“I think we now live in an era when many of the concerns in running organizations are being reframed in terms of risk, which suggests that risk professionals are likely to rise to the top.”
(Source: “Managing Risk in the New World,” Harvard Business Review, October 2009)
My basic message is that 21st century leadership is all about making smart decisions under uncertainty, extreme volatility, constrained resources, increasing needs, and lack of full information. Borrowing Marshall Goldsmith’s term, I believe that the 21st century mojo of leadership will be all about making the tough decisions that need to be made in an economy running at a trillion-dollar deficit.
Twenty-first century leaders who understand, embrace, and execute smart political, financial, environmental, and stakeholder decisions will prevail and succeed. The 21st century leadership and management rubric will revolve around risk/cost/benefits involving enterprise risk management (ERM).
So, what is the “new normal?”
“The world is so integrated today. We no longer have direct control over our destinies, either individual or corporate. We are swimming in a sea of change and risk management can add stability to our lives.”
Dennis Arter, author, futurist
Many business rules and leadership assumptions have changed radically post-September 2008—the official period of the U.S. financial meltdown. I would almost say that most business rules have been reset. Harvard Business Review says that leaders need to understand and manage within the constraints of the “new normal.” Let’s look at some of the implications of the “new normal.”
We’ve experienced a number of “Black Swan Events”—low-likelihood, but high-consequence and even catastrophic events. September 11, 2001, was epochal in how it changed society as well as public safety decision making. There has been a sustained recession. The stock market lost trillions of dollars in market capitalization. Major companies went into dizzying tailspins because of financial fraud and massive overspeculation. A number of market bubbles also burst, all of which have resulted in overwhelming uncertainty.
Risks arise from uncertainty and the inability to plan, execute, and ultimately control events. So, “what if” questions and “how to” responses involving risk are now part of the fabric of every management discussion in companies as well as governments.
Most senior management decision making today is made through a risk filter. In the public arena, federal, state, and local agencies are focusing on risk and homeland security. In publicly held companies, board-level and senior management decisions are based on a risk analysis, because of increased board- and executive-level accountability, increased financial reporting transparency, increased due diligence, reporting regulations of the U.S. Securities and Exchange Commission and the New York Stock Exchange, and a number of other reasons.
Figure 1: Upside risk/downside risk
In Against the Gods: The Remarkable Story of Risk (Wiley, 1998), author Peter L. Bernstein says that the mastery of risk-based decision making is the foundation of modern life and it’s what divides modern from ancient times. These are pretty strong words. Let’s look at a few definitions of risk:
Risk—uncertainty of outcome, whether a positive opportunity or negative threat, of actions and events. It is the combination of likelihood and consequence, including perceived importance of a positive and negative event, which may involve a hazard, improvement, or new opportunity.
Risk—possibility that an event will occur and adversely affect the achievement of objectives
Risk—a situation or circumstance that creates uncertainties about achieving program objectives
There are several critical points regarding these risk definitions:
“Risk is the watchword for this millennium. It’s at the forefront of management thinking in the areas of homeland security, health care, and supply risk management.”
Dick Gould, a Fellow of the American Society of Quality (ASQ)
Risk, like quality, can be managed to facilitate good decisions. Let’s look at the following definitions of risk management:
Risk management—an organized, systematic, decision-support process that identifies risk, assesses or analyses risks, and effectively mitigates or eliminates risks to achieving the program objectives
Risk management—all the processes involved in identifying, assessing, and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress
Figure 2: Management focus
“Although regulatory compliance continues to be a ‘hot button’ issue for product sales, organizations are looking for solutions that can help them better manage multiple forms of risk.”
(Source: Gartner Group)
Enterprise risk management, or ERM, has been defined as a process affected by an entity’s top management and other personnel, applied strategically and across the enterprise, which is designed to identify potential events that may affect the entity. ERM helps determine and manage risks to fall within the entity's risk appetite, and provides reasonable assurance regarding the achievement of the entity's objectives.
Why is ERM the leadership and management model for the 21st century? In an uncertain world, the logic goes somewhat like this: Increasing threats and uncertainties lead to unknown events and unknowable risks, which can only be prevented, predicted, or maybe preempted through enterprise risk management.
The underlying premise of ERM is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents risk and opportunity, with the potential to erode or enhance value. ERM provides a decision-making framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.
A few years ago, I had to provide testimony on a technology audit. I needed to pull findings together into a visual ERM model, which eventually was called the “House of Risk.” It was composed of the following elements:
Governance: The vision, mission, culture, and philosophy of the business, including sustainability, profitability, stewardship, etc.
Risk management: Consists of the enterprise activities to manage opportunities and to mitigate potential adverse events.
Compliance: Consists of the activities to demonstrate adherence to laws, regulations, and policies.
Assurance: Consists of providing confidence that the organization is complying with laws, regulations, and policies.
Technology: Consists of infrastructure of technical processes and tools to ensure that enterprise governance, risk, compliance, and assurance are effective.
Figure 3: House of Risk
Enterprise risk management integrates an enterprise view of governance, risk, compliance, process variation, and product nonconformance. Figure 3 offers a depiction of the enterprise view, which is able to explore, prevent, predict, mitigate, and even preempt bad things from occurring.
The Toyota auto recalls illustrate the perfect storm of the unthinkable and the unknown. Who in the world anticipated that the exemplar of auto quality, inventor of the Toyota Production System (lean management) and of many quality tools, would lose so much brand equity built around quality? Toyota had all the lean management and Six Sigma tools and data. However, Toyota didn’t connect the dots to the enterprise risk level. If it had, Toyota may have been able to anticipate, mitigate, and preempt the recall and the substantial dilution of its quality brand equity.
As risk decision making has increased, there is now a sense of realization that activity, process, or project-based risk mitigation does not work—much like fixing or correcting the symptom of a quality problem results in recurring problems. Many managers realize that the root cause solution to a chronic or systemic quality problem is through enterprise risk management. Enterprise risk management in many ways is analogous to total quality management (TQM).
The differences between the two are also revealing.
Why should quality leaders and professionals learn risk management?
“You’re at risk in your quality career. Risk can be about how your job is going to be outsourced or somehow fundamentally changed. What can you do about it? Learn cutting-edge technologies. Be prepared. Don’t wait, your future depends on your making smart decisions now.”
Gerry Brong, futurist, writer, academician
What’s the new normal in your business? What’s been reset? What was the previous baseline and what is it now? Specifically look at your treasured leadership and management assumptions. Are they still valid? If not, what’s the new reset for you?
Quality has fundamentally changed. Quality leadership and professionals must take a hard look at their role in this new business environment, assess their current skill set, determine what they need to learn to be relevant contributors of value, and make a smart decision of where they will be in the near future. I suggest that you learn and do ERM.