As risks have become more widespread, often affecting multiple business units in different locations at the same time, risk managers are increasingly embracing enterprise risk management strategies. It can be tricky, however, to work hand-in-hand with the managers of individual units as well as subsidiaries and overseas operations to carry out these initiatives. Developing a diplomatic approach may well be the key to designing, implementing and constantly re-invigorating ERM and governance, risk and compliance (GRC) programs.It is no secret that selling a risk program internally has always been difficult. The corporate risk manager frequently encounters hostility from units, line managers, domestic and overseas subsidiaries, and competing silos. Some executives worry that they will lose control of their own risk-specific endeavors, while others fear that deferring to someone else will cost money, prestige or reputation. And, of course, some hope that, if they do absolutely nothing to assist in an ERM launch, the attention of the C-suite and board will eventually shift elsewhere.
All of these roadblocks can make taking charge of ERM seem like a lost cause, but it does not have to be this way. The right ERM leader can confront these challenges head-on, building trust and confidence one person at a time, silo by silo. Often, this requires a new approach to demonstrate the value of ERM and change the perception of risk from just another cost center for the business to something that reduces expenditures, both short- and long-term.
"Being successful in ERM design and implementation requires bringing risk internally to a new level," said Donna Galer, an ERM consultant, co-author of Enterprise Risk Management: Straight to the Point and former executive vice president at Zurich Financial Services. "It all depends on how you approach things, and that includes showing by example and being deferential to the P&L folks who have their own bosses and incredible lists of competing priorities. Often, risk is barely on their radar screen-and is viewed as your responsibility anyway."
Forcing an ERM approach will not work. "The executives with whom you're working don't want to hear, 'This is something you have to do,'" said Larry Warner, president of consulting firm Warner Risk Group and former staff risk officer at Mars, Inc. "They don't want to be treated like your kids, where you're saying, 'You can do this, but you have to use a life preserver.' Instead, you want to do the opposite, giving them enough flexibility so that they want to use your ERM program."
Defining the Leader
Choosing the right executive to head a company's ERM efforts has become extraordinarily difficult and, first and foremost, requires interpersonal skills second to none. "Many well-intentioned GRC programs tend to be centered on strategy, process and technology," said Rick Machold, chief audit officer at payments processing company TSYS and co-author of the Crisis Management International paper "The Human Side of GRC: The Essence of Governance, Risk & Compliance."
In many cases, these efforts tend to either neglect or underemphasize the human dimension, which includes all the personal characteristics, competencies and actions needed to make GRC successful. "The all-too-frequent result is that the real work of risk dialogue and critical risk/reward decision-making never actually takes place," he said. "The best GRC strategy, process and technology will most often fail if the organization's people are not fully committed at a personal level."
More than anything, heads of ERM programs must demonstrate their ability to empathize with the executives they are looking to for support. "Ironically, what might seem to be softer character traits typically produce the strongest, most resilient risk and compliance cultures," said Bruce Blythe, Machold's co-author on "The Human Side of GRC" and chairman of both Crisis Management International and the Crisis Care Network. "Generally, character traits that contribute to a positive GRC leadership environment include humility, 'teach-ability,' reflective listening, empathy, empowerment, a strong sense of belief and conviction to core values."
In addition to these diplomatic traits, ERM leaders need to have a variety of skills. First, the leader has to be an architect, designing and creating a workable program that knits together existing risk management practices. Second, the risk executive must be a great facilitator. "You're helping create risk dialogue among risk owners, while making it clear that you don't own the risk," Machold said. "You're just the one who creates the right environment for that dialogue and keeps it going."
The head of ERM is also a coach. "You tell your line executives, 'You're doing great, thinking about risk issues in the right way, but you want the business to do better at managing risk as a whole,'" he said. "You want them to be excited about being part of this risk-thinking team-and proud of it."
Finally, as the leader of everything risk, the executive acts as a communicator who can synthesize and relay the big-picture risk profile both credibly and effectively. "You have to connect the dots, recognize that there are bigger things going on, then communicate them effectively in business terms, not just in technical risk terms," Machold said. "These are all critical capabilities, and they're not easy to find in one person. And by no means do you necessarily find that in the person who's in charge of risk management today."
You're in Charge—Now What?
The biggest initial challenge facing any ERM head is building trust and earning respect from the company's business leaders. "The functional people have to respect those who are managing risk," Machold said. "Otherwise, it's like pulling teeth. Earning that respect is especially important because, in some cases, you're playing a counterpoint role, questioning everything that's being done and why, so the risk manager has to have credibility and garner respect. You need that relationship equity and trust. If the person isn't liked or respected, it's a non-starter."
Humility plays a role here. "It's vitally important to show the functional areas that you understand the business and that you prove it to them," Galer said. "You do that in whatever way the business will allow, including simply walking around and introducing yourself to people. At Zurich, when I heard of an upcoming meeting that might involve strategic risk, I'd say 'I'd like to be there,' and rarely if ever was I turned down. You're inviting yourself to be at least a very careful listener and add value even at that first meeting."
No ERM head can afford to be an island. "It has been a big issue throughout my career to get risk management connected throughout the company," Schaefer said. "In the old days, you had to take advantage of any opportunity the insurance risk function would give you to become involved with the individual business units, line managers, C-suite and the board. And there were opportunities if the risk manager didn't wait for those business unit managers to come to him."
