extremely challenging task. As ever, the role of senior management here is crucial. “Regardless of how much study and analysis is done on tools, technologies, systems and knowledge, if the workers and managers have low trust and confidence in the CEO, risk prevention will never be successful,” says Smith. “Unless people are confident in upper management’s credibility and trustworthiness, then little can be accomplished under fear, uncertainty and doubt about top management’s goals and motives.”
Those organisations that have developed effective, KM-based processes and ways of working are also less likely to be exposed to risk in the first place. As Amidon says, risk management is primarily a function of the inherent behaviours practised by the people that make up a business, and it is the knowledge that these people create, use and transfer that leads to the provision of given products or services. It therefore follows that the more effectively the organisation manages this knowledge – its most precious asset – the greater the chance that business results will be favourable (ie, that adversity is minimised and opportunities capitalised upon). Indeed, as Drennan puts it: “The old cliché that ‘knowledge is power’ applies here. Only with good knowledge management will an organisation, and its employees, have the quality of information that it requires for effective decision making.”
There seems little doubt that the association between KM and risk management will continue to grow, particularly as a deeper understanding of how modern organisations function develops. And as Drennan says, increasing external pressure – from stakeholders and from governmental agencies – on businesses to manage resources efficiently and to act to protect assets and shareholder value is likely to further underline this relationship. Ultimately, both disciplines have at their roots the values and processes that form the fundamentals of sound managerial practice, and while it may only have been the shock of recent events that has prompted companies to action, the progress such firms have made in recent months will amount to little if both KM and risk management are not, in the future, instilled in everyday operations.
Risk management and corporate governance
The Turnbull Report, Internal Control: Guidance for Directors on the Combined Code, was published under the guidance of Sir Nigel Turnbull in 1999. The report stated: “A company’s system of internal control has a key role in the management of risks that are significant to the fulfilment of its business objectives.” Its main recommendation was that corporate governance be embedded within a firm’s operations and not treated as a distinct exercise, in order that firms are able to respond to both internal and external risks. The guidance also encouraged boards of directors, especially those of listed companies, to regularly report on the effectiveness of their internal control processes.
Both the Turnbull Report and recent events have pushed corporate governance and risk management up the boardroom agenda. Following the atrocities of 11 September, firms were taught invaluable lessons about the importance of not only having a business continuity plan in the first place, but also of frequently testing it. The fallout resulting from the scandals of Enron, WorldCom et al has further highlighted the need for effective corporate governance.
The bottom line is that firms should not only take risk management seriously, but should consider risk-related initiatives as ongoing projects, which must transform and mature as the company does.
Anna Scott, editor, Risk Transfer magazine