I have been dealing with risk, compliance, and audit projects for the good part of the last 15 years, but I am still surprised when I am asked whether it’s better – for an organization and for an executive – to know or not know about critical risks.
Ignorantia juris non excusat
For most people, this would be an absurd question, but trust me, I continue to hear it under the rationale that one can’t be reprimanded for not knowing that critical risks – for instance, a regulatory breach – were taking place, thus assuming that plausible deniability is somehow a good defense strategy when things go wrong…
When asked this, I always turn to the legal principle “Ignorantia juris non excusat” (ignorance of the law is no excuse). Not that I speak Latin or am a legal expert, but I think this provides the exact answer that I want to convey – and Latin always provides this sense of gravitas that you just don’t get anywhere else.
Acting like an ostrich with its head buried in the sand won’t help the organization thrive. And regulators, as well as customers, partners, and other stakeholders, won’t accept this strategy. There’s the odd chance that a few risks will be missed, but consistently avoiding damages without steering the ship seems pretty unlikely to me.
Reward for risk transparency comes from the top
Going back to the initial issue, I usually try to drill down to understand the root cause of the question, and I often find out that it’s out of fear. Fear that colleagues will have a negative perception of a manager whose department raises critical risks, fear that management will deem this negative performance for the business unit, etc.
Unfortunately, this is where a software solution cannot help. Indeed, attitude towards risks relates to the core risk culture of the organization. A company that rewards lack of transparency is one that navigates in troubled waters and is in denial. The regulatory, competitive, and overall business landscape is continuously evolving, and new risks arise. This is a fact. At the same time, these new risks can also be turned into opportunities, and risk-aware organizations can capture the strong winds carried by these opportunities to get ahead of the competition.
By providing top management with precise information and the actions being taken to avoid or monitor the threat, you can show the true value of an enterprise risk management program and its positive impact in the decision-making process. Such transparency can instill the right tone at the top. Only with such risk awareness and full information can organizations be successful in achieving their objectives.
As a result, don’t wonder what the life status of Schrödinger’s prodigal cat is: use technology to get real-time, instant updates on your most important risks. This way, should one of the indicators turn red, you will at least have a chance to put in place a mitigation plan to try and avoid incidents.
What about you? Does your company reward a risk-aware culture?
I look forward to reading your thoughts and comments on Twitter. @TFrenehard
This article originally appeared on the SAP Analytics and is republished by permission.