The importance of consultation and communication in risk management
ISO 31000 refers to consultation and communication with stakeholders as a key activity in a well implemented risk management methodology. Let’s examine why these elements are important.
ISO talks about consultation and communication with stakeholders. So we need to explain why:
are important. We’ll start with the whom, then discuss the two interactions.
“A stakeholder is a person with an interest or a concern in something, especially a business.”
A stakeholder is therefore influenced by the objectives of an organization and whether or not it achieves these objectives. Note I’m not saying that every stakeholder is necessarily aiming for the organization to reach (all of its) objectives. On the contrary, a stakeholder may be defined as a stakeholder because his or her interest runs counter to the objectives of the organization.
Not recaptured in the definition is that stakeholders have many means at their disposal to influence whether or not and how or at what price an organization can reach its objectives. A voter, for example, may have interests aligned with a political party. If that party does not achieve its stated objectives, it’s entirely possible the voter will take his or her vote elsewhere, and impede the party from realizing all its objectives.
A political party and its voters are relevant as an example of the diversity of stakeholder interests in another sense as well. A political party has a programme, often a concensus of the diverse needs of its intended voters and its political objectives. Not every voter is as interested in the party achieving the entirety of its programme. On the contrary, quite often there may well be conflicting interests within a party programme. It all depends on the weight of the stakeholders in the decision making process.
Lastly, note that not all stakeholders are external to an organization. Your employees are stakeholders as well. And believe me that you should not automatically assume that they are aligned with each and every aspect of your strategic intent. Because they are not.
Let’s be clear, stakeholders are a force to be reconned with. I’ll come back to that later.
“the action or process of formally consulting or discussing”
When we’re defining consulation, we need to define the verb “to consult”.
“have discussions or confer with (someone), typically before undertaking a course of action”
Consultation is all about exchanging information and ideas with someone, preferrably an expert or a party involved and with a particular view on an aspect of what you’re dealing with, prior to an action.
Lots of issues or problems or elements on the road to achieving objectives benefit from being examined from different angles. I’m not suggesting to adopt an overly committee like approach where decisions are postponed and killed in committee. However, quite often problems are only looked at from an extremely narrow point of view. This ivory tower mentality has led to significant mistakes in decision making because certain aspects of a problem where never recognized as such.
In programming, there is a dictum that states “Given enough eyeballs, all bugs are shallow” (Eric Raymond). The same goes for issue management. If enough people involved in the problem look at it from their particular point of view, bringing together all these elements will result in a best possible view on the issue.
However, there is a difficulty with this approach: sometimes the time between potential risk detection and that risk becoming a reality is too short to allow for a full consultation. It pays to have a consultation group of stakeholders with different points of view at the ready to allow for quick consultation.
At BTC, we established a consultation committee on integrity. Representatives from all divisions of the organisation gather on a regular basis to discuss integrity related issues and advice my team on how to approach certain integrity related issues. As stakeholders, they have an expertise which my team members, acting as the integrity bureau, does not necessarily have. This committee can be called together on short notice to discuss concrete issues.
Through consultation, you bring to bear all competence within the stakeholder group on a specific problem you are being faced with. You recognize the value these stakeholders have to you, and by doing that, you recognize their value.
However, and that is essential, by no means to you transfer responsibility or accountability for the decisions taken to deal with issues, problems or risks. That remains the sole responsibility of the organization.
“the imparting or exchanging of information or news”
Consultation is not enough. In consultation, you gather additional perceptions and information to make better decisions. Once those decisions are taken you need to communicate to all stakeholders. In essence, you want to communicate:
- What: you decribe what the outcome of the consultations and the integration of the information learned into the decision making process;
- Why: you describe, wherever possible and not counter to any commercial objectives, why you’ve decided to do what you do;
- How: to those impacted, you explain how the what will be realized. What can they expect to happen to them or around them in what timeframe;
- Outcome and corrections: once a decision is implemented, it leads (hopefully) to results. These results need to be communicated as well. Based on the outcomes, certain corrections may be chosen. These and their impact and the what, why and how need to be communicated as well.
Bringing it together
One well placed, misinformed stakeholder can bring an entire strategy down.
When dealing with any time of activity of an organization, enhanced stakeholder involvement is important to gain perspective but also to develop acceptance of actions that need to be taken. Inviting your stakeholders to the dance is an important means of gathering the necessary support for implementation or of timely identifying key blocking factors.
When dealing with risks and risk management, this need is amplified. After all, you are investing time and means in avoiding the occurrence of certain situations. But just as with Y2K, a risk avoided is something that did not happen. Clearly involving your stakeholders to get a realistic view on the issues and gathering ideas to deal with the issues in the most effective way possible is a sound business tactic. Moreover, it shows diligence where diligence is due.
By making communication and consultation with stakeholders one of the first elements of risk management, ISO has clearly stated that no risk management approach can be successful without the proper support of the relevant stakeholders.