Adequate risk management requires responsibility and response-ability

The other side of the coin

A couple of days ago, I wrote an article on risk acceptance and how it actually requires a lot of work in terms of contingency planning. Of course, there is another side to that coin.

The curse of middle management

What is the scope of your responsibility? How able are you to respond to challenges that come your way? If you are an average middle manager in an average organisation, my guess is: not that wide. Our traditional, hierarchically built, production-oriented organisations seldom give any real delegated authority to middle management.

This, by the way, is not the “fault” of senior management. It’s likely to be a combination of three key factors:

  • The traditional structure of organisations, which are built for industrial production optimization. Industrial production entailed making a lot of the same things at as low a cost as possible. Hence, the need for middle management (shop floor management) decisions was likely limited to hiring and firing what in the production mentality were replaceable assets (i.e. workers) and how to “organize” the daily work. There was no real need for middle management to be able to respond outside of the framework of a very limited set of parameters. In short, our traditional organisational structures do not promote middle management taking broad responsibilities.
  • The traditional training and schooling of our middle management, which, especially in larger organisations, waits and sees before acting. By waiting and seeing, you are limiting your own ability to respond, of course. I’m with Sir Ken Robinson when he states that our current schooling does not respond to the needs of our current environment, but that’s another blog post, or perhaps even a book. In short, middle management has not been trained to be assertive in taking responsibility.
  • The hierarchical structure itself, which traditionally does not promote (both literally and figuratively) people who take too much initiative and come and ask for formal authorisation later. Traditional hierarchies promote like-minded, hence predictable people. This makes “renewal” less evident. It’s interesting to see that this holds even in organisations that proclaim their own innovative approaches, such as major consulting organisations. In short, even if middle management took the initiative, it would not necessarily be appreciated in most organisations.

Back to risk management

With risk “management” becoming more and more embedded in organisations, it does not pay to make risk management only about risk identification at the middle management layer, with decisions to be taken only at the top management level. If that were to be the purpose, I would propose to automate middle management to the maximum extent possible, as the cost to benefit ratio would never be positive enough to actually keep real people in play.

Middle management, ideally the management layer closest to day-to-day operations, is the management layer which is the most intimately aware of what can go wrong in day-to-day activities. Rather than establishing an elaborate reporting system where all information needs to go to top management for decisions, it would pay to make the middle management responsible and hence able to respond to certain types of risks, without the need to consult (hence bother and pull away from other, more strategic responsibilities) top management.

How to?

This of course all remains rather conceptual. What do we need to do in order to make sure that our middle management has adequate means and abilities to deal with the risks they are being faced with? The solution I propose here is not new. About 10 years ago, Josiane Van Waesberghe and I wrote what would eventually become the MobiRisk methodology, which went on to win the European strategic risk management award in 2009.

In this methodology, we were thinking about how to solve these issues as well. One of the main reasons we started to look at this problem is that we noted that quite a few middle managers were unable or unwilling to go beyond the very restrictive scope of their authority in order to deal with problems.

In other words, because they did not feel responsible, they were not able to provide an adequate response. And sadly, this has become more the rule than the exception. The fear of making a mistake leads people to no longer decide at all. The responsibility for all issues, including operational ones, is being put on the shoulders of top management. But we should never forget that top management was not necessarily selected for its operational competencies. Rather, they are responsible for managing a strategy.
Of course, this digression does not bring us closer to a solution. So let me offer my five cents’ worth.

One of the solutions that we came up with is to have top management agree on the principles of risk management, and leave actual execution to middle management. That of course requires adequate monitoring. This simple but in my experience rather effective approach gives middle management the ability to respond, while asking top management to make the initial decision on how to deal with this type of problem. This approach recognizes the issues raised above, and deals with them appropriately, but not in an aggressive manner. It is important to recognize that certain sensitivities remain and need to be correctly addressed. It would be an illusion to believe that these deeply embedded, structural issues can be resolved in a couple of days.


A middle manager discovers a risk, or a real issue, in one of the activities under his or her responsibility. This risk has never been dealt with before in the organization. He or she knows this because he or she has consulted the risk reference framework for the organization. The risk reference framework is nothing but a structured repository of answers the organization has developed for risks it has encountered before.

The manager consults with his operational experts and these propose a solution for the problem. He proposes this solution to top management, which considers not only the solution but also the overall impact on the other responsibilities. In case the solution is deemed acceptable, the middle manager gets a go. In case it is not, the remarks are communicated to the middle manager, who goes back to the drawing board.

All accepted solutions are captured in the risk reference framework, where they will remain available for the entire organization.


The consequences of this approach are interesting. First, it actively involves top management in the decision on how to deal with a specific risk. However, they’re not alone in this. They use the experience available in the organization to solve the problem.

On the other hand, it enables middle management to take more and more responsibility in the actual day-to-day management of the risk. This is important because it moves them beyond the traditional risk identification towards an approach in which they take real responsibility in order to deal with the problems that they’re facing.

This approach recognizes the important role of top management while at the same time ensuring that middle management plays its core role in the day-to-day management of risks. In order to do that, they need to be recognized by top management as being authorized and relevant to do that work.