Being sensitive to the costs of risk and how to mitigate them also goes a long way toward building a long-term ERM partnership with the businesses. "You have to be very aware of what you're costing business units," Galer said. "You have to show them not only that you're aware of those costs, but also that you care about those costs and will work with them in all kinds of ways that will matter, enhancing their reputations and status both internally and externally."
It is critical to understand what individual businesses do. That includes how they make their money, how any given risk positively or negatively impacts that number, and how those numbers can be changed proactively with the bottom line in mind. One way to do that is by having thorough, intensive conversations with the business units, understanding how they view risks, what they are doing to manage them, and what frustrates them. "You have to find out what the needs of the business managers are," Warner said. "Then you can take your whole toolbox and find out which tools are attractive to them."
An up-front focus on any particular ERM model or formula—a "canned answer"—without buy-in from the full ERM team and business managers definitely sends the wrong message. "Thankfully, those in charge of ERM and getting buy-in internally are more flexible than they were when enterprise risk was first introduced as a concept years ago," Warner said. "Then, the head of ERM would often say, 'We need to pick one model-COSO, the Australian model, now ISO 31000-and stick with that to the exclusion of any other model or thoughts.' And that was just wrong, because every company has its own specific risk profile, and every model has its virtues."
A corporate head of ERM once approached Warner to ask about fine-tuning a model already under discussion at that corporation. "They were incorporating pieces of COSO and ISO 31000," he said. "And then they looked at another model I had put in place and borrowed one or two things from that-things that weren't really a formal part of any program, just nuances. Flexibility—adaptability—is absolutely critical."
Dealing with Doubters
Even with the most adept, flexible, sensitive and sensible management, some executives hesitate to fully support ERM. It is possible, however, to win them over. Start with a single silo or even a single plant. Galer, for instance, knows a risk manager who worked with a plant manager to make it a certified highly-protected risk (HPR) facility. "The ERM leader was able to show that manager the potential benefits of being an HPR shop, including fewer accidents, reduced insurance premiums and increased worker morale. The ultimate decision as to whether to become one was left to that manager," she said. "Despite the upfront costs of improved sprinkler systems, protective equipment and new safety protocol, most managers will make a good business decision, be happy with the outcome and, in the process, will establish the beginning of a partnership with ERM."
Then there are those executives who say they do not need to buy into ERM because they are already doing an excellent job of managing risk, at least in their own silo. "Assessing the value proposition of ERM is especially difficult when you're dealing with an executive who has generally been successful in managing risk," said Chris Mandel, senior vice president of strategic solutions at consulting firm Sedgwick, Inc., and former head of ERM at USAA. "If you're asking them to take on more responsibility when things are going well, you quickly discover it's much harder to get them involved in supporting the creation of an ERM program. Sadly, it often takes a disaster to generate commitment to ERM."
To deal with this, Mandel said the head of ERM must get executives to look at how their risks affect other portions of the company. "Even though an individual business unit leader may be managing risk well, meeting or exceeding his or her objectives, the question is, what are the implications across business units for risks so often managed within silos? Because they're often not thinking cross-silo, there's often a lot of risk left on the table-essentially inter-related risks not fully accounted for. Getting those executives to see that, and act accordingly, can be a real challenge."
Not surprisingly, those who have dealt with these obstacles say ongoing dialogue is the answer. "Board members, executives and employees tend to tire quickly in limited discussions of process that do not lead to real, practical insight about what's getting better or what are we doing about it," Blythe said. "The real value and benefit is not in the process itself, but in the risk dialogue that leads to the best possible risk/reward decisions that result in better and consistent business performance. Good risk dialogue is the foundation of the human side of GRC and the essence of an effective program."
Thinking Enterprise-Wide
From the start, the goal of every ERM manager is to have all employees invest in ERM. That will take time, but one way to start that process is by convincing business executives to prioritize ERM.
For example, Mandel worked with one chief accounting officer to develop a risk-based audit plan. "Before, we were not aligned regarding how an audit plan was developed for our significant risks," he said. "Working with ERM, they started to use our own risk assessment results to supplement-and ultimately replace-some of their audit work." They became process owners, taking increased responsibility for their risks.
"There's nothing like an auditor to help drive attention to risk issues," Mandel said. "Executives realized that, if we trained process owners on assessing their own operational risks, then maybe auditors wouldn't have to audit them as much. And that's what happened."
The company had the same success on financial control issues. Before the ERM process was initiated, it worked with an outside consultant on Sarbanes-Oxley risk assessment and compliance. "When ERM joined forces with the controller, he was able to reduce the total dollars paid to those consultants because he started using ERM-driven risk assessment results to accomplish his SOX goals," Mandel said. "He jumped on this opportunity for collaborative efficiency, saying, 'Why should I spend $5 million on consultants when I can spend $3 million?'"
Sometimes, focusing on an executive's wallet can be the most effective strategy. "Ultimately, we started basing bonuses on how the entire company was doing, not simply the area run directly by any one executive," he said. "Very little in this world changes overnight, but there's no doubt we had everyone's attention."
It is good for C-suite executives and members of boards and audit committee members to think about ERM strategy, process and technology, but the human element should be a top priority as companies strive for effective enterprise risk management. Without that, participants eventually retreat into their own silos and revert to thinking only about that silo's risks. "And once they jump back in," Machold said, "it's infinitely harder to get them thinking 'one for all, all for one' again."