When I was the Chief Operating Officer at one of the largest suppliers of orthopaedic and spinal implant products, most of our conversations about risk related to the impact of our products on patient care. We always took the approach of erroring on the side of the patient.
Risky Business – The Hard and Soft Side of Risk Management
5 min read Premium comments
#management#riskmanagement
Strategically, when we thought hard about risk, we evaluated it in terms of our core competencies and whether we should expand into other markets (like total joints).
For the most part, I think this served us well. With the notable exception of spine. We were extremely cautious in those early days of entering the spine market and that, I think, ended up hurting us. Those were the days when the industry was entangled in a legal fight over pedicle screws.
A Fresh Look at Orthopedic Company Risk Management
Where do you think the real risk exposure lies in your company?
Most effective managers worry about the risk of the sub-optimal clinical acceptance of product innovations, risks associated with failure to execute strategic plans, risks of putting the wrong people in critical positions or risks of regulatory non-compliance.
These are valid and important concerns. In fact, we can consider these to be “hard” risks and we as managers typically expend most of our effort to minimize them.
However, I would like to suggest that these types of risks are not what should be keeping you awake at night. The real risk in your organization is subtler, one that is hiding in plain sight.
Dare I say “soft” risks?
Hard Internal Controls
I was recently talking with a client who asked what additional steps he needed to take to protect his company from regulatory risks during a major strategic initiative. This client already had all the traditional support functions including internal control, quality and regulatory in place.
Still, great question!
It is undeniable that we cannot operate without effective quality and compliance functions. These elements of risk management—policies, procedures, and dedicated departments—are what I consider to be “hard” internal controls.
I cannot think of many instances where companies and executives faced real liability—both personal and professional—due to an underperforming internal audit or regulatory department.
Further, the medical device sector, perhaps more than most, expends significant resources to put in place robust internal, quality, and regulatory controls. We may be forgiven for thinking, because we have a solid internal audit department and excellent regulatory compliance organization, that we have risk management mastered.
Yet, where we are too often caught by surprise with respect to risk management and where, I think, the real risk exposure lies is in the area of “soft” internal controls.
Soft internal controls?
Soft controls are intangible controls such as morale, ethical climate, empowerment, competencies, openness, shared values, and, of course, the Big 3: Leadership, Trust, and Integrity.
“How often have you heard of organizations referred in terms such as[1]:
- Having a pervasively toxic and dysfunctional atmosphere?
- Depicting a mentality of ‘do as I say, not as I do?’
- Following a tone at the top that talks the talk but does not walk the walk?
- Demonstrating an entity wide ‘cover yourself’ mindset.”
Perhaps your organization is struggling with some of these questions.
If you are like many in today’s business environment, just hearing these descriptions will make your shoulders tighten and your stomach churn!
None of us wants to join the ranks of those that have been done in by lagging ethics and a weak corporate culture.
I find it ironic that internal controls related to these types of settings are labeled “soft.” Actually, there is nothing soft about either working under, or trying to improve, such circumstances. This is hard stuff—very hard.
Improving soft controls requires aligning culture to mission, acknowledging the impact organization design on risk, as well as transparency and consistency of communication. Successfully managing soft risks may have benefits both internally and externally.
Why am I so passionate about this subject?
I have firsthand experience of the importance of soft controls and why relying on hard controls is not sufficient. I learned the hard way that hard controls can provide a false sense of comfort.
The company I was managing was accused of serious FDA violations. I believe that inadequate soft controls led to the criminal investigation of both the company and several executives including myself.
I have had plenty of time to pose the question: How could a well-established medical device firm with a strong regulatory and compliance organization face criminal charges? The simple answer is that greater attention should have been placed on soft controls.
When most people think of criminal defendants, they picture someone who has intentionally broken the law. Many are not aware that corporate leaders can face criminal prosecution in instances where they did not know—but should have known—about criminal activity in the company. My belief is that the real risk lies with corporate culture, how we manage, communicate and “walk the walk.” These are classic soft controls. While having a strong regulatory and compliance department is a prerequisite, it is simply not enough to adequately manage company and personal liability.
Yes, it can be a crime to be unaware of what is going on inside your organization. Many are not aware that corporate leaders can face criminal prosecution in instances where they did not know—but should have known—about criminal activity in the company. I saw firsthand what can happen when things go awry under our leadership, something I address further in my book, Going Om: A CEO’s Self-Discovery Behind Bars. The company and me, personally, paid a huge price. I still have the scars on my back from that experience.
The Volkswagen emissions scandal otherwise known as “emissions-gate” is a great example. Their company’s formal governance structure was seemingly strong, but the informal communications and the resulting management behavior created a culture that was almost diametrically opposed to its stated values.
Had focus been placed on evaluating soft control gaps between the stated corporate values and the values that were practiced in reality, this might have been identified and addressed well before things got out of hand.
Corporate culture is the most powerful control in any organization[2].
Surprisingly, 45% of executives feel that having weak soft skills is the most pressing issue when it comes to gaps in workforce proficiency. In today’s technology and data-driven world, emotional intelligence has definitely been sidestepped, and soft skills are notoriously hard to teach.
Evaluating the risk exposure for your firm requires uncomfortable conversations about how you lead, communicate, and set the standard for the rest of the organization. It is easy to focus on structure rather than on culture. Yet doing the inner work to align your vision and mission with how we ourselves hold our management teams accountable will go a long way in addressing both hard and soft risks.
We are all on a journey, sometimes we lose our way, but it doesn’t mean that we are lost.
[1] Jim Roth, Soft and Strong: A Best-practice Paradox, March 2011
[2] Jim Roth, Soft and Strong: A Best-practice Paradox, March 2011
React:
Discussion
This is a fascinating development. In my practice we've seen similar outcomes with the revised protocol. The key differentiator seems to be patient selection criteria. Has anyone else noticed the correlation with BMI thresholds?
Great point. I'd push back slightly on the conclusion, the sample size in the cited study is too small to draw population-level inferences. That said, the directional signal is compelling and worth a larger RCT.
We implemented a similar approach last year. Early results are promising but we're still gathering 12-month follow-up data. Happy to share our protocol if anyone is interested.
Join the conversation
Orthopedic professionals are discussing this. Sign in and upgrade to read every comment and add your voice.