For too long, there has been an unspoken assumption in traditional risk management that organisations and people function on rational lines. The implication is that if you can devise the right rules, risks will disappear because people will respond to them logically.
In reality, all organisations consist of real people who exhibit the range of normal human feelings, emotions and behaviours. These are as important as logic in making decisions in the real world. Real people constantly react to real life in ways that, whilst predictable, are not strictly rational. It is those who lack these feelings and emotions who are unusual, not those who exhibit them.
For example: You visit the baker to be faced with an aromatic array of fresh bread. Do you rigorously compare the nutritional content of each loaf, run quality tests and carry out a price and product comparison with other bakers in the vicinity (not forgetting transport and opportunity costs) that, if you are strictly rational, you ought to consider?
Of course you don’t. You follow your eyes, nose and feelings rapidly to choose what you feel is the best choice: today a bag of bagels; tomorrow scented spelt scones; and if you like sweet things you may scoff the scrummy sugared doughnut you know you should shun. If you stuck to strict logic, the baker’s shelves would be empty by the time you made your decision.
Feelings and emotions are an important element in normal decision-making, and this is true of all normal people in all contexts – including the most intelligent and respected business leaders in their work. Unfortunately, the emphasis on ‘homo economicus’, economists’ rational, benefit-maximising model of man, leads many leaders to assume this crude model represents reality, a double danger if they do not realise the extent to which their own decision-making depends on feelings and emotions.
Real people use what behavioural economists and psychologists call heuristics and biases in making decisions. Heuristics are mental short cuts that we all use to simplify decision-making. There are dozens of them, working beneath our consciousness. For example, there is evidence that where we recognize one of a number of choices but have no better information, we are likely to set less store by the option we do not recognize. That is the recognition heuristic.
Then there are biases. An important bias is the ‘optimistic bias’. As healthy humans we tend to delude ourselves that bad events are less likely to happen than good ones. And we tend to attribute positive events to our skill and adverse ones to ‘them’ or bad luck: the ‘self-serving bias’. Many more heuristics and biases provide the numerous unrecognised assumptions and short-cuts that make the life of a normal person – well, normal.
This matters. People and the way they behave are what can make organisations great. But one of the insights to emerge from our work on "Roads to Ruin", the 2011 Cass Business School report for Airmic (we were two of the report’s four authors), is that people are almost always at the root of why organisations are derailed. They are implicated twice over: first because individual and collective human behaviour, most of it perfectly normal and predictable, lies at the root of most crises; and then because it regularly tips potentially manageable crises into unmanageable reputational calamities. We have since established that seniority amplifies the consequences of behaviour for good or ill. So, other things being equal, behavioural and organisational risks related to leaders typically have far more serious consequences than analogous errors lower down the hierarchy.
Unfortunately this area of risk is not systematically recognised by classical risk management. Some areas of people risk are captured by looking at process safety, but this leaves huge gaps. And a restricted view of reputational risk has left large areas of risks to reputation doubly unprotected. Leaders and risk professionals have a structural blind spot that leaves the organisation – and its leaders – predictably vulnerable.
We have solved the problem by rethinking reputation and reputational risk – and so can you. The Financial Times lexicon defines reputation as: ‘Observers’ collective judgments of a corporation based on assessments of financial, social and environmental impacts attributed to the corporation over time’; and there is much bickering over the nature of reputational risk.
Whilst the FT definition is good in parts, it is too narrow. We prefer the deceptively simple:
‘Your reputation is the sum total of how your stakeholders perceive you.’
Think about it and you will find its hidden depths. One is that you lose your reputation when stakeholders come to believe, rightly or wrongly, that you are not as good as, or are worse than, they previously believed you to be. That leads to our definition of reputational risk:
‘Reputational risk is the risk of failure to fulfil the expectations of your stakeholders in terms of performance and behaviour’
Many ‘performance’ failures are captured by enterprise risk management; but few risks from behaviour are captured. The result is that risks that both cause crises and destroy reputations are not captured, so they remain unmanaged. Worse, the research shows that behavioural and organisational risks can take many years to emerge. In the meantime, leaders think all is well when, helped by the self-serving bias, they have been fooled into complacency by what is, in truth, a run of good luck; and they have lost the opportunity to deal with potentially lethal unrecognised risks before they cause harm.
And as Richard Feynman, the late lamented Nobel laureate who uncovered the people risks that caused NASA’s Challenger disaster, said: ‘The first principle is that you must not fool yourself; and you are the easiest person to fool.’
Professor Derek Atkins and Anthony Fitzsimmons are the authors of Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You, which will be published on 3 January