Corporations and high-level risk management are built around the people in organizations—and people are fallible.
The need to evaluate human risk is clear: Stories abound of rogue employees in large and small organizations who have destroyed their entire firm.
At the extreme, rogue firms, such as Enron, can destroy shareholder value and employees’ lives.
Building a quality-based organization helps to drive out rogues, but that’s not the only way.
Control measures need to be in place.
Legal measures, the spotlight of publicity, and backing up corporate policies with firm action are all effective tools.
Best practices in strategic risk management are intended to prevent weaknesses within corporations causing damage or even pulling down the firm. However, effective strategic risk management tools and techniques became harder to implement as business operations grow, become more complex, and operate in multiple locations. The controls that might have once been deemed acceptable in keeping employees within corporations on the same page begin to be less effective in cases of corporate restructurings that split businesses into smaller business units, and where employees are prodded into making deeper contributions to the bottom line.
Technology has not necessarily been a savior in this type of situation. Although technology has provided a platform for enhancing competitive advantage for business, it has also been a tool used by smart, capable, yet ill-intentioned employees to steal and distort overall results.
In the age of managerial cutbacks and increased workloads, a lot of things can happen that go unnoticed by overburdened managers. Interview techniques intended to keep rogues out of the workplace are—in spite of all the high-end questionnaires and intensive interview techniques that may be used—oftentimes ineffective, as potential employees are extremely savvy about modern interview techniques. Players in the job market are often familiar with the drill. Job hunters pass through many revolving interview doors, allowing them to hone their skills on how to dupe the interview process. Some interviewers may be incompetent or show poor judgment. HR departments are not foolproof, and it is only realistic to accept the fact that rogues in the workplace are here to stay. HR people will sometimes catch potential wrongdoers at the gatepost through psychological tests and other forms of due diligence involving intuition and criminal checks. But don’t count on it.
Newspapers are full of stories about accountants who pad the books and give kickbacks to friends and family. Unhappy workers can damage product on the assembly line. A fired employee can show up at the workplace intent on payback for the injustice he or she feels they have suffered (in the United States this is called “going postal”). A multinational manager away from the watchful eyes of the home office can withhold information and deliver selective reports. Expense accounts can be padded. Goods can be pilfered from warehouses.
Given the current economic and political shocks, the last thing a company needs is to find itself in the news on account of the excessive creativity of one or more of its employees. Managers must face the fact that rogues will enter their organizations. So the question becomes: What can be done about it before the damage is done?
Keep in mind that human risk is about more than employees stealing from a firm; it can include individuals making unsound business decisions because nobody told them otherwise. Mistakes can be just as bad as deliberate fraud, as the following case shows.
An Invitation to Rogue Employees
The example of a small Costa Rican bank serves to illustrate this point. At the height of the opening of Costa Rica’s financial markets to foreign financial institutions in 1995 there was a rush to change operations practice. In the pre-free market era, Costa Rican banks could do as they pleased and were immune to punishment even when there were banking scandals and losses that were large for Costa Rica’s fragile economy during the 1980s and 1990s. Old-style banks, accustomed to getting away with providing poor customer service and having lax internal controls, found that their business environment was changing with the pending legislative changes, set to open Costa Rica’s financial markets to the world.
With poor leadership at the helm, and a lack of almost any strategic management initiative, employees were forced to take on new and undefined roles in their bank. Most of these were ill-suited to employees who were given inadequate training and guidance for their new tasks.
As part of rising to the challenge of this expected competition from foreign banks, and in light of the assumed effectiveness of recently ordered ATM machines, the bank we are considering decided that a (ill-informed) lean and mean policy of rampant firing would be an acceptable cost-saving measure. Half of the bank’s staff lost their jobs, and those who remained quickly became demoralized. The newly installed bank machines did not function properly. Friday afternoon payday waits grew to two hours from the already unacceptable 15–30 minutes.
Internal communications broke down. In place of the usual courteous conversations, vitriolic emails flew from one cubicle to the next—seeding the environment for “surprise actions” from a growing league of unhappy, overworked, and demoralized employees. With no controls in place, an inexperienced bank teller authorized a loan of $US 1 million to a long-standing customer—based solely on the fact that the teller liked the man and felt that he could be trusted with the money. For a small bank with a net worth of $37 million, this inappropriate loan decision was the start of a string of poor management decisions that led to its implosion. Throughout this process the business culture undermined any attempts to implement benchmarking studies or best-practice management solutions. The “generous” employee was not fired and kept his duties with a severe reprimand. The future of the bank was sealed, and eventually it went down.
At the Extreme
At the extreme end of the spectrum, there is a widespread pattern of “pushing the boundaries” of everything from accounting rules to disclosure rules for public companies, lax internal controls, managements that focus on doing deals rather than managing, outright fraud and theft, and incentive systems that reward the wrong actions.
