Time for the risk office to take its own medicine
From time to time, risk officers (from experienced to novice) talk to me about the problems and challenges they face building a mature enterprise-wide risk management program. I am flattered that they turn to me and always curious about the issues they face.
For example, there was the very senior chief risk officer, prominent in a professional association, who told me he couldn’t get the attention of the CEO. Another seasoned risk professional talked about the challenge of creating a culture within operating management where the risk office was seen as value-add rather than something people had to comply with. Finally, there was the new CRO that wondered where to start and how much to take on when there was just himself and one staff member for a large organization.
Now, I know from personal experience that getting to a mature risk management program that is respected and valued at all levels of the corporation, from the warehouse to the boardroom, is one of the toughest jobs you can have.
But, none of these people are taking a structured, risk-intelligent approach to the challenge.
How about doing this?
- Define, with care, where you want the risk management program to go. What do you want it to look like when it grows up?
- What are the risks to achievement of that goal, that vision?
- What are the gaps between where you are today and where you want to be?
- What actions are necessary? What is holding you back and what will you do about it?
- What are the opportunities for over-achieving, for increasing the likelihood of success? After all, risk management is not only about mitigating adverse effects of uncertainty but seizing opportunities?
- What is your plan of action?
- Why are you reading this instead of doing something?
The second part of number 4 is critical: “what is holding you back”? If you look at the case of the CRO who couldn’t get the attention of the CEO, it wasn’t due to a lack of charter. It wasn’t because risk management wasn’t considered important. It was because the CRO lacked important communication skills – he was a boring technocrat. In the case of the risk officer faced with the organization believing risk management to be a compliance chore, there was a problem with the intent of the CRO; the risk officer set himself up as responsible for the risk assessment and for reporting ‘high risks’ to the board, rather than helping management include the consideration of risk in effective decision-making. He was making them look bad instead of helping them succeed.
Sometimes, the person holding back the success of the risk management program is the person in the mirror.
But, rather than worrying about why risk management is not where you want it, take your own medicine. Use a risk management approach to define the vision, understand related uncertainties, address them, and succeed.
I welcome your comments.