The management of risk in a comprehensive manner has emerged in recent years as an essential aspect of organisational resilience, leading many companies to embrace Enterprise Risk Management (ERM) to address risks, albeit with varying degrees of sophistication. Although ERM has been widely adopted, recent events like the 2008 Global Financial Crisis, the 2010 Deepwater Horizon oil spill, the 2015 Volkswagen emissions scandal, the COVID-19 pandemic, the challenges with the Boeing 737 MAX Program, and other notable failures have highlighted the crucial role that board members and executive teams play in effectively anticipating and addressing risks within their companies. Research has also shown that the success or failure of an entrepreneurial venture in managing risk is strongly influenced by the leadership's attitude toward risk. Understanding the distinction between leadership and management can help shed light on risk management failures in companies.
Management deals with problems and solutions that have a great degree of certainty, that is, it embraces known problems and tries to systematically solve them through proven processes to achieve specific and timely results efficiently. Leadership, on the other hand, deals with problems that have a great degree of uncertainty, embracing a lack of clarity regarding the timing and nature of results and competing perspectives to set the overall direction and inspire people to commit themselves to a course of action. In situations where problems lack clarity and solutions are uncertain, leadership is essential in charting a path toward a viable resolution that may otherwise seem unattainable.
Leaders typically do not possess detailed knowledge of the specifics and technical aspects of problems or solutions. Leadership therefore considers the relevance of management by asking the right questions rather than giving the right answers and by consulting a wide range of people with diverse knowledge, evidence, or questions that challenge the arguments of leaders’ direct spheres of influence. The result is a deeper and broader view of risks, opportunities and underlying assumptions, leading to better decisions, clear direction, and transparent communication. Generally, if leaders fail in their roles, it is because they avoid asking difficult questions or consulting outside their inner circle because they do not want to “rock the boat” or due to perceived benefits from uncertainty. Furthermore, they are unconcerned that their actions as leaders may lead to tragedy, as they see this compromise as a deliberate strategy.
Distinguishing between management and leadership is crucial for the effective functioning of companies. It is essential not to prioritise one over the other, as this imbalance can lead to organisational dysfunction. When management is favoured over leadership, there is a tendency to address unknown or leadership-related issues with known or management solutions. This approach often results in the creation of new problems or the exacerbation of existing ones due to a lack of vision and direction. A notable example is the initial response to Global Warming, where the focus was primarily on scientific solutions such as the development of biofuels. However, it was later discovered that the production of biofuels had adverse effects on global food resources, turning a perceived solution into a new problem. Privileging leadership over management can often result in a misguided approach where leaders attempt to address known problems with untested solutions. This can lead to confusion, conflicts, and resistance, resulting in contradictory communications and crises. Ultimately, the original problem persists and may even be misconstrued. An example of this occurred during the global research efforts to find a cure for the COVID-19 pandemic, where some political leaders proposed or enforced unverified remedies, such as suggesting the injection of detergents into individuals.
The primary function of management is to uphold and enhance certainty. Hence, a poor manager would instead transform certainty into uncertainty. Conversely, the core responsibility of leadership is to convert uncertainty into certainty. A deficient leader, on the other hand, would generate further uncertainty from an already uncertain situation.
The legendary Peter Drucker has probably done more than anyone else to simplify the distinction between management and leadership. One of his well-known statements is, “Management is doing things right; leadership is doing the right things.” In essence, management involves establishing and ensuring adherence to processes, rules, policies, procedures, or norms to achieve a specific objective. Leadership, in contrast, focuses on setting goals and motivating or empowering others to actively pursue them. Therefore, leaders should not view their role solely as defining goals, purposes, or visions, relegating implementation and execution tasks to mere management responsibilities. They must ensure, through influence and guidance, that “the right things” get done.
