Risk management is getting better. More CEOs and their senior management teams are identifying where things could go wrong, and where they need to go right, and doing the associated analysis and taking action to manage the risks. Experience shows it might be a CFO, general counsel, or board of directors prodding a CEO to take such actions. But in any event, we see more CEOs embracing risk management and their organizations doing better at it.

A few weeks ago, I met with members of the boards of directors of two NYSE companies, and I found that management has been providing heat maps and/or “top 10” lists of the more significant risks, making the directors comfortable that they were receiving information both relevant and at the right level to enable their oversight of risk management. Or at least they thought so until we looked a bit deeper.

Reports to the board

Heat maps can provide important information to a board of directors. They typically include the more significant identified risks, as well as likelihood of occurrence and potential impact. They may also include velocity—speed with which a risk event might occur—and usually depict actions being taken or planned to mitigate the risk, along with where responsibility is assigned and the expected timing of actions.

So, what’s the problem, if there is one? Well, there are actually at least a couple of significant problems:

The first problem is that where these heat maps are developed by a risk management staff function and/or senior management personnel, they present a perspective that may show only part of the real picture of risks facing a company. And in those instances the company doesn’t have a real risk management process, and certainly not what could justifiably be called an enterprise risk management process.

The second problem is the board of directors is doing only part of its job. Yes, it is looking at some of the more significant risks and considering how well management is dealing with them. But the board is not carrying out a fundamental responsibility, which is to ensure that management has designed, developed, initiated, and uses a process where managers of all units and segments throughout the organization identify current and emerging risks in their spheres of responsibility, and assess the potential implications and take steps to proactively and effectively deal with those potential eventualities.  

We see again and again that where senior management’s primary focus is to bring risk information to the board of directors, the attention is misdirected. Rather, there needs to be focus directly on establishing an effective risk management process throughout the organization, with management using the resulting information to ensure appropriate actions are being taken. Then, reporting to the board becomes a natural outgrowth of that process, where the board is apprised of the working of the process as well as of the more critical risks.

Global risks

There’s another major deficiency that we see too often—failing to consider what I call “global risks.” What I mean by this is not necessarily risks that might affect international operations, but rather major risks that are game-changers, with potentially devastating effects or presenting huge opportunities for the organization. Examples are as varied as the world around us. They may include such far-reaching matters as the implications of climate change; changing customer buying patterns, processes, and venues; evolving skill needs of the employee base and related availability; technological evolution or revolution and potential use for competitive advantage; geopolitical changes; emerging regulatory rules and enforcement activities; customer and stakeholder views on sustainability; and evolving cyber-risks. Anyone aware of major trends and their potential implications to an enterprise can quickly think of other such “global” risks that can wreak havoc upon a company, or enable it to reach new heights.

When discussing risk management with directors of these two companies, and asking whether their organizations are looking at such risks and opportunities, the answer was “not really.” Well, I expect that may change shortly.

Transformational change

Forward-looking companies are indeed looking beyond their current circumstances to see what is outside their traditional lines of sight. Let’s look at a couple.

Ford Motor Company. Historically Ford has worked hard to sell more cars—expanding product lines, grabbing a larger share of markets, and opening and expanding new markets. Now it is looking at what I call “global” risks, including those that will reduce demand for automobile ownership in the broader transportation market. Reports indicate that with an eye to Zipcar, Uber and Lyft, as well as Google Maps and Moovit that ease use of public transportation, the company’s management is looking at “multimodal transportation,” encompassing buses, subways, bicycles, ride hailing, and walking among other means of getting from one place to another. It’s also reflecting on the reality that more goods are being delivered. A manager in Ford’s “smart mobility” unit says “we see these not as threats but as opportunities for our business.” Ford is about to bring out FordPass, services ranging from car sharing to electronic payments for parking. The company’s goal is to “future proof” Ford’s place in the broader transportation market.

But it’s not surprising this company is looking to the future. When Henry Ford in the early 1900s decided to mass-market the automobile, he recognized the changing world and conceptualized the future, saying: “If I had asked people what they wanted, they would have said ‘faster horses.’ ” Ah, shades of Apple, where success emanates not from asking people what they want, but rather developing products people didn’t know they wanted but soon found they couldn’t do without.

AT&T. This company, which has been broken up, taken over, and rebuilt, is looking to reinvent itself once again, recognizing that it competes not only with other phone and cellular carriers, but also with such technology companies as Amazon and Google, among others. It acquired DirecTV and a slew of wireless businesses, and reports say it looks to grow as a computing company managing not only phones but also satellite TV and reams of big data through its cloud capabilities.

What the company is now doing will transform its workforce, by getting people to reinvent themselves with expertise in technology. Management says it recognizes the company’s dependency on technical prowess—where things like virtualization use software to allow numerous computers to operate like one piece of hardware, enabling what used to take a year of development to now occur in hours or minutes. Workers are told they need to reinvent themselves now and to continue to do so; those who don’t will become technologically obsolete. The company offers tuition assistance, provides weekly disseminations on online learning, and offers to track progress, suggest new courses, and advise on what careers are available. The union head is supportive, recognizing that the changes are inevitable—he believes that union members will go along, saying “you can’t fight technology and win.”

As such, the company is continuing to reinvent itself and working toward ensuring its people have the skills to drive the change.

Strategy and ERM

Okay, you may know that I have a “thing” about inappropriately using the term enterprise risk management when a company has only rudimentary risk management activity. ERM is a defined term, and I’m partial to the COSO Enterprise Risk Management — Integrated Framework description. Regardless, effectively managing risk involves using the relevant information to drive action within an organization, including focusing on global risks in setting strategic direction.

In talking with the CEO of one of the companies mentioned earlier, I asked whether it was fair to say that the industry name with which the company is tagged isn’t really the industry the company is in. It looks to me, I said, that you’re really a technology company. He immediately agreed, saying the company needs to start looking at itself as such and gear up to be well positioned in the future.

Risk management involves gaining information and perspective not only to deal with relatively obvious (though important) risks facing a company, but also the global risks and opportunities. Identifying and analyzing such potentialities, with thought and foresight, will help determine what industry or industries the company is in now, and where it wants and needs to be going forward—to ensure not only survival but success for the long-term future.