Basics of Risk Management – Step 3: Integrate ERM into Business Practices

December 2011 Feature Article

By Diana Del Bel Belluz, M.A.Sc., P. Eng.

In this article, I’ll share tips on how to integrate ERM into business practices. This is the third article in a 4-part series on risk management basics. The series introduces the Risk Wise ERM Implementation and Organizational Learning Cycle and its four essential steps for bringing ERM to life in any organization:

1. Define the context and criteria for enteprise risk management (ERM)
2. Assess risks and its implications for performance and stakeholder value
3. Integrate ERM into business practices
4. Close the learning loop to fine-tune & optimize ERM

The Risk Wise approach moves beyond a narrow focus on how much STRUCTURAL ‘capital’ (i.e., ERM framework, processes, and tools) an organization has developed. It contains important information on how to bring your ERM structures to life by developing essential HUMAN ‘capital’ (i.e., ERM knowledge skills and culture) and RISK INTELLIGENCE ‘capital’ (i.e., leadership to drive the information flows and behaviours that produce optimal organizational results).

The third step of the ERM Implementation and Organizational Learning Cycle focuses on motivating actions that maximize the organization’s:

• effectiveness and efficiency in successfully exploiting risks that will help it achieve its corporate objectives and advance its mission, and
• resilience to risks that threaten its short-term health and long-term sustainability.

Integrating ERM into business practices is all about driving appropriate risk-taking behaviour. This includes traditional defensive risk management aimed at preventing downside risk events from destroying value.

It also goes beyond traditional risk management to enable the organization to take an offensive posture on value creation by fully exploiting opportunities for mission fulfillment. This requires taking action to align the organization’s risk exposures with its risk appetite.

Here are 3 tips for making ERM an integral part of your organization’s business practices and culture.

Tip #1. Focus On Your People

A framework or process, no matter how perfect, doesn’t manage risk. People manage risk. 

To make the risk discipline part of your organization’s culture and business practices you need to focus your ERM implementation strategies on motivating managers to habitually and consistently consider risk in their decision and actions.

ERM cannot work to manage risk more effectively, consistently and transparently, unless your people have the knowledge, skills, and motivation to use the structures, processes and tools you provide. Many ERM leaders learn the hard way that you need to focus more on developing Human ERM Capital than on Structural ERM Capital.

There is no way around it, integrating ERM into business practices means asking your people to change their ways. Whenever you set out to change behaviour, you will encounter resistance. This is true whether you are seeking a major change (such as introducing a whole new accountability structure for risk management) or a minor change (such as asking people to make their intuitive risk management approaches a little more formal).

There are three main sources of resistance:

• Rational resistance stems from concerns about the quality and feasibility of the ERM implementation plan.
• Emotional resistance stems from an individual’s feelings about how ERM will affect them personally.  
• Political resistance is typically seen in leaders who fear that ERM could reduce their power.

For tips on how to overcome resistance see the 3-part series of Feature Articles I wrote on the topic:

• Part 1: Know Who and What You’re Up Against (July 2008 Feature Article)
• Part 2: Why You Can't Afford to Ignore Their Feelings (August/September 2008 Feature Article)
• Part 3: Breaking Through the Political Barriers (October 2008 Feature Article)

ASK YOURSELF: How can we help our people to cultivate the habit of weighing the potential risks of their decisions?

Tip #2. Define Appropriate Risk-Taking Behaviour

Integrating ERM into business practices is about motivating people to take appropriate risks. That means selecting strategies that strike the fine balance between taking enough risk to achieve your corporate objectives while avoiding excessive exposure to the potential downsides of actions.

This is difficult, if not impossible, to achieve if people are not clear on what constitutes appropriate risk taking behaviour. Your people need clear targets on what kind of risks the organization is willing to take in the pursuit of its objectives; what kind of risks it wants to avoid or minimize, and for each category of risk what constitutes too little or too much risk.

See this month’s Bonus Resource article Getting Practical on Risk Appetite and Risk Tolerance for tips on how to frame the risk appetite discussion. 

ASK YOURSELF: How can we strengthen our people’s knowledge about the organization’s appetite and tolerance for risk?

Tip #3. Accentuate the Positive to Align Risk-Taking 

Recent risk management failures shine a light on how inappropriately management incentives and disincentives that are inappropriately conceived or applied can lead to perverse risk-taking behaviour by managers and executives at the all levels of an organization.

The consequences of misaligned risk-taking can catastrophic. Think of the failed levees that multiplied the devastation of hurricane Katrina, the massive oil spill into the Gulf of Mexico, and the corporate meltdowns that occurred in the wake of the 2008 credit crisis.

If your leaders aren’t actively using an appropriate mix of incentives and disincentives to guide their people toward appropriate risk-taking, you may well be courting disaster. 

Traditional risk management tends to focus on disincentives, i.e., detecting and correcting breaches of risk controls. Inappropriate risk-taking should not be condoned or ignored. However, a focus on incentives, e.g., positive reinforcement of appropriate risk-taking behaviour, is much more effective for aligning individual and collective risk-taking with the organization’s overall appetite and tolerance for risk.

Incentives do not have to be monetary. The saying “You catch more flies with honey than vinegar” also applies to ERM. The quickest and most effective way to integrate ERM into your business practices is by acknowledging appropriate risk-taking behaviour. This sends a strong message about what is expected.

Your leaders need to engage in regular conversations about risk with their people to encourage appropriate risk-taking decisions and actions (i.e., that align with the organization’s risk appetite) and discourage inappropriate risk-taking behaviour (i.e., that takes too little or too much risk in a given situation).

ASK YOURSELF: How can we incent our people to engage in appropriate risk-taking?

The Risk Wise bottom line…

Embedding ERM into business practices is all about behaviour. How people apply your ERM framework is more important than any detail of what is in the framework itself. To make ERM an integral part of your organization’s business practices and culture, you need to motivate your people to continually develop and apply their ERM knowledge and skills.

*

My forte is coaching executives on how to integrate ERM into their organization’s unique business practices and culture. If you need help in bringing ERM to life in your organization, contact Diana Del Bel Belluz at Risk Wise: Diana.Belluz @ riskwise.ca  or by telephone at (416) 214.7598

Follow the links to:

• Read this month's Bonus Resource - Getting Practical on Risk Appetite & Risk Tolerance
• Download a printable version of the entire December 2011 issue of the Risk Management Made Simple Advisory.
  
• View the Article Index to access back issues of the Risk Management Made Simple Advisory.