In this second article on the seven principles of managing for safe behavior, we focus on two ways of managing risk: rule-based management and risk-based management. The term risk is used here in a broader sense and refers to the hazards that must be managed at the executive level. For example, submitting a bid is a risky process. In the case of a large contract, a miscalculation can jeopardize the entire organization.
The essence of entrepreneurship
Entrepreneurship is about taking calculated risks. Organizations that manage their risks most effectively tend to be more successful and better able to survive economic volatility. Risks are often labeled as something negative, but in reality, strong organizations distinguish themselves precisely through their ability to manage risk well.
Organizations that take too few risks may deliver a flawless product, but they innovate insufficiently. Kodak demonstrated how this can end. At the other end of the spectrum, we find organizations that take too many risks. While this may enable rapid growth, it also leads to fragility during economic turbulence—Lehman Brothers being a well-known example.
Survival in a competitive environment therefore lies in the optimal zone of the risk spectrum. Where this optimum lies differs by industry and by process.
The rule paradox
Safety management is often equated with the elimination of risk. This confuses eliminating risk with controlling risk. Classical safety management tends to attempt to eliminate risk by describing as many activities as possible in rules. This approach is appropriate for standardized processes.
The price paid, however, is that a rule-based approach typically leads to a rigid structure that makes adaptation to changing situations difficult. Moreover, goal-oriented employees may be tempted to circumvent rules if doing so makes it easier to achieve results. As a result, safety measures can unintentionally create new and unforeseen risks, which in turn undermine safety once again.
This is the rule paradox.
The optimal level of regulation
Safety management can be viewed as an integral part of organizational governance. Analogous to the optimal point on the risk spectrum, there is also an optimal level of regulatory density.
Too few rules lead to chaos and repeated reinvention of the wheel—an indication that insufficient learning has taken place. Too many rules make an organization rigid and insufficiently agile. Rules work well for predictable risks and standard processes, but they fall short whenever deviations occur. An excess of rules also has a stifling effect on innovation.
Incubators
This effect is often visible in over-organized companies. As a response, they establish incubators—small startups that operate separately from the parent organization and its mandatory policies. These serve as breeding grounds for new products and services.
There is nothing inherently wrong with incubators. The problem lies in the fact that organizations often fail to ask why they are necessary. If management believes that promising initiatives cannot flourish within the existing organization, this should at least prompt a reconsideration of the extent of regulation.
Regulatory reflex
The failure to ask this question may have two causes. First, organizations may be so accustomed to regulation as a control mechanism that they revert to it automatically. Rules then become a modern form of bloodletting—a panacea for all ailments. Second, organizations may lack awareness of the alternatives available. Can we organize effectively without regulating everything? What options exist besides issuing another rule?
From rule-based to risk-based management
Brain Based Safety invites organizations to seek solutions in our fundamental human behavior, in our basic programming as human beings. After all, our ancestors managed to deal with risks acceptably without formal rules. They survived repeatedly and ensured the continuation of the species.
Risk management is therefore in our blood—or more precisely, in our DNA. We refer to this capacity as risk-based behavior: the ability to respond adequately to risks in our immediate environment and in our plans.
Rule-based management: top-down
Rule-based management implies top-down control. Typically, a staff expert formulates a procedure that is rolled out through the line organization. The message from the top is: “This is how you must do it.” That same staff function later reports whether implementation has occurred as planned, and this becomes part of management reviews or audits.
Rule-based management falls under process control.
Risk-based management: also bottom-up
Risk-based management means, among other things, that a dialogue is conducted at every level of the organization about potential risks and how to control them. The message from the top is: “Show me that you understand the risks and are equipped to manage them.”
This message has a pedagogical dimension. People must first be educated and initiated before they can truly perceive risks. As Johan Cruyff famously said: “You only see it once you understand it.” Social interaction therefore precedes risk-based action. This places risk-based management within social influence, with clear bottom-up elements.
In closing
Naturally, social influence encompasses more aspects than those discussed here. What matters is recognizing that both room for action and management attention from the top are required for this form of control to be effective. The next articles will explore these elements in greater depth.
Juni Daalmans
September 2016