I recently asked of fellow risk professionals, “What is your single biggest challenge when it comes to ERM implementation?”
What do you think the answers were?
Maybe figuring out how to assess risks?
Maybe integrating with strategy?
Or aggregation of risks?
Nope.
Tone at the top!
Yes, the executives and how they convey their thoughts about risk are noticed by everyone in the organization.
Tone at the top can consist of many things, such as “walk the talk” (as one respondent answered) and attitude (whether indifferent or overconfident that they know what they need to know).
What it really comes down to is organizational culture, which is set by the executives and board of your organization.
If they do not believe they need risk management, then you will not get very far. Sad but true.
You may make progress with mid-level management on operational risks and possibly project risks, but you will not be able to deliver the true value of enterprise risk management: the strategic view, and supporting management in achieving the strategic plan.
Executives must take ownership of risk management. Don’t just say “we want ERM.” Show it to your people in your words, actions, and attitudes.
Oh, and this other thing – talk about risk. After all, risk should be embedded in daily decision-making. But if leadership isn’t talking about it, it isn’t embedded.
And the board is not immune to this either. The board is responsible for oversight of management, correct? Then part of that oversight is asking management:
- Are they identifying risks to the business?
- What are they doing about those risks?
- What are the risks that are being accepted as part of doing business?
- What is coming down the road 5 to 10 years in the future?
- Does management have processes in place to ensure that risk is consistently considered throughout the organization from top to bottom?
Risk professionals have a role in this challenge as well.
How are you talking about risk?
- Are you using the language of the business?
- Have you explained the “why” of ERM?
- Most importantly, are you keeping it simple?
Too many times, I believe that risk professionals make things overly complex. Why do I say that?
I used to be one of those people.
We forget that ERM has to function like a business within a business.
Your organization changes its products, services, structure, and messaging based on customer demand, the business environment, etc. In other words, the organization adapts itself.
If ERM doesn’t adapt to a changing organization, how can ERM stay relevant and meaningful to its executives?
Are you struggling to get or keep executives engaged with risk? If not, how are your executives demonstrating a positive tone at the top?
I would love to hear from you. Comment below or join the conversation on LinkedIn.
Featured image courtesy of Lloyd Smith via Wikimedia Commons