Creating a Healthy ERM Culture – Part 3

March 2013 Feature Article

By Diana Del Bel Belluz, M.A.Sc., P. Eng.

This is the third article in my series on creating a healthy risk management culture by nurturing 12 Enterprise Risk Management (ERM) cultural traits in your people. The 12 cultural traits (shown in green font in Figure 1) support specific phases of the ERM Implementation and Organizational Learning cycle. (For details on the cycle, see the Advisory issues of April 2011, October 2011, December 2011, March 2012). 


Figure 1 - 12 traits of healthy risk culture

The earlier articles in the series covered four of the 12 ERM culture traits:

In this article, I describe how to promote a culture that is Inquiring and Vigilant.

Healthy Risk Culture Trait #5: Inquiring 

For most of us, the word inquiry doesn’t inspire a warm and fuzzy feeling. Instead, it can conjure up a scary image of being under a judicial glare where all our weaknesses, missteps, and omissions are exposed for all to see. It can also bring to mind a pesky young child who incessantly replies “But why?” to every answer you give.

Inquiring minds can make us feel vulnerable or annoyed. It’s no wonder that many of us avoid or discourage inquiry in ourselves and in those around us. But, that is a huge mistake when it comes to ERM. Why? Because a culture of inquiry is essential to:

  • achieve a full and true understanding of your risks,
  • learn from experience and then apply that learning to enhance your risk management capabilities, and
  • question your status quo to get inspired to innovate and take advantage of upside risk.

Mary Ann Archer at Nxknowledge provides a more productive way to think about it. “Inquiry is asking questions to learn more about other views and to encourage others to learn more about your view.”

To properly assess risk and its implications for organizational performance, you need to do two things:

  1. gather information about the risk, and
  2. extract meaning from it, i.e., determine what is relevant and important to act on now.

I find that anonymous voting approaches help people to accomplish the first task, i.e, to get their view of the information on the table. However, people are often reluctant to divulge the reason behind their vote and to engage in a discussion about which perspectives are the most relevant. As a result, too often the opinion of the majority or of the strongest personality prevails, even when that view is woefully incomplete or inaccurate.

For example, I often witness situations where the most senior executive in the room (often the CEO) “explains” why his or her view is ‘right’ and either ignores or discounts the opinions expressed by others.

Such autocratic behavior completely shuts down discussion about either the potential implications of the risk or how best to manage it. Whether it's intended or not, they are sending an immediate and strong message to the other people in the room that their views are not needed or valued by their leader.

The insidious longer-term effects are twofold. First people will be reluctant to contribute to future discussions of ERM because they don’t think they will be heard. As a result, the best possible information will not be available for risk decisions.

Secondly, it delegitimizes the risk management process. And if people don’t buy-in it will be difficult, if not impossible, to sustain the ERM program.

A healthy culture of inquiry enables your organization to surface and test assumptions about gaps and blind spots in the understanding of your risk exposures and the effectiveness of your risk management efforts. For three practical tips on how to deal with assumptions, see the June 2008 Bonus Resource article on The Achilles’ Heel of Risk Management.

A culture of inquiry is also foundational for organizational learning and innovation. For example, I find that when I drill down into operational risks with my clients, they frequently begin to question: “Why are we doing this activity?” or “Why do it this way?” or “Is there a way we can turn this to our advantage?” Questions are a powerful starting point for identifying opportunities to improve processes and ultimately performance.

How to cultivate it:

To have a truly inquiring discussion all participants in the risk management process must articulate their views about the risk (including its implications for achieving the organization’s objectives, the options for managing it, etc.) and invite others to confront those views.

While these actions may sound simple, they require real courage on the part of the individuals both to speak up and to invite input on their views. Thus, healthy inquiry won’t happen if leaders fail to foster an atmosphere of trust and respect.

To establish a culture of inquiry leaders must first model it by:

  1. expressing their initial view as one of many possible perspectives (not the single ‘correct’ view)
  2. seeking input from others on this initial view and giving thoughtful consideration to that input, and
  3. describing how they have evolved their understanding based on the input received. This is essential to ensure that managers know that their views have been honestly considered.

To build trust, senior leaders need to repeat this process consistently in the discussion of risks and ERM decisions. As trust grows, managers will be more willing to also embrace the culture of inquiry because people will feel safe to freely express their own point of view and invite input from others.

This month’s Bonus Resource article describes an online tool designed to help you learn and apply the skills needed to achieve a culture of inquiry.

Healthy Risk Culture Trait #6: Vigilant

An essential trait of an effective risk management culture is vigilance, i.e., to be on the lookout for changes in existing risks, for new and emerging risks, and for weakening in your capabilities and capacity to handle risks effectively.

