Just as most of you know how much I love Rock and Roll, you also know I am an uber-Houston Astros fan and have been so all my life. Tonight, the Astros host their first Game 1 of the 2019 World Series, battling the Washington Nationals in the fall classic. It features two of the best pitching staffs ever to meet recently in the World Series. The Astros have two Cy Young Award winners (and probably a third this year, more later on Gerrit Cole), Justin Verlander and Zack Greinke. The Nationals have a Cy Young winner of their own, Max Scherzer, as well as fire-baller Stephen Strasburg. One special note on Astros pitcher Gerrit Cole, as he is having a season for the ages. According to Brian McTaggart and Jamal Collier, writing in MLB.com, he “is on one of the most amazing runs of any starting pitcher in recent history, going 19-0 with a 1.59 ERA, a 0.81 WHIP and 258 strikeouts in 169 1/3 innings in his last 25 starts, including the playoffs. The Astros have won each of his last 16 starts.” Cole is clearly the favorite for this year’s American League Cy Young Award.

I will have the chance to attend my first ever Game 1 of a World Series in Houston. Should I jinx the Astros by noting they are the favorites or predicting an Astros win? No, but I think I will just enjoy watching the best team in baseball open a World Series game at home. Go Astros.

Today, I conclude my two-part blog post series based on the seminal Harvard Business Review (HBR) article “Managing Risks: A New Framework”, by Robert S. Kaplan and Anette Mikes. The authors identified three key categories of risk: Internal Risk, which they identified as those risks arising from inside an organization; Strategy Risks, which they identified as risks taken on in hopes of greater strategic outcomes; and External Risks, which they stated “arise from events outside the company and are beyond its influence or control.” Today, I will consider some techniques and strategies to help manage these risks.

The authors had some interesting concepts around how to identify and manage risks which would resonate with a compliance professional. The first is to use outside, independent experts to challenge business types on the risks they are facing in their work. This translates into using such a strategy for high-risk business areas under the Foreign Corrupt Practices Act (FCPA). Under this strategy, you could have a risk review board made up of independent experts whose role is to challenge project design, risk-assessment, and risk-mitigation decisions. These experts ensure that evaluations of risk take place periodically throughout the project lifecycle. It would force the business development team to think in advance about how they will describe and defend their decisions and whether they have sufficiently considered the likely risk scenarios.

Another approach is what the authors call the facilitator approach. It certainly is intriguing but would probably only work for an organization which has a high degree of trust in the company. The need for this approach arises, “Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers. This increases managers’ awareness of the risks that have been taken on across the organization and provides decision makers with a full picture of the company’s risk profile.” Under this approach, a facilitator leads workshops, roundtables and town halls to talk through strategies going forward and to seek input from those participating. The key is that employees feel safe to speak up and that their voices are heard.

Another approach is what the authors call “embedded expert”. In this strategy, “Risk managers, embedded within the line organization, report to both line executives and a centralized, independent risk-management function.” The face-to-face contact with the managers enables the risk managers to continually ask “what if” questions, challenging the assumptions of the managers and forcing them to look at different risk scenarios. Clearly this approach has the danger that these embedded experts will ‘go native’, “aligning themselves with the inner circle of the business unit’s leadership team—becoming deal makers rather than deal questioners. Preventing this is the responsibility of the company’s senior risk officer and—ultimately—the CEO, who sets the tone for a company’s risk culture.”

At the end of the day, it all comes down to leadership. This is because, as the authors note, “Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the ‘can do’ culture most leadership teams try to foster when implementing strategy.” Moreover, there is always a tendency to kick the can down the road to make it someone else’s problem. Such an approach has the added advantage of little or no monetary or resource outlay. Conversely, “mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. Managers may find it antithetical to their culture to champion processes that identify the risks to the strategies they helped to formulate.”

The authors believe that a risk management “group must report directly to the top team. Indeed, nurturing a close relationship with senior leadership will arguably be its most critical task; a company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon.” Companies which have strong internal risk-management functions and leadership teams that understand and manage the companies’ multiple risk exposures tend to not only survive better but also thrive more often than companies which do not.

The authors conclude with the following: “Risk management is nonintuitive; it runs counter to many individual and organizational biases. Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.” Every Chief Compliance Officer (CCO) needs to take this wisdom to heart and consider it for their organization.

I realize some readers may be from Washington and/or Nationals fans, but if you are not, please join me and jump on the Astros Express as we ride towards our second title in three years.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019