mirror  in grass  reflecting a  bird  flying in the sky
PHOTO: Jovis Aloor

People, especially consultants, are not only telling us how to address the pandemic but also what we should look for when it’s all over.

In his latest post, my good friend Michael Rasmussen makes some good points. He is always worth listening to and this post is no exception. "Keep Calm & GRC On!" reminds us, first, what GRC is all about. I like the OCEG definition that he quotes as it makes sense. GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

He spells out his vision of what risk management (in particular, although he also touches on contingency planning and policy management) will look like once we are done with COVID-19. But I have a different perspective.

It's Time for Risk Managers to Prove Their Worth

It’s a tough line, but we need to face reality.

Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure, which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations.

These same leaders should now be asking whether the risk management program they had in place prepared them for the crisis, and whether it is helping them navigate through it now.

If risk practitioners (and internal auditors) are setting their prior practices, frameworks and standards aside and doing what the organization needs right now, they will earn recognition and respect from the board and management.

But if they insist on doing what they always have done, sharing heat maps and performing audits of what used to be risks, they are going to be seen as getting in the way of the management team. They are not helping in a time of crisis, when people need to make rapid and critical decisions.

Now is the time to prove our worth. Find out how we can help and then do it.

Related Article: Risk Practitioners Should Be Asking 'How Can We Help?'

Our Risk Management Future: From Push to Pull

Later, we should change from what I call (in Lean terminology) a "push" approach to one that is more of a "pull" approach. What I mean is that we should figure out what the organization needs from us if they are to be successful, and then deliver it (pull) — instead of doing what we think is right (based on industry or professional standards) and hoping that once we push it at them they will see some value.

I explain this and more in a recent video call I did with Alex Sidorenko. (I join the call a few minutes after it starts.)

I welcome your comments.