Building the case for ERM
This week, a risk officer from a major UK company asked me how to move the mind of top management from thinking about enterprise risk management (ERM) as something they have to do (a ‘check-the-box’ activity) to something they want to do.
I have found this to be an issue in all parts of the world. Even where companies are appointing chief risk officers (CROs) and agreeing to a risk management program, their hearts aren’t really in it. Risk is not top of mind. The CRO is not at the executive table and does not participate in executive decision-making, such as the setting of strategies and plans.
Why? Because they don’t see risk management as something that helps them succeed. All the CRO is offering is insight into the top risks facing the company. Hopefully, this is driving actions to ensure those risks are monitored and remain within organizational tolerances.
So risk management may be considered as helping protect the business, but is that enough? Apparently not.
I believe the problem lies in talking about ERM as protecting value.
I believe the solution lies in talking about ERM as helping optimize performance – the corporate bottom line. It enables agile, sustained operational and financial performance.
Change the perception of ERM and the role of the CRO from being the department of “no” to the department of “how”. The CRO can be the pilot of the ship, helping management not just avoid hazards – but reach the desired destination quickly.
Move from talking about caution to talking about achievement.
The best CRO works with management not only to recognize and understand risks, but to seize opportunities and navigate the organization to success.
The best CRO shares the desire of the corporate leadership team to grow stakeholder value. He or she understands where that lies, the strategies the board and leadership have established, and has a positive frame of mind about achieving them.
The best CRO is not a “worry-wart”, always thinking of what could go wrong. He or she is thinking of how to move forward – with due consideration of potential obstacles and opportunities.
One more thing: an ERM program that assesses risks and takes action on a periodic basis cannot be effective. That’s like driving down the road at 40 miles per hour and looking up every 10 minutes. Managing uncertainty (and that is what risk is: the effect of uncertainty on objectives) requires constantly looking around and being prepared to make adjustments.
Are you driving at 40 miles per hour and looking up only every 10 minutes? Or are you monitoring risk and making adjustments on a continuing basis? Is risk part of daily decision-making, at every level of the organization? If not, make sure you are ready for the inevitable crash – when you run into the obstacle that materialized when you weren’t looking.
So back to the question. Top management will want ERM when they see it contribute to improved performance. The CRO can do this with the right attitude. Work with believers to get some “wins” and spread the news – of the new department of “how” to succeed.