The limitations of current risk management approaches
Risk management is most usually limited to the organization whose risks are being analyzed. Stakeholders are considered in most frameworks, but often only in the context of information and communication. They are seldom considered an active, contributing party in the context of risk assessment. Adding a third dimension to risk management by identifying, analyzing and prioritizing the risks as seen by stakeholders, will yield important insights and assist in saving the organization’s license to operate.
Why stakeholder perception matters
Your organization does not operate in a void. Risks are certain to threaten it, and some of these risks will also significantly impact your environment and other stakeholders active in this environment. And of course your stakeholders will react to the exposures they experience. Exposures caused directly or indirectly by your organization. In a worst case situation, their perception of an issue where you are convinced no real risks exist may create an issue where you expected none. If this catches you unaware, you have a real, additional exposure on your hands, an exposure you will have to manage.
Just imagine the following situation … your company operates a production site which treats certain types of contaminated materials. In order to process these materials, you need the authorization of the local authorities. No matter how safe your operation actually is, if you cannot convince the stakeholders present in that environment of that very simple and to you more than obvious fact, they may convince the local authorities not to extend the license to operate for your authorization. Do you have a plan B? Can your organization carry the costs of moving your clean-up activities elsewhere? Can you deal with the possibility of having to move your entire operation? In less than a year?
How do you know what is bothering the relevant stakeholders? I may be reaching here, but perhaps you should ask them. It may be a rather novel or even a revolutionary idea, but approaching your stakeholders with questions on what they deem to be important, ideally introducing them to the exercises you have been running internally to assess your risks and even clearly showing them your current risk mitigation is not always a bad idea. In some cases, it may actually be a first step in establishing a true relationship or at least a regular communication with these stakeholders. In essence, you are applying the ‘First seek to understand’ principle Stephen Covey promoted. Doing this will increase your understanding of their concerns. Be aware that these are real risks to you if they can threaten any aspect of your business.
So, you could imagine yourself, in some future, querying your stakeholders on their concerns, checking whether their concerns map to your internal risk model and add the risks you did not take in account. Let them go through an exercise similar to the exercise your collaborators go through. Let them evaluate their perception of the current level of residual risk (impact and likelihood from their perspective) and their assessment of the current level of control or current level of effort.
We all have a natural resistance to bothering other people with our questions, ignoring that just asking the question can be considered to be a sign of appreciation, of relevance and may lead to the initiation of relationship.
Now imagine the following scenario, which I will call scenario 1: You spend a lot of time communicating on your corporate social responsibility, and note this message comes across really well. There is no significant difference between the perception of your stakeholders and the internal perception of the risk in your organization. You will not need to spend a higher effort in managing the perception of your stakeholders in terms of your CSR activities.
However, in scenario 2 you have spent a significant effort in securing your waste transportation activities. Your engineers confirm there is little to no exposure to the environment nor to the stakeholders active in this environment. You failed to communicate this appropriately, focusing on the technical aspects only. The stakeholders are not convinced and consider the actual risk to be significantly higher than you engineers lead you to believe. You have an issue, even if your processes are in fact under control.
Even if you haven’t seen it, it is still there
In conclusion, You need to be continuously aware that the risk as perceived by your stakeholders can evolve into a very real risk to you.
How? The stakeholders can influence or even determine the validity of your license to operate. In the case of the example scenario 2 above the stakeholders can organize themselves and become a pressure group challenging your license at the local government level. In turn, the local government can decide to raise your taxes or even deny an extension to your current license. Each of these possibilities will cost you money.