Solid collective procedures based on a rationally designed risk language are a much better basis for efficacy and efficiency in risk management than individual instincts.
When detecting a new risk-related event, it is not enough that some individuals within the company are personally aware of a potential new risk.
As long as the company as an organization is not aware of the new threat, the risk has not really been “detected” in any meaningful way.
A risk is only detected in an organizational sense when it is put on the agenda of those managers that “own” this risk area and are in a position to decide how the organization should react to it.
For example, a manager somewhere in the organization may become aware of a possible regulatory change that could have a significant impact on the company's business model. But if that manager doesn't communicate the information (or if it is not sufficiently understood by the appropriate management), the company as such hasn't detected the risk.
Even if a person or business unit is ideally placed to spot a risky new development or event, she will not detect it in any meaningful way unless she knows what to look for. Employees must know how to communicate this risk swiftly to those managers best placed to deal with it and prepare a response. Only with such a common risk language in place can a company act quickly to turn potential threats into opportunities.
Solid collective procedures based on a rationally designed risk language have proven that they are a much better basis for efficacy and efficiency in risk management than individual gut feelings.
This is especially dangerous when it comes to risk management. If no solid collective procedures are in place, instincts, group thinking and the inertia that comes from an intrinsic state of denial, could significantly delay detection of and reaction to “inconvenient” new risks.
Given the importance of risk management, it is surprising that there are more proven procedures and tools to design and implement performance management than for risk management.
As we explain in A new balanced scorecard: measuring performance and risk, an effective way to bring procedures in risk management up to the desired level is to integrate risk management in performance management tools such as the balanced scorecard.
Comparing the reaction times of Nokia and Ericsson
In March 2000, a Philips microchip plant in Albuquerque, NM (USA) was hit by lightning which resulted in a fire. Production had to be halted for weeks due to the contamination of the chips and the facilities with water and smoke. The plant supplied essential parts to both Nokia and Ericsson, two major competitors in the global market for mobile phones.
When informed of the incident, Nokia and Ericsson reacted very differently. Ericsson waited for weeks before taking action and limited itself to monitoring Philips' updates on the gravity of the situation. Nokia immediately started to contract capacity at other Philips and non-Philips plants to make up for the possible prolonged loss of capacity at the Albuquerque plant.
When Ericsson recognized the need to do the same, it was too late. All free capacity had been taken by Nokia. In that fateful year, Nokia increased its market share from 27% to 30%. Ericsson saw its market share fall from 12% to 9%.
Source: A Comprehensive Approach to Assess Operational Resilience, Stolker, Karydas, Rouvroye, Eindhoven University of Technology, 2008.