Published in Extra Cover
European norms and risk management
let’s call a spade a spade
For decades, European Directives and individual country regulators have called upon companies to adopt risk management techniques in areas such as health and safety at work, personal data management and others. Yet despite these initiatives, many companies have still not embraced a culture of risk management. In the current macroeconomic context, however, a holistic approach to the management of risk is, without a doubt, fundamental “to optimize the resilience and operations of businesses”.
Over the last few years there can be little doubt that European lawmakers have taken the advantages of risk management to heart when looking at how to ensure corporations act to reduce any potential harm to their own employees and wider society.
This tradition stems back to the introduction of Union Law over thirty-five years ago and the approval of a milestone directive on the introduction of measures to encourage improvements in safety and health at the workplace (89/391/EEC). This directive called on company managers to identify and assess threats to health and safety within their own organizations and to plan and put in place measures to avoid accidents.
Over the last decade there has been a great deal of European legislation obligating companies, in essence, to implement risk management techniques. And whilst the full list of legislation is long, the most well-known is undoubtedly the General Data Protection Regulation of 2016, which superseded the former framework, the 1995 Directive, and introduced an adequate process for risk management that resembles the ISO 31000 standard (identification, analysis, assessment, treatment, reporting and follow-up) as a reliable system to secure the custody of personal data.
More recently, we have had EU Directive 2019/1937 on whistle-blower protection, approved on 23 October 2019, which mandates that governments should compel companies to assess their risk exposure to determine whether they need to create an internal whistle-blowing channel. And looking forward, there are proposed regulations on norms for artificial intelligence. These are currently being debated at the European institutions (2021/0106 COD) and propose that companies manage the risks generated by the use of such technologies in order to protect society.
These three examples alone demonstrate that the EU definitely prioritizes risk management as an administrative tool whenever it looks to legislate on corporate risk.
However, the influence accorded by the EU to risk management practices and approaches is in stark contrast — at least in Spain — to what happens on the ground, where risk management is rare, if not entirely absent, from most company management cultures. The reality is that after over thirty years of identification, assessment and risk control in companies, few managers know that the techniques they employ in their prevention and protection schemes actually originate from something called risk management. The same is true of their internal data protection policies, safeguards against money laundering or criminal conduct (which in Spain is called penal compliance) or measures to foster equity within their companies. Each of these aspects of daily management at corporations is perceived in the vast majority of cases as an airtight, siloed department, and there is no appreciation of the close links between these areas from an administrative standpoint.
The perception of diverse policies and organizational matters in companies as being separate and disconnected realities is a real problem. If the people who must decide on the best way to organize a business, which is to say, company managers or directors themselves, do not see the commonalities among their professional risk prevention, data protection or compliance policies, it is all the more difficult for them to accord risk management the importance it deserves. But without it, it is impossible to organize companies efficiently. After all, when you can't see the forest for the trees, the risk of dividing up and compartmentalizing what should naturally be managed in a holistic manner clouds one's vision of the whole. Furthermore, a lack of understanding of the close connection between risk management and the internal policies lawmakers are increasingly imposing, both nationally and across Europe, gives entrepreneurs the false impression that all they do is add more useless bureaucracy to the daily affairs of their companies, yoking them to more and more protocols, procedures and channels — that come at a cost and seem to multiply in an incomprehensible manner.
It is lawmakers that are substantially responsible for this state of affairs. The legislation imposes risk management as an administration technique for several of the problems discussed, with little or no regard for drawing connections between them. If all you do is regulate trees, you forget there's a whole forest they form a part of. To foster risk management, starting with legislation, the first thing one must do is call a spade a spade. That is to say, it's good and proper to make directors and managers identify, analyse, assess and control the risks they are exposed to, but it would be even better to establish those duties while making them see that each one is a stage in a global process called risk management. Better still if one also insisted that the whole process serves to manage every corporate risk, not merely those regulated by law.
Surely this is not asking too much. Especially when, these days, nobody doubts that holistic management of risk is the right way to optimize the resilience and operations of businesses.