When my wife was expecting our first son, it surprised me that most of the stories we heard about childbirth from other people involved something going wrong. At some point, we made a conscious decision to ‘switch off’ and ignore those stories. I don’t really know whether our experience was representative.
It strikes me that risk management appears a bit similar; it is easy to hear what went wrong. Before I go any further, I admit my share of guilt for writing about risk management lessons from enforcement cases of the UK’s Financial Conduct Authority (here, here, here, here and here). This post seeks to address that bias by sharing a paper about risk management success stories.
The paper is based on extensive field work with two companies outside financial services. This makes it even more interesting for me because it removes the inevitable interaction with regulation in financial services.
From the perspective of designing and implementing an ERM system, there are seven lessons I take from these success stories:
1. The background of the CRO did not seem to matter. In one case it was someone with a business background, and in the other case it was someone with a corporate background. The common factor was the CRO’s determination from the outset to find a practical way of adding value to the business.
2. Success seemed to be described by reference to the role of risk management in the preparation of the business plan. The path to this involved in both cases a discrete deliverable, typically preparing and maintaining a business risk profile.
3. Successful engagement of the risk function with the business was crucial. Needless to say, each CRO tailored it to reflect the business. For example, one of the organisations was more project-focused, and there was more emphasis on risk assessment by business lines.
4. It was important to develop a common risk language in an unobtrusive manner. This could be in terms of controls and risk, impacts that reflect the various functional dimensions of the business or scenario planning.
5. The risk function needed a degree of self-confidence. This could be useful to start the risk assessment process, develop business-specific tools and encourage the business to take more risks where it is deemed appropriate to meet business objectives.
6. Risk functions achieved a balance between being close to the business and being independent of the business.
7. An effective tone from the top was more helpful in terms of behaviours. This is really about how CEOs interact with others and ask questions about risks as part of the usual scrutiny of initiatives.
I believe that I have come across most of these lessons in different contexts. It is, however, interesting to see all of them together.
If I had to single out one lesson from the above for financial services, I would choose the link to the annual business plan. On a scale of 0 to 100, where 0 is no risk management involvement in the annual business plan and 100 represents full integration of risk management in the annual business planning process, what would be the score for your organisation?
More importantly, what would be your target score for the medium term? What would that mean in terms of different activities? What would you need to persuade your CEO to accept that involvement?
If you work in financial services, I would be keen to hear your thoughts about this article. If you don’t, I would be keen to know if these lessons resonate with your experience.
You can subscribe to future posts at http://crescendo-erm.blogspot.co.uk.