When you answer, “it’s just the way we do things” you are subtly telling your team that you don’t know or they are not valuable enough to know. Both options undermine your credibility as a corporate leader. But you do care about your team, their development, and organization, that’s why you’re the type of leader who answers the call for better risk management.
Your team’s question might be an indication that a process is obsolete or not performing as intended. We all deal with the hot fire of the day. When you put a process in place and it isn’t making any noise, we usually leave well enough alone and tend to other matters. Your team questioning a process can be your first indication that something isn’t right. Eliminating or improving all but labor-intensive processes will give you incremental gains so move through this process expediently.
Make the assumption that every business process is meant to reduce the likelihood that some unwanted outcome will happen. We call these unwanted business outcomes risks and by reducing their probability or controlling them, we increase the chance that our company will achieve the outcome it desires.
To provide a more plain language example, most people think a manufacturing process to produce yellow no. 2 pencils is to ensure that pencils are produced correctly. This is true in a sense, the risk is that a pencil does not conform to the design specifications of the company for yellow no. 2 pencils. The process exists to reduce, or control, the number of pencils exiting the process that do not meet that desired outcome to a level the company finds acceptable.
Rather than thinking of processes as producing the good, think of them as preventing the bad or undesirable. With that switch in your mindset, you will have an easier time identifying the risk and control and then giving a great answer to your team.
This is all sounds pretty good so far, but in lots of companies these risks were identified and controls were designed and put in place by people who have long since moved to other departments, been promoted, retired, or moved to other companies. So how do you know what risk the process is meant to control and whether it is still useful? Let’s assume you don’t work in a company subject to Sarbanes Oxley (SOX) requirements where internal controls and risks are heavily documented.
Reverse Process Engineering
You already know the process your that has interested your team. Somewhere within that process is the control steps. Sit down with the professionals in your organization like the internal auditors, controllers, operations managers, IT and others who have ownership of the process. Think through the process output, what the process does. Use the negative outcome thought process we discussed earlier to determine what the different steps in this process in front of you help prevent. The negative or undesirable events the process is preventing or reducing in frequency, are the risks.
This is the important part. Once you complete these steps. Take a few minutes to think about and discuss with your management team the risks and controls you’ve documented. Are the risks still relevant to your business? Do you now have other controls that manage that same risk decreasing the efficiency of your team’s efforts? Has the risk grown in significance over time and you need to do more to prevent it from preventing you from reaching your goals as a company?
Sometimes your team asking, “why do we do things this way” is an opportunity to reassess the effectiveness of your control structure and improve efficiency. If the control is still needed, you will have a great answer and look like the competent professional leader that you are. Risk management is another tool in your toolbox and when used effectively, it will help you achieve the outcome you desire more consistently. Learn more about enterprise risk management and internal controls through the Committee of Sponsoring Organizations