Another noise; you don't dare to even look. Heart pounding, blood pumping, you now race to your car in terror. We have all at one point have experienced that kind of fear. When we as humans "see" something that we fear our brains instinctively prepare us to survive that dangerous situation. This is an instinctual physiologic response. It is our inborn response that prepares the body to "fight" or "run for your life."
Even though our human fight-or-flight response to fear is hardwired in us and dates back to the days when we fought off dinosaur-sized predators, some things do influence what we actually fear; such as the culture we grew up in. For example, people in South American jungles do not fear large insects, snakes and other reptiles because they grew up seeing them. But if I were to see a python I would run faster than the wind. This very notion made me ponder. Does it mean we can effectively overrule our "primitive instincts" of fight or flight with solid cognitive processes? And how much time does it take to alter our natural response to such risks?
When your organization faces a deadly risk, does it fight or does it run far away from it? Is your organization aware of what its natural responses are to risks? More specifically, does your organization influence, foster or try to overrule the instinctive risk responses of its employees?
Since 2009, many regulators have desired the answers to these very questions. Companies as part of reporting on their governance and risk management processes are being asked to formally prepare risk policy statements that clearly articulate the organization's "risk appetite and tolerance." They want organizations to understand the type and amount of risk that the organization is willing to pursue, avoid or retain to achieve its goals. In essence, they want companies through these statements to precisely articulate what will be the reaction of employees when faced with "a giant green hungry python." Will they take it on as the corporate risk policy prescribes, or will they run?
When we think of the permutations and combinations of risks, it is easy to see that clearly articulating the collective risk response of an organization is not an easy task. Such a report would have to describe the behaviors of a collection of humans and set in place precise guiderails for risk responses. It would be an attempt to "hardwire" an organization to a prescribed reaction to risk. As such, preparing meaningful "risk appetite and tolerance" statements that accurately describe aggregate corporate behaviors may be an unrealistic task and may be of questionable value.
If we have to "hardwire" anything in an organization I think better to focus on embedding day-to-day risk management capabilities in the organization that routinely seek out those scary large reptiles and decide on how to handle them individually with the aid of some pre-defined criteria that has the freedom to change as the organization changes.
It is no wonder that we see many organizations struggling with this very task. But as humans, we are complex beings coming from varied cultures and every day we face and are altered by new personal risk experiences.
JOANNA MAKOMASKI is a specialist in innovative enterprise risk management methods and implementation techniques. She can be reached at firstname.lastname@example.org.
May 1, 2012
Copyright 2012© LRP Publications