By Gary Pearce

Jun 14, 2022

In a recent message we commented on an excellent analysis of the CEO’s Risk Perspective from McKinsey & Company, which offers a compelling case for risk management as a top priority for the Chief Executive Officer. Our Part I commentary spoke to some of the high-level issues that risk executives and CEOs should consider to make the McKinsey analysis relevant to their organization. Now we present some implementation issues that risk teams and executives should address in order to ensure effectiveness.


Assembling the Team

The CEO will probably have in place a multidisciplinary risk management team as a core element of a risk-aware organization. Risk management programs are destined for failure if they are effectively a one-person show. 

It’s generally understood that a spectrum of functional disciplines should be included within a core team, mixing both staff and operations roles at senior levels. However, there is an additional perspective that should be considered: some people are more oriented toward risk-taking and assertive initiatives, while others have an inclination toward defensive prevention. A team that is top-heavy in either area may underperform.

The implication is that while compliance and audit-oriented representatives are certainly valuable, companies shouldn’t overload a risk governance or enterprise risk team with those functions. Include representation from those interested in the upside opportunities posed by an ever-changing business environment. Moreover, charge all persons, regardless of their role or background, with considering both risk and opportunity, including the consequences of not taking aggressive action.


Don’t Wait for 100% Buy-In

While it behooves senior leadership to be aware of any pervasive opposition or concerns, risk management programs are no different from any other major initiative in that not everybody will necessarily be 100% on board.

An effective enterprise risk management program will likely have many facets, and they won’t all deploy on the same timetable. Expect a healthy skepticism in the early days of launching any new or expanded element. Some may regard risk management as this season’s passing fad, some will be disengaged, and others will lack understanding. 


Awareness Doesn’t Ensure Accurate Assessment

Recognizing the presence of a particular risk is a prerequisite to mitigation and prevention. But mere awareness doesn’t ensure an accurate assessment of relevance. There are often vast differences between the likelihood of a particular matter occurring but with low or mild severity, versus the much less likely event of it occurring in its most severe form. Business generalists can be surprisingly inaccurate when assessing the relative importance of various risks, and things can get very complicated if the processes for prioritizing risks aren’t standardized. 

A good way to ensure consistency is to measure both frequency and severity only at a near-worst-case level. When doing so, beware of the tendency for assessors to woefully overstate the likelihood of a near-worst-case event while understating its potential severity.


Consider Using a Framework

It’s a good idea to utilize an enterprise risk management framework as part of the risk-aware company’s toolkit. A framework raises the likelihood of addressing an appropriately broad spectrum of risk issues, consolidates the hard lessons learned by others, can be reassuring to board members, and affords a validation foundation for auditors.

Although the advantages are many, beware of having an enterprise risk framework become an end unto itself. The key objectives and emphases of various risk frameworks can differ greatly. More notably, any framework may not fully address the specific risk circumstances of a particular organization. 

The best approach is to use a framework, but avoid it becoming the prime source of authority. A risk management program that happens to check all the boxes of a risk framework, without having explicitly attempted to do so, is probably a good program.


Measurements Will Move the Needle

A risk program that doesn’t measure its effectiveness probably won’t be very effective. It’s important to measure the right things while avoiding overwhelming stakeholders with too much information. Ultimately the selection of what matters most will be very specific to a particular organization, and aligned with the CEO’s top concerns and interests.

A good set of measurements probably includes a mixture of activity and outcome metrics. Consider having a limited set of key measures that are socialized amongst executive management with the intent of their becoming part of the language of the business, supplemented by additional metrics primarily for the benefit of the risk management team. 

Don’t be afraid to include one or two subjective measures in the portfolio, and remember that trailing measures are unlikely to reveal strategic insights.


Transforming Risk Advocacy

Not all risk managers are well-suited for the role of assisting their CEO to become truly risk-aware. In some organizations, the risk management function is too junior in stature or talent level to be part of the C-suite dialogue. Its only interaction with operational leadership may be in the aftermath of a severe event or when insurance costs come in over budget.

The talent set needed to be an effective assistant to and advocate for the CEO may be quite different from the skills needed to execute traditional risk management priorities. While this represents a genuine growth opportunity for the risk manager, it may also be an appropriate time to retain an outside consultant to help get an expanded risk management program off the ground.


Put It Into Practice

Managers have a keen ability to distinguish career-shaping expectations from mere rhetoric. If the CEO is vocal about risk empowerment and the importance of high-level risk management, but does nothing to reflect those concerns within job descriptions, performance evaluations and business plans, then full engagement on the part of the leadership team won’t happen.


You Can Teach This Stuff... And Probably Need To

Neither the CEO nor their leadership team ascended to their positions solely on the basis of risk management acumen. While risk proficiency is now a necessary skill, it’s not the job of senior leaders to be full-time risk managers.

It behooves the risk management function to assemble the necessary support and educational content to help senior leaders succeed in installing a risk-aware culture. The human resources function may have a prominent role in this endeavor as well. Keep the emphasis on high-level issues and content, and try to help determine what needs to be personally owned by the CEO and what should instead be delegated.

It’s also very appropriate for the risk manager to help shape the CEO’s perception of top organizational risk issues. This can be far more difficult than it seems, because while risk managers live with risk issues on an ongoing basis, they don’t have the benefit of experiencing the issues, constraints, and expectations that the CEO encounters every hour.


Unlock True Risk Management with Technology

Finally, and as we mentioned in our earlier commentary, technology is a necessary element of a risk-aware culture driven by the CEO. The uses of technology are many: timely detection of new events and trends, collaboration and efficiency among multiple stakeholders, adapting to change, maintenance of reliable metrics, verification and validation of key mitigation and prevention activities, and identification of what risks matter most. It’s no longer acceptable to depend on worksheets, siloed standalone applications, tools that only measure trailing results, or platforms designed for other purposes such as audits.

Customization to the particulars of an organization is highly important, but be very hesitant to develop the necessary tools totally in-house. There are simply too many lessons to be learned and incorporated, too many facets to a state-of-the-art risk management information system, and too much ongoing change for in-house resources to be flexible enough to keep up.

The risk manager who takes into consideration the advice of the McKinsey white paper, and heeds the advice given in our follow-up messages, will be better prepared to assist the CEO in socializing an appropriate risk management instinct throughout the entire organization. Socialization of risk management throughout the enterprise is the surest path to better results.