One thing that I find especially annoying is when people make assumptions.
Do you know what I’m talking about?
Like the idea that women are inherently bad drivers, or that all men like sports, or that just because someone is a high performer at work, they’ll automatically be an excellent manager.
As my grandmother would say – that’s hogwash!
In the context of ERM, a common assumption is that if your company has robust ERM processes in place, it automatically means risks will not impact the company.
Is this true?
Well, the short answer is an emphatic NO!
This assumption, or whatever you want to call it, is one of many unrealistic expectations of ERM.
Hans Læssøe, who long-time readers know is one of several pioneers in the merging of ERM and strategy, explains in his book Prepare to Dare:
“Finally note that risk management does not provide guarantees. Even with the best ERM program imaginable, there is a possibility something devastating happens, it is just less likely when strong efforts have been made to identify and manage risks up front.”
Expanding further on Hans’ point, ERM helps create awareness of things that could get in your way when working toward an outcome (i.e., your objective).
Therefore, from this risk perspective, ERM essentially has three purposes:
- Increase awareness of those potential roadblocks or hurdles – risks.
- Determine which risks are acceptable vs. which require resources to reduce or manage the risk to an acceptable level.
- Help the company be prepared in the event a risk occurs.
For certain risks, it is possible to reduce the severity of the risk (impact) and/or the chances of the risk occurring (likelihood).
ERM brings tools together to help accomplish these purposes – to understand what can be done before and what needs to be done after a risk event occurs. Without robust ERM, the alternative is that a risk event is a seemingly random occurrence that throws the company into chaos.
An example of a tool for helping your company accomplish this purpose is the bowtie analysis.
In its simplest form, the left side of the bowtie represents all the pre-event actions that can be taken to reduce the impact and/or likelihood of the risk occurring. The right side of the bowtie represents all the actions or steps to take if or when the risk does occur.
Now it is possible that steps taken on the left side of the bowtie will be enough. If the risk can be managed to an acceptable level, or there really isn’t anything that can be done in the first place, then there isn’t any need to determine right-side actions or steps – all that can be done at this point is to monitor the risk.
Should it be determined that preventive measures alone will not bring the risk down to an acceptable level, tools like crisis management, crisis communications, business continuity, and others can be harnessed to ensure the company’s readiness.
How will you communicate with your customers and vendors?
What plans can be put into place to ensure the company can continue operating should the risk occur?
As we discuss in our article on harnessing the visual bowtie, it’s just one tool that may or may not work for your company.
Coupled with risk tolerance though, some great risk response strategies can be developed that can be deployed should the risk occur regardless of the tool being used.
But as we discuss in this article on the low-hanging fruit of opportunities, these tools also help identify areas where the company can take more risk.
(Remember, it’s not all about reducing or avoiding risk; that is not the key to success any more than a completely hands-off approach is.)
It’s almost like a flow chart…
Before any of this can be done, and before you identify any risks, you have to identify a specific strategic or business objective first.
It’s here that you begin to sift through what is important and what isn’t.
So, the lesson learned today is this: it’s a dangerous (…and annoying) assumption, and one that is frequently made, that just because a company has ERM, risks won’t impact the company.
However, it is tools like the bowtie, risk appetite & tolerance, crisis management, business continuity, and others that enable the company to weather the storms that inevitably come, and even seize opportunities should they arise.
What other assumptions about ERM do you encounter? How do they impact your ability to deliver timely, actionable insights?
I’m interested in hearing your thoughts, so please join the conversation on LinkedIn.
If you’re either struggling to overcome assumptions like this, or otherwise trying to develop an ERM program that can better enable a company to see risks coming and address them more effectively, please reach out to me to discuss your specific situation today!