Tuesday, 23 March 2010

Risk figurehead - essential or an admission of failure?

At a recent dinner debate I hosted on ERM trends, the topic which generated most passion was definitely whether an organization needs a risk figurehead like a CRO. Attendees came from industries including mining, retail and transport and there were definitely two schools of thought.

One view was that a figurehead was needed to spearhead the initiative to drive the process and cultural changes required - and to present the corporate risk profile information to the board.

The other school of thought was that the need was for an enabler - not a highly visible focal point. Their role would be to embed risk management deep within the organization so that the collection and reporting of risk data was 'part of the job' for all levels of managers - ie it was everyone's responsibility. Indeed the appointment of a CRO could even be seen as an admission of failure that risk wasn't taken seriously by the whole business.

This debate could run and run as it didn't seem tied to organizational risk maturity or industry characteristics.

Friday, 5 March 2010

Beating 'initiative fatigue'

Recent discussions with SVPs from a range of sectors have highlighted concerns around culture change inertia and the barriers this creates to embedding an ERM/GRC approach into organizational DNA. 'Initiative fatigue' at business unit level means new corporate programmes often fail to get traction - and when the terms 'risk', 'ERM' or 'GRC' are used the problem is magnified.

An approach I would propose is to incorporate these initiatives under the banner of improving business performance. Not only does this recognize their importance but reduces the reliance on terminology which often confuses. It also shows the link to improving the quality and visibility of information - which can only lead to better decision making and an increased chance of delivering the business plan.

Tuesday, 2 March 2010

Thoughts on the IRM annual lecture

This year's Institute of Risk Management lecture focused on messages coming from the recent World Economic Forum in Davos. I don't think attendees left filled with joy that our leaders are sure the downturn is ending anytime soon - but there were certainly some important points risk managers should take to heart.

Dr Gareth Shepherd, the speaker, made it clear that there would be closer attention to corporate governance and risk management - "not just box ticking", with world leaders personally angry with the people who brought on the economic crisis. We are already seeing measures filter through like the SEC ruling in the US.

Shepherd's advice to risk managers was to understand, even more closely, how the CFO is thinking and to "monetize" risk so that it could make it onto the board agenda and be discussed in a meaningful, standardized way. My own view is that the effectiveness of attaching a financial value to all types of risk will depend on the maturity of the board-level risk debate. If the risk and opportunity debate isn't a fixture of discussions then putting a $ value to risks will certainly grab some attention - but when risk debate is embedded in an organization then the discussion can be more nuanced pulling in topics like reputational risk which may be harder to monetize.

Tuesday, 23 February 2010

Trends in enterprise risk management to support greater transparency

In my role at STG I get to see how many organizations are rolling out risk management across their businesses. One trend that's emerging is a definite swing away from taking a specific project or division to focus on as an ERM pilot.

An increased requirement for transparency - evidenced by the recent SEC rule 33-9089 - and a need to risk-adjust business plans and forecasts to aid certainty, means that many organizations are looking at an immediate 'lite-touch', enterprise-wide risk management approach.

You could liken it to taking the pulse of the organization - rather than to giving a top-to-toe examination of just one part of the business - and missing the symptoms elsewhere which might kill you.

The lite-touch approach will provide an enterprise-wide health check relatively quickly which will highlight the areas which need more focus. However it does have implications for information sharing, buy-in and cultural change. But in today's climate this seems like an infinitely sensible approach - as a first step - but you will still need to follow up to join up the top-down and bottom-up to cover all levels in the organization. Only when this is done will you increase the probability of detecting emerging risks.