For many years, the image of an iceberg has been trotted out to compare what we see, to what we don’t. Its simplicity has made it a staple in management presentations, business pitches and is widely used across the media. When the environment is the focus, the iceberg model is not only simple, it is also symbolic.
If you have ever sat through a management presentation, then this scenario will be familiar. We are shown a picture of an iceberg. The presenter then notes, in a suitably portentous tone the fact we all know, that the visible part of the iceberg is only 10% of the real mass. The remainder lies beneath the surface ready to trigger <insert your problem here> with the next slide being a picture of the sinking Titanic. They have your attention - now comes the presentation, the pitch, the point. If you want to avoid hitting the iceberg and facing death and destruction, you should buy our product, our solution, our fix.
These days, how organizations manage their risks, operational or ESG related, have come under intense scrutiny. They cannot let an iceberg-like catastrophe happen. However, organizations that use the iceberg as a metaphor for managing risks are unknowingly limiting their own thinking as well as misleading their stakeholders.
The iceberg metaphor has had its day. It tells us wrongly that there is one big problem for which we must find one big solution. Find the solution, the problem is solved. The truth of the matter is that life – and risk management - is far more complex than that.
Organizations need to think about how they manage risk and performance in terms of complexity. We have to change the way we think about risk performance (the process of managing the risks themselves, not just results) and focus on the needs of consumers of this information. To do that, we need a new metaphor.
We propose that we think about risk information using the metaphor of a supermarket.
The supermarket is a marvel of the 20th century. Buying, storing, and marketing food has evolved over the last few decades, in ways that reflect our complex, interdependent and connected world. In the modern supermarket, there is no problem the size of an iceberg to be solved; instead, there is a daily web of complex decisions to be made to solve many different problems.
Supermarkets are wonderful places: they serve a widely diverse set of customers, each with their own tastes, eating habits, and dietary considerations. The supermarket serves all of those needs by making a vast array of perishable goods immediately accessible to anyone, from those on modest incomes to those looking for the unimaginable - the perfect strawberry for a fruit salad in the middle of winter. Supermarket have supply chains that reach all points on the globe to serves customer needs. If we were to look at a supermarket not from the front, but from the side, we start to appreciate the number and complexity of supply chains within this business. It helps us better appreciate how our food gets to us, where it comes from, and who has a hand in making that all happen. We need to see risk information like food at the supermarket and serve stakeholders in a similar manner.
For organizations managing risks the iceberg is too simplistic, one-dimensional and naïve; more to the point, it’s deficient, it’s delusive and it’s dangerous. It ignores complexity in favour of something that is deceptively familiar but easily comprehended.
Risk performance is complex in nature - like a supermarket. The products available at a supermarket are diverse, have far-reaching supply chains and a variety of shelf lives. In the context of risk performance, the ‘products’ are risk information and the consumers of this information are two groups: internal decision-makers and external stakeholders. The quality of risk information - diverse, disparately sourced and devaluing over time - is a product of an organizations value chains. The higher the performance of the value chains, the better the risk information is to serve the diverse needs of decision-makers and stakeholders. The performance of the value chains therefore, need to be constantly monitored due to the ever-changing landscape of business environments and tendencies of complex systems to trend towards failure. This is what risk performance truly reflects.
Internal decision-makers have specific needs when it comes to risk information that is - like the fruits and vegetables - perishable. Decision-makers, within an organization, are going to require insights that are timely, relevant and accessible. Therefore, what data organizations capture, and how these are collected, analyzed and communicated should all fall under scrutiny in the services of these decision-makers. Otherwise, there is no (metaphorical) fresh fruit to put on the shelf to help make day-to-day decisions. No manager wants to be left with empty shelves singing ‘Yes, we have no bananas!'
External stakeholders need information that helps them better connect with the story of an organization – specifically how the organization is managing its risks and progressing on its commitments. Stories are the way we connect with others. It helps us to make personal connections. Once we make those personal connections, we can make cultural connections. When cultural connections are made, then we can make business connections. However, it starts with stories. If those stories are not based in fact, then the ability to build trust will wane. The more trustworthy the information on which these stories are based, the better chance to make those connections: personal, cultural and business.
For example, a single organization will be using data it collects to manage multiple risks simultaneously. The information required, on a daily basis, to manage greenhouse gas emissions will be different from the information used to assess risks related to tailing dams or social engagements. The risk information organizations produce help stakeholders, internal and external, understand how well they are performing.
Organizations who are on the critical path of risk reduction and mitigation cannot ‘simplify’ their way to becoming trusted stewards. They need to become more sophisticated in managing the complexity. This means transparency and timeliness in their communication about how well they are managing risks. Adopting a risk-based approach means that risk performance is best expressed in terms of a company’s exposure to risks and how they control performance. Conveying an organization's capacity to demonstrate effectiveness and improvement is critical to differentiate leaders from their peers.
Thinking about transparency as the solution to complexity will drive better ways to measure and communicate risk information and make it accessible and useful for decision makers and external stakeholders alike. Once organizations liken risk information to the products of a supermarket and the performance of their value chains to the supply chains that get those products on the shelves, they are in a position to think clearly about how to value their performance. The days of using the iceberg model should be numbered. The longer the transition from the 'iceberg' to the 'supermarket' takes only increases the likelihood that businesses will not see performance through the lens of risk management and indeed end up like the proverbial Titanic.