With the growing number of firms falling prey to cyber risk, governance failures and market forces, there is a need for greater agility in how decisions are made and risks confronted. Yahoo!, with its record-breaking cyber breach estimated at more than 500 million records, and Wells Fargo are but two of the latest firms to face complex challenges and an unwanted public excoriation. As VW's emissions scandal and the warning signs that could have prevented the Germanwings disaster also show, it is time for senior business leaders and their boards to change the way they think about risk and therefore how they respond to it.
Complex systems fail in complex ways. Many of these failures are either fueled by or missed in the byzantine maze that is the modern enterprise. Addressing these organizational blind spots requires equipping people with common levels of risk awareness, codes of conduct and alignment to value systems. A maxim is a general truth, fundamental principle, or a rule of conduct that can be helpful in creating this alignment. The following risk maxims can help reduce complex enterprise risk management principles into actionable guidelines and patterns of behavior at all organizational levels.
Values matter most when they are least convenient - When confronted with challenging situations, value systems are meant to guide behavior and decision making. After 9/11 the Geneva Conventions took on entirely new meaning in the U.S., just as Johnson and Johnson's now-famous Tylenol recall in the 1980s was informed by the firm's credo to put the people they serve first.
Sunlight is a great disinfectant - In the age of rampant cyber risk and unwanted disclosure, privacy is a luxury. The negative effects of the Sony Entertainment hack were amplified by inconsistent behavior among top officials. By contrast, when Mossack Fonseca's Panama Papers leaked, few were surprised by the misdeeds of dictators and nefarious government officials.
Make it everyone's business to stay in business - Firing the whistleblower breeds organizational indifference. The notion of skin in the game helps create both a sense of loss aversion and preservation that is critical to firm survival. Agile enterprises are connected through firm-wide networks of people who share and respond to risk information (the signals in the noise) in real time.
There are no constants - As in weather patterns and market forces, there are no constants in risk management. It is safe to assume high degrees of variability over time, so dynamic rather than passive approaches should be applied to managing risk.
Tone (and distance) at the top matter - Attitudes towards risk are deeply informed by the tone, tenor and remoteness at the top. Leaders who practice what they preach, have conviction and lead by example are better at managing risks than those who merely pay lip service to risk, compliance and codes of conduct.
Risk lies between the chair and the keyboard - In the era of man-made risk, internal and external threats emerge from human behavior. Unlike naturally occurring risks, man-made risk has agency and therefore a higher degree of planning. Incentive systems and deep stakeholder engagement can help reduce the incidence and severity of these risks.
You can't decouple the fortunes of companies from countries - Firms of all sizes are finding it increasingly difficult to shelter themselves behind their fortress balance sheets and to protect their supply chains, people, systems and market access from global risks. At the same time they have a unique duty to invest in slowing down the decline of the global business commons on which they depend. Forming strategies that incorporate a foreign policy can address this tension.
Bad things happen in the dark - Moral hazards arise when people take risks but do not bear the downside of their risky behavior. These hazards are most prevalent under the cover of darkness, in remote locations and where incentive systems are not aligned. Combating moral hazards begins with having transparency, accountability and clear guiding principles that hold economic, social and environmental impacts in balance.
Simplicity is key - Just as David was able to slay Goliath with a simple instrument, the sling, complex risks are best addressed with simple measures. Encouraging bounded risk taking and reducing fear of failure can help hone an organization's broad senses - muscle memory - on how to respond to emerging threats and complex risk relationships.
Embark on a zero-failure mission - The airline industry, like elite units in the military, boasts one of the best-performing risk management records. The reason is that the consequences of failure are dire and all parties typically have skin in the game. This zero-failure approach should be adopted across industries.
Firms should not embrace risk agility out of fear of failure or mere compliance. Risk agility is a source of lasting competitive advantage. After all, when the competitive landscape is littered with the tombstones of firms that failed to understand and respond assertively to risk, the agile enterprises will inherit the spoils.