Several times I've run into objections to my candidacy based solely on my lack of experience in these industries. While my initial reaction was often one of offense, I realize in retrospect that these institutions often didn't know any better and, in a few cases, may have had good reasons for their narrow view.
However, with the evolution of the discipline along enterprise risk management lines, coupled with my latest reinvention as an ERM-focused consultant, I have become increasingly sensitive to and somewhat annoyed by this mind-set.
The fact is, risk is risk and the risk management model is, in my estimation, roughly 80 percent the same for all. I continue to maintain that ERM done right is customized to the culture and expectations of management and governance.
So what are the distinctions that would make managing risk unique in a particular setting?
First, the process of identifying risk is most influenced by an understanding of operations and the exposures inside and out that most reflect the potential for loss or gain. Both company and industry type will drive the result, but the process itself is unlikely to be unique to either. The risks themselves will be a blend of what many experience, and will be shaped by operations and structure.
Processes used to assess risk will be common to most entities and distinct only as a function of chosen methods. Assessments will be a function of exposure, which will be more distinct.
In risk measurement lies the first area of the risk model that may be more specific to an industry or company. Distinctive measurement will be a function of how quantitative stakeholders tend to be in measuring other aspects of the business. The methods will vary in accordance with the types of exposures that require measurement. Tools and methods will be uniformly available to all but often designed and marketed toward specific industries and company types.
Uniqueness is certainly important in risk mitigation, because it's driven by culturally influenced and management-defined risk appetite and tolerance. These are likely to be unique to each entity. It is an area impacted by the extent to which audit and compliance expose companies to regulatory requirements.
This leaves the monitoring and reporting processes. In both cases, these elements will be most affected and influenced by the nature of the company and culture, and secondarily by the industry. But the processes used to execute these will be essentially the same across entities. The most significant differences will be the amount and frequency of each activity sought by risk stakeholders.
So why do so many still think that you can't manage risk effectively unless you're bred in the specific company or industry in question?
This is a paradigm that needs breaking. The more progressive and successful companies of the future will be those that recognize the value of a fresh perspective not skewed by a company's culture or by the belief that any industry has a monopoly on best risk management practices. In fact, the best risk practices are naturally engendered in the best-performing companies.
CHRIS MANDEL is the president of Excellence in Risk Management LLC, and executive vice president of rPM3 Solutions LLC. A former president of the Risk and Insurance Management Society Inc., he can be reached at riskletters@lrp.com.
October 11, 2012
Copyright © 2012 LRP Publications