how to avoid being C-3PO
the journal of Michael Werneburg
twenty-seven years and one million words
I recently came across a bullet list of the three principal jobs of the risk manager. I'll get to the source later, as it's complex and worth commenting on in its own right. In the meantime, it's the list itself that has motivated me to comment.
- [The Chief Risk Officer (CRO)] will report directly to the chief executive officer (CEO) and will champion and coordinate our approach to ERM. Accountabilities for managing risks will remain with line managers as before. The CRO role will provide ways to help us view risks from across our company and to better allocate our resources. The CRO will be a support function helping the management team with reporting to the board, and in coordinating risk activities across the organization.
- [Risk criteria] will help decision makers across the company understand how much risk is tolerable, what is intolerable and where further action is required. These criteria (often referred to as risk appetite, risk attitude or risk tolerance by some) will be updated by management and reviewed by the board at least annually.
- ERM will also involve better and more explicit integration of risk considerations into the strategy development, business planning and execution processes. Everything we do as a company should be done to treat and optimize the risks and uncertainties to achieving our long-term strategic plan.
This is one of the things I find trickiest: getting the line managers to actually address risk without winding up doing the job for them. On one side, you run the risk of becoming a C-3PO-like character, spouting the poor odds of success and generally being an ignored butt-monkey. I've worked with internal auditors who were perceived this way. On the other side, you find yourself creating the work products, making changes to process, and directly interviewing and guiding staff while management complains.
I don't have a hard rule about this issue, because every case is different, and I get the sense that this matter is one of the sensitivities that define the boundaries of the job. But I do have some working guidelines.
If it's the first run through some area of the firm (this doesn't happen much past the first two years), I do everything I can to help the line manager understand our attitude toward risk and how we use internal controls, both for prevention before an event occurs and for amelioration after one. I walk them through the process flow, and we work out appropriate controls along the way.
If I'm revisiting a certain area of the company and things have either not improved or, worse, have back-slid, I tend to intervene in a few ways. First, I put the questions to the line managers plainly: how have things gotten to where they are? Rather than lecture, this lets the line managers think about the situation and draw their own conclusions as they speak. If it emerges that they need help from outside their department, I manage that inter-departmental communication. Second, I add the area of concern to the agenda of the risk committee meetings that I chair. This is the venue where I update the rest of the management team on ongoing operational issues that carry enough risk of impact to the company's objectives that I deem them worth tracking at that level of seniority. The senior management team appreciates the updates, the chance to discuss solutions, and the opportunity to volunteer their assistance.
This seems to be simply a matter of asking, "Are we happy with this level of risk?" I've done what I can to educate the line managers about what risk actually means, and about how "risks" (threats) are difficult to deal with precisely because they are unlikely. So far, so good. In most cases. Except when the back-sliding starts...
[Update, 2015] I've established a risk tolerance statement at the firm level, but am still working out ways to bring that guidance down to the operational level during the day-to-day. Since our risk tolerance statement is both a) published and b) supported by some guiding questions to ask of any situation, I'd hoped that the connection would be apparent. It has turned out not to be quite that easy.
This is an area where I've found my contributions to complement those of the rest of the management team. There are two aspects.
The first is to highlight the weaknesses the firm currently faces: not in terms of performance, but in terms of threats to the company's long-term profitability, if not its survival. In framing questions about a range of possible events ("in the unlikely event of..."), I find that new insights emerge. The trick seems to be to draw people away from thinking about the day-to-day, or even the coming quarter, and toward where the firm might be in the three-to-five-year range.
Secondly, when drafting the business plan for a new venture, I ensure that we've considered the major areas of risk for the venture itself. Where might we fail in its execution? Where might unintended consequences arise? What shall we do about those two groups of potential problems?
On the source
The original article was a blog post by Norman Marks. It drew the above points from an article posted by a fellow risk practitioner here in Toronto. The original article was behind a paywall, which I find a frustrating way of burying timely and relevant information.