How to build credibility with management

There is a story about this: the story of the biggest lie in the world. The practitioner enters the executive’s office and says, “I am here to help you”. That is not the biggest lie. The biggest lie is when the executive says, “I know, and you are welcome”.


It is one thing to explain how risk management or internal audit can and should add value.

It is quite another to get to where the key players in management actively welcome you to their table because they know that:

  • You want to help them succeed (instead of pointing out their failures) and
  • You have proven your ability to do so.

I am going to share a couple of relevant pieces and then add my own comments.

First, let’s read what Carol Williams has said in 5 Ways to Improve ERM’s Reputation with Executives.


She tells us, accurately in my opinion, that most “executives continue to see ERM as a check-the-box compliance exercise solely focused on preventing failure and not helping the company achieve goals and objectives and make informed and timely decisions.”

That is not a reputation you want. It means you are not considered a credible partner. At best, you are credible as a barrier to their entrepreneurship.

Her 5 Ways are:

  1. Start thinking like management – ERM practitioners “need to stop thinking like ‘risk people’ and start thinking like management.” This includes talking the language of the business, not using risk terminology. What are ways that risk can be integrated into executives’ daily conversations and decisions?
  2. Examine potential scenarios – when it comes to big decisions involving uncertainty, work with relevant individuals and departments to develop scenarios, determine which ones are most likely to occur, determine how to ensure success, and develop plans around these likely scenarios. Consider also developing high-level plans for those unlikely scenarios; after all, you do not have a crystal ball into the future to know what will happen.
  3. Consider rebranding – this may be the biggest step you can take and one I’ve addressed in the past. If ERM is there to be an enabler of success and not a roadblock or “Debbie Downer” to initiatives, should its name within the company change? Some companies refer to it as “Enterprise Risk Advisory.” Or, you can take the “risk” out of the name altogether. Our friend Hans suggests that risk management should really be thought of as “Decision Quality Assurance.” Another potential option includes “Decision Management,” or as Norman Marks suggests, “Success Management.” Whatever title and branding you choose, it should be made clear that you are there to provide support, not follow a strict process.
  4. Closely examine reporting structure – where ERM resides in the company hierarchy is also important for improving the perception of ERM. If it’s housed within the internal audit function, executives and managers may feel they’re under the microscope. If it is taken out of management altogether and reports directly to the Board, ERM will be seen as preventing management from taking too much risk, as explained by Norman in this recent piece.
  5. Whatever you do, it’s important to quit doing the things you’ve been doing all along and expect a different result as Norman points out in his analysis of the NC State report. After all, that is the definition of insanity–you keep doing the same thing and expecting a different result.

These are all great ideas, but there is (as always) more to consider.


In 2012, McKinsey shared a great piece, “The Executive’s Guide to Better Listening”.

While it may at first glance seem to be off-topic, active listening is a great way to gain credibility with executives.

There are just three important points:

  1. Show respect. That doesn’t mean you have to be subservient; it just means that you should show respect to everybody for their experience and insight – even if you disagree. Respect their opinion and make sure you listen to it! If your opinion is different, explore why.
  2. Keep quiet. The author says this, although I have been saying this for decades myself (and I heard it from someone else.) “I have developed my own variation on the 80/20 rule as it relates to listening. My guideline is that a conversation partner should be speaking 80 percent of the time, while I speak only 20 percent of the time. Moreover, I seek to make my speaking time count by spending as much of it as possible posing questions rather than trying to have my own say.” I add to that that keeping quiet doesn’t mean that you are just waiting for them to stop speaking so you can talk. It means you are paying careful attention, listening actively.
  3. Challenge assumptions. I would add that you should understand and address your own biases. They adversely affect your ability to listen.


All of this is good advice.

