On average, a company will lose 25% of its revenue from an organizational disaster – and that’s the good news.
Hi, I am Joe Mayo, creator of the risk hurricane and author of two risk management books (Chaos to Clarity and Cultural Calamity).
Normalized deviance, rejection, deception, and risk normalization are cultural patterns that can lead to a risk hurricane. Hurricanes occur in nature every year. They are predictable, make a mess of everything, and no good comes from a hurricane that makes landfall. Risk hurricanes, like hurricanes in nature, are predictable, extremely costly if ignored, and avoidable with planning and preparation. Visit my website, Twitter, or LinkedIn to read about a variety of risk management topics. Get a copy of Cultural Calamity to learn about organizational culture challenges and risk hurricanes.
Symptoms of a Risk Hurricane
Normalized Deviance
Rigidities in perception and minimizing emergent danger are cultural patterns that are symptoms of normalized deviance, which we touched on previously. When allowed to proceed unchecked, normalized deviance leads to catastrophic failure. The question of failure is not if, but when and how bad the failure will be. A key point to keep in mind is that the longer normalized deviance is allowed to persist, the greater the impact will be.
Rigidities in perception cause individuals within an organization to develop a collective blindness to problems. Individuals may recognize that a problem exists but the organizational culture overshadows their concerns. Normalized deviance is a classic example of collective blindness that, in almost all cases, leads to disaster. Compliance auditors and risk practitioners must always be on the lookout for collective blindness and normalized deviance.
Minimizing emergent danger occurs when a group or individual recognizes that a hazard or vulnerability exists but they don’t fully understand the magnitude of the impact and tend to trivialize or undervalue the impact. Beware of risk impact that cannot be clearly articulated, as this can be a symptom of minimizing emergent danger.
Risk Normalization
Monetization and information difficulties are cultural patterns that are symptoms of risk normalization. Risk normalization is the process of modifying risk impact information to produce uniform data. It is frequently used to simplify risk reporting. Monetizing risk impact is the most common form of risk normalization and it occurs when all risk impact is expressed in monetary terms. Risk normalization sounds good in theory, but it tends to obscure the actual impact of the risk, especially with safety and reputation risk events. When risk impact is understated or obscured, organizations tend to underestimate the resources required to treat the risk, resulting in many very expensive loss events. Monetizing and normalizing risk makes it very easy to report risk exposure and risk treatment cost but obscures the true risk impact. When risk impact is obscured or undervalued, it causes decision makers to make very poor decisions. This is particularly the case for safety risk where poorly managed risk events can lead to loss of life.
Information difficulties are caused by people attempting to communicate information about ill-structured, complex or poorly understood problems. Ill-structured or poorly understood problems are generally caused by unresolved ambiguities. Ignoring ambiguities or using normalization to obfuscate ill-structured problems can lead to disastrous results. Information difficulties are generally associated with ill-structured or ambiguous problem statements. The general, vague, and subjective terms used to describe ill-structured problems are often accompanied by incorrect, incomplete, or ambiguous information, making it very difficult to clearly document the problem, associated impact, and resolution procedures. Ambiguities and data gaps that are allowed to persist should be seen as warning signs and risk practitioners should immediately escalate these situations.
Deception
Decoy problems and Potemkin Villages are two symptoms of deception. Decoy problems can be created intentionally to move attention away from a known problem or they can be created unintentionally by a lack of understanding.
A decoy problem can be created intentionally as a distraction or a smoke screen to steer attention away from the real problem. Decoy problems can also be created by incorrect information or poorly understood information. Ill-structured problems are excellent candidates for decoy problems as they are described in vague, subjective, or qualitative terms. Well-structured problems, on the other hand, are often numerically described, which makes it very easy to use mathematical models to demonstrate potential outcomes and impact based on any number of alternative scenarios, making them weak candidates for decoy problems.
A Potemkin Village is another example of a decoy problem. A Potemkin Village is a term used to describe situations where a facade is constructed that leads one to believe underlying mechanisms are refined and highly effective, when in fact, it is nothing more than a house of cards that can come crashing down with the slightest jostle. Legend has it that Grigory Potemkin became Governor of Southern Ukraine and Crimea after the Russian takeover in 1774. Potemkin was assigned to rebuild the areas after a series of wars between the Ottoman Empire and Russia. In 1787, the Russian Empress Catherine II and her entourage embarked on a six-month trip through the area, floating down the Dnieper River on a caravan of barges. To assure his continued favor with Catherine II, Potemkin is reported to have built a fake portable settlement along the banks of the Dnieper River. Each night after Catherine II and her entourage passed the village, Potemkin would have the village disassembled and reassembled further down river to give the impression of a thriving, prosperous economy throughout the region. Many people question the authenticity of the legend but whether it is true or not, the fact remains that organizations do construct facades with very little substance behind them.
Rejection
Disregard for nonmembers, involvement of strangers, and regulatory non-compliance are symptoms of rejection. Rejection is a cultural pattern or trait that borders on arrogance. There are two aspects of rejection. On the one hand, rejection can be somewhat passive where organizational behavior trivializes risk impact, threat capabilities, and vulnerability of the organization’s assets. On the other hand, rejection also includes organizational behavior that actively rejects industry best practices, proven standards, and laws that the organization perceives do not apply to them.
Disregard for non-members is characterized by behavior that is dismissive of non-members or the existence of a “not invented here” syndrome. Non-members need not be total strangers; they can simply be people from another division within the same company. A notable lack of teamwork or teams that operate in silo environments are symptoms that point to a disregard for non-members.
The involvement of strangers doesn’t literally mean involving strangers off the street. Involvement of strangers is more commonly used to describe people or organizations that are improperly or inadequately trained. Insufficient or inadequate training can cause people to react in unexpected or unusual ways and inadvertently trigger a hazardous situation that can quickly escalate to become a full-blown disaster. The Chernobyl nuclear disaster is one of the best-known cases where improper training and inexperience were the driving forces behind the worst nuclear disaster in history.
One would think that regulatory non-compliance is rather unusual, but that is not the case. Some organizations overlook or trivialize regulations that they perceive to be ridiculous, outdated or not applicable. Speed limits are a very simplistic example of regulatory non-compliance. Just about everyone has seen someone exceeding the speed limit. Organizations that do not implement internal controls to monitor regulatory compliance are effectively telling employees that compliance is optional. This quickly becomes a slippery slope as the organizational culture can become increasingly tolerant of regulatory non-compliance over time, which sets the stage for disaster.
These seven cultural patterns are subsets of four significant risk management problems: normalized deviance, risk normalization, rejection, and deception.
Written by: Joseph Mayo
Lifecycle of a Risk Hurricane
Aftermath of a Risk Hurricane
Here are some examples of recent risk hurricanes.
| Risk Hurricane Disaster | Incubation Period | Aftermath | Recovery Period |
| --- | --- | --- | --- |
| GM Ignition switch | 14 years | 124 deaths; 275 people seriously injured; $4.1 billion settlements, fines | 5 years, still ongoing |
| VW Dieselgate | 9 years | $33 billion fines, settlements; leadership purge; reputation damage; jail sentences | 2 years, still ongoing |
| Equifax | 3 years | 160 million consumers affected; lost 80% of market value; leadership purge; reputation damage; $1 billion and growing in fines & recovery cost | 2 years, still ongoing |
| WannaCry | 3 months | tens of thousands of infections in over 150 countries | |