Alignment around what enterprise risk management (ERM) should be
It seems that every study, article and report on risk management now comes to the same conclusions: that a smart approach to ERM improves organizational performance and shifts the traditional focus on risk aversion increasingly towards one of risk awareness and opportunity. There is universal agreement that risk management silos are a problem and that home-grown, spreadsheet-based systems are cumbersome, resource-intensive and, often, simply not up to the job. The objective now is to shift organizational attitudes towards risk management and take an enterprise-wide, integrated approach in which the downside of risk is intelligently balanced against the upside.
Key drivers for change in ERM
A recent publication by Deloitte and the Fortune Knowledge Group, “Shift risk strategies, accelerate performance”, concludes that there are three primary change drivers: strategy, culture and measurement.
Break down the wall between risk management and strategic planning. Start by inviting risk professionals to strategic planning sessions. Risk professionals and business leaders can and must share ideas on the threats and opportunities facing the organization. Only by openly discussing business problems can the two sides understand the other’s point of view and act on this knowledge.
Create a culture where risk is everybody’s business. Get leadership involved in risk conversations and educate professionals to understand their roles in risk management. This change doesn’t occur simply by telling employees that risk is everybody’s business. Individuals must be trained to identify risks; calibrate their response; and, ideally, act on the knowledge that for every threat, there is a business opportunity.
Employ data analytics to measure risk and predict trends. Data analytics is a major enabler of a value-focused risk strategy. Business has reached a level of complexity that demands a more scientific approach to the information generated inside and outside the organization. Technology is only as good as the people who use it. Data analytics requires skilled people to ask the right questions to uncover the most useful answers.
All of these three areas resonate strongly as the place to start creating change. It is important to overcome the gaps between what the C-suite care about and what risk management teams traditionally focus on, if there is going to be an aligned enterprise-wide approach. The cultural issue is also critical: shifting attitudes from risk management being the job of a specialized team to that of risk-oriented thinking being an integral part of all business management.
Data and technology are driving ERM
It is also good to see the emphasis on measurement and data analytics as being fundamental. This has been one of the most critical missing ingredients from most risk management practices. It has meant that for many organizations, risk management decisions have been based on a mix of subjective opinions and outdated perceptions of what has taken place historically, instead of making decisions with what is actually happening and most likely to happen in the future.
I would offer one more element to successfully driving and implementing change in risk management: the approach needs to be technology-driven in practice. This is not just the technology of analytics, but the technology needed to enable all the people and activities on which risk management depends.
Without effective technology enablement, the key drivers for transforming risk management are themselves at risk of being just good concepts, instead of actual realized shifts in the ways that organizations operate.