Getting Bad Grades in Risk Management
How good are North America’s largest companies when it comes to detecting and dodging risks that can disrupt the hunt for growth and profit? It turns out that they have a long way to go before achieving a true standard of excellence. Indeed, BP is not the only firm that needs to head back to the risk management drawing board.
This view stems from the results of a survey that APQC (my firm) designed and executed in collaboration with IBM’s Institute for Business Value just after the Deepwater Horizon oil rig exploded in April. A full research report is in the works, but at this stage I can offer a few tidbits, along with a few words of caution:
(1) The typical rank-and-file employee cannot define the enterprise’s risk appetite;
(2) Senior management shares risk-related information haphazardly; and
(3) Strategy-related risks are generally ignored.
Traditionally, risk management processes and people were aimed at either operational hazards or at regulatory compliance. So, it came as no surprise when survey takers told us that they manage legal, financial, and operating risks with the most mature methods and processes. Those types of risks can be isolated, assessed, and mitigated at the business-unit level. It would be silly not to invest in warding them off.
But it’s much harder to justify and build processes to promulgate and actualize an enterprise’s stated philosophy toward risk. Take, for example, a company that declares itself to be deeply committed to environmental sustainability. To be sure that all employees and contractors behave in line with sustainability ideals, the company would have to invest in people and programs dedicated to defining, communicating, and enforcing policy compliance. And if those efforts work, nobody has to worry too much about, say, somebody dumping toxic waste in a creek behind a plant to save money on removal.
Unfortunately, most companies fail to ensure that the front-line worker instinctively knows “what is the right thing to do” and what the consequences (to the enterprise as well as the individual) are of “doing the wrong thing.” Moreover, in too many instances employees reach for the rulebooks instead of tapping their brain cells to make the proper call. That’s failure on the company’s part.
Outside the arena of institutional ethics and proscribed behaviors, there are strategy-related risks. Our survey takers said that this corner is another very weak link. One out of two companies does not systematically identify, assess, or plan possible responses to events that could damage market share, competitiveness, customer satisfaction levels, etc.
What would happen if your two most formidable competitors merged? A CEO or CFO might very well reply: “We’d deal with that if it happened. We don’t need to spend money on the care and feeding of strategic planning specialists just in case something like that could happen.”
Fair enough. It’s easy enough to call in the strategy consultants in an emergency. My point, however, remains: Failing to ask the “what-if” questions, failing to quantify the likelihood of a negative event materializing, and failing to imagine a response plan, just in case, will guarantee that you’re always on the back foot. Just go ask BP.








