Risk leadership - how they do it in FC Barcelona

In some respects, risk leadership in many companies resembles former Norwegian national coach Egil “Drillo” Olsen’s approach to football: controlled and defensive. Most of the time, the strategy resulted in the team steering slowly but surely towards a half-hearted draw.

August 2016


... However, boards and CEOs should not content themselves with risk leadership being of only moderate importance to the survival of the company. Instead they should take a closer look at successful football clubs such as FC Barcelona or Bayern München to get inspired by how to conduct good risk leadership. This would benefit owners, customers as well as employees.

The best defence is an attack

Drillo was known for his wellington boots as well as his approach to football. He coined the phrase “å være best uten ball” (to be best at off-the-ball running). Based on a solid defence, the players were not to take any chances, but only focus on scoring goals on long balls or set pieces.

At the beginning his strategy paid off – at least to some extent. However, the opponents quickly saw through the strategy, and in the long term it may have been a contributing factor in making Norway an insignificant player in the world of football. Norway hasn’t qualified for a championship for the past 16 years, and at the time of writing Norway is ranked 51st on the FIFA World Ranking after small footballing nations such as Kap Verde Islands, Iran and – perhaps even worse – Denmark.

We use specific templates to identify and assess risks.

In many companies, risk leadership has started to resemble the Drillo approach to football. We use specific templates to identify and assess risks. We describe how we respond to those risks and report it to the management. The more we try to manage the risks, the better.

This is a very sensible approach if the purpose is to meet the formal requirements of risk leadership, which is an important first step.

However, the approach is not of great importance to the companies’ ability to avoid losses or even to take advantage of the opportunities that may arise. In recent years, there have been several examples of companies losing ground or even going bankrupt. Not due to errors or losses, but because of a lack in the ability to develop and adapt to changing market conditions.

Attack is the best form of defence.

Thus, we ought to take a closer look at recent years’ most successful football teams such as FC Barcelona, Real Madrid and FC Bayern München. The leadership philosophy of these teams seems to be that “attack is the best form of defence”. They strive to keep or gain possession of the ball and win the ball as high up the field as possible. Even outside the field, they use offensive strategies. They invest heavily in the development of new players as well as new geographical markets.

Build on a solid foundation

However, an offensive strategy needs to be based on a solid foundation. A foundation where we have identified our most significant operational risks and work towards preventing them from occurring, and not least where we know how to react in case they do occur.

The foundation consists of three strong lines of defence: operation’s continuous understanding and mitigation of risks, risk leadership’s support by providing the right knowledge and tools, and the internal control function’s inspection of the mitigation of the most critical risks such as personal safety, IT security, compliance, and production capacity.

86% of all significant losses are caused by strategic risks.

On the other hand, when applying an offensive strategy you need to increase focus on and willingness to take strategic and emerging risks. Studies have shown that 86% of all “significant losses” are caused by strategic risks. However, risk programmes only spend 25% of the time on addressing strategic risks 1. A figure which, in our experience, is to the positive side.

We use different types of players for attack and defence, respectively; similarly we ought to use different tools and processes for addressing strategic and emerging risks. In our experience, many companies fail in trying to manage all types of risks in the same way. While risk lists and heat maps work well in terms of the well-known operational risks, they rarely make a difference in relation to achieving a better understanding and handling of strategic and emerging risks, because these risks are often characterised by the principle of “we don’t know what we don’t know”. Thus, strategic and emerging risks can be regarded as so-called “unknown unknowns” which, in the extreme, turn into “Black Swans”.


Black Swans

The concept of Black Swans derive from the story about how people in Europe up until the 16th century firmly believed that all swans were white. For centuries, people had only ever seen white swans, and therefore there was no way of knowing that swans could be a different colour.

This all changed when black swans were first discovered by the Dutch explorer Willem de Vlamingh during his expedition to Western Australia in 1697.

The author Nassim Taleb discussed the concept of Black Swans in his books "Fooled by Randomness" (2001) and "The Black Swan" (2007) and thus contributed to spreading the concept in risk leadership circles. Taleb defines Black Swans as events that are extremely rare, difficult - if not impossible - to predict and of major importance.

Unknown and extreme risks

In recent years, a considerable number of Danish and international companies have got into trouble as a result of the risks they either had not predicted or had not imagined would affect them to such an extent. This applies to companies with a large exposure to oil and gas prices, geopolitical risks and freight rates as well as to companies that have been rendered superfluous by technological advances or market developments.

