This focus isn't wrong, but it is limiting and ignores the more important opportunity that managing risk well presents: namely, the assurance of improved chances of meeting objectives and, ultimately, enabling the delivery of the mission of your company.
The deficiency in the aforementioned approach is substantial. Importantly, the opportunity to help deliver the corporate mission puts risk managers in a unique power position to influence and partner with the many leaders directly involved in daily mission delivery.
The centerpiece of a better approach to risk management is the linkage between risks, controls and objectives, from the individual objectives of managers to the departmental, subsidiary and enterprise-level objectives of the firm. Simply put, a risk is not a risk unless it threatens an objective or, through increased risk taking, enables the accomplishment of an objective not otherwise likely without taking that incremental risk.
The trouble is, this concept is not intuitive for many managers. There isn't often a natural connection between objective setting and risk taking. Most managers don't think in terms of risks being the reason why they don't accomplish that to which they have committed.
When something isn't coming naturally in the work setting, it is likely a function of the culture. In the case of risks and the performance of companies, the risk culture may be insufficient to support the success most leaders desire. The risk culture necessary to enable this mindset puts risk management at the center of culture and uses education, training, tone from the top and the middle as key elements of driving desired behaviors. A consistent message of this linkage and its central role in individual and corporate success is critical and requires continuous reinforcement. Consistent and frequent modeling from the board and senior management is also critical to achieving this desired state.
Incentives and rewards are another element of the connection between risk and performance. It is widely held that without direct incentives for prudent risk taking, you cannot expect to drive a risk culture, let alone the desired performance outcomes that depend on it. These incentives need not be outsized and in fact ideally should be balanced and measured consistently across the enterprise. It is well known that what gets measured gets done.
By extension, what gets rewarded is even more likely to get done. The key is to ensure the correct design for an incentive system that drives only targeted behaviors. It has been shown time after time that, without accountable measures and incentives directly tied to them, a high-performance risk culture is not likely to emerge.
Finally, risk and risk decisions must be directly linked to both the formal planning process and the day-to-day decision making of management. This can take many forms and can be as simple as ensuring that the risks to the operating and strategic plans are identified, assessed, measured, monitored and periodically updated to actual.
With this linkage, the messaging to drive a risk culture takes on heightened importance as management realizes that risk is an important consideration in everything that is important to the success and mission accomplishment of the company. And for those who care about Standard & Poor's enterprise risk management (ERM) assessments, you would do well to seriously consider making this a part of your risk culture.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society Inc.
April 1, 2010
Copyright 2010© LRP Publications