Risk Insider: Elizabeth Carmichael

Putting Your Organizational Values Where Your Risks Are

By: | July 8, 2016

Elizabeth Carmichael is president of Carmichael Associates LLC. She formerly was director of compliance and risk management for Five Colleges Inc. She can be reached at [email protected].

I think that many risk managers (myself included) struggle with guiding their organizations to choose what risks to prioritize for management.

Even when we work for an organization that has a highly functional ERM process, and senior leaders are actively engaged in the identification, management and mitigation of risks, can and/or should compliance and risk officers be leaders in helping them set their priorities?

If the answer to that question is “yes,” how can we be better leaders? We can do it by identifying and aligning risk management as a cornerstone of institutional values.

One of the things that has always bothered me about “reputational risk” is that it measures how the outside world will view the institution (by measuring lost revenue, increased costs, or reduced shareholder value) if it fails to address a particular issue.

This has become a shorthand of sorts for measuring the ethical aspects of failure to address some kinds of risks. The problem is, it doesn’t address the actual values of the organization. Reports have been published on the atmosphere at Penn State where alumni and other donations actually increased in support of the university after the news of the Sandusky sex scandal broke.

Other schools, like Dartmouth University, may have seen a drop in applications from women because of sexual assaults and harassment, but given the strength of the school, it probably hasn’t impacted the bottom line. The outcomes of bad press are impossible to predict.

There is no discussion, no scoring, in the enterprise risk management process of “How antithetical to our institution and our values would it be if something happened because we failed to address this risk?”

Or, “What are our institutional values and how does this risk conflict with our values?”

We should ask ourselves how risks might be scored if these questions replaced, “What is the reputational risk?”

Assuming — and admittedly it may be a big assumption — that organizations want to align their operations with their stated and implied values, the ERM process can and should be used to support this objective.

Even when we work for an organization that has a highly functional ERM process, and senior leaders are actively engaged in the identification, management and mitigation of risks, can and/or should compliance and risk officers be leaders in helping them set their priorities?

Now, if your company’s sole value and objective is to sell products more cheaply than any other company, ethics and values will not be likely to have any traction with company leadership on risk matters.

But if your company or organization has a mission, vision and/or values statement, you will have a place to start.

Reputation, on its most basic level, is a measure of trust — how well does the organization deliver the products and services, the values, which it promises?

This applies to both the organization’s customers and employees.

Do employees know what the organization’s values are? Are policies, procedures and risk mitigation efforts aligned with its values?

Compliance officers and risk managers may find that, when faced with opposition on a risk mitigation effort or prioritization, that helping mangers understand how the mitigation helps the organization’s actions align with its values will break down the resistance.

I’ve seen it work; try it!

More from Risk & Insurance