Let me add my own:

  1. Have the right attitude. If you believe in your heart that your mission is to help each executive succeed, then that will influence your demeanor, words, and actions.
  2. Understand what they need to happen as well as not happen to be successful. Then focus on that rather than (only) a compliance checklist, a standard, or so-called best practices. Help them manage (including taking more ‘risk’ when appropriate) all the things that might happen so they can achieve their own and the enterprise’s success.
  3. Stop doing stuff that is not necessary. Working on potential issues that would never be a significant risk to enterprise objectives wastes not only your time but theirs as well. In fact, take care not to waste their time to any degree. If they don’t see the value of what you are doing, are you sure you should be doing it?
  4. Make them champions. If they do not believe you are adding value, perhaps because until now work by your function has focused on a list of risks or on finding fault, ask them for an opportunity to prove what you can do. Is there a problem, or a difficult decision, that is troubling them? Perhaps there is a situation where they cannot obtain agreement with another department on how to move forward. Suggest a workshop that you could facilitate with all the parties so everybody can share perspectives and reach a consensus on how to resolve the issue. Or perhaps your team could consult with everybody, analyze the situation, and then lead a discussion on your assessment and insights – without an audit or other report to senior management.
  5. Celebrate management success rather than the length of your report. When management has everything under control, that is good news. A clean internal audit report is excellent.
  6. Work with management to upgrade. If issues are identified, listen actively to management; agree with them on the level of risk to objectives (and be specific as to which objectives); and discuss the best course of action. Take a business perspective and don’t recommend what you wouldn’t do in their shoes.
  7. Be humble and listen actively. I repeat this because it is so important. People love to vent; let them; encourage them; and don’t betray that trust by sharing their words with others. If you listen and help them believe you care about their success, their attitude towards you will change. Similarly, listen actively and discuss rather than preach when the results of your work disclose an apparent issue.


One of the things that bothers me is the desire of many practitioners to have a ‘seat at the table’, by which they mean an official and formal position within the organization (such as reporting to the board or to the CEO) that puts them on an (apparent but not real) equal level to top executives.

Trust me.

Your title does not mean you are invited and welcomed to meetings of the management team.

It does not mean that they listen to you.

It does not make you credible.


Your actions make you credible. They make you trusted and respected – not for your title, but for your insights and contributions to their personal and the organization’s success.


I welcome your insights and comments.

  1. July 19, 2021 at 8:01 AM

    Perfectly said. This is what is called “Business / operations is the star”. Auditors generally tend to give precedence to the audit objective rather than the larger business objective.
    Every internal audit should be done only with the objective of value addition to the business operation, rest all audit activities are just means to this end.

  2. Anonymous
    July 21, 2021 at 12:29 AM

    This is very informative. Very humbling. Very important for all practitioners. Perhaps we should come up with a list of words that can be safely used in discussions with management that may help to build credibility…

  3. Hussein
    July 21, 2021 at 4:02 PM

    It’s a great thought; however, most audit departments care about their appraisals at the end of the year (how many scandals have you brought). Neither the audit standards nor the audit objectives are drawn on solving the problem of their clients without showing the AC what they have done.

  4. sean coleman
    July 21, 2021 at 5:47 PM

    Great comment about your actions and gaining respect. You have to earn it.

  5. Ross
    August 1, 2021 at 2:15 PM

    Norman, I’d like to challenge you on not having a ‘seat at the table’, particularly when we’re talking risk management (not including internal audit). I have risk managers being far more impactful in assisting decision making when included early on in these discussions (even if just listening at the time), than being included at the 11th hour or excluded altogether. If risk managers only have part of the picture, then they’re merely part of a tick-box exercise.

    What surprises me most, is how often organisations will allow external consultants this privilege (to punt their wares) and exclude the internal resources they’ve appointed to these positions.

  6. Norman Marks
    August 1, 2021 at 5:53 PM

    Ross, my point is that a title or position in the org chart doesn’t mean you will be invited to and listened to at the table. What you do and how you behave, how you help decision-makers, will get you a seat.
