The following article was written by Greg Shields specifically for the Official Newsletter of the Canadian Society of Physician Executives (CSPE), who have given us permission to republish it on our blog.
Risk Management is in the Details
Creation of the Risk Wiki™ or Corporate Risk Wiki™
By Greg Shields
In the CSPE’s March 2010 Newsletter Dr. Tardif used a great sports analogy, “Teams whose forwards constantly criticize their defense never win the cup.” His comparison to physicians criticizing managers is equally applicable to executives who ignore their Risk Managers.
There is no better example than Lehman Brothers’ colossal failure. In January 2008, the firm had an implied market cap of over $30 billion and, by September of that same year, it had lost 95% of its value and sought Chapter 11 bankruptcy protection, making it “the largest bankruptcy ever filed.” (see the Examiner’s Report, here, pg. 1; the examiner was Anton R. Valukas of Jenner & Block LLP, here)
The greatest problem with the concept that “those who forget the past are doomed to repeat it” (largely attributed to George Santayana) is that, to learn from past failures, we are forced to read things like the 2,280-page, 8,000-footnote (not including appendices) Lehman Brothers Holdings Inc. Chapter 11 Proceedings Examiner’s Report. I doubt that CSPE members have that much free reading time available. Therefore, I will provide my – personal, with no reflection on my company, the CSPE, or this publication, slightly biased and very crude – summary:
Arrogant, egotistical, omnipotent and arguably unsupervised executive officers were allowed to completely disregard one of the largest risk management teams in the world.
When I say “allowed,” I mean that it happened and, therefore, a confluence of factors allowed it to happen. Whether it is allowed in the context of legal liability may take many years and hundreds of millions of dollars to decide. But, as the examiner’s report uses the phrase “the Examiner does not find Colorable Claims that Lehman’s Senior Officers Breached” no less than 19 times, I suggest that it could be allowed again in the future.
Risk Management, much like its sister fields, actuarial sciences, engineering, insurance, human resources, finance etc., is built on details. Some people in every organization find these details boring or unworthy of their time, but almost every major corporate financial loss, from major oil spills to million- (or billion-) dollar employee fraud schemes, can be traced back to overlooked or disregarded policies and procedures. Unfortunately, such people can be found within every rank of every organization, but the odds of their attitude becoming pervasive will increase if it is held by senior management.
Here is a small example. Do you remember the days when you could pull the entire stereo out of your car, and bring it with you to keep it from getting stolen? My younger sister started using my car because I could not afford to bring it to university. When she called to break the news that the window was smashed and the stereo stolen, I asked why the stereo was in it. She said that she had been taking it out for months and months and “there were never any problems”, so she stopped. The task became boring and inconvenient, but, more important, it became inconsequential.
Risk Management is all about repetitive tasks and redundant functions. The problem is those terms are considered negative and have become synonyms of “unnecessary” and “extravagant.” That mindset may be difficult to overcome in non-life-threatening industries or with certain divisions like sales, customer service, administration and support, but, in an organization of physicians and leaders, there is at least the basis for understanding the importance of details, repetitive tasks and redundant functions.
Perhaps the only thing the Healthcare industry needs is regular reminders that consequential loss does not have to be human life to be important to the wellbeing of the organization and its people. Financial loss within an organization can still have catastrophic consequences. It may not be easy to quantify the downstream result of employee theft, loss of private information, or professional negligence lawsuits (not just medical but financial management, design, consulting, human resource, etc.) but they can ultimately lead to lost jobs, fewer nurses, fewer physicians, longer patient wait times and generally less money available for patient care and research.
It is human nature to protect our self-esteem by saying things like “it was an extremely sophisticated scheme” or a “very complicated product or technology” and “the resulting loss could not have been reasonably foreseen by anyone.” But often with a little digging, it is evident that standard procedures were not followed, bolts were not tightened, valves were not tested, background checks were not performed, management incentives were not aligned with desired results, complaints were not investigated, authority and reporting lines were not communicated, etc. etc. The systems or products may well have been complicated or technical and the loss significant, but many of the individual factors involved in the loss were neither technical nor significant.
Risk Management boils down to management attitude and enterprise-wide dedication to the function. Risk of loss can come from every department, division, product and service within a company. The tasks of identifying, assessing, prioritizing, controlling and monitoring risk must be split into many categories and actions. No one person or team can perform all risk management, and it cannot be performed in a vacuum.
But it is not an insurmountable task. Many organizations do not have the resources to have dedicated risk management staff, but that does not mean that the function should not be organized and communicated. Many risk-management functions are already being performed, and the primary function should be to collect, centralize, organize and communicate existing risk management activities.
So today, I am going to coin a new phrase – as a quick Google search suggests that I am the first to use it – and perhaps incubate a whole new corporate mentality, the Risk Wiki™ or Corporate Risk Wiki™ (please notice I have added the trademark symbol, so now everyone will need my permission to use the terms.) I know the term wiki is overused, but at least it might help get some “web play.”
If you believe Wikipedia, here, wiki is Hawaiian for “fast” and it is “a website that allows the easy creation and editing of any number of interlinked web pages via a web browser using simplified markup language.” But I would like to stretch it to include all free sharing of information in a collaborative environment, where a large number of people can contribute relatively small amounts of content, based on their own unique knowledge, skills and experiences, without obvious ownership or immediate financial gain, to create a valuable tool.
With specific reference to Enterprise Risk Management and the creation of a Corporate Risk Wiki™, a firm’s management can start to embrace the concept of enterprise-wide involvement in the management of risk. They could set up a central location, perhaps even a wiki or intranet site (behind a firewall, with appropriate security, authorization and review before posting), to define and communicate the risk management function, areas of concern and existing policies and procedures. From there, systems could be used to collect the policies and procedures, checklists, crisis management plans and other protocols that employees currently use in their day-to-day jobs and to allow them to comment on the use, value and areas of improvement for these policies. It could also be used to collect loss examples (preferably public ones and appropriately generic so as not to identify actual people or companies) from related operations so that employees can see the impact of losses and the cost of ignoring certain activities or cutting corners.
Like all references to risk management, it is much easier said than done. If I am invited back as a guest contributor to the CSPE newsletter, I would like to highlight specific risks, loss incidents and the loss control activities that could be considered. But for now, I have taken a more macro-view of risk management.
Risk within an organization can come in all shapes and sizes. The impact of financial loss can be immediately obvious and easy to quantify (e.g. a slip and fall in the lobby of your building) or can bankrupt an organization well before the loss was even known (e.g., theft by employees, faulty products, loss of employees.) If the loss is truly impossible to foresee, then that is a risk of doing business that most people are willing to accept. But if the loss is “there to be seen just for turning the page” (a reference to a precedent-setting employee fraud loss and a great example of insurance risk), the circumstances would be much more difficult for most good leaders to accept.
Greg Shields is a Partner with Mitchell Sandham Insurance brokers, an independent company providing commercial, private client and financial services insurance. He specializes in casualty products that address directors’ and officers’ risk, crime, fiduciary liability, professional errors and omissions and cyber / media risk. He provides insurance negotiation and risk consulting services, coverage and claims advice to small and medium-sized enterprises, multi-nationals and nongovernmental organizations. Greg can be reached at 416 862-5626 or firstname.lastname@example.org or follow his blog at https://mitchellsandham.wordpress.com