Best practices are often born out of failure. The deadly Tylenol poisoning spree in 1982, for example, became the model of crisis management. Parent company Johnson & Johnson acted quickly to pull product off shelves, publicly warned consumers not to use their product, and set up a toll-free hotline for consumers to call with their concerns. The company was hailed for a swift response that put the emphasis on consumer safety over profits, creating a model that many companies still emulate today.
Yet some best practices can actually hamper a company’s ability to succeed. As markets, economies and consumer needs change, companies may find themselves unable to take risks or move forward, hamstrung by, of all things, best practices.
The Trouble with the Best
Broadly, best practices refer to the processes, frameworks and guidelines established by an authority, such as an external regulator or internal management, that dictate a recommended course of action. These practices are often the “industry-standard” method of achieving a desired result, whether that is a financial outcome, compliance benchmark, security or ethical standard, or some other goal.
While best practices can be helpful for establishing efficient business processes, Dr. Jing Ai believes part of the trouble lies in how they are characterized within an organization. A professor of finance at the University of Hawaii’s Shidler College of Business, Ai says that simply following best practices without question does not necessarily lead a company toward the right risk management strategies.
“Under different circumstances, one can either fall short of adequately managing their risks or waste resources by engaging in unnecessary risk management activities by blindly following these ‘best practices,’” she said.
In the case of risk management, the assessment of risk and the review of potential mitigation strategies are often complex, requiring a high level of knowledge about the company and how it is equipped to respond to potential risks. Developing a risk management strategy involves many unique factors and a good deal of decision-maker input, and best practices may not fit into the equation.
That may be because many companies assume that all best practices are universally compatible. “It’s a one-size-fits-all mentality,” said Bob Sibik, senior vice president of Fusion Risk Management. “It presumes that everyone wants to—or should—perform risk management the same way.”
This way of thinking does not take into account the company’s unique identity. Sibik believes a better approach is to define the best practices specific to the organization based on its risk appetite. “Given the finite amount of resources an organization has to address risks created by an infinite number of threats and vulnerabilities, each organization should evaluate and manage risk in a way that aligns with their culture and their brand, and to the level of precision necessary to ensure they can continue delivering benefit to their customers,” he said.
Ai agreed, saying that too much reliance on industry-wide best practices can lead to a false sense of security. She used the example of enterprise risk management, explaining, “ERM is largely considered a ‘best practice’ by many industries and companies, while in reality, the potentially very costly ERM program is only going to benefit certain types of companies—large, complex, highly leveraged and heavily regulated companies.”
To counter that problem, Deloitte Risk and Financial Advisory CEO Chuck Saia believes risk management should be actively analyzing best practices to ensure they are effective and that they evolve with the company and the risks. The company’s value system is often another hurdle. “Many organizations have created a system of values, beliefs and behaviors that shape how things get done, but many are falling short in two areas: communicating the importance of everyone in the organization adhering to shared values; and leveraging technology to monitor behavior, ensure the safety of employees and get ahead of cultural risks,” Saia said.
Failure to Launch
Failing to implement enterprise-wide best practices can also have devastating consequences. For example, in 1999, Enron Corporation made a bold decision when the board of directors gave one of its executives an ethics code waiver. The idea was that CFO Andrew Fastow would make deals that would move bad investments from the company to both shield the actual value from shareholders and enrich his bank account.
When the CFO was sentenced to six years in prison, followed by two years of probation, it was just one more failure of ethical best practices in the Texas-based energy company’s incredible rise and disastrous fall. Corruption was rampant within Enron, and nearly 20 years later, one cannot pinpoint a single failure, but rather several within the company’s daily operations that ultimately led to its demise in 2001.
Robert Bradley Jr., Enron chairman Kenneth Lay’s speechwriter, spoke in a recent Houston Chronicle interview about how the company’s decline may have started in 1984, when the newly-hired Lay decided that all of the company’s travel business would be funneled to a travel agency Lay and his sister owned. But Bradley said the final straw was the board’s decision to waive the company’s ethics code so that Fastow might help keep the false narrative of Enron’s financial success going. “It’s a slippery slope when you make a deviation from best practices,” Bradley told the paper. “It creates a dependency to keep making bad decisions.”
Unfortunately, that failure to implement proper best practices is still prevalent within organizations. For example, in a recent Deloitte survey of 400 CEOs and board members, of the 96% who expect their organizations to face serious threats or disruptions in the next two to three years, more than 50% of respondents lack a plan to develop or acquire tools to address reputational risks, including crisis response strategies. “We’ve found that too many leaders don’t view or manage risk strategically—they view it in a vacuum, acknowledging its existence but missing the mark on solving for it,” Saia said.
