Product quality failures make headline news and damage brand reputation. Strategic failures cause industry leaders to become also-rans. Natural disasters and geo-political turmoil make shambles of global supply chains. Pressures to meet performance targets drive unethical and perhaps illegal activities. Why are organizations so often caught by surprise when these types of risk events materialize, disrupting business strategies, and what can they do to be better prepared?

APQC recently released a research study examining this issue, underpinned by a survey of global organizations. The study is APQC’s fourth in the field of risk management, and I have had the privilege of being a member of several of the teams; the “Enterprise Risk Management: Imperatives for Process Excellence (Collection)” can be accessed through this link – http://www.apqc.org/knowledge-base/collections/enterprise-risk-management-imperatives-process-excellence-collection

Chief Executive Officers (CEO) are the executives most critical in the establishment, guidance, and monitoring of key enterprise strategies; yet only one-quarter of CEOs are actively involved in Enterprise Risk Management (ERM). But surely the failure to foresee major risk events is not really a surprise given the failure of CEOs (and other CXOs) to actively participate in the very discussions that identify such risks and which should challenge their strategies. Two other organizational failures amplify the problem. First, only one-in-seven organizations have a central ERM team that guides the ERM process using a common language or taxonomy. Try running any organization without an official language, where only 1/7 of the employees literally speak the same language! Second, an even lower proportion (how much lower than 1/7th can we get?), one-in-eight to be specific, of business unit leaders report their risks to top management, and this can cause seemingly ‘smaller’ or ‘local’ risks to escalate into major organizational nightmares. Think of product quality issues: they rarely emerge all at once with customers more or less simultaneously reporting problems; rather, they generally start like a series of seemingly disconnected ‘local’ brush fires that suddenly converge and overwhelm the organization’s ability to respond.

So how can organizations improve their ability to see both further and wider, or in other words to see both longer-term risks as well as those coming from seemingly ‘out in left field’? The study provides several key recommendations to meet these challenges and I would like to highlight and comment on three of them here:

First, CXOs – and particularly CEOs – must actively participate in risk challenges to the strategies they have articulated or embarked on. And this participation includes demanding that the ERM team ask questions, challenge assumptions, and push the executive team to see risks and define plans and actions to be taken if the risk events emerge. Much of this can be achieved through a culture of open discussion and the deployment of scenarios assessed via planning & forecasting tools.

Second, CXOs must mandate their ERM leadership to develop a common risk language or taxonomy, one that establishes enterprise-wide definitions of key terms such as likelihood and impact, but also identifies the key risks facing the enterprise. This common language is key because, simply put, ‘minor disruption’ or ‘probable’ are hardly terms that all employees will interpret the same way. It also allows global organizations, such as Caterpillar, to manage a $55 billion global operation with only about 80 risks identified and defined at the enterprise level (I fully expect that most of you have hundreds of risks defined across your – likely smaller – enterprises!) How does Caterpillar do this? Not by ignoring risks, but by explicitly aligning ERM with strategy and requiring business units to articulate how they are affected by and addressing the risks defined at the enterprise level.

Third, CXOs’ must destroy the commonly held – although rarely expressed – perspective of ‘in a culture of gotta look good, there are no risks’, as was put to the author by a direct report to the CEO of a Fortune 20 company. Doing so requires, in part, that business unit leaders report all risks to the ERM team, along, of course, with planned mitigation actions. And in turn, the ERM team must assess risks across the enterprise, including how ‘local’ risks might propagate across the enterprise, and raise potential events to executive leadership.

In summary, it is possible to see at least some of the unforeseen and have some insights into the seemingly unknown. Doing so requires that organizations take the three key actions described above: actively involve leadership, use a common language for risk, and have an open discussion across the enterprise of all risks.

“I can see clearly now … I can see all obstacles in my way” – Johnny Nash, 1972