Gaining acceptance for risk management

September 12, 2015

Vernon Grose is a veteran of safety management and has received multiple awards in that capacity. Given that background, it is not surprising that he comes to risk management (in which he is recognized by some as an expert) from the loss prevention and insurance side – rather than the enterprise risk management side exemplified by advocates of ISO 31000 and COSO ERM.

In a recent post, Vernon asks these questions – all of which are good:

  • How can you get the Board of Directors to take more interest in risk management?
  • How can you convince both top management and front line employees to give it more credence and support?

But, I am afraid he gives very poor answers in the form of 4 steps that won’t work! I will let you read them, but note how he ends the piece: “If you cannot secure the desired level of buy-in with these 4 steps, consider whether the organization is deserving of your skills and dedication”.

Mr. Grose’s first step is “Know your total cost of risk”. My reply to that is in an article published by CFO in 2012, “Total cost of risk redefined”. My good friend Carol Fox of RIMS is quoted:

“CFOs don’t think of total cost of risk as what we’re measuring.” While insurance remains important for transferring risk and protecting the balance sheet, Fox said, companies are trying to strengthen their overall risk-management capabilities with an eye to overcoming obstacles to reaching organizational goals. “They’re looking at what their strategic plans are and how those play into risk scenarios,” she said.

Let me see if I can come up with four better steps:

  1. Show how risk management enables more informed, more intelligent, and therefore better decisions that provide a higher likelihood of success
  2. Show how risk management helps executives be successful personally as well as enabling the organization to improve the odds and extent of achieving objectives
  3. Stop talking about losses and start talking about success
  4. Stop using the techno-babble of risk management, insurance, or loss prevention, and start talking in terms that the executives and the board can relate to – the achievement of objectives, attainment of increased revenue or profits, and the delivery of value to stakeholders

In other words, let’s focus on better decisions and increasing the likelihood and extent of success. Talk to the board and executive management about seizing opportunities as well as avoiding banana skins.

They will listen and pay attention (and contribute resources) to success when they won’t necessarily do so for simply avoiding failure.

Then act in accordance with those principles. Partner with operating management and help them make better decisions that optimize the results of uncertainty, instead of acting as the corporate police that stops them from taking the risk they believe necessary for success – and inhibits their innovation, entrepreneurship, and speed of decisions.

Your thoughts?

For those interested in discussing standards and frameworks, which is better in explaining risk management to executives and the board, COSO ERM or ISO 31000? Or, are they only suitable for practitioners? (This is a trick question to a degree – every board member and executive is a risk practitioner.)

  1. September 12, 2015 at 7:26 AM

    I especially like 3 and 4. These tend to be the most powerful from a psychological standpoint.

  2. September 12, 2015 at 7:54 AM

    Hear hear!!! Very well said. Thanks for communicating this view! Very refreshing and compelling.

  3. Ammar Ahmed
    September 12, 2015 at 2:55 PM

    Thx for a reminder on your evolutionary view of RM from which you are enlightening us for some time. Points 1 and 2 mean the same aspect but are absolutely valid, 3 & 4 are psychological means of ensuring better communication with the board/C-suite executives – nothing more than that.

    I doubt that the conclusion in the second last para of the article can lead to change in IA’s view from “corporate police” to “trusted advisers” but whose views can easily be by-passed/ignored by the operating management and hence end up diminishing their importance in the Company. True, the value will be developed but only after management end up ignoring IA’s advice which may lead to big losses or as you would say unsuccessful attempt at achieving success.

    Also, anything that speeds up and taking more efficient/informed actions by the management may also result in bypassing levels of risk appetite that may be unacceptable to the board/stakeholders. Don’t you think that the ideal role would lie somewhere in between corporate police and trusted adviser?

    • Norman Marks
      September 12, 2015 at 3:03 PM

      The post is really about risk management rather than internal audit. But some of the same lessons apply. Internal audit must be committed to helping the organization succeed, not just pointing to errors it has made. Yet there is value in identifying actions that should not have been taken, whether fraudulent or learning opportunities.

  4. Leonard Gavin
    September 14, 2015 at 1:44 AM

    Norman, your 4 points that you convey so well are exactly where the practice of risk management should be heading, and I think could almost be the benchmark of performance for the foreseeable future.

    If I could pick 2 points where a ‘risk practitioner’ worth their salt should focus themselves it is on focusing the conversation on success and removing the techno babble which is so entwined at this point in time.

  5. September 14, 2015 at 7:07 AM

    I became immersed in risk management in 1998 and 1999 while I was consulting at Fortune 1000 companies to help them prepare for the Year 2000 (Y2K) issue. My marketing people tell me to stop saying this because it gives the impression that I’m living 15 years behind present day. I disagree. The unique feature of the Y2K problem was that the deadline could not change! This meant that for any organization to succeed it had to dramatically shorten the “management leash” on all initiatives related to the goal of avoiding business problems on January 1, 2000. I still view risk management as shortening the management leash for all things related to achieving the organization’s goals and objectives.

  6. Granville Lavin
    September 18, 2015 at 3:02 AM

    Vernon Grose is recognised by most of us in the safety profession as an experienced and professional operator and his thoughts are worthy of serious consideration. He comes at risk management from this legitimate perspective. This by its nature tends to be risk averse, particularly in high hazard industries where serious incidents are relatively rare but when they occur have significant impacts. If the sort of approach advocated “success is everything” prevails then incidents with serious consequences will be inevitable. In my view there are many examples where this has been the case; Deepwater Horizon springs to mind. Risk management, if it is going to be taken seriously, must be relevant to the sort of organisation/industry in which it operates and the big question is defining and agreeing what is the right level of risk appetite; then perhaps measure of success can be defined.

  7. Thomas
    September 20, 2015 at 12:24 AM

    Thanks Norman,
    your 4 points are spot on. I’ve been struggling to have Board and Management focusing on risk and simultaneously watching Risk Management forgetting about objectives. However, it is a long journey to get everybody involved and interested, when you start from scratch. As a CAE my focus has been and will be to have risk management continuously on the agenda to support Risk Management.

  8. September 22, 2015 at 8:44 PM

    Strongly agree with your 4 points Norman. A big issue we strike in helping organisations strengthen their risk culture is that many risk managers are great technically but not so strong on communicating & building influence.
