Simple Ethics Rules for Better Risk Management, by Dante Disparte, November 08, 2016: Harvard Business Review
For far too long, managing risk has been seen as an esoteric business function — designed to control losses and adhere to compliance standards. But as more organizations fall prey to complex, intangible risks (from unwanted disclosure due to rampant cyber threats to breaches of conduct driven by skewed incentive systems), the aperture of risk management is expanding from protecting the balance sheet to promoting ethical leadership and values-based decision making.
Consider Yahoo, with its record-breaking cyber breach estimated at more than 500 million records, or Wells Fargo, facing unwanted public excoriation after creating thousands of fake customer accounts, or the Volkswagen emissions scandal, or the warning signs that could have prevented the Germanwings disaster. Many of these failures were either fueled by or lost in the byzantine maze that is the modern enterprise, which often breeds a combustible mix of indifference and short-termism. Complex systems fail in complex ways. But all start with human failings.
Senior business leaders and their boards must therefore change the way they think about risk and how they respond to it. Rather than countering complex risk with an even more complex risk-management system, which comes with its own blind spots and brittle places, leaders have to equip the individuals in their charge with common levels of risk awareness, codes of conduct, and value systems.
To do this, I’ve often relied on a handful of maxims. While it’s true that maxims can sometimes sound cliché – like a phrase on a motivational poster that employees walk past every day but never really look at – they can also be useful if leaders put real muscle into them. Here are a handful that I have found most useful in fostering a healthy sense of risk awareness in organizations in which senior managers are themselves also demonstrating ethical leadership:
- Values matter most when they are least convenient: In an environment riddled with uncertainty and variability, value systems are meant to be the only constants. However, all too often they are proven to be meaningless words in an annual report. For value statements to be more than empty slogans, they must withstand the trial by fire of tough calls, guiding behavior and decision making when it is least convenient. The now famous Tylenol recall of the 1980s is an enduring example of how Johnson & Johnson’s credo guided decision making in a time of crisis. A small number of firms are counter-intuitively becoming activists about championing their value systems, even at the risk of short-term shareholder returns. No one gets extra credit for doing the right thing when it is easy.
- Bad things happen in the dark: Ethical lapses arise when people take risks but do not bear the downside of their risky behavior. These hazards are most prevalent where they can be most easily hidden, such as in remote locations, less-supervised business units, or on understaffed teams. Misaligned incentives can also create organizational “blind spots”. Wells Fargo’s massive account-rounding scandal illustrates the insidious effects of incomplete employee incentives that turn a blind eye to unethical practices. Combating issues like these begins with transparency and accountability. When information is shared quickly and openly across the organization, bad dealings can be rooted out before they spread. It’s the leaders’ responsibility to shine a light into any dark organizational corners.
- Privacy is a luxury: In the age of pervasive cyber-risk and unwanted disclosure, consistently aligned behavior is the best defense. All it takes is one employee clicking on one sketchy link in one email for an organization or institution to be infiltrated by anyone from a disgruntled employee to WikiLeaks to nation state actors. The recent large-scale denial of service attack that affected internet stalwarts, like Amazon, Twitter, and PayPal, by exploiting connected devices underscores that the amount of money spent on cyber security is not a proxy for greater defense. The Clinton campaign spent months of time and effort atoning for statements made in emails sent through Hillary Clinton’s private server, and continues to respond to emails hacked by, allegedly, the Russian government and leaked through WikiLeaks. Apparently, the hackers were able to get access to the emails when campaign chairman John Podesta clicked on a phishing link. Today, risk lies between the chair and the keyboard. Given that breaches are now seemingly inevitable, risk managers might need to spend less effort trying to prevent the next hack and more time reminding employees not to include embarrassing or sensitive information in easily breached communications in the first place.
- Remoteness breeds indifference: Attitudes toward risk are deeply informed by the tone, tenor, and remoteness of the top. Leaders who practice what they preach, have conviction, and lead by example are better at managing risks than those that merely pay lip service to ethics, value systems, or codes of conduct. Simplicity is key in addressing this gap. When senior leaders encourage bounded risk-taking and show that they are open to hearing bad news, they can help hone an organization’s muscle memory on how to respond to emerging threats. When those executives conversely dismiss details as too “in the weeds” for their attention, show that they don’t want to hear questions or bad news, or are simply impossible to ever track down in the hallways, moral lapses become more likely. Remember the example of Citibank from the 2008 housing crash? Kellogg professor Adam Waytz found that leaders in New York were both physically and psychologically distant from whistleblowers in Missouri and Texas. No significant actions were taken to curb the improper behavior, and the company had to pay a $158.3 million settlement in 2012.
Just as David was able to slay Goliath with a simple sling, complex risks are best addressed with simple measures. Firms should not embrace ethical leadership or risk agility out of fear of failure or mere compliance. Risk agility is a source of lasting competitive advantage. After all, when the competitive landscape is littered with the tombstones of firms that failed to understand and respond assertively to risk, the ethical and agile enterprises will inherit the spoils.