First popularized by UPS in the mid-90s, the slogan ‘moving at the speed of business’ has become a go-to phrase for conveying efficiency and reliability.
With uncertainty and turbulence becoming more and more the norm with each passing day it seems, its relevance has only grown since, including with ERM.
According to surveys like the State of Risk Oversight report from NC State, it appears ERM has a long way to go to reach this ideal for most companies.
ERM’s reputation has been plagued for years as being too rear-facing, focused on lists for satisfying regulators, and even worse, too bureaucratic.
I believe one, if not, the main reason for this reputation boils down to the following…
As long as “ERM” is considered a separate activity from managing the company, executives will continue to see little benefit.
To this, I would add…
As long as “ERM” is treated as a separate activity, it will also be considered too bureaucratic and therefore unable to move at the speed of business.
Now this isn’t too imply that your company should completely forego formal governance and processes. After all, it’s important to have clear roles and responsibilities and even a committee that oversees the ERM program.
The ERM oversight committee at the management level plays an important role in ensuring action plans for risks are not only working as intended, but also understanding and resolving problems to getting action plans implemented, and getting resources allocated or reprioritized as necessary.
Besides this oversight function on the process side, the job of this committee is to take a step back and look at risks holistically.
However, not all decisions and the risks around them are created equally. But many companies approach risks as if they were, which is where the “too bureaucratic” moniker begins to enter the picture.
Here’s how this often plays out…
An executive has an idea they believe will help the company achieve a given objective. As with anything, there are risks, but the manager or executive believes the risks are minor and is eager to get started with the idea.
The risk manager comes in and says, “Wait. I know you want to do this, but we’re going to need to pause and conduct a risk assessment and have some in-depth conversations before you can move forward. It will take a few weeks [or months?].”
Be honest – how well do you think that’s going to go over?
From past experience as a practitioner and conversations with executives as an ERM consultant, a conversation like this example will go over as well as a burnt cookies at a meeting!
Think about it. How would you like to be told you’ve got to delay something you are eager to get started, plus allocate time on your calendar to go through a formal process, especially for something you consider to be relatively minor? Nope, nope, and nope.
This is ERM moving at the speed of a snail (or slower), not at the speed of business.
What are some actionable steps that can be taken so ERM can ‘move at the speed of business?”
There’s no question that companies have to be adaptable in today’s world.
ERM is the same, which alone places it in a different category over traditional risk management.
So here’s one idea to make ERM more agile…
Instead of lumping anything and everything risk related into a specific ERM committee and running it through a full assessment process, why not embed risk conversations around these one-off decisions into regularly recurring management meetings?
Much of this will depend on how you function as a company, but chances are, your management team meets on a regular basis.
In these meetings, there can be a short list of general questions that should be asked around every decision – questions around upstream dependencies and downstream consequences that can help leaders quickly judge the viability of a particular idea.
As long as these questions are asked, answers are well thought out and discussed, and everybody is good with the answers, it’s safe to say the decision is risk-informed. At a minimum, at least better informed than they were!
Of course, this doesn’t mean you can just check a box and say risk management has been done. That’s not going to work.
Think of it like a sliding scale bureaucracy…
On the one end, you have the stifling situation mentioned earlier. If executives are constantly being told “we need to schedule an assessment and come back with a list of risks,” ERM will continue to be seen as too bureaucratic and therefore be sidelined, or at least relegated to the semi-annual or annual risk assessment that doesn’t reflect the current state of the business. The only effort that will be put into it is whatever regulators and ratings agencies require.
On the other end, taking a cavalier attitude towards risk can lead to decisions that introduce new risks or exacerbate existing ones, all without any mind towards properly managing the risks before they get too big, too many, or out of control.
A good balance has to be struck between these two extremes.
Once you find this balance for your organization, the ERM committee can focus on the broader portfolio of risks, the status of action plans, and monitoring.
Agility in this committee is important too…
In the past, committees like this met on a quarterly basis, but business doesn’t work that way. While it may be possible to retain this quarterly schedule for formal meetings, it would be best to communicate with at least monthly updates and recognize the need for an occasional ad-hoc meeting.
The last thing in the world you want to happen as an ERM professional is to be asked, “why did you not take the steps to address a risk you know was brewing? Why did you wait until the scheduled meeting when you know that the likelihood of a particularly high-impact risk was going up?”
It may be considered ‘best practice’ to do a formal assessment for every risk in every situation, but that would be too stifling in the real business world.
Embedding risk into other areas where it can deliver actionable insights in the moment helps address many of the negative perceptions of ERM being too bureaucratic.
In the end, ERM is a tool for decision-making and not there for its own sake.
When it is viewed as such, the possibilities become much more clear.
What are other ways you’ve discovered to make ERM move at the speed of business?
Please feel free to share your thoughts or experiences in a comment below or join the conversation on LinkedIn.
If your company is struggling to use ERM in a way that reflects the realities of today’s business world and is suffering from the perception of being too bureaucratic, please reach out to me to discuss your company’s current state and different paths for moving forward.
