As risk managers look to define their role within an organization, they may find that the answers they are looking for lie in enterprise risk management.
American business writer Tom Peters is best known for his book In Search of Excellence. Less well known is his view on personal branding, which he equated to building and then reinventing “Me, Inc.” Peters characterizes personal brand as the promise of the value your customers receive in three areas: credibility, quality and satisfaction. Different from personal reputation or ethical code, personal brand focuses on customer delivery and perception. Arguing that each person is in charge of his or her own brand, he asks a simple question: “What do you want to be known for?”
As risk professionals, it is a question we should ask ourselves periodically. If a poll were taken in our organizations, what would people say is our tagline? Would we be seen as strategic business partners for taking risks, or would we be perceived as the ones who blow out candles on birthday cakes to avoid a fire hazard? As we plan for the future, let’s pause to rethink risk, reframe the ERM conversation and reposition our personal brands.
The first question we need to ask ourselves is, “What does risk management mean to you?” This may seem like a simple question, but it is has multiple meanings. In certain cases, risk management may refer to an organizational function: the area that holds responsibilities for shaping risk principles and policies, and consulting, communicating and training others on risk practices. More often, risk management is described as an assessment process for identifying, analyzing, monitoring and reporting on risks—either superimposed on or embedded within other processes or initiatives. RIMS (the publisher of this magazine) defines enterprise risk management as a strategic business discipline for decision-making that focuses first on achieving organizational objectives, considers risk from an interconnected, full-spectrum, “portfolio” view, and supports management actions based on developed “intelligence” of the combined impact.
Like sports teams executing plays that they have practiced over time, risk management as a discipline is a way of behaving in concert to reach common goals. This cross-organizational discipline is typically—but not always—led by the risk management function, utilizing the process described above as one of many supporting components of the organizational discipline.
Rethinking Risk
Common definitions of risk usually focus on the potential for loss or some other undesirable outcome. On the other hand, RIMS defines risk as “an uncertain future outcome that can either improve or worsen an organization’s position.” The RIMS definition is complementary to the ISO 31000 international risk management standard risk definition as “the effect of uncertainty on objectives,” but highlights both the potential upside as well as the more widely perceived downside that is reflected in the typical definition.
Each year, coastal areas gear up for hurricane season. Those who view hurricanes with a downside perspective consider the undesirable outcomes: potential loss of life, injuries, displacements, physical damage and business disruptions. With these potential consequences in mind, they prepare and respond accordingly. Those with an upside view may be equally concerned with the potential undesirable outcomes, but also see the opportunities. Product sales, such as for construction and restoration materials, increase. The demand for clean-up, demolition, salvage and temporary housing services peaks post-event. Some long-overdue improvements may actually make buildings and communities safer in the long run. How the hurricane risk—the uncertain future outcome that improves or worsens respective positions—is managed depends entirely on the organization’s unique objectives.
This broadened thinking about risk is reinforced if you consider its three inherent characteristics: probability, symmetry and change. Since risk is most concerned with an uncertain future outcome, the probability or likelihood of a situation, condition, trend or event occurring is one key element in decision-making.
In our example, the probability of hurricane-force winds and rain occurring inland is much less than in coastal areas. That does not mean that there is no risk inland. Remember how unusual Hurricane Ike’s unexpected and devastating impact was in 2008 for regions not typically exposed to such storms, like the Ohio River Valley and upstate New York, making it the third costliest hurricane to make landfall in the United States. Clearly, probability is not the only—or even the most important—risk criteria in decision-making.
As illustrated in the hurricane example, risk is symmetrical. The outcome may be pleasant or unpleasant. Risk professionals often attempt to quantify or qualify the impact of risk outcomes as another key element in the decision-making discipline—granted, usually by focusing on the downside and typically the financial cost. However, there are other elements that at times go unrecognized, but could impact future outcomes and risk considerations, including capacity of the organization to absorb, control and/or exploit the risk, relevance to objectives, timing, interdependencies, organizational readiness, effect on intangible assets such as reputation, and degree of confidence of execution.
Organizations within Hurricane Ike’s wide swath fared differently. While some were unable to fully recover, most survived without significant financial consequences. Without a doubt, limiting impact considerations—particularly by considering the downside financial consequences only—does not fully inform decision-makers.
Change, risk’s third inherent characteristic, is somewhat self-evident. If there is no change, there is no risk and it follows that future outcomes are certain. Two millennia ago, Greek philosopher Heraclitus noted that change is the only constant. In today’s world, change is increasing at an unprecedented speed, leading to even greater uncertainty. Climatologists and extreme weather-watchers tell us that even hurricanes—a known risk—are changing in intensity and frequency. ERM programs that do not address emerging and dynamic risks for potential implications on their organizations also may not be fully informing decision-makers.
