Gaining acceptance for risk management
Vernon Grose is a veteran of safety management and has received multiple awards in that capacity. Given that background, it is not surprising that he comes to risk management (in which he is recognized by some as an expert) from the loss prevention and insurance side – rather than the enterprise risk management side exemplified by advocates of ISO 31000 and COSO ERM.
In a recent post, Vernon asks these questions – all of which are good:
- How can you get the Board of Directors to take more interest in risk management?
- How can you convince both top management and front line employees to give it more credence and support?
But I am afraid he gives very poor answers, in the form of 4 steps that won’t work! I will let you read them, but note how he ends the piece: “If you cannot secure the desired level of buy-in with these 4 steps, consider whether the organization is deserving of your skills and dedication”.
Mr. Grose’s first step is “Know your total cost of risk”. My reply to that is in an article published by CFO in 2012, Total cost of risk redefined. My good friend Carol Fox of RIMS is quoted:
“CFOs don’t think of total cost of risk as what we’re measuring.” While insurance remains important for transferring risk and protecting the balance sheet, Fox said, companies are trying to strengthen their overall risk-management capabilities with an eye to overcoming obstacles to reaching organizational goals. “They’re looking at what their strategic plans are and how those play into risk scenarios,” she said.
Let me see if I can come up with four better steps:
- Show how risk management enables more informed, more intelligent, and therefore better decisions that provide a higher likelihood of success
- Show how risk management helps executives be successful personally as well as enabling the organization to improve the odds and extent of achieving objectives
- Stop talking about losses and start talking about success
- Stop using the techno-babble of risk management, insurance, or loss prevention, and start talking in terms that the executives and the board can relate to – the achievement of objectives, attainment of increased revenue or profits, and the delivery of value to stakeholders
In other words, let’s focus on better decisions and increasing the likelihood and extent of success. Talk to the board and executive management about seizing opportunities as well as avoiding banana skins.
They will listen and pay attention (and contribute resources) when the subject is success, in a way they won’t necessarily when the subject is simply avoiding failure.
Then act in accordance with those principles. Partner with operating management and help them make better decisions that optimize the results of uncertainty, instead of acting as the corporate police that stops them from taking the risk they believe necessary for success – and inhibits their innovation, entrepreneurship, and speed of decisions.
For those interested in discussing standards and frameworks, which is better in explaining risk management to executives and the board, COSO ERM or ISO 31000? Or, are they only suitable for practitioners? (This is a trick question to a degree – every board member and executive is a risk practitioner.)