LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks” and on deciding which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.
During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.
Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.
Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: A set of decisions made at a given point in time, based on business intelligence, that when successfully executed, support the purpose, growth & survival of the organization.
She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.
She identified three major problems with ERM that can dampen its prospects:
- A limited view of the organization’s mission, growth and survival.
- Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
- Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”
Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.
Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.
She advised finding out what mission-critical means to the organization, what the company’s appetite and tolerance for mission-critical risk are, and what impact mission-critical exposures have on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.
When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.
Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”
At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”