The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).


What Does It Take To Be Engaging? Getting Management Buy-In On Risk Matters

Risk professionals are often caught in an unenviable position when it comes to convincing management that risk matters should be taken seriously; not just operational risk or credit risk, but the whole spectrum of risks, real and virtual, that confront every business today. But risk matters are not the exclusive responsibility of the organisation’s risk function. Organisations have risks innumerable; these are rarely confined to just one department or business unit. Collectively, they could cause extensive, irreparable and costly damage.

So much to do, so little time
However, the Board and senior management are often too preoccupied with other matters to prioritise risk. Board members are not in the office full-time, and have limited hands-on engagement with staff. Senior management has its hands full, running the business and fulfilling the responsibilities entrusted to it by the Board. In many cases, management has little time or opportunity in its day-to-day operations to fully understand the concepts of ERM. Little wonder, then, that both risk matters and ERM are often left out of strategy, policy and business planning.

What does it take to get management buy-in on risk matters? One has to understand “where they’re coming from.” Examples of successfully applied ERM are always helpful. If the focus of management is constantly on the bottom line, then the risk professional should emphasise where and how ERM mitigated the risk and saved the company from a large expense or damage to its reputation or, conversely, helped the company identify and capitalise on an opportunity. There should also be equal focus on managing risks to help management make decisions in an informed, timely manner. In the long run, this will be a more holistic approach to maintaining profits, competitiveness and sustainability.

What should be considered
The Board may approve any strategy, policy or framework but, realistically, it is the people on the ground – management and employees – who will ultimately have to make it work. Getting management buy-in therefore means crafting things that work for management, which can be cascaded down the line without adding to the work it already deals with, or subtracting too much from always-constrained resources. Perhaps the most effective method to apply, particularly if the risk professional faces management scepticism, is to just start conversations about the risks confronting the organisation.

Unless the organisation already has a mature risk function, the risk professional is rarely in a position to influence the way the firm approaches its risks, much less influence management’s perspective of it. Conversations like these could be framed within the context of business development or business continuity planning. There are other factors which can be worked into the conversations as well. Many firms are intensifying their marketing efforts online, creating exposure to a plethora of hitherto unanticipated risks. The risks associated with globalisation grow by the day; awareness of them should increase in tandem.

How the risk professional supports management
As risk conversations develop, risk professionals could offer concrete support to management through the application of ERM tools like risk assessment and analysis. The fact that ERM is not a stand-alone process exclusive to management should be emphasised. It is something which concerns all levels of the organisation, and should be approached as such. It is worth noting that selecting the right technology can be very helpful in gaining acceptance for ERM. Careful measurement, assessment and documentation, combined with ERM tools, processes and procedures, can produce robust, accurate information that supports decision-making.

It is not easy to quantify the value of ERM programmes but risk managers can start by understanding what the firm’s core issues and strategies are, and position ERM frameworks, processes and procedures as solutions to achieving the firm’s objectives. Identifying the firm’s major risks, and offering workable mitigation, will help the ERM conversation gain traction. If management will only consider results, risk managers could then start with small projects to demonstrate effectiveness. The success of these will show that ERM works while providing a conduit for feedback, which is always important.

Long-term, deeper insight
Data collection, documentation, feedback and analysis are all elements of assessment and measurement that give deeper insight into the organisation. They are capable of demonstrating what the firm has experienced, how it has reacted, and how it has been impacted by both its reactions and the environment it has been operating in. Most importantly, this type of information helps management construct a roadmap for future action, i.e., enables it to make better decisions for sustainable business development. By looking at what has happened in the past, the organisation can hone its anticipation and formulate appropriate responses to future events.

While the extent of data collection and careful documentation may be onerous and sometimes labour-intensive, this can be mitigated somewhat by technology. There are programmes available which can be applied to support data collection, documentation and trend analysis that effectively lessen the administrative burden and streamline processes. Risk managers should understand their organisations enough to anticipate what kind of data is most crucial, and be tech-savvy enough to find the technology that matches these needs. They will be demonstrating their own abilities – and value – by doing so.

Risk managers have to be multi-taskers, and be able to fit into a multitude of roles. Their position gives them unique perspectives of the organisation and its people. Through their interaction with employees at different levels, they are able to identify areas of concern and emerging risk. This may not be obvious to management, which is usually focused on running the business. Conversations about risk are never easy; they tend to push people out of their comfort zones. The good thing is that once the conversation starts, it becomes easier to carry on, and involve more people in the process.
