Imagine you are a senior executive responsible for a major initiative for your company. Your day is busy with crucial meetings and discussions about project plans, people issues, and fighting the fires that always seem to appear.
Then you see an email from the corporate office. It’s an individual you don’t know, so you open it with some degree of apprehension.
It tells you that you are about to receive a member of the corporate risk function. He is going to perform a risk assessment that will be incorporated into the company’s overall risk management process for discussion among the top executives and the board of directors.
Is this something you welcome? I doubt it.
The majority of executives will see this as a disruptive activity (disruptive because it will consume time that you can’t afford) and a risk assessment might be used to make you look bad or even to get your initiative delayed or worse.
The “greatest risk” that I am talking about is the risk that the work of the risk practitioner is seen as a compliance activity that does not help people run the business for success.
Surveys consistently show that most executives see as just that: something they have to do rather than anything they want to do.
They don’t see the value. It doesn’t help them make the informed and intelligent decisions necessary for success.
The problem has several contributing factors, including:
- Practitioners focus exclusively on the downside, the potential for harm. They ignore the potential for gain and, in the process, are not helping leaders weigh the pros and the cons to make an informed decision.
- All they talk about is “risk” and that four-letter word is greeted with a negative reaction. Leaders not only know they have to take risks (“take” is more descriptive by far than the passive “accept”) but want to talk about how they can succeed despite potential barriers, not how they can fail.
- Risk practitioners use their technobabble instead of the language of the business. They talk about something that is, for example, a “high” risk without explaining what that means in the context of running the business and achieving objectives.
- We don’t make it clear that we want to make sure leaders have all the information they need about what might happen (both good and bad) before they make an important business decision.
- Our reporting, especially heat maps, doesn’t inform decision-making. We don’t show how all the various sources of risk combine to threaten (by how much, with what likelihood) the achievement of enterprise objectives.
There is a solution. It requires a change in the practitioner mindset. Instead of making sure everybody knows what the more significant risks are, make sure they have quality information about all the things that might happen before they make an important business decision.
It requires not only saying that we are there to help operating management but to prove it every day by adding value to their decision-making processes.
Give management and the board the information they need, not just a list of risks or a heat map. That requires listening to them and understanding how we can share information more effectively: the material they will value and use. I have advocated joining forces with whoever does performance reporting to project the likelihood of achieving each enterprise objective.
We need to be seen as helping everyone succeed.
“Risk” is a four-letter word, so why not see if we can find ways to express ourselves without using it. Talk about “what might happen”, “scenario analysis”, and so on. Understand their personal as well as the department and corporate objectives, and discuss how they can best be achieved given both potential obstacles and opportunities.
I wrote about the concept of deleting “risk” from our vocabulary in my blog and one chief risk officer changed the name of his department to Decision Support. He told me that all of a sudden he was being welcomed by the executives, which was quite a radical change.
Practitioners have tools and skills that can be of great value to the leaders of our organization, but only if they are used.
The risk is that they are not.
Blog Author: Norman D. Marks, Author, Speaker, Thought Leader, OCEG Fellow, Honorary Fellow of the Institute of Risk Management