This mindset change is necessary, but is not happening, he said. For example, Deloitte found that just 30% of CEOs and board members report being highly engaged in cyber response strategy and governance. “One-quarter of leaders are not leveraging practices like war-gaming and scenario-planning even though they’re proven cybersecurity methods for assessing vulnerabilities and creating crisis response strategies,” he said.
It is that lack of follow-through on best practices that is causing risk management to shortchange itself, according to Gary Patterson, president and CEO of FiscalDoctor, Inc. “You can have best practices, but do you really take them throughout the organization, or do they hibernate and not get shared?”
Patterson suspects that sometimes the lack of adoption of best practices has a political undercurrent to it. In many cases, the critical problem comes when politics gets in the way of implementation—there is an unwillingness to take a chance and advocate for risks that may not fall within the risk manager’s purview.
Smaller workforces also mean larger workloads, which may make regular best practice reviews difficult to manage. He used the example of hiring and layoffs: “The world is good now, but in 18 or 20 months when there’s a problem, you lay off your most expensive people. If you do that every four to six years, you lay off the people who have experience and bring in new people, that’s a best practices issue.”
Better Best Practices
That kind of misstep could be happening in other departments as well. Yet Saia believes companies can still review and implement best practices without a large risk management department. He recommends companies focus on three areas: governance, reporting and sensing. Listening or “sensing” tools allow organizations to continuously monitor emerging trends in internal and external data to identify possible risks to their reputations to better keep track of their competition and the changing external environment, and to quickly adjust strategies and devise mitigation tactics. “Reputation often evokes emotions, but emotional decision-making may lead to poor decisions,” Saia said. “Risk sensing replaces emotion and second-guessing with facts and logic.”
By gaining a more complete understanding of its risk environment, a company might discover that their best practices are not necessarily the best. This issue can be alleviated if companies try to understand the assumptions and rationale behind those practices first. “Make an assessment about whether these assumptions and criteria fit the reality of your company before starting to follow them,” Ai said.
She also recommended using best practices as “suggestive guidelines to aid analysis and decision-making.” When looked upon as references, companies can then adapt them as needed to fit their own circumstances.
Making risk management more strategic can also help establish risk as an organizational priority and lead to the adoption of more applicable best practices. One way to accomplish this is to put risk management on the executive committee. “I’ve seen how effective risk management can be when the right people are in the right roles, meeting on a regular basis to talk about strategic and emerging risk issues,” Saia said. Another effective strategy is to have a strong risk reporting process that allows organizations to stay proactive on risk issues.
Organizations can also engage outside help to review current practices and priorities, which can help focus more attention on other areas without relying on any preconceived notions. “Best practices are nice,” Patterson said, “but if you’re inside that company, how many battles do you fight?” He also suggested looking to other companies outside the organization’s industry that have faced similar challenges to see how they handled them and examine how their practices might line up with the organization’s needs.
No matter what, all best practices need to be adjusted to fit the company’s requirements—financial institutions and health care providers, for example, are going to have different approaches to their businesses. To presume that they should all manage risk the same way does not make sense, Sibik said.
Similarly, approaching risk management without understanding where the organization needs to prioritize investments is also a mistake. Prioritization of these investments poses a sizable challenge to organizations that goes beyond simple best practices. Having a chief risk officer at the helm can help determine the appropriate direction. “Leading organizations ensure that their chief risk officer has a strategic mindset with thorough knowledge of the organization, industry, technology and competition,” Saia said. “This kind of CRO is in a better position to guide the organization on possible strategic risk management investments.”
The bottom line is that organizations should be flexible and strategic within their risk management division, regardless of what best practices might dictate. “It means leveraging innovative technology to identify, monitor and manage risk; elevating the role of the CRO; and making the right investments to safeguard brand and reputation,” Saia said. “CEOs and board members must view strategic risks as interconnected and understand that complex threats—when managed correctly—can create opportunities for accelerating growth.”
Sibik agreed. “The breadth and depth of the risk management program should be balanced against the investment, the continuity of operations, based upon the mission of the organization, and aligned with the organization’s culture.” The key, then, is to understand when best practices can help you achieve your risk management objectives and when it is better to make adjustments to chart a different course. After all, it is not about best practices, but the practices that are best for your company.