One way to think about risk management is as a set of procedures designed to mitigate risks identified in a threat assessment. In this view, the risk management program contains a set of rules that can be taught to the right people who can implement the procedures to reduce or eliminate risk.
Humans are good at inventing routines to make repetitive tasks easier or faster to complete. In the beginning, we spend a lot of time and energy working out how the parts of the puzzle fit together, what causes what, what can go wrong, and how to achieve the goal most efficiently, in this case, to mitigate risk.
Once the routine is designed properly, we test it. If it works, we implement it and then begin the second phase of embedding the routine into a body of standard procedures.
Then, too often, we let the routine run on and on. If it’s designed well, it will continue to perform its purpose. We continue to train others who are responsible for the routine and maybe even let it drop to a lower level of the organization so it costs less. Over time, and sometimes fairly quickly, people will minimize the time and effort it takes to perform the routine. As long as nothing bad happens, the standard procedure just keeps being repeated.
This ‘routine’ process is the birth of complacency.
The problem is that risks are not static. A single risk mitigation solution that works at a point in time may not be effective against unanticipated risks, against risks that evolve, or after changes in the workforce cause the institutional memory that made the routine effective in the first place to be lost.
The general aim has to be to test risk mitigation routines to determine if they can actually detect, report, or nullify risk. One aspect of this is to perform regular performance audits to ensure that risks have been managed effectively. Organizational fraud, for example, can occur over a long period of time if controls have been thwarted or poorly designed.
A second, possibly more difficult, objective is to analyze the process or procedure in place to learn whether it is properly designed to address the kinds of risks that might occur: Where are the internal vulnerabilities in the process? What threats exist in the environment for this particular process?
As the organization moves through time, both internal and external changes occur that modify its risk profile. If complacency sets in because nothing has gone wrong, the first indication that the risk management procedures are inadequate could be a big failure. Dynamic, recurring planning and evaluation of the risk management program are essential in fighting dangerous complacency.
Where is complacency lurking in your organization? What strategies do you have in place to combat complacency and keep risks in control?