Enron followed this pattern. The case of Enron shows how a combination of intellectual laziness and groupthink by a large number of employees, consultants, and analysts allowed a group of greedy and ambitious individuals to get away with massive fraud. Enron was not a case of one or two people at the top undertaking a complex scheme unbeknown to others, but rather a case of many individuals who knew what they were supposed to do, but didn’t do it. This was a case of analysts who never really questioned how Enron made its money, of accountants who didn’t ask simple questions, and of employees and board members who saw dubious things but were afraid to stand up and ask the questions they should have.
Strategic Risk Management: A View
What is risk management, and how does it apply to the actions of employees? According to Kent D. Miller, “‘risk’ refers to variation in corporate outcomes or performance that cannot be forecast ex ante.”1 The key element here is to recognize that there is true uncertainty about human risk, or indeed any risk. The fact that an organization has survived to today without major scandal does not guarantee that it is safe in the future.
So what to do? According to Miller, effective risk management responses frequently include avoidance (which we have noted is almost impossible with the case of human risk), control (to be addressed in a moment), and cooperation and imitation (which can be achieved through quality initiatives).
Quality Initiatives Can Help
An organization is only as good as its parts—in this case the human parts. One fractured link in the chain means one vulnerable corporation. The quality aspect of management can be evoked to work hand in hand with problem prevention, but it is all too often overlooked.
Typically quality applies to (but is not limited to) reducing or eliminating defects in manufactured products. Beyond this, management also needs to invoke quality principles that smooth the internal environment. When intra-corporate communication channels are damaged, the ensuing misinformation may foster rogue behavior within the organization. Many quality experts cite training, transparency, empowerment, and clear communication as vital steps in building a quality organization.
Whether dealing with production issues or those relating to customer service, quality initiatives espoused by management thinkers like Armand V. Feigenbaum, J. M. Juran, Philip B. Crosby, and Frank Gryna can help a business. Firms that include quality as a core value, and reinforce this value through everyday practice, have experienced reductions down to zero of defects on production lines, lower worker turnover, higher levels of worker empowerment through training, more worker satisfaction, greater productivity, and a positive outlook on the company. Valuing people as the key drivers of both quality and performance is important to a firm and can go a long way toward identifying rogues and frustrating their efforts.
Quality starts with managers. Being an ethical role model is a key function of any leader. And the good news is that nothing special has to be done to become such a positive model. However, when leadership falters it can open the door to a rogue hit, doing as much damage to the corporation as a rogue wave can do to a ship at sea. You have to work at good leadership.
But the emphasis on quality alone is not enough. Control mechanisms, including both financial and performance audits, are important for preventing and uncovering potential problems. The really effective tools are punishment and brandishing the legal arsenal available to the company. Such measures reassure the public. A corporation just can’t hunker down to avoid embarrassment. Swift and fair measures will fill the void of those strategic management initiatives that fail to catch rogue employees and will serve as a heavy reminder to others who may be about to embark on a negative course of action.
To many, the idea of punishment seems to be a return to management’s dark past in the days of command and control. This is not the case. Taking corrective action, including negative reinforcements and punishments, is a legitimate function of managers, just as much as positive reinforcements are. Corrective actions can include firings, admonishments, wage deductions, and suspension without pay. People in authority are chary about digging in their heels to fight for what is ethically and obviously right for fear of being politically incorrect, or worse, manifestly insensitive. Many in decision-making positions prefer a course of inaction because they lack the gumption required to stay the course. If a manager has documented proof (paper or electronic) of wrongdoing by an employee, and particularly in a unionized environment, there is little that a union can do to “rescue” the employee from receiving the appropriate reprimand, short of the union condoning such rogue behavior.
A manager faces many risks—from industry-wide risks such as currency and interest rate risks, to department-specific risks such as accounting and treasury risks. Most of these risks can be quantified, though we are finding out that many of the numbers assigned to these risks are little more than educated guesses. Unfortunately the identification, measurement, and quantification of human risk are difficult and challenging. In spite of our best efforts, and in spite of pundits who spout an arsenal of “proof” to the contrary, reliable numbers cannot be assigned to human risk. Nor can risk be completely eliminated from an organization. But quality initiatives and control mechanisms can go a very long way to minimize exposure.
Making It Happen
Learn to live with the uncertainty of any risk, especially human risk.
Vigilantly tweak and enforce the control mechanisms already in place. Think about expanding and/or adding controls.
Revisit your own role as a highly visible manager. Are corporate controls short-sighted, or are they clearly structured so as to prevent deceit, fraud, and rogues from doing future damage?
Identify high-risk areas in your firm—from inventory to treasury areas. Think about safety and security measures in addition to internal controls.
1 Miller, Kent D. “A framework for integrated risk management in international business.” Journal of International Business Studies 23:2 (1992): 311–331.