In preparation for my youngest child’s first Sacrament of Penance, I was reminded of the difficulty of explaining sins of omission. We usually do well identifying the clear wrongs we commit, but owning up to what we fail to do is a tougher task. The same challenge occurs in corporate environments where we can easily note obvious missteps, but recognizing the management responsibilities we fail to address is more elusive. Beware. Third-party stakeholders may hold the ultimate power to judge these sins of omission.
Most companies make sincere efforts to comprehensively address their corporate risks in relation to their organizational objectives. They find ways to mitigate, manage, leverage, and transfer as many of their risks as possible, but still face the most daunting threats of unknown and residual risks. How well do decision makers in your company try to account for knowable risks as they conduct risk assessments?
Risk management consultants and insurance advisors can help identify gaps in your enterprise risk management program in relation to insurance product offerings and standard industry practices, but you may still fall short of the expectations set by third-party stakeholders.
Consider the broad set of external stakeholders with expanding business ethics and risk management expectations for your organization:
- government regulatory agencies
- credit rating agencies
- social activists
- the media
- competitors (in coopetition)
A higher rate of judicial activism in our courts is also exposing corporations and individual managers to greater litigation risks for expected due diligence on managing risks that may never appear on executive dashboards.
The boundaries of corporate liabilities for proactive risk management are gray, but certainly expanding. Cases of negligence are relatively clear when standard industry practices and government regulations are ignored, but liability becomes more nebulous when standards of “expected behavior” come into question.
The healthcare field offers an example where customer and judicial expectations for hiring and training practices ran ahead of actual healthcare risk management practices before standards emerged. Businesses that depend on constant IT system availability to sell their goods and services in the digital age continually raise the expectations for business continuity and sound disaster planning from their information technology providers. Looking ahead, politicians and global organizations are raising the stakes for managing environmental risks not considered by companies today.
Keep in mind that directors' and officers' insurance may protect business managers if they use good judgment when a risk event causes harm, but good judgment is a relative term. Third-party expectations for good management continue to push the boundaries of business standards. This includes assigning responsibility for a lack of action on what may be in your company’s risk identification blind spots.
Even the best risk assessment tools can only guide decisions based on your historical data for your known corporate risks. Look for ways to extend your risk management assessments to consider emerging risks as well as the growing expectations for proactively managing a broader set of risk factors. Be sure to avoid sins of omission by integrating external expectations for risk mitigation into your organizational decision-making processes.