Sean Thompson, President & Chief Executive Officer of NAVEX, discusses the concept of “risk management theater” in corporate risk and compliance. This term refers to the implementation of processes that give the appearance of security and compliance without actually achieving desired outcomes. This approach can lead to significant corporate risks and undermine the goals of the risk management process. Thompson emphasizes the importance of prioritizing tangible outcomes over superficial appearances in compliance efforts.

Thompson uses the example of the Deepwater Horizon disaster to illustrate the dangers of risk management theater. In this case, safety analyses failed to address underlying safety risks adequately, resulting in severe consequences such as environmental catastrophe, reputational damage, fines, and criminal charges. This serves as a cautionary tale to move beyond the illusion of risk management theater and towards a genuine commitment to risk management as a fundamental business discipline.

To avoid the pitfalls of risk management theater, organizations must invest in robust risk and compliance programs. Key best practices include adopting a Socratic approach to continuously question and verify the efficacy of controls, maintaining an always-on approach to risk management, building a risk-aware culture within the organization, and measuring key risk indicators that impact the organization’s objectives and strategies. These practices are essential for effective risk management that propels the business forward and avoids the negative consequences of shortcuts in compliance.

Thompson emphasizes the importance of unifying the organization around risk and compliance to ensure that employees understand the organization’s approach and are empowered to make the right choices. By breaking down organizational silos and using a single technology solution to manage risks, organizations can gain a comprehensive view of enterprise-wide risks and take the most appropriate action based on all available data. Additionally, measuring what truly matters in terms of risk indicators and using data-driven approaches can help business executives and the board of directors make effective risk-based decisions.

In conclusion, Thompson stresses that risk management has no place for theatrical performances, and organizations must focus on outcomes rather than processes to achieve true risk management. By implementing practices such as adopting a Socratic approach, maintaining continuous vigilance, unifying the organization around risk and compliance, and measuring key risk indicators, businesses can move beyond risk management theater and achieve a robust, effective, and compliance-driven strategy. The goal is to safeguard the organization’s success and make risk management a competitive asset that propels the business forward.
