When my wife was expecting our first son, it surprised me that most of the
stories we heard about childbirth from other people involved something going
wrong. At some point, we made a conscious decision to ‘switch off’ and ignore
those stories. I don’t really know whether our experience was
representative.
It strikes me that risk management appears a bit similar; it is easy to hear what went wrong. Before I go any further, I admit my share of guilt for writing about risk management lessons from enforcement cases of the UK’s Financial Conduct Authority (here, here, here, here and
here). This post seeks to address that bias by sharing a paper about
risk management success stories.
The paper is based on extensive field work with two companies
outside financial services. This makes it more even more interesting for
me because it removes the inevitable interaction with regulation in financial
services.
From the perspective of designing and implementing an ERM system, there are seven lessons I take from these success stories:
1. The background of the CRO
did not seem to matter. In one case it was someone with a business background, and
in other case it was someone with a corporate background. The common
factor was the CRO’s determination from the outset to find a practical way of
adding value to the business.
2. Success seemed to be
described by reference to the role of risk management in the preparation of the
business plan. The path to this
involved in both cases a discrete deliverable, typically preparing and
maintaining a business risk profile.
3. Successful engagement of
the risk function with the business was crucial. Needless to say, each CRO tailored it to reflect the
business. For example, one of the organisations was more project-focused,
and there was more emphasis on risk assessment by business lines.
4. It was important to
develop a common risk language in an unobtrusive manner. This could be
in terms of controls and risk, impacts that reflect the various functional
dimensions of the business or scenario planning.
5. The risk function needed a
degree of self-confidence. This could be useful to start the risk assessment process,
develop business-specific tools and encourage the business to take more risks
where it is deemed appropriate to meet business objectives.
6. Risk functions achieved a
balance between being close to the business and being independent of the
business.
7. An effective tone from the
top was more helpful in terms of behaviours. This is really about
how CEOs interact with others and ask questions about risks as part of the
usual scrutiny of initiatives.
I believe that I have come across most of these lessosn in different
contexts. It is, however, interesting to see all of them together.
If I had to single out one lesson from the above for financial services, I would choose the link to the annual business plan. On a scale of 0 to 100, where 0 is no risk management involvement in the annual business plan and 100 represents the full integration of the risk management in the annual business process, what would be the score for your organisation?
More importantly, what would be your target score for the medium term? What would that mean in terms of different activities? What would you need to persuade your CEO to accept that involvement?
If you work in financial services, I would be keen to hear your thoughts
about this article. If you don’t, I would be keen to know if these
lessons resonate with your experience.
You can subscribe to
future posts at http://crescendo-erm.blogspot.co.uk.
No comments:
Post a Comment