Enterprise risk management (ERM) is something every organization should want to do, not just have to do. Here are some tips on how to build the business case and get management actively on board.
From Have to, To Want to
This week, a risk officer from a major UK company asked me how to move the mind of top management from thinking about enterprise risk management (ERM) as something they have to do (a check-the-box activity) to something they want to do.
I have found this to be an issue in all parts of the world. Even where companies are appointing chief risk officers (CROs) and agreeing to a risk management program, their hearts aren’t really in it. Risk is not top of mind. The CRO is not at the executive table and does not participate in executive decision-making, such as the setting of strategies and plans.
Why? Because they don’t see risk management as something that helps them succeed. All the CRO offers is insight into the top risks facing the company. Hopefully this is driving actions to ensure those risks are monitored and remain within organizational tolerances.
So risk management may be considered as helping protect the business, but is that enough? Apparently not. I believe the problem lies in talking about ERM as protecting value. I believe the solution lies in talking about ERM as helping optimize performance -- the corporate bottom line. It enables agile, sustained operational and financial performance.
Changing the Perception of ERM
Change the perception of ERM and the role of the CRO from being the department of “no” to the department of “how”. The CRO can be the pilot of the ship, helping management not just avoid hazards -- but reach the desired destination quickly. Move from talking about caution to talking about achievement.
The best CRO works with management not only to recognize and understand risks, but to seize opportunities and navigate the organization to success. The best CRO shares the desire of the corporate leadership team to grow stakeholder value. He or she understands where that lies, the strategies the board and leadership have established, and has a positive frame of mind about achieving them. He or she is not a “worry-wart”, always thinking of what could go wrong. He or she is thinking of how to move forward -- with due consideration of potential obstacles and opportunities.
Managing Risk on a Daily Basis
One more thing -- an ERM program that assesses risks and takes action on a periodic basis cannot be effective. It's like driving down the road at 40 miles per hour and only looking up every 10 minutes. Managing uncertainty requires constantly looking around and being prepared to make adjustments.
Are you driving at 40 miles per hour and only looking up every 10 minutes? Or are you monitoring risk and making adjustments on a continuing basis? Is risk part of daily decision-making, at every level of the organization? If not, make sure you are ready for the inevitable crash -- when you run into the obstacle that materialized when you weren’t looking.
Top management will want ERM when they see it contribute to improved performance. The CRO can do this with the right attitude. Work with believers to get some “wins” and spread the news of the new department of “how” to succeed.