Are you prone to these impediments to vigilance?

  1. We don’t see risk coming because we fail to monitor risk levels or track trends in our business environment. Thefactors that drive risk in your external and internal business environment are constantly changing. If like many organizations you conduct an enterprise risk identification and assessment process once per year, you are likely missing significant changes in your risk exposures that occur throughout the year.
  2. Our attention to risks fades over time. This degrades our readiness and capacity to respond to certain risks. Two common reasons for waning attention to risks are:
    1. Ceding management attention to other issues. For example, a manager becomes distracted by other priorities and pressing issues of the day, and neglects her ERM duties.
    2. Complacency. When the risk level is low or static for a prolonged duration, we can get lulled into a false sense of comfort that it won’t occur and subsequently let our guard down.
  3. We don’t provide ERM training to people who are ‘new’ to either the organization or to their risk management roles. People move into different roles as part of the normal churn within all organizations. This can lead to situations where people who are new in their roles are not fully aware of their risk management responsibilities and/or not equipped to carry them out.

How to cultivate it:

Make it a discipline to monitor risk and track trends in both risk levels and in the underlying drivers of risks. It’s resource intensive to measure risks, so be strategic about which risks you monitor and how often. It’s good practice to pay close attention to those risks and risk response capabilities to which the achievement of your objectives are particularly sensitive. Consider matching the frequency of monitoring to the expected velocity of the risk, i.e., monitor risks that can materialize quickly more frequently than those risks that will unfold slowly.

Periodically test your risk response capabilities. Table top exercises can reveal gaps in preparedness. Mock crisis response drills and full-scale exercises can expose complacency in terms of readiness to respond.

I’ll address the remaining 6 ERM culture traits in future Advisory articles.

The Risk Wise bottom line…

To achieve a proper understanding of enterprise risks, executives must lead by example to establish the trust and respect that support a culture of inquiry. The way to nurture a culture of vigilance is to systematically monitor your risks and periodically test your risk response capabilities.

*

If you want simple, pragmatic strategies to strengthen your ERM processes and stimulate a culture of inquiry and vigilance in your organization, contact Diana Del Bel Belluz at Risk Wise: This email address is being protected from spambots. You need JavaScript enabled to view it. or (416) 214.7598

 

Follow the links to:

  • Read this month's Bonus Resource - Communication Skills for Effective Risk Management
  • Download a printable version of the entire March 2013 issue of the Risk Management Made Simple Advisory.
  • View the Article Index to access back issues of the Risk Management Made Simple Advisory.

Current Special Offers for Subscribers

The code to access the following special offer has been emailed to all Risk Management Made Simple Advisory subscribers:

  • SPECIAL OFFER: $460 off the full conference fee for Risk Management Made Simple Advisory subscribers on the Resilience 2017 to be held on April 24-26, 2017 in Edmonton, AB. (Subscribers have been sent the instructions on how to access this offer).  Not yet a subscriber?  Don't miss out, click here to sign-up for your complimentary Advisory subscription.

  • SPECIAL OFFER: $150 off the full conference fee for Risk Management Made Simple Advisory subscribers on the Canadian Privacy Summit 2017 to be held on May 2-3, 2017 in Toronto, ON. (Subscribers have been sent the instructions on how to access this offer).  Not yet a subscriber?  Don't miss out, click here to sign-up for your complimentary Advisory subscription.

Not yet a subscriber, but want to access these special offers?

When you subscribe to the Advisory, we'll send you the code for all current special offers along with a link to your New Subscriber Bonus, a copy of Moving Beyond the Risk Map to Operational Vigilance.

FIND OUT FOR YOURSELF why risk management leaders subscribe, click to access the ARTICLE INDEX of all past issues of the Risk Management Made Simple Advisory.

"I save and study each issue of the Advisory. I appreciate how Diana gives very practical advice and links it to fundamental theories and best practices." 

Sherrie Hyde, Risk Manager, Lutherwood

FREE DOWNLOAD

Moving Beyond the Risk Map to Operational Vigilance

Read more about the Risk Management Made Simple Advisory.

"It is so refreshing to read a newsletter that offers real solutions for risk management challenges."
Cathy Taylor
Director, Risk
Kinross Gold Corporation

Jump Start your risk management program.

Receive personalized advice from Risk Wise

See Details

Diana's Pick

Neuroscience and the Nonprofit Manager (written by Andy  Segedin and published in the NonProfit Times) shares some of the tips on how to counteract common biases and habits that impede effective decisions.

The article is based on a workshop that Diana Del Bel Belluz of Risk Wise presented at the 2015 Risk Summit organized by the Nonprofit Risk Management Center.