HOW TO STRENGTEN RISK MANAGEMENT
John Kyriazoglou*
Effective risk management requires both hard and soft controls.
Hard controls are formal policies and procedures and how well or not they are designed and implemented. They relate to tangible things, usually well-defined, formalized and approved like organizational structure, assignment of authority and responsibility, corporate standards, policies and procedures, risk methodology, ethics code, compliance procedures, computerized systems, company books, registers, audit trail mechanisms, personnel controls like segregation of duties, taking vacation, job descriptions, confidentiality statements, etc. These hard controls are implemented and used, in everyday business practice to carry out the activities of the organization, by various participants, i.e., people such as employees, managers, board members, customers, etc. These participants usually operate with their feelings, their beliefs, their trust and confidence, their motives, etc., collectively termed soft controls.
Soft controls are intangible things that have to do with behavioral aspects and social properties inherent in people (board members, executives, employees, etc.) and are utilized in applying hard controls in their daily business activities, and especially in business risk management, such as: tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, Ethical climate, Empowerment, Corporate attitudes, Competences, Leadership, Employee motivation, Expectations, Openness and shared values, Information flow throughout the organization and emotional contracting.
All of these types of soft controls (tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, empowerment, etc.), refer to the emotional contracting issue, also referred to as 'the psychological contract'. This is the crucial and powerful link between the organizational performance intent, and the motivations, values and aspirations of the people.
This emotional contracting element is sometimes overlooked by organizations, board, and managers, and that is the reason that may explain why people, at all levels of the organizations, have failed to do what the organization expected and asked them to do, and more specifically in the risk area. In management and organizational theory many employee attitudes such as trust, faith, commitment, enthusiasm, and satisfaction depend heavily on a fair and balanced Psychological Contract. Where the Contract is regarded by board members, managers and employees to be broken or unfair, these vital yet largely intangible ingredients of good organizational performance and risk management can evaporate very quickly. Where the Psychological Contract is regarded by all stakeholders to be right and fair, these positive attitudes including effective risk management can thrive in the long run.
Soft internal controls (trust, integrity, values and beliefs, etc.) should be part of the organizational process of strategy setting and ethical environment establishment. Corporate policies and procedures, vision and mission statements, strategic planning, ethics codes, job descriptions, training and coaching of staff, compliance programs, etc., are the tools and the hard controls that help define whether an organization consistently will do (supposedly ) the right thing. An organization might have written codes of conduct and other value defining type documents (vision, mission, values, social responsibility, etc.) but that does not guarantee whether they are actually followed consistently. Most of the real understanding will not be expressly written in any document but better evidenced in the day-to-day discharge of everyday duties and interactions. For example, the ethical culture can only rise as high as the tone set by the board and the senior executive management. If management distributes the message about ethics poorly or worst yet, delegates the message to subordinate levels, then the effectiveness of the ethical culture is greatly diminished.
Soft controls differ from organization to organization, but are typically set at a higher corporate level and are associated with the overall governance, mission and morale of the enterprise. In addition, measuring efforts like the ethics and integrity or the philosophy of the enterprise is not a simple task.
According to Aristotle ‘All human actions have one or more of these seven causes: chance, nature, compulsion, habit, reason, passion, and desire’. But how these human factors are used in a corporate setting and particularly in risk management in organizations is quite a difficult and tedious task to study, and it is usually forgotten, to say the least, by both boards and senior executives.
*Author’s Credentials
John Kyriazoglou, CICA, B.A(Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book CORPORATE CONTROLS’ ( to be published in 2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.
E-Mail: jkyriazoglou@hotmail.com