Before you can manage risk, you need to identify it correctly and accurately. Nowhere has this been more graphically illustrated than in Boston on 31 January 2007, when a marketing gimmick went badly awry.
A marketing organisation, working on behalf of Turner Broadcasting`s Cartoon Network, placed 40 electronic LED-driven devices around Boston, in high-visibility locations such as overpasses and hip and trendy areas. These devices were promotional electronic placards for a late night cartoon programme, but they were mistaken by residents and police for bombs, and the city went on high alert, deploying "an army of emergency vehicles" to deal with the supposed threat.
After several hours, it became clear to city authorities that they were dealing with an elaborate hoax, and there was hell to pay. Turner Broadcasting, in a landmark settlement, paid the city $2 million; Turner apologised publicly for the incident, and Jim Samples stepped down from his position as head of Cartoon Network after 13 years.
Clearly, this was a case of over-reaction, but Boston can hardly be blamed, as the city has had its fair share of bomb scares. Note that while several other US cities were also exposed to this marketing campaign, they did not identify it as a threat, or respond in similarly positive fashion.
The marketing campaign was successful in New York, Chicago and San Francisco, to name a few. The police in each city had a different approach to identifying and managing risks. There was not a documented manual about potential terrorist threats arising from LED boards in any of those cities, but Boston still took the initiative.
What we can learn from this incident is that Boston had a culture of identifying threats and responding quickly; that people were empowered and required to think for themselves; and they were happy to take the initiative, make decisions and stay with them. (Even if the risk was ultimately over-stated.)
Today`s organisations face many different risks, and in the area of governance, this has led to the introduction of the discipline of enterprise risk management. Your employees need to be able to take the same initiative. Sometimes you might end up with a false alarm, but what if it`s not a cry of wolf?
Historically, most organisations have shown themselves to be averse to risk, which is entirely understandable. However, risk lies at the heart of entrepreneurship, so there must be a certain degree of risk in any business.
The need to address risk arises from many quarters:
* Legislation: ECT, MFA;
* Governance requirements: FICA, FAIS;
* Shareholders and investors: King II;
* The need for transparency: Basel II, NCA and Sarbanes-Oxley; and
* Internal processes.
Your workers, in turn, have to deal with risk in various ways:
* Information workers, the most empowered, analyse information, make decisions, and have to observe due process;
* Process workers have a set and defined task to fulfil, and are not allowed to think outside the box; and
* Physical labourers, in turn, do manual work, are closely supervised, and are nor required or, for that matter, allowed to think.
This worker makeup represents a particular challenge in Africa where, on the one hand, we have a serious knowledge chasm, set against a need for proactive thought.
In addressing enterprise risk, you need to follow some basic steps. First of all, you need to incorporate people and skills into the planning, while not overlooking the importance of technology. You need to be able to identify and manage inevitable exceptions, and while it is impracticable to cover and address every risk, you need to be able to keep a record of all events and transactions for historical analysis should the need arise.
In terms of technology, you need to deploy a multi-disciplinary approach, embracing records management, workflow management, risk assessment, business intelligence, process automation and enterprise content management - quite a task.
And all of this must be done against the reality that most organisations today (and yours is no exception) have silos of information that must be managed; physical and manual processes alongside the digitised ones; and their own, unique operational landscape and need for integration.
As you contemplate this complexity, many vendors will come forward with their specific "solutions". In contemplating one of these offerings, you need to keep the following in mind:
* Is the offering appropriately certified for what you are aiming to achieve?
* Does it comply with the requirements of your auditors?
* Will it be easy for the users to operate, will it add to their workload, and are they likely to resist it?
* Will it integrate easily to existing applications?
* What degree of business process reengineering will it involve?
Of all the steps, getting users to accept, adopt and use the enterprise risk application is the toughest. It is one thing to deploy an application; quite another to get the users to make it part of their daily working regimen.
With that in mind, you need to do the following:
* Regularly measure throughput and exceptions;
* Work with your employees to gauge feedback and drive improvements;
* Actively campaign with employees and involve yourself in the application`s roll-out;
* Constantly improve the technology, as implementation will be incremental, rather than big-bang; and
* Always remember - the technology is merely the plumbing, and the vendor does not have to live with the solution: you do.
Follow this approach, and you might react better to a threat than the city of Boston did.
Share