Risks from Reporting and Decision-Making Disconnect
Most people have probably heard the phrase “garbage in, garbage out”. This concept holds true in any number of areas, and certainly in the field of risk management.
No organisation can properly identify or manage its risks if the data input into the risk management process is deficient.
Similarly, it’s impossible to identify or manage risks if incoming data is ignored, or not recognised as relevant to the identification of risks.
A disconnect between the reporting of information from segments or levels of an organisation and the decisions made by senior management can result in a critical failure of the risk management process.
A case in point is the report earlier this year that the Commonwealth Bank of Australia’s (CBA) intelligent deposit machines (IDMs) had been used for transactions that allegedly resulted in over 53,000 breaches of the anti-money laundering and counter-terrorism financing laws – despite increasingly desperate attempts from local branches to report their concerns and suspicions over the use of the IDMs (detailed here and here).
The failure of the CBA to fully recognise and manage the risks posed to the organisation by the use of its IDMs has resulted in substantial reputational damage and potentially enormous financial damage (detailed here and here).
While this is a specific example with details that won’t generalise to other organisations, the underlying fault of inaction (or inappropriate action) on reported data is not uncommon.
Imagine a site security shift manager providing a daily log of incidents that is lumped together with other operational data, resulting in a major security risk being overlooked. Or imagine a division manager’s report that raises staff recruitment and retention issues being disregarded during the development of organisational expansion plans, resulting in an inability to deliver the new goods/services.
In most cases the provision of risk management awareness training to all levels of organisational management will help to better prepare them to identify and act upon critical data that might otherwise go unnoticed.
If this were undertaken in conjunction with an objective review of reporting mechanisms between levels of management, the organisation could be much more confident that high-consequence risks will be identified and managed.
Please contact QRMC for assistance with the review of reporting processes or the development and delivery of risk management training.