Few organizations even think about the fact that they have a risk culture, and building the right one is crucial.
Having just returned from another industry gathering where practitioners are trying to get a read on the keys to success in risk management, I thought I’d share some thoughts that I often include in my presentations and RIMS workshops.
Suffice it to say, no two practitioners are doing exactly the same thing nor following a template-based strategy if they’re having much success. I offer this introduction to say two things: There is no one right way to practice risk management, and, by extension, the best risk strategies are those that are aligned with, if not custom-designed to fit, the priorities of the organizations for which they are intended.
One thing is nearly certain: A risk strategy can’t be successfully executed without a risk framework to make actionable those strategies that inform success. A framework might best be guided by one of the risk standards that are increasingly informing how the work can best be done, but a standard is not a prerequisite to success. By contrast, a risk culture is a prerequisite.
Your corporate culture represents the ways in which management and governance prefer employees to behave. It is typically tied to a set of values such as honesty, integrity and excellence. But do you realize that you also have a risk culture, even if you haven’t purposely defined and implemented one?
Whether your organization is risk-averse, risk-assumptive or somewhere in between these two extremes, your employees have risk taking and managing behaviors that, without a specific design and strategy for the risk culture you desire, will not likely be the behaviors or culture you most need and ideally desire. Therefore, communicating on risk culture can be most valuable to your long-term risk-management effectiveness.
What matters most in achieving this desired state? Well, rather than produce another list of top 10 items, here are 11 things that, in my opinion, matter most in effectively managing risk. If you operate with these elements in place, you will be more likely to have an effective strategy that other leaders will both contribute to and enable through resources.
Downside Protection: This is job one. The first priority is to make sure reasonably preventable loss is addressed through both mitigations and financing tactics. Management and governance rightly assume this is under way.
Influence and Gumption: Every senior risk leader must have the respect to be heard and the gumption to push back on risk owners and stakeholders with whom he may disagree.
Consistency: With risk process and sub-processes being the way in which the work gets executed, it is essential that they are consistently applied by all users.
Process Rigor: Processes that produce results and have impact require a rigorous approach to how they are designed, measured for effectiveness and continuously improved.
Data Interpretability: There must be actionable information about results and impact.
Communication Clarity: Beginning with a clear definition of risk itself, an entire sub-strategy for communicating your messaging will ensure you reach the ”right recipients at the right time with the right message.”
Reliable Measurability: Not every risk can or should be quantitatively measured, but, when you do, make sure the measure is as believable as possible.
Value Creation: Recognizing and leveraging risk for gain is the necessary evolution of the discipline’s practitioners if they ever hope to move beyond the tactical.
Embedded Risk Culture: Driving consistent and aligned risk-taking behaviors and decisions across the enterprise can only be achieved by embedding a well-defined and disciplined risk culture.
Managing to Appetite and Capacity: Risk cannot be effectively managed without a clear view into how much risk you are taking, want to take and have the capacity to take or assume.
Aligning Risk and Performance: The ultimate outcome for risk professionals is to manage risk relative to performance. Alignment, if not integration, between risk and performance is essential to achieving short- and long-term goals.
So there you have it: the 11 things that matter most in managing risk effectively. Sure, there are many other tactical elements of a good risk strategy and framework, but I believe they will naturally flow out of these elements when put into practice with the proper senior level mandate and regular reinforcement of the strategy.