At our Tea Talk session on 12th September, IERP® faculty member Zaffarin Zanal gave a featured talk on Creating Value out of ERM. Zaff started off by stating, to strong murmurs of agreement across the room of risk practitioners, that implementing ERM is hard. The typical difficulty with implementing ERM is that while risk professionals understand the value of ERM, top management (as well as the rest of the organization) might not readily see its value. Zaff noted that when something has perceived value, psychologically there is a ‘pull factor’ to it. It doesn’t require much forceful selling (the ‘push factor’).
He shared results from a 2017 ERM Benchmark Survey, which showed that whilst enterprise risk management is a ‘popular’ framework being implemented in organizations, management and line managers are still quite resistant to it. The challenge lies in establishing that pull factor when risk management is so often seen as tedious, bureaucratic, and expensive. To treat this particular ‘acceptance risk’, it is important to understand the potential causes.
The Negative Perception of ERM
Zaff proposed the following two factors as the main causes of negative perception of ERM:
- It is human nature or psychology to be resistant to things that we are forced to do. Case in point: if ERM was initiated due to external pressures (stakeholders, regulators, etc.) or, worse still, initiated in response to disasters, ERM inadvertently comes to be viewed as a reactive and defensive measure taken only out of necessity and ‘forgotten’ once the crisis is over. Referring to a result of the benchmark survey, he shared that the top four motivating factors for ERM efforts were: board directives, regulatory requirements, efforts from risk managers, and internal audit. In other words, ERM initiatives often still rely on the ‘push factor’ rather than the ‘pull factor.’
- Companies often get stuck in the ‘awareness’ part of ERM, after which little follow-through or value creation activities take off. In his opinion, many risk officers, unintentionally or otherwise, end up spending too much of their time carrying out training. A risk-aware organizational culture is key to a successful ERM framework, but training should not be the be-all and end-all. From the top down, ERM has to be aligned with the organization’s objective and tied directly to it. Otherwise, it will only be seen as a trivial, nice-sounding idea with little impact.
Creating Value out of ERM
Zaff’s top two tips for value creation in organizations:
- Be more objective-centric. Risk management typically started out as a way to reduce hazards and to comply with regulations or audit requirements. Unfortunately, that also popularized the taxonomy approach, which tends to restrict organizations to general risks unrelated to the achievement of organisational objectives. Although it works well for organisations operating in highly regulated environments where there is ready literature and specific standards are set, risks for corporates in various industries tend to be more diverse and less constrained. By setting the risk register to focus on the organization’s objective, the relevance (and thus, value) of enterprise risk management will be readily apparent to leaders and line managers, in both the short term and the long term.
- Be more business-minded: Profitability (i.e. increasing revenue and reducing costs) is the primary objective of an organization. Risk managers should consider more of the big picture as well as the organization’s long-term strategy and value creation initiatives. They should not be taking an auditing or operational approach to ERM. Look outward for strategic opportunities rather than misguidedly focussing on simply improving internal processes, which is not the responsibility of the risk management function. After all, ERM should look towards the organization’s future sustainability. He shared that the same benchmark survey showed that only 22% of respondents listed, in their top 2 reasons for implementing ERM, “ERM’s value is in increasing certainty in strategic and operational objectives.” This reflects the fact that organizations today are still not utilizing the ERM framework’s full capacity as a strategic management tool.
One of the Tea Talk participants asked for clarification on the objective-centric approach: does that approach mean they have to be privy to strategic meetings? Zaff responded with a strong yes: since risk management is more strategic than operational in nature, it should be natural that risk officers attend relevant strategy or business meetings in order to be able to provide the relevant input or, at the least, be able to understand what the organization is trying to do. This is where the risk officer must be ready to wear the hat of a business owner as well. The one primary issue is that some risk officers are not comfortable in business settings or, worse, not regarded as a useful presence in business meetings.
In his past experience, Zaff shared that he had made a point of proactively seeking chances to sit in on important meetings – going so far as to attend them uninvited if needed. But a good risk officer will not be able to do this without first establishing the right relationships and being in tune with the business. Efforts must be made to remove the perception that risk officers are merely ‘police officers’ or rebranded auditors who keep everyone’s hands tied. In his opinion, risk officers could benefit by striving towards more of a ‘rock star’ persona instead of just fading into the background.
All in all, risk managers often face an uphill battle. Zaff notes that charisma, reputation, and social skills matter for a risk manager. The ability of risk officers to drive ERM effectively largely depends on personal good will; a lack of popularity among staff and bosses could impede value creation and further perpetuate the negative perception of ERM. In other words, creating value out of ERM can depend on your ability to first persuade others of the value of ERM itself.