One of the elements COSO-ERM does not thoroughly address is stakeholder consultation in risk management. Sure, there is the required communication capstone on top of the COSO pyramid, but the activities described there fail to address the needs and complexity of interacting with your stakeholders on a regular basis in the context of risk management.
ISO 31000, born out of ISO's practice of frequent consultation, does not fail to address it. Consultation is part of the quality cycle. Inspired by AS/NZS 4360, it gives communication and consultation a key position in the entire process, running alongside every step from establishing the context through to monitoring and review. Just look at this visualization.
But how would you go about consulting your stakeholders in the risk management process? And more importantly, what can they contribute to your risk management?
Stakeholders as sources for the unknown unknowns
As Donald Rumsfeld put it, the most challenging elements in any situation are the so-called unknown unknowns: the problems we are not even aware we have, the exposures we do not know exist. It was an unknown unknown that made Challenger explode and that sank the Titanic, and it is likely to be an unknown unknown that results in you failing to reach your objectives. More on that in another post.
Stakeholders, however, are great sources of unknown unknowns. Because they look at our activities, operations and actions from a different vantage point, and because they come to the table with different objectives, they often see issues where we see none.
Any organization which fails to recognize that it needs to comply with, or at least listen to and validate, the concerns of an important stakeholder fails to understand that this stakeholder, through its actions or inaction, can revoke the organization's license to operate, killing any chance of it reaching its objectives. For those familiar with history, the initial "hearts and minds" strategy the United States followed in Vietnam was a recognition of this essential element. Without support from the villages and villagers, the conflict was bound to go against the US. The abandonment of this strategy influenced the outcome, as there was no longer an implicit license to operate. (The matter is more complex, but this was an important contributing factor.)
Gathering the information
Gathering the information is as simple as asking the question. Asking the question is not the challenge, however. The challenge is creating an initial environment of trust in which stakeholders do not feel exploited or used for the greater good of an organization whose actions may adversely affect their lives. So you will need to establish real trust, and establishing real trust takes time. You cannot buy that trust; you need to earn it. Which basically means that you can throw any ideas of window dressing out of the, well, window.
I believe that an important step towards building real trust is transparent information sharing. Communication needs to precede consultation, as it builds rapport and shows the intent to share. You want the information, so you need to take the initiative; you need to cross the bridge first.
What I would not share upfront is the risk analysis conducted inside the organization. Not because you do not want to share that information, but to avoid influencing the risks the stakeholders identify. After all, just like you, they can be influenced in their view of the subject matter. Better to get their information without prior contamination, and share the internal analysis once their own list is on the table.
First open, then closed questions
The stakeholder risk identification needs to be as broad as possible. Remember, we are mainly looking for the unknown unknowns, so closed questions and pre-filled checklists come later, not first.
I would start off with interviews which aim to identify the stakeholders' objectives with respect to the organization (remember, no risks without objectives), the threats they see to these objectives, and the confidence they currently have in the organization's ability to deal with these issues and achieve the objectives.
A number of risks will likely be similar to those already on the internal register. Another set of risks will be new. As in a traditional ISO 31000 approach, you need to not only identify but also analyze and then evaluate these newly identified risks. During the first, or if necessary a second, open interview, each of the risks needs to be revisited for further clarification, so that we clearly understand how the stakeholder perceives the risk. In a second or third interview, or by means of an online voting approach, the risks are then scored (current level of risk management, probability of occurrence, consequences).
Visualization, interpretation and treatment
As to visualization, a good visual representation of the analysis, if it is produced in an objective manner, provides a good basis for discussion. I would use different colors to show the different scorings of the same risk, for instance the internal score next to each stakeholder's score. This will take some time to develop (although you could probably automate it), but discussing a clean visualization brings a lot more to the conversation than a cluttered whole. Comparing the two sets of scores gives three outcomes.
First, you are likely to find risks whose stakeholder score is comparable to the scoring by the organization. This can be interpreted as a validation of the internal risk assessment.
Second, you will find risks which were not identified in the internal assessment. These risks need to be assessed by the internal risk owners. If they turn out to be real risks, they need to be included in the risk assessment (risk update) and treated.
Third, where the stakeholder scores differ significantly from the internal assessment, there is at least a difference in interpretation, which needs to be managed: either the internal assessment is wrong, or the stakeholder is missing information the organization has, and you will not know which until you talk.
Let us imagine for a minute a situation in which the organization fails to deal with a risk it considers minor, but the stakeholder considers very important. If the stakeholder's concerns are not adequately recognized and no time is invested in explaining why the risk treatment is done the way it is, this may lead to stakeholder protests and eventually the revocation of the license to operate.
Throughout the entire risk analysis there needs to be continuous communication with the relevant stakeholders. Failing to do this properly may itself become the most significant threat to the achievement of organizational objectives.
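The three-way comparison described above (validated, newly identified, divergent) is easy to automate once both registers use the same scale. The following is an added example, not part of the original post or of ISO 31000 itself; it assumes a 1 to 5 likelihood and 1 to 5 consequence scale with risk level = likelihood × consequence, and a divergence threshold of 6 points, both of which are illustrative choices. The registers are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScore:
    """One scoring of a risk on a 1-5 likelihood / 1-5 consequence scale (assumed scale)."""
    likelihood: int
    consequence: int

    def __post_init__(self):
        for value in (self.likelihood, self.consequence):
            if not 1 <= value <= 5:
                raise ValueError(f"score component out of range 1-5: {value}")

    @property
    def level(self) -> int:
        # Risk level as the product of likelihood and consequence (assumed formula).
        return self.likelihood * self.consequence


def compare_registers(internal: dict, stakeholder: dict, divergence_threshold: int = 6) -> dict:
    """Reconcile a stakeholder risk register against the internal one.

    Returns three buckets keyed by risk name:
      validated - on both registers, levels within the threshold
      new       - raised by the stakeholder, absent from the internal register
      divergent - on both registers, levels differ by at least the threshold
    """
    result = {"validated": {}, "new": {}, "divergent": {}}
    for name, their in stakeholder.items():
        ours = internal.get(name)
        if ours is None:
            result["new"][name] = their.level
            continue
        delta = their.level - ours.level
        bucket = "divergent" if abs(delta) >= divergence_threshold else "validated"
        # Keep both levels so the difference can be discussed, not just the verdict.
        result[bucket][name] = {"internal": ours.level, "stakeholder": their.level, "delta": delta}
    return result


def render_heat_map(internal: dict, stakeholder: dict) -> str:
    """Plain-text 5x5 heat map: 'I' marks internal scores, 'S' stakeholder scores, 'B' both."""
    grid = [["." for _ in range(5)] for _ in range(5)]
    for name, score in internal.items():
        grid[5 - score.likelihood][score.consequence - 1] = "I"
    for name, score in stakeholder.items():
        cell = grid[5 - score.likelihood][score.consequence - 1]
        grid[5 - score.likelihood][score.consequence - 1] = "B" if cell == "I" else "S"
    rows = [f"L{5 - i} " + " ".join(row) for i, row in enumerate(grid)]
    return "\n".join(rows + ["   C1 C2 C3 C4 C5"])


# Constructed sample registers (illustrative names and scores, not real data).
INTERNAL = {
    "supplier outage": RiskScore(3, 3),      # level 9
    "customer data breach": RiskScore(2, 5), # level 10
    "regulatory change": RiskScore(2, 2),    # level 4
}
STAKEHOLDER = {
    "supplier outage": RiskScore(3, 4),      # level 12, close to internal
    "customer data breach": RiskScore(2, 4), # level 8, close to internal
    "regulatory change": RiskScore(5, 4),    # level 20, far above internal
    "noise near the plant": RiskScore(4, 3), # level 12, not on the internal register
}

if __name__ == "__main__":
    outcome = compare_registers(INTERNAL, STAKEHOLDER)
    for bucket, risks in outcome.items():
        print(f"{bucket}: {risks}")
    print(render_heat_map(INTERNAL, STAKEHOLDER))
```

The "divergent" bucket is the one to bring to the next interview: the example deliberately keeps both levels and the signed difference, because a stakeholder scoring a risk far higher than the organization (regulatory change here) calls for a different conversation than one scoring it far lower. The heat map is a quick way to see clustering before building the colored visualization the text suggests.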