Much has been written in recent times about the usefulness and necessity of risk management before, during and after the corona era in which we now find ourselves. People write about "Black Swans," "Novel Risks" and "Risks we can't foresee”.

Communicative risk management: the pandemic risk

Could and should the pandemic risk have been foreseen in the form as we know it today? Could the impact have been reduced?

To those questions, I have no scientifically based answer, but an opinion: yes and yes! It could have been foreseen and the impact could have been milder.

Of course, pandemic risk is one in the 'Small chance, big consequence' category. But why do we spend tens of billions to strengthen dykes, to bring the probability of flooding for parts of the Netherlands to 0, but take no impact-reducing measures for the risk of our country being hit by something like a pandemic?

This question cannot be answered unequivocally and answering it probably only raises more questions. What does become clear is that risk management in Dutch organisations mostly takes place at two levels: at political/management level (call it Enterprise Risk Management, ERM) and at project level (Project Risk Management, PRM). Where ERM looks at the various threats and opportunities that affect the continuity of an organisation or a country, PRM mainly looks at the risks that make a project fly out-of-scope. And lo and behold: the mismatch is clear. These worlds do not align and this mismatch ultimately causes projects to fly out-of-scope and policies do not help prevent this from happening in the future. And that, in turn, is a potential threat to a country's stability or an organisation's continuity. Do you understand the problem?

Projects often stand alone as mini-entities within organisations. Sometimes they are part of a national/regional programme, or a collection of several projects. Even those programmes are often stand-alone. Why is that anyway? After all, project organisations exist by the grace of running those projects. So why is there no clear communication between the ERM and the PRM?

And there, in my opinion, we then have the problem: there is a lack of communicative risk management within and between organisations and projects to deal with risks (and opportunities!) in a conscious and controlled way. Also read: Rare dialogue on risk.

The big difference between implementing risk management and applying Communicative Risk Management lies in 3 aspects:

Awareness

Humans have a tendency to ignore clear signals about the presence of potential anomalies. This stems from standardised working and thinking patterns and preferring to live in a predictable world. Awareness of the presence of both small chance, big consequence and high chance, low consequence risks is step 1 in thinking in scenarios and possible actions to be taken.

This awareness can be created by discussing different topics with people from different backgrounds and levels, and feel free to call this a risk session! Let everyone have their input, without value judgements. Communicating about the potential undesirable events without trivialising them is an art in itself and therefore requires an experienced discussion leader and interactive tooling. Make it accessible for every stakeholder to be able to give his/her input.

Simplicity and effectiveness in communication

Despite the preceding aspect, creating awareness, risk communication should adhere to the KISS principle; Keep-It-Stupid-Simple. Formulate the risks, causes and consequences as they are and make them as striking and tangible as possible. This makes it much easier to then think about preventive measures (to avoid causes) or mitigating measures (impact-reducing).

Subsequently, it is also easier to share this information because differences in interpretation are nil. To avoid ending up with large amounts of risks, prioritisation and quantification can be applied, but this does not mean that the measures listed for low-scoring risks should not be implemented! Also when prioritising, use multiple insights from multiple levels to get the right picture.

Insight at all levels

Information related to the named possible events, scenarios and the measures to be taken should be accessible at every level. Anyone should be able to contribute and share their additions to it. Therefore, position the risk management function at an organisation as 'a needle that pierces through the organisation'. This function should have a mandate at both strategic, tactical and operational levels. And, also know that provided this prick is timely, it does not hurt, but offers protection in times of adversity!

And as for a risk management function at national level, the same applies. A function, which operates from the deepest layers in a country (citizens) all the way up to politics in The Hague, which lets people express their opinions on possible (disaster) scenarios and ensures that future policy actually contributes to the prevention of undesirable events on the one hand, but above all ensures a reduced impact when a risk occurs. Let citizens, companies and politicians work together in this... it's really not that difficult, but everything depends on aspect 1: becoming aware of the existence of risks.

Of course, the above aspects are not 1-2-3 introduced and respected within organisations. Yet it can't hurt to enter into a dialogue on this as a manager, or with your manager, and start the first step, awareness-raising. Using interactive tooling that raises awareness and facilitates cooperation can certainly help. If it works within an organisation, surely it will also work outside?