Call to Action to Enterprise Risk Management Leaders

December 2012 Feature Article

By Diana Del Bel Belluz, M.A.Sc., P. Eng.

[This article was recently published as a guest editorial in RiskPost, the newsletter of the New Zealand Society for Risk Management.]

If you want to successfully implement enterprise risk management (ERM), focus on action rather than the design of your framework (policies, accountability and reporting structures, principles, processes, or tools). This may seem like heresy. But action is the only path to a healthy risk management culture where your people take appropriate risks and then actively manage the outcomes for success.

Here’s a story from my family lore that illustrates the importance of skill above technology (or framework) – a crucial lesson for implementing risk management.

When my father was a young teen in the early 1950s, the yo-yo craze was all the rage in Canada. He bought one, brought it home, unwrapped it, tied a knot in the string and placed it on his finger. Then he let go of the yo-yo and with the aid of gravity, it headed to the floor. But, much to his chagrin, it didn’t return to his palm as he had seen in the ads. Annoyed that the yo-yo was defective, he decided to return it. The storeowner took the yo-yo, put it on his finger and immediately began to do tricks with it, declared there was nothing wrong with it, and handed it back to him. My dad was very embarrassed at the time, but later used the story to regale his kids with his humorous retelling of it – a wonderful lesson in humility.

The more important lesson is that you don’t become a master by purchasing technology. To become proficient at anything takes many hours of practice and heaps of motivation to stick with it until it becomes second nature.

Likewise, you can’t achieve effective risk management by simply introducing a framework. Yet, as risk management leaders we often fall into the trap of focusing almost exclusively on developing the ‘perfect’ risk management framework. We forget that people – not frameworks – manage risks.

While a good risk management framework is helpful, the secret of achieving effective risk management is to develop your people’s skills and motivate them to apply those skills. That requires leadership. Why? Because the actions of leaders are the most important determinant of culture.

Here are three things you can do as a risk management professional and leader to put an emphasis on developing ERM skills in your organization.

1. Motivate your people to develop their ERM skills.

This is best done by actually applying the ERM policies, processes, and tools you have worked so diligently to create. It’s not about a change management plan that introduces a framework; rather, you need a plan for how you will create change in people’s behaviour.

The most effective way to do this is to establish feedback loops that encourage the kind of behaviours you want and discourage inappropriate risk management decisions and actions. Feedback can directly influence behaviour.

What your organization’s leaders do (not what they say or put in a policy) sets the ‘tone from the top’. This applies to your leaders’ actions in terms of their own risk-taking and risk management decisions.

It also applies to how your leaders provide feedback by rewarding, sanctioning, or passively permitting the risk-taking and risk management behaviours of managers and employees. Over time that direct feedback reinforces the behavioural norms that become your organization’s culture around taking and managing enterprise risks.

In addition, the use of a few well-crafted questions can create indirect feedback loops that force you to look at the changes in your business landscape, adjust your ERM strategies, and drive action. For example, your board, executives, managers, and you (as the risk management professional) could ask:

  • Have we followed our risk management process in developing this business plan?
  • What’s changed about our business environment this quarter and what are the implications for achieving our objectives this year?
  • How are our risk response plans coming along?
  • Do we have the capabilities and capacity to withstand a major shock to our system?
  • Do we have the flexibility to regroup quickly and capitalize on a major new opportunity?
  • What surprised us this year and what does that tell us about our risk detection/monitoring capabilities?
  • What opportunities did we miss and what does that tell us about how we are interpreting our risk appetite and tolerances?

2.  Dedicate time to developing your people’s skills.

In planning your risk management implementation activities, I recommend allocating as much time (or more) to developing your people’s skills as you do to building and refining your ERM framework. The know-how required for effective ERM does not develop spontaneously. A sustained investment of time and effort is required to cultivate it.

No one goes from novice to master in one step. Instead, when it comes to building know-how and competence an evolutionary process works best.

Don’t try to teach your people everything they need to know about risk management in a single training session. Instead, impart a little risk management knowledge; let them apply it and experiment with it; and then lead them through some structured reflection to help them evaluate the results and determine what they need to learn next. Repeat.

As your people gain confidence with their new risk management skills, they will develop an awareness of knowledge gaps or new questions for which they will need additional education and skills training.  

3.  Develop your own risk management leadership skills.

I’ve observed that a great deal of a risk management leader’s success comes from the particular mix of people and business strengths they possess. Certain traits are consistently present in risk management leaders who succeed and typically absent in those that fail. In April 2008, I wrote an Advisory article on Key Ingredients for Systematic Risk Management that outlines the essential characteristics of successful risk management leaders.

Since that time, I’ve made another important observation that may explain why some risk management programs fail to gain traction. Many risk professionals are extremely reluctant to seek out ERM training (even if they have little or no experience in implementing ERM or leading organizational change) because they mistakenly think it signals they don’t know their discipline.

Fear of appearing incompetent stops them from seeking out the help they need. For example, I recently spoke with a director who had been leading her organization’s enterprise risk management program for 5 years and still had not managed to engage leadership support or employee buy-in. She spends her time refining her risk framework and can’t (or won’t) see that she needs to develop her skills in leading change. The writing’s on the wall for her; if she continues on her current path, either her ERM program will continue to languish or die, or she will be replaced.

I’ve observed that non-risk professionals, because they don’t have any formal background in risk management, are not afraid to seek out advice and assistance. For example, in the last few years I’ve worked with several leaders with titles such as Chief Financial Officer, General Counsel, Chief Operating Officer, Chief Executive Officer. With a little training and mentoring from me (a risk professional who has been there) these non-risk professionals have made tremendous progress in bringing ERM to life in their respective organizations.

As with any other skill, the right guidance can help you develop your ERM implementation proficiency more deeply and more quickly than if you try to go it alone.

If you have been tasked with championing the implementation of ERM in your organization, a simple action you can take is to inventory your leadership skills and experience to identify your ERM professional development priorities. (You can use the exercise in the article referenced above to conduct the inventory.)

Then find an experienced ERM expert (a peer or a consultant) to help you round out the gaps in your risk management leadership skills. And don’t be afraid to seek out additional advice or a second opinion when you run up against an ERM implementation challenge you haven’t faced before.

A seasoned ERM professional who’s been there can help you to avoid the common mistakes and stumbles of the novice. They can also greatly accelerate skills development and help you to rapidly achieve mastery. That’s why even elite athletes have coaches!

The Risk Wise bottom line…

Effective risk management requires an emphasis on action rather than on your ERM framework, process or tools. You need to plan how you will create change in people’s behaviour. This includes developing your own leadership capacity.

*

To learn to access our ‘Risk Management Personal Trainer’ services from any country through the power of the internet, contact Diana Del Bel Belluz at Risk Wise by telephone at (416) 214.7598.
