Are you comfortable with how your company is dealing with cyber-security risk? What about strategic risks? And how about risks related to legal and regulatory compliance? 

The more I deal with boards and senior managements, the more I hear that despite their increasing concern and focus on existing and emerging risks, there’s a consensus that in today’s world exposure to these and other significant risks is only increasing.

A few months ago I had the privilege of delivering a keynote address at Gartner’s annual risk-management summit in the Washington, D.C. area, where I spoke to the ins and outs of risk management—what works and what doesn’t, and how top managements and directors can rest more comfortably and focus more attention on growing the business. I’d like to share with you the more important messages of that presentation, centered on lessons learned from experience working with major companies.

Process vs. Culture

The late, great management guru Peter Drucker, whom I was fortunate to learn from during my graduate studies, said “culture eats strategy for breakfast.” While both are important, it’s the culture of an organization that drives behavior more so than any other factor.

We know that corporate culture played a crucial role in Siemens’ and Daimler’s long-standing bribery, HSBC’s problems with money laundering, General Motors ignoring signs of ignition switch problems, News of the World’s phone hacking, and Countrywide’s NINJA loans and robo-signing. There’s no doubt the culture of these companies allowed or in some cases encouraged the behavior that cost billions of dollars in settlements, fines, and penalties, and dealt heavy blows to the reputations of those companies.

Whatever management and directors intend, what really goes on in an organization is dictated by its culture—which can make or break a company.

Lesson Learned 1: Infrastructure is essential, but risk management will not work without the desired corporate culture of integrity and doing the right thing.

Culture Can Be Changed

Siemens provides a good example of a terribly flawed culture that was changed. Bribery began after World War II when it was legal in Germany, but continued when the laws were changed in 1999. Regulators called the bribery “systematic, widespread, egregious, brazen, massive, willful, and carefully orchestrated.” How was the culture changed? It began with a new CEO, general counsel, and director of professional practices. The CEO replaced 80 percent of top level executives, 70 percent of the next level, and 40 percent of the next! An amnesty program said to employees, “if you come forward and report wrongdoing now, you’ll stay—if not, you’re history.” Many were fired.


There was a new strategic direction, rigorous new controls, new compliance and audit functions, extensive training, and clear messaging on integrity from the CEO, as well as monitoring to view how those messages were received and acted on by employees. Company officials report that the culture has been transformed, with requests for bribes turned down and reported market share and profits at record levels.

Lesson Learned 2: The key driver of culture is the CEO, supported by the senior management team. Changing culture can be like turning a battleship, but it can be changed.

Effective and Efficient Risk Management

A sound foundation for risk management depends on several factors, including having a shared view of risk, agreed-on business objectives at all levels, and a process that recognizes uncertainty and seizes opportunities to optimize growth and return. It requires a disciplined approach, aligning strategy, processes, people, and technology, and ensuring managers have the requisite information to identify and manage risks. At companies that manage risk well, risk information is communicated up, down, and across the organization, and risks are managed not only individually but also on an aggregate basis, and are recognized and used as a basis for better business decision making.


While many executives talk about having an enterprise risk management process, often that’s simply not the case. To be a true ERM process, it must not only have the above-mentioned attributes but also be embedded throughout the entire organization, manage risks within risk tolerances, take a portfolio view of risk at the entity level, manage risk within the company’s risk appetite, and serve as a basis for allocating capital based on growth, risk, and return.

With a true ERM program, risk management is built into the organization and aligned with the company’s business objectives. Business units are directly involved in setting and implementing risk-management policies, where responsibility rests not with risk officers, but rather with line and staff managers. At these companies, managers embrace risk-management protocols because they’re seen as enhancing business decisions.

Lesson Learned 3: Risk management superimposed on top of existing procedures is less effective, with soaring administrative effort and cost. On the other hand, risk management—preferably ERM—built into business processes drives efficiency and effectiveness.

Implementing ERM

Many organizations looking to develop an ERM process face an array of hurdles. Among the more common landmines put forth by personnel at all levels are: “Risk management interferes with ‘real work.’ It’s a negative thought process, not relevant to us action-oriented, ‘can-do’ people. Managing risk is someone else’s (staff’s) role. It’s just a formality not serving any purpose. We know what went wrong elsewhere, and it won’t happen to us. Risk management is simply so management can report to the board.” And then there’s, “of course we already do it, so go away!”

A realistic risk-management development plan begins with top management, whose support is absolutely critical. A CEO needs to be convinced of the business case with cost and benefit analysis—including the cost of bad decision making and being blind-sided by events—and benefits, including fewer and less-costly failures, seizing risk-based opportunities, making better decisions, and providing relevant information and greater comfort to the board of directors.

There are different approaches for successful implementation. One involves beginning with senior management in the strategic planning phase, where C-suite executives take a risk-based approach and then drive the methodology downstream. Another is to begin with one business unit, demonstrating the rewards of effective risk management. A third is to go “big bang,” by designing and rolling out the process companywide. The company’s culture drives which approach is best.

For companies of significant size, technology is useful, if not essential. The right software can enable companies to identify top business objectives, capture related risks and opportunities, assign responsibilities, and maintain accountability.

It also enhances communication across the organization and allows roll-up for a portfolio view of risk. It’s important that the technology supports existing management protocols and processes, is not an administrative burden, and is sufficiently flexible to support organizational changes.

Lesson Learned 4: ERM doesn’t just “happen”—it is carefully designed, bought into, rolled out, supported by technology, and implemented by managers throughout the organization.

Supporting the Board of Directors

Boards of directors need comfort that management has an effective risk-management process in place—preferably an ERM process. Directors want to know that risks are identified throughout the organization, both top down and bottom up. They want to be sure risk management is built into business processes, is used effectively in strategic planning and decision making, and makes effective use of technology. Yes, the board wants critical risks and related actions brought to the boardroom—not as the primary objective, but rather driven from the process embedded in the organization.

Lesson Learned 5: In supporting the board, management recognizes the board’s needs and concerns, and provides the desired level of comfort—as a natural outgrowth of an effective enterprise-wide process.

These lessons provide a successful roadmap to corporate managements in establishing effective risk management in their organizations and reaping the associated benefits.