Norman Marks on Governance, Risk Management, and Audit

A conversation about risk with a CEO


This last week, I was privileged to share a trans-Atlantic flight with the chancellor of one of the top universities in Europe.

The time passed much more quickly than usual, especially when I was able to talk to him about risk management and how (IMHO) it should be practiced – in a way that focuses on achieving success rather than avoiding failure.

I had told him that I was returning from leading a 3-day training course on risk management and other topics. This interested him, but initially more from an academic than a practical perspective.

He asked me about the latest thinking on risk management. Of course, I was only too happy to share with him my view that it should focus on helping people make informed and intelligent decisions, knowing which risks to take, and helping them achieve objectives. I told him that most risk management functions focus on managing lists of risks, which only helps organizations avoid failure rather than achieve success.

That changed his tone and interest from academic to practical.

The chancellor was concerned about a major project, the building of a new hospital on campus. The university’s CFO was responsible for the building. But while he was a fine CFO with a bright future, he had not yet earned the chancellor’s confidence that he could complete a major building project on time, within budget.

The chancellor shifted his position in his seat to give me his full attention.

He explained that he wanted to help the CFO. But he wasn’t an expert on building projects either.

When I said that, in his shoes, I would ask the CFO to talk about what needed to go right for the project to succeed and what he was doing about it, he thought that was excellent. It’s such a better question than ‘what might go wrong’.

Identify what needs to go right, make sure resources and tasks are identified to make it happen, consider potential obstacles, then act and continuously monitor. (We had an interesting few minutes talking about the need to monitor progress and what still lay ahead.)

We got to the heart of the problem when I asked him whether the CFO was the right man to lead the project.

He was uncomfortable answering this. I think it was because he had doubts, didn’t know how to address them, and did not want to imply that the CFO was less than excellent at his day job. But he clearly had doubts and I left him thinking about how he could help (by asking questions rather than stepping in) and whether he needed to hire a specialist project manager.

Our conversation lasted more than an hour – and we barely used the “r” word (risk) at all.

We talked about the effective management of the project, considering what might happen (things we want to happen and things we would prefer not to happen), assessing whether that would be acceptable, and what needed to be done to improve the likelihood of success.

When we parted, he said he was very grateful and had a lot to think about before he returned home.

At this point, I am convinced that the way to have a risk discussion with an executive is to leave the “r” word out of the conversation. (I would make an exception where the executive truly understands what risk management is about, but even in financial services most think of risk as something to avoid or mitigate.)

Focus on helping the organization succeed instead of avoiding failure.

This requires a change in attitude and orientation by the risk practitioner, and it has to come from the heart more than the head.

Do you think this would work for you?

After all, risk management is simply effective management. The “r” word is too often a turn-off for executives and misunderstood by board members. So let’s try to avoid using it and have a constructive conversation about success.

I would appreciate your thoughts on this short video.