Previously, we talked about the sort of role your ERM organization might choose to assume, based on three specific prototypes we have seen in the past. We next reviewed Risk Appetite Statements and KRIs. These are powerful tools to identify which risks your organization purposely decides to select from among the universe of risks that is faces, simply by being in business. We then suggested some approaches to salvage your investment in flawed risk matrices and use them as the starting point rather than the end point of your risk journey.
Today we ask: how do you tie all these pieces together to build a lasting risk culture? The answer: By ensuring tight and effective linkage between your ERM platform and processes.
Unfortunately, many organizations (even decent sized ones) get this wrong, and fail at one of two extremes. One extreme is to use Excel spreadsheets and manual ad-hoc processes to aggregate their data. The resulting process leans heavily on manual effort and the “tribal knowledge” of the individual participants. Thus, inconsistent approaches, slow and cumbersome processes, and knowledge gaps due to absences, retirements, etc. The lengthy data preparation process reduces Senior Management and Board review time and prevents high quality strategic evaluation. And the rank and file sees little value –and feels no ownership—in the ERM process.
The second extreme is to invest in the right tools, but in the wrong way, i.e., a proliferation of individual tools (usually GRCs) at the Line of Business level. Although this approach provides some discipline and consistency because of the tool itself, the proliferation of unique packages, risk frameworks, and approaches makes Risk Management at the enterprise level virtually impossible. The systems deployed are adequate for inventorying risks but don’t support interpreting or managing them strategically. Individual risk awareness may develop at the LOB level, but it varies considerably, providing no unifying vision or “glue” to risk culture or commitment.
In both instances, the majority of the efforts revolve around collecting, aggregating, and preparing data rather than truly analyzing trends, identifying root causes, or fostering continuous improvement. Routines and procedures obscure or overwhelm substance. This outcome is afar cry from what Regulators, Rating Agencies, or Senior Management require or what you should demand of your organization. And what we would consider to be Strategic ERM.
There is actually a third group as well. They don’t fail, but they never quite succeed. They invest resources in the right systems and achieve reasonable consistency in their processes, but just muddle along. Overall ownership across the enterprise is uneven, as is individual performance. It’s fair to say that very few companies actually succeed in achieving a truly strategic risk culture, which enables them to manage the risks they choose to take within their desired tolerance, monitor those risks continuously, and adjust as needed based on changes to the internal risk appetite and the external risk landscape.
From our perspective, the key to success resides not in the features of the systems used or the competence and sincerity of the participants involved. Rather it comes the superior integration of the two and can be achieved only when organizations ensure that their ERM processes are designed to be Measurable, Accountable, and Distributed (MAD). Only in this manner, can Risk Management be woven into the fabric of the organization.
Let’s explain: Profound organizational change—of any kind—only occurs when people redefine themselves and their roles to meet the changed expectations they face. This bears repeating any time an organization embarks upon an improvement project of any kind: Change the mindset, and you change the behavior. Don’t change the mindset….and you change nothing.
The implications for strategic ERM management and risk culture, therefore, are simple yet profound.
First, you must be passionate about being Measurable and insist that your KPIs, KRIs, Risk Statements, and Metrics are quantifiable. Terms like “I think,” “Medium,” or “Above Average” are the enemy of strategic excellence. Replace them with “I know based on peer review,” “50% percentile based on competitor performance,” or “Highest Net Promoter Score in Latest Survey.” Banishing ambiguity enhances focus and builds commitment. Everyone says: “you get what you measure.” More important over time, however, is that people internalize the metrics on which they are measured.
Accountability breeds actions, decisions, and resolution. No one wants to be identified as a slacker. In the ERM context, this means that individual Risk Owners or those responsible for risk identification, mitigation planning and implementation, etc., need not only to be identified, but explicitly tracked using a mechanism that is broadly transparent across the organization. Peer pressure is the most effective means to ensure consistent performance. Make sure that any process you create for risk deliverables is transparent enough to track ongoing performance of all of its participants - especially reporting of individual performance all the way to the highest levels of the organization.
Finally, the overall effort must be Distributed to accelerate the process. You need timely and consistent ERM reporting with minimal effort. This happens only when you distribute risk tasks to multiple owners and automate the risk consolidation process through a centralized tool. Oddly enough, broadly distributing this part of the risk process actually makes it more efficient and resilient, as long as you can ensure that all parties behave appropriately (see Accountability above!).
In MAD, there are the three design principles for building a robust and strategic ERM process within your organization, but what are the implications? And more specifically, what are the actual platform or system requirements that you should evaluate (or may need to reprioritize) when considering a new system or determining how to improve your current one? And how do these requirements support the underlying processes you need to create?
In our next article, we’ll address these important questions.
Book a Free, 45-min. ERM Strategy Session Now!
If you’re a CRO, CEO, CFO or COO, please fill out the form below with your name, title*, email, Company name, and phone number. We'll give you a call some time between 8:30AM - 5 PM ET, Monday thru Friday to schedule the session.
*Appointments limited to Senior Managers with Risk Management Responsibility only.