Home > Risk > Time for the risk office to take its own medicine

Time for the risk office to take its own medicine

From time to time, risk officers (from experienced to novice) talk to me about the problems and challenges they face building a mature enterprise-wide risk management program. I am flattered that they turn to me and always curious about the issues they face.

For example, there was the very senior chief risk officer, prominent in a professional association, who told me he couldn’t get the attention of the CEO. Another seasoned risk professional talked about the challenge of creating a culture within operating management where the risk office was seen as value-add rather than something people had to comply with. Finally, there was the new CRO that wondered where to start and how much to take on when there was just himself and one staff member for a large organization.

Now, I know from personal experience that getting to a mature risk management program that is respected and valued at all levels of the corporation, from the warehouse to the boardroom, is one of the toughest jobs you can have.

But, none of these people are taking a structured, risk-intelligent approach to the challenge.

How about doing this?

  1. Define, with care, where you want the risk management program to go. What do you want it to look like when it grows up?
  2. What are the risks to achievement of that goal, that vision?
  3. What are the gaps between where you are today and where you want to be?
  4. What actions are necessary? What is holding you back and what will you do about it?
  5. What are the opportunities for over-achieving, for increasing the likelihood of success? After all, risk management is not only about mitigating adverse effects of uncertainty but seizing opportunities?
  6. What is your plan of action?
  7. Why are you reading this instead of doing something?

The second part of number 4 is critical: “what is holding you back”? If you look at the case of the CRO who couldn’t get the attention of the CEO, it wasn’t due to a lack of charter. It wasn’t because risk management wasn’t considered important. It was because the CRO lacked important communication skills – he was a boring technocrat. In the case of the risk officer faced with the organization believing risk management to be a compliance chore, there was a problem with the intent of the CRO; the risk officer set himself up as responsible for the risk assessment and for reporting ‘high risks’ to the board, rather than helping management include the consideration of risk in effective decision-making. He was making them look bad instead of helping them succeed.

Sometimes, the person holding back the success of the risk management program is the person in the mirror.

But, rather than worrying about why risk management is not where you want it, take your own medicine. Use a risk management approach to define the vision, understand related uncertainties, address them, and succeed.

I welcome your comments.

  1. Mike Zachary
    June 23, 2011 at 6:45 PM

    You’re absolutely right Norman. I believe that the CRO’s need to be great communicators, and help management to be involved in the risk assessment process. If the CRO can make management look good to the board, then s/he will win a lot of support. CRO’s need to set realistic goals, and action plans that will lead them there. I’ll help the CRO all I can … and I hope they help me!

  2. Alpaslan Menevse
    June 27, 2011 at 3:10 AM

    CRO has to know organizational culture within he/she is functioning. The dirvers of action changes organization to organization and priorities also. Therefore CRO needs to have the ability to sense what is important for who and plan his/her starategy accorgingly. C-level can not and may not complain about anything in the organization. According to my understanding actually CRO has to position him/herself as a strategical guide to the organization. Otherwise, hes/she becomes a yes-man and nothing else.

  3. ARNOLD SCHANFIELD
    June 27, 2011 at 12:20 PM

    what if the CRO is doing all of what he/she needs to be doing but you have both an arrogant and ignorant CEO who believes it is his/her way or the highway or what if you have a Board that indicates that they fully endorse a high quality ERM program but pay it lip service in terms of financial and budgetary support and many other things. Then what? Why do you assume it is the fault of the CRO?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: