Embedding Sound Risk Management Practices into an Organization
Core principles for risk management adoption within an organization.
Regardless of how much capital you sink into risk management technology and systems, the underpinnings of your GRC success are going to boil down to the riskiest of commodities: human diligence. It's an old refrain, but it's true, and it's way too easy to forget as you look for hardwired solutions.
A quick survey piece at Risk Management Magazine polled 22 "experts" (not identified) about how large corporations such as BP, which invested a ton of cash in risk management systems, can still screw up so badly. Of course, the laundry list of 11 critical factors is dominated by human failings (including not buying adequate systems, we'd note). Many of the responses are predictable; "Delay to Schedule" and "Cost of Preventative Measures" (e.g., greed) make the cut. Also on the list is a seemingly more innocent, but perhaps more insidious, villain, "Normalization of Deviance," that you don't hear that much about these days in the GRC press.
Normalization of Deviance approached the level of catch-phrase after sociologist Diane Vaughan coined the term in her analysis of the Columbia space shuttle disaster for NASA. (The two U.S. shuttle tragedies dominated risks and catastrophe management research for quite a while; we touched on them recently ourselves). Essentially, NASA knew that the re-entry shields on the shuttle were acting abnormally and well below specification - it even coined the phrase "foam shedding" for the phenomenon - but since no serious consequences resulted, it came to accept the deviance from standard as normal. Until the shuttle burned up on re-entry.
On one level, you can just ascribe such laxness to "complacency," another of the failure points cited in the Risk Management Magazine article. But it's actually a little more insidious, if you think about it. Simple complacency speaks to people not acting vigorously on issues they still know matter, at least intellectually. Normalization of Deviance describes a phenomenon in which folks convince themselves that something doesn't really matter, since they don't see any immediate consequences. People are short-sighted - an unusually warm or cold season becomes a rebuttal for decades of climate change data, and so on. Again, NASA had a pet name for what ultimately destroyed Columbia.
Normalization of Deviance can impact all aspects of your business - practices as odious as allowing USB thumb drives in the office can be let slide until the first virus handshake or data leak. The RMM article warns Normalization of Deviance can become institutionalized by experienced employees who, without malice, pass along shortcuts and other "normalized" bad habits as a form of "on-the-job training."
In risk management, you are always dealing with uncertainty. The goal is not to eliminate risk; it's to find acceptable levels of risk based on potential benefit and costs/damage to your business. Just remember that an obvious bad practice that hasn't damaged your business yet is no less likely to do so - in fact, negative consequences get more likely every time you dodge your own version of "foam shedding."