The implementation of a risk management system, usually called Enterprise Risk Management (ERM), is not an easy task. It is often seen as generating bureaucracy and adding little value to the firm. Unfortunately, this is often quite true; it is not clear whether ERM systems end up generating additional value for the organization. This might seem counterintuitive: after all, risk management has value in itself, and implementing it firm-wide should be good for the company.
The main reason for this lack of value lies in the way these ERM models are designed and implemented. It is quite common to see models designed by third parties and implanted in the firm, like a prosthesis in a human body. The main problem with this approach is the lack of cultural adjustment in firms without a risk management culture; implanting an externally designed model will not help in the adaptation. If the risk management system is not generated in the firm by its managers, it will be extremely difficult for it to work in harmony with the company’s management and strategy. It will be seen as something external that has been transplanted into the organization and that generates additional duties for some of the firm’s employees.
In order to obtain a proper design and implementation of an ERM program we need to follow two parallel paths, and keep in mind that it is extremely important that both start at the same time. The first one is a cultural change throughout the organization, and the second one is a well-designed risk management system.
The cultural change is a crucial aspect of any successful risk management program. If people are not aligned on why the organization needs to manage risks, then no system, no matter how well designed, will do the job. Risk management starts inside the brain of the firm’s employees. Risk management is about people keeping their eyes open at work and outside the office; an important insight might happen at a social event, while reading a book or on the golf links. Only people who are thinking in terms of risk management will be constantly looking for important insights and valuing them correctly. For this to happen, they need to understand the paramount importance of constantly assessing and managing the firm’s risks. This is one of the main consequences of the successful implementation of a risk management program.
The well-designed system, the second leg of a successful risk management program, calls for a set of procedures that ensures that all the individual risk management efforts of the firm’s managers are adequately conveyed towards where they are needed at the correct time. This means that every piece of information that is collected by people in the organization needs to be inputted where and when it is needed. It also means that all the pieces of information will reach the decision maker at the correct time, for him or her to make a timely and informed decision regarding the treatment of a given risk. I personally like collaborative environments where every member of the organization can input data and/or receive information as required by the system design.
Let me provide a brief insight into how this works. A good risk management system has some persons who are the risk owners; they are responsible for managing one or more of the risks faced by the company. They manage these risks based on a set of policies designed by the firm’s board. These policies define how much of a given risk the firm is willing to assume, and how it will eliminate or transfer the residual of that risk. Additionally, each risk has its determinants (a previous post in this blog explains this concept), and each of these determinants needs to have an owner: somebody who is looking at it with the adequate timing. The information system requires that each owner of a determinant input the information on a pre-specified schedule, so that the aggregate information of all the determinants of each risk reaches the risk owner in time for his or her decision-making. Good systems also have a way for people to share risk-related information that they deem important for the whole company.
This system works fine, but the crucial issue is: who will be willing to input data into the system if he or she is not convinced of the importance of this action? The cultural change plays a key role here. Everybody in the organization needs to fully understand the importance of his or her action for the whole system to work properly. This is ensured by a cultural change in the organization.
The first step of any risk management program is the identification of the risks affecting the firm. This process is also the starting point of the cultural change in the company. It needs to be done by the firm’s management working as a team, discovering risks in a coordinated and collaborative way. This is an important milestone in any risk management implementation, since it is the starting point of both paths of the model: the system and the cultural change.
Both the risk management system and the cultural change are needed for risk management to work. They should not be implemented as a sequential process; a risk management implementation stands on two legs: (i) the system and (ii) the cultural change. Having the system without changing the firm’s culture just leads to a bureaucratic and inefficient system. Having only the cultural change leads to frustration, since people understand the importance of the matter and are aware of what is happening, but are unable to have the organization move in the right direction when needed. This is why a risk management implementation needs both legs to succeed.