Damocles, a Greek character and likely mythical, was given the opportunity to experience every luxury and pleasure of his time. However, during his unusual experience, a sword hung over his head, held up only by the hair from a horse tail. The stress of having the sword hanging above him was more than he could take, so Damocles happily reverted to his ordinary life without the stress.

Like Damocles, leaders are continually managing risk. And most leaders significantly underperform at this vital task. Here are seven ways leaders fail at risk management.

1. Failing to see risk as an opportunity.

Leaders often think about risk through the lens of elimination, forgetting that our capitalistic system is based on taking risks. Instead of trying to eliminate risks, leaders should find ways to simultaneously mitigate and manage them in a way that creates wealth. This is a huge mindset shift, but one that successful leaders embrace; they successfully manage risks that others avoid.

2. Failing to classify risks.

Organizations often create a matrix of potential risks that predicts their likeliness to occur and potential impact, from high to low. This becomes a tool to help identify highly likely and highly probable events that can negatively impact an organization, but specificity is needed.

Organizational risks can be classified in three ways: internal, strategic and external. External risks get the most attention, but strategic risks are the most likely to take down an organization. Since each risk class is managed differently, they should be identified in separate groups. We still use the matrix noted above at our company, but we have a separate one for each risk class.

3. Spending too much time trying to identify specific external risks.

Most companies have a process for identifying potential external risks. While there is a place for this, especially if specific actions can protect an organization from those risks, almost everyone spends too much time trying to identify specific external risks. Instead of trying to predict the specific “black swan” or other unlikely events that could impact your business, accept that “something” will happen. Once leaders stop trying to predict specific disruptions and start developing plans to manage through disruptions, real work to protect the organization begins.

4. Viewing risks too narrowly.

Many leaders get mentally hijacked worrying about one or two risks, failing to take a broad enough risk perspective. Recently, I read a prediction that 75% of S&P 500 companies would not be around in 10 years, reinforcing the importance of organizational continuity planning. Many organizational failings result from unidentified strategic risks. Preparing your company to stay in business after the manifestation of any risk is not only essential, but is also a huge opportunity.

Technological risk is an existential issue for every organization. Artificial intelligence and quantum computing are just two of many technological advances that will change the world. Data management and telematics are changing how we operate and carry heavy privacy requirements. Many of our organizations are connected to third parties that must keep up, too. Also, don’t view technological risks as linear; upcoming change will be exponential.

Related to technological risk is cybersecurity, which is everyone’s challenge. If your organization is connected online, it is almost impossible to guarantee 100% safety. However, a good response can be guaranteed. Cybersecurity should not be viewed as simply a technical issue but also as an important managerial issue.

Environmental risk is also a big concern, especially when viewed solely as a compliance issue. Effectively mitigating environmental risk requires viewing it as much more.

Financial risk results from focusing on an organization’s operating statement at the expense of focusing on the balance sheet. Profitable companies have gone bankrupt because they were poor at cash management. This often results from poor inventory management but can also result from illiquid investments or excessive concentration risk.

Financial risk also results from capital allocation, which tries to convert cash into other assets that will produce even more cash. Every organization has a capital constraint, and misallocating it results in lost opportunity and potentially going out of business.

I mentioned that the risk that hurts organizations the most is strategic. Bad forecasting leads organizations to make bad strategic decisions. You can do anything on a spreadsheet, so leaders must ensure forecasts are not tainted by the team’s enthusiasm to move forward with a plan.

Other risks include lack of a healthy culture, lack of diversity or lack of employee development. And finally, there is reputational risk, which is often layered on top of other risks.

5. Not identifying the root cause of risk.

Leaders often can identify a potential risk, but not in a way that it can be mitigated. For instance, an organization may identify bad product quality as a potential risk, but that is too broad. The real risk may be that the organization needs to properly execute the methodology known as Design for Manufacturing and Assembly. Applying the “5 Whys” process to any risk can help identify underlying concerns.

6. Ignoring “gray rhinos.”

“Gray rhino” is a metaphor my friend Michele Wucker developed to describe significant and high-probability risks facing a company that are ignored. The gray rhino finally gets our attention, often too late, when it starts charging. Examples of gray rhinos include noticeable upcoming economic or market changes, advancing technology, new business models or even leadership succession. Wucker’s excellent book Gray Rhinos will help any organization better deal with these beasts.

7. Complicating the process.

Studying risk management, as I have done this year, includes many complicated ways to consider the subject. There are countless statisticians, people much smarter than me, who use quantitative methods of measuring and managing risk. What they do is helpful, which I respect, but can be intimidating. Extensive quantitative analysis is not always necessary; leaders can protect their organization well by following the counsel outlined here.

Like Damocles, every leader considers risk, even if he or she doesn’t realize it. The best leaders either do an excellent job of making decisions on the proper side of probability — sometimes called luck — or manage to have a good plan to deal with risks as they happen. Leaders cannot keep bad things from happening, but they can be prepared. Instead of investing time trying to predict extreme events, leaders should be ready for any contingency.

Given enough time, almost any risk you can think of will manifest. The best leaders frame risk as an opportunity and find ways to leverage it to their organization’s benefit. 

Correct Craft CEO Bill Yeargin has earned a certificate in risk governance and is recognized by the DCRO Risk Governance Institute as a Qualified Risk Director.

This article was originally published in the November 2023 issue.