Explaining the value of risk management
This week I was asked how the value of a risk management program can be explained to a doubting CEO. This can be especially challenging where resources are scarce and there are other uses with a clear return on investment.
I don’t think there is an easy answer. How can you come up with a value for risk management? It’s like trying to put a dollar figure on the value of ethics.
Some people justify risk management by explaining how it protects value. That doesn’t work for me: it is true, but unlikely to open the wallet. I think you have to talk about how risk management helps the organization excel.
I start this way:
- Risk management enables better decisions, from setting corporate strategy, to driving major projects, to operational decision-making. With reliable, timely, and current information on risk (both the negative and positive potential) people can make better quality decisions
- This enables more risk-intelligent management, which can lead to optimized and sustained performance
- By anticipating potential events, the organization becomes more agile. It is able to respond quickly, whether to minimize the impact of adverse events or to seize opportunities for gain
- In a way, risk management is like a comfortable pair of shoes. You don’t realize the value of the shoes until you have worn them for a while
- If you want to see the value of risk management, just ask an executive who has an effective risk management program whether he would like to give it up
- Look at what happened to the companies during the Great Recession that didn’t have effective risk management
Here are some links on the topic:
http://www.ermsymposium.org/pdf/papers/Hoyt.pdf
What do you think? How can you explain the value of enterprise-wide risk management in a way that will encourage the CEO to invest in it?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
These are great points and, when well articulated by the ERM professional, will certainly help us communicate much more effectively with skeptical executives. However, I also feel that in many cases the reason the wallet fails to open is because the executive posing this question is provided points that are too esoteric or generic. It seems executives often feel like the answers his/her internal experts provide are regurgitated from the marketing materials of large service providers or industry groups. I believe learning from these peers is extraordinarily important yet the highly effective ERM professional needs to take these conceptual points and synthesize them into more clearly actionable stories or metaphors that immediately strike a chord with the executive(s) in question by layering in both industry insight and experience/expertise related directly to the current state of the organization. So, I guess my question to industry observers is are we truly analyzing ERM value in the context of our organization/client… or are we more often repeating what we’ve read in an effort to quickly “explain” this post-SOX hot topic?
Dan, I love the point about stories as persuasive. Can anybody share stories about how ERM has added value?
At SAP, our CFO for Americas told an interviewer that the risk management program had helped the company avoid millions in bad or ‘risky’ deals. Our corporate CFO has talked about the millions in insurance premiums that have been saved.
thanks for sharing, there are some really good arguments!
From our current research, I would add two points:
First, risk management provides executives with the ability to priorize topics on a sound basis. This is kind of similar to your first point, but I would argue that it is more than supporting decisions, but also providing awareness.
Second, using risk management as and early warning system allows executives to be pro-active rather than reactive.
It is reassuring that you claim similar points as we found in our study on value drivers of GRC information systems: http://tinyurl.com/grcis-ecis
How can the value of a risk management program be explained to a doubting CEO? Increased likelihood of opening the wallet? If the value needs explaining and management’s job is to manage business risks, should a doubting CEO be CEO?
Other considerations could include: how the value is explained; whether or not collaborative support of others exists within the organization; and whether the listener is an ethical business person.
One way (not the only way)is to demonstrate an urgent need and put your ace on the table before listing other main benefits mentioned in previous posts. News stories about the consequences of control breakdowns and ineffective risk managment at other companies can be persuasive. No need to go far into history.
Some of the most memorable internal control and risk management presentations I attended use current newspaper headlines for effect. For example, a recent WSJ headline and a related story, “Jury Rules SAP Owes Oracle $1.3 Billion” – SAP wants a judge to reduce the $1.3 billion award a jury granted Oracle last year in its intellectual property-theft lawsuit to no more than $408.7 million… SAP accepted liability but considered the award’s size to be unfair.”
Those kinds of public headlines and numbers or headlines about executives getting prison time grab attention. Should the conversation with the CEO be about the value of a risk management program? Or could the conversation be transformed into talking about the effectiveness of the company’s risk management program, scope, risk appetite, tolerance, and monitoring?
The various submissions to date all contain interesting comments and observations. However, none really seem to ask why a CEO might doubt the value of Risk Management (except to suggest that such a person should perhaps not be CEO). I cannot help but think that a fundamental problem with current RM culture is the desire to make it seem an essential, somewhat complex, specialist additional discipline. Far too many RM practitioners seem to believe in the existence of RM for RM’s sake, as an appendage to the corporate whole that all others should consider essential.
In reality, good Risk Management is all about NOT being special. It is about furthering the REAL business (the mainstream activities) by supporting the rest of the corporate team (management and operational staff alike) to set and achieve sound business objectives more effectively and reliably, with the best prospects for ongoing viability.
The doubting CEO is quite likely simply to be recognising that he already pays a skilled team to “manage risk”; that is what business is all about. The only real value of Risk Management as an identifiable input lies in its potential for inherent and embedded contribution to better overall management of the whole.
Dan Zitting’s suggestion — to give something the CEO can relate to — is a good one. Storytelling is a classic way of getting ideas across; it’s been done for thousands of years. But the paradox of risk management is that the stories (ie, news) we often hear are about when risk management has failed. People seldom talk about times when risk management works properly.
I’m guessing the issue isn’t so much about whether the company should adopt risk management (in which case the company has a bigger problems to deal with), but whether to adopt an enterprise-wide programme like ERM.
There are indirect benefits of a risk management programme that you can talk about — the “investibility” criteria of investor advocacy groups or certain large institutional investors, regarding whether they can or cannot invest in the company, may include the existence of a (working) risk management programme.
In the case of my organisation, the risk management team successfully argued for the use of ERM as a way of providing management and the board with an overall picture of risks and how they are being managed. The problem had been in keeping track of all the different risk management activities across the company.
These benefits perhaps don’t relate to the direct effect of risk management, but are valuable to the company nevertheless. As those ancient storytellers would probably agree, getting the point across is all about understanding your audience.
May I reset the question? I have to prepare a project on Risk Management and I am trying to find, what the savings in company X were after implementing ERM, or how rating agencies improved or better considered company Y, or how shareholders’s value in another comapny improved or whatever a successful case I can study and show off. Obviously, the CEO of any company would love improved control, but ERM is more than that and involves a culture changing within a company, that only will be attempted, if clearly an added value is to expect.
Have you got any good information, papers, studies, books, you can share?
Cristina, while EY has written a paper on this topic (please search on the web) that reports a 28% increase in operating earnings, there is no authoritative document.
Norman D. Marks, CPA, CRMA
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
Vice President, Evangelist
Better Run Business
SAP
Join me online: IIA Governance blog | GRC and Audit blog | Twitter | LinkedIn
I was wondering whether you could give me any further information on the title or where to find this article you refer to? Thanks
Michael, I don’t have the link but you can search for EY papers on risk management.