In short, if we are to safeguard ourselves against unknown and extreme risks, we must be able to live by the old cliché of “what doesn’t kill you makes you stronger”:

  • We need to be well-prepared – both financially and operationally – to survive an unanticipated battle.
  • We must acknowledge that we have been hit – and quickly change direction.
  • We must put ourselves in a position where we are able to take advantage of the change and seize new opportunities.

These three statements are common goals for most boards and CEOs. However, paradoxically, having a structured risk process is rarely a contributing factor in ensuring that the CEO reaches the company’s goals. Probably because the goals require us to go beyond the traditional leadership toolbox of risk managers.

For instance, it’s our experience that if we want to be able to quickly identify and respond to errors, change or new conditions, it requires that:

  1. We have a high level of agility in the strategic process, and that the strategy is constantly developing and not something that we only look at once every 4 – 5 years.
  2. We are constantly monitoring the development of the key assumptions we have made to ensure the right strategy.
  3. We work with scenario analyses in strategic planning and test very extreme scenarios.
  4. The organisation is willing to change and prepared to implement more frequent changes in direction.
  5. We, to a higher extent, are characterised by a “one-error culture” rather than a “zero-error culture”.
  6. Performance measurement and performance-based pay contribute to a healthy risk culture where we take appropriate risks.
The new role of risk management

Companies that wish to navigate in an ever-changing world need to demand more from risk management. The responsible risk managers will no longer sit on the bench but instead be actively involved by taking responsibility and be part of the attack. They must be faced with tasks that require strategic and organisational competences as well as change management.

Today, many risk functions act as post offices and risk consolidators in the reporting trap.

Luckily, most companies are able to release a significant amount of time, which is currently wasted on reporting, e.g. when people spend a lot of time reporting things that only few people actually read and even fewer learn anything from. Today, many risk functions act as post offices and risk consolidators in the reporting trap. It’s their experience that the organisation doesn’t appreciate having to report risks, and that the consolidated reporting doesn’t have any significant effect on management decisions.

To many companies, it’s important to maintain a certain level of bottom-up reporting. This is the key to risk leadership, because it ensures continuity and documentation. However, usually it’s sufficient to carry out the process once a year. For the rest of the year, the risk function could have the role as risk coordinator rather than risk consolidator. They could act as a Centre of Excellence for risk leadership, assisting the business with the right competences, tools and knowledge.

In our experience, at least 50% of the risks we report are not actually risks - in fact, they are existing problems.

How do we get started?

If the risk area of our organisation resembles Drillo’s football team, it’s difficult to imagine how we can turn into FC Barcelona within the foreseeable future. However, the ambition is in no way unrealistic.

At Implement, we help our customers get started; firstly by examining whether the traditional approach to risk leadership – the defensive approach – is strong enough to make up a foundation that can be further developed. Some of the elements that are often possible to improve include:

Fewer but better risks

For the past few years, we have helped companies simplify risk leadership by clearing out their extensive risk lists, reducing the number of risks and defining more clear risk formulations. In our experience, at least 50% of the risks we report are not actually risks – in fact, they are existing problems. These can be eliminated, so that the risk process in the organisation doesn’t repeat other processes, and so that room is created for discussing the actual risks.

Better allocation of responsibility

More clearly defined risks help ensure easier allocation of the responsibility for the risks. The awareness of the significance of the risks helps clarify the responsibility that the “risk owners” are taking on. Thus, the task will be perceived as more meaningful and value-creating.

Integration into existing business processes

In many organisations, risk leadership has become an addition to the way we are running the company. Core processes such as budget and production planning, investments, project management, and strategy development and execution are usually not supported by a systematic risk process. If we to a higher extent consider risk identification, analysis and communication as an integrated part of the core processes, significant optimisation and a higher level of quality will be achieved.

One thing is certain: change.


Once the defensive strategy is in place, it’s time to start focusing on the attack. Through collaborative consulting, Implement helps customers get started by making an assessment of how to reap the benefits of the improvement. We analyse the strategy process, monitoring of the strategy execution, financial and operational buffers, organisational change readiness, error culture and the ability to innovate.

We set up new objectives that are adapted to the industry and business environment, and we develop and implement simple action plans.

In our experience, we can help bring organisations from the bottom to the very top in 1 – 2 years. Thus, organisations become far better equipped for being successful in relation to international competitors and in a world where only one thing is certain: change.