When dealing with risk within companies, “doing the right thing” or risk leadership goes beyond mere risk oversight, which is primarily operational as a governance process. It also extends beyond the top-down approach that aligns risks and their management with the company’s strategy, key objectives, and risk appetite, involving a centralised risk management function and aiming for a strong buy-in from senior leadership. This is senior leadership getting involved in “doing things right” by actively engaging in the formulation and implementation of a company-wide risk management plan from a strategic management standpoint. True risk leadership, however, entails board members and executive teams taking responsibility for steering the risk agenda, that is, setting a high standard or “the tone at the top” for organisational character in dealing with risk.
“Tone at the top” originated from auditing firms, where it was initially used to describe the attitude of a company's management towards internal controls and ethics. In the aftermath of various corporate accounting scandals, such as those involving Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom, the Sarbanes-Oxley (SOX) Act of 2002 promoted this concept as a risk management device aimed at preventing corporate disasters by requiring ethical behaviour among corporate executives and directors, ensuring compliance with laws and fiduciary duties. Today, the concept is widely employed as a call for ethical leadership, which entails upholding and demonstrating a universal standard of moral conduct characterised by a commitment to the common good grounded in principles of fairness, honesty, trust, transparency, and accountability.
Setting the tone at the top about risk leadership or doing the right thing in dealing with risk entails senior leaders ensuring that their decisions and actions are legally and ethically sound, benefiting various stakeholders including their companies, shareholders, regulators, customers, employees, suppliers, and the communities in which they operate. Consequently, risk leadership aims to guarantee that senior leadership within companies is exercising adequate fiduciary duty by taking the risks stakeholders expect and protecting their interests. This high tone in dealing with risks sets the foundation from which senior leadership defines and applies their company’s risk appetite, provides direction for the implementation of the risk management plan, and fosters a supportive risk culture.
To define and adjust the risk appetite, risk leaders must actively seek a variety of perspectives and ask questions that challenge the existing norms. This is essential to ensure that, in addition to the company's vision, mission, and objectives, the interests of all stakeholders and the principles of ethical leadership are also taken into account as key factors. To implement the risk management plan effectively and flexibly, they must motivate those responsible for risk management to move beyond mere management by questioning risk standards and conventional practices, and by remaining abreast of the latest risk management thinking and techniques. Moreover, they should serve as a primary source of ethical guidance for employees by embodying, rather than merely endorsing, the promotion of appropriate behaviour and attitudes towards risk. This is because employees often interpret a lenient stance from their leaders as implicit corporate approval to take on more risks and overlook most risks, despite the companies having a well-defined and clearly communicated risk appetite and risk tolerance.
In the context of the 2008 financial crisis, the impact of effective risk leadership was evident. Companies that navigated this crisis successfully generally had ethical leaders at the helm. These leaders demonstrated caution, prudence, and a keen awareness of their limitations, acting in a manner that was driven by a sense of moral obligation. They were mindful of the risks associated with jeopardising their fiduciary responsibilities through risky investments. These companies had clearly defined and effectively communicated risk appetites, enabling their employees to comprehend the potential repercussions of such risks and take prompt actions to mitigate them. Essentially, these companies fostered risk-aware cultures and possessed the capability to manage risk dynamics adeptly.
Conversely, companies that struggled or failed during the crisis typically had leadership that exhibited significant shortcomings before, during, and after the crisis. These leaders displayed a lack of concern for the potential harm to individuals and the loss of investors' savings. Some were aware that their companies were on an unsustainable path, yet they disregarded the risks. Instead, they fostered insular environments, forming exclusive groups of like-minded individuals who prioritised personal gain. They got caught up in the success of the moment; worse still, they believed they would be “invincible” and that they were much smarter than everyone else, both within and outside their firms. Consequently, they failed to heed differing perspectives or ask critical questions. This lack of critical evaluation resulted in unchecked assumptions and ideas, ultimately leading to detrimental outcomes.
In summary, if company senior leaders fail to “do the right thing” in dealing with risks by setting a high tone for the pursuit of the common good through integrity, transparency, honesty, and accountability, and if they do not ensure that this tone influences the definition of risk appetite, guides the implementation of risk management plans, and fosters a risk-aware culture, then risk management policies and processes will not adequately prepare their companies for risks. The imperative here is therefore to emphasise and cultivate risk leadership as the foundation of effective risk management.