Lord Voldemort is a character from the Harry Potter book series by J. K. Rowling’s. A feature of the character is that no one dares to say his name out loud and thus his nickname is ‘He who must not be named’. There are two reasons for this. The first is because the minions of dark magic can trace your whereabouts if you say “Voldemort” and the second is because it reinforces fear in his moniker.
The Harry Potter story arc is about the redemption of good and bringing light into darkness. In a way, there is a parallel to risk management. It is about attempting to have certainty in a world of unknowns and changing circumstances. By articulating a single risk, an organization is consciously shining a light into one dark corner at a time.
Not to carry the literary theme too far, but are there dark corners beyond the reach of even Harry Potter’s wand? Are there risks that exist in an organization, but no one dare speak their name out loud? I am going to propose that we name these ‘Voldemort Risks’, the Uncertain that Shall Not Be Named’.
Some Dark Examples
- Enron, summer 2001: questionable accounting practices will lead to he implosion of this company and likely the destruction of our auditors, Arthur Anderson, in the next year but certainly well before 2003. The likelihood is 100% and the impact will be catastrophic for our investors and employees.
- Phoenix pay system, May 2015: going live will result in the massive incorrect payments to thousands of public servants and that the subsequent costs to remediate the errors will be many times the cost of delaying the deployment. The likelihood is 100% and the impact will be massive loss of reputation for the Canadian government and financial hardships for employees.
- Challenger Shuttle, January 1986: launching the shuttle in low temperatures will exacerbate a serious design flaw in the O-Ring seals of the booster rockets. As a result of the compounding events, the shuttle will experience a catastrophic failure. The likelihood is near 100%. The impact will be the death of the crew, the delay in using the shuttle programs for nearly 3 years and a severe loss of reputation for the US Space Program.
Okay, the above examples are being made with perfect hindsight and it is unlikely that few people would have had the information so as to make these exact predictions. The point is this: even if a person had perfect information, it is unlikely that the risk would have been accepted by the organization.
The Garden Variety Voldemorts
For most organizations, the risks that shall not be named are more garden variety. For example, a family member of the company’s owner who is using her position to undermine employees, a teacher who is having untoward relations with her students or a government policy running amuck but no one dares to criticize because it is the darling of the president/minister/premier.
At the other extreme are organizational ‘Chicken Littles’ who see the sky falling with every organizational change.
How to Control Voldemorts Varmints
ISO 31000 provides the methodology to varmint control Voldemorts. In this case, the most important step is identifying risk using some or all of the following tools:
- Whistle Blower Protection: provide policy and real protection for those who call out an organizational failure. In this context, Whistle Blower policies should be seen as a tool of last resort. If your organization is relying on this tool, you are likely failing your staff, contractors and suppliers.
- A High Trust Culture: in many ways this is the opposite tool of the Whistle Blower and by far the preferred one. It is a lot cheaper and more efficient for a lowly employee to feel comfortable saying to the president “Bob, I think we got a problem on the shop floor…”.
- Allow for Anonymity: If your trust quotient is not where it should be, when conducting risk assessment, allow staff, contractors, suppliers, etc. to contribute anonymous risk items. As required, consider using an independent third-party to facilitate communication or use technology to do the same (e.g. using an avatar on an external website).
- Mandate a Shocker or Two: finally, as part of the risk management process, mandate the organization to come up with a shocker. Even if it is not included, the act of identifying potential Voldemorts may be enough to mitigate them… or at least drive them back into the children’s section of your local library.
Conclusion and Voldemorts in the Closet
What are your thoughts? In your career did you have a few Voldemorts that you wished were on the final risk register? Any tools to add to the above list? Drop a comment or me a note to share your thoughts.