In a recent article, Sean Thompson, President & Chief Executive Officer of NAVEX, explores the concept of “risk management theater.” This term, inspired by Bruce Schneier’s “security theater,” refers to processes that create the appearance of security and compliance without achieving real risk mitigation. Thompson emphasizes the importance of prioritizing tangible outcomes over superficial appearances in corporate risk and compliance practices to avoid the pitfalls of risk management theater.
Thompson warns against the allure of risk management theater, which can lead organizations to believe they are effectively managing risks when, in reality, they are not achieving desired outcomes. He uses the example of the Deepwater Horizon disaster to illustrate the potential consequences of prioritizing process over substance in risk management. The disaster resulted in environmental catastrophe, reputational damage, and criminal charges for some involved parties, highlighting the dangers of relying on risk management theater.
To prevent the pitfalls of risk management theater, organizations must invest time, resources, and expertise in developing and implementing robust risk and compliance programs. Thompson outlines key best practices to guide this transformation, including adopting a Socratic approach to questioning controls, maintaining an always-on approach to risk management, unifying the organization around risk, and measuring key risk indicators relevant to success. These practices can help organizations move beyond the illusion of risk management theater towards a genuine commitment to effective risk management.
Thompson emphasizes the need for organizations to build a risk-aware culture, empower employees to make informed decisions, and focus on outcomes rather than processes in risk management. By implementing a data-driven approach to risk management, organizations can make informed decisions that align with their strategic objectives and operational goals. By avoiding risk management theater and focusing on substantive practices, businesses can achieve robust, effective, and compliance-driven risk management strategies that propel the business forward.
Overall, the key takeaway from Thompson’s article is that theatrical performances have no place in risk management. Organizations must focus on achieving true risk management that safeguards their success and makes risk management a competitive asset. By prioritizing outcomes, adopting best practices, and avoiding shortcuts, businesses can move beyond risk management theater and establish a solid foundation for effective risk management that propels the business forward in today’s complex threat landscape.