Reframing the ERM Conversation
A 2011 Oxford Metrica and Ernst & Young report titled “Risks that Matter” examined causes and management of sudden and major shifts in shareholder value, both positive and negative. The findings indicate that the majority of shifts—59% and 72%, respectively—relate to strategic risks.
Is it any wonder, then, that board members and executive management are calling for a greater risk management role in managing strategic risks? In the 2013 RIMS/Marsh Excellence in Risk Management survey “Delivering Strategic Value through Risk Management,” C-suite executives chose three top roles for risk management in strategy: managing risks arising from the strategic plan (52%), risk input into strategic planning (46%) and managing execution risks related to the strategy (40%). This is a quantum leap from a 2008 IBM Global Business Services CFO Study that characterized CFO perceptions of risk managers as tacticians or “daily operators” with a low tolerance for risk.
All the same, many risk professionals see their primary role in strategy as that of an “advisor”—but only on specific strategy issues. In the Excellence in Risk Management survey, 34% of the risk professionals characterized their role in this way versus 17% of C-suite respondents.
Reframing the ERM conversation to encompass setting and executing strategy focuses efforts on the risks that matter most to an organization’s viability and growth. If the role of risk managers is perceived as only defensive or risk-avoiding, reframing ERM from a compliance and controls perspective to one of strategic risk management may garner greater organizational interest and board support.
When asked about risk management’s role in strategy, Doug Leatherdale, retired chairman and CEO of The St. Paul Companies, Inc. and board member on a number of large public companies, asserted that “risk management has to be involved in forward planning, have a role in strategic planning sessions,[and be involved] for a particular product or service.”
As defined by RIMS, strategic risk management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution, which should be part of an overarching ERM program. The key question risk professionals should ask in planning sessions is not how to mitigate strategic risks, but whether a key risk should be controlled or exploited—or both. After all, even changes in severe weather may improve an organization’s position, depending on its objectives. This approach can reduce uncertainties and reveal potential untapped opportunities that then can be built into the strategy execution plans. Incorporating a symmetrical SRM focus on growth opportunity conversations fulfills a possible unmet internal customer need. Who better to play both offense and defense in a reframed ERM environment than risk professionals?
Reposition Your Personal Brand
Why rethink the definition and inherent characteristics of risk in the context of personal branding? Why reframe the ERM conversation around strategy and strategic risks? This broadened thinking opens up opportunities for risk professionals to build greater credibility, quality and satisfaction among “customers,” thus increasing personal brand value.
As we reposition our personal brands, Tom Peters counsels that there are four things we need to measure ourselves against. First, we have to be great teammates and supportive colleagues. Next, we should be exceptional experts, producing real value for our organizations. Third, we need to be broad-minded visionaries—leaders, teachers and what he calls “far-sighted imagineers.” Last, we must be businesspeople obsessed with pragmatic outcomes.
As great teammates and supportive colleagues, are we most interested in having the organization succeed through others? What do others gain by having us serve on their teams? As exceptional experts, what do we know that others within our organizations do not? How much value does that bring to the organization in the context of its overall objectives? As visionaries, do we think like strategists, looking for untapped opportunities among all those uncertainties? As businesspeople, what can we do to help determine which potential future outcomes will improve or worsen our positions, and what strategic advice can we provide decision-makers?
The RIMS Risk Manager Core Competency model notes, “Risk professionals of all levels must know their own industry dynamics, its economics, operations, staff, customers, competitors and other business partners and stakeholders.” This view was reaffirmed in the Excellence in Risk Management survey in which C-Suite executives cited the top three risk management competencies as having an intimate knowledge of the business and industry (72%), a strategic view of risks and risk management’s role (55%), and a broad-based operational perspective (38%).
Is what you are known for now what you really want to be known for? If not, it is time to reposition your personal brand to 1) deliver credible and usable information—not just data—for the overall success of the organization, 2) provide your unique knowledge and expertise to strategy-setting conversations and execution initiatives while being focused on pragmatic outcomes, 3) find ways to be an accelerator for the organization’s objectives rather than an obstacle, and 4) reflect a commitment to being a collaborative internal business consultant and overall strategic advisor. Recommit to satisfying your internal customers with quality services and products to fulfill that otherwise unmet need.
What future outcomes could improve or worsen your personal position? Ask yourself: what is it that I do as a risk professional that adds remarkable, measurable, distinguished and distinctive value that others in my organization cannot or do not add? As you begin to reposition your personal brand, the answer to these questions may reveal untapped opportunities to advance your tagline as a positive team member, a visionary who is willing to take risks for the right rewards, and a strategic business partner.