Companies realize the business value of managing risk across the enterprise effectively in different ways. Some rejoice as their reputations and stock prices rise. Others experience, often in a very public way, the negative impact of failed risk management: lost revenue, fines, litigation, damaged public images or worse.
In corporations around the world – particularly those in highly regulated industries – the connection between risk management and business success is an accepted concept. Enterprise risk departments are being established at record speed, led by risk staff with impressive analytical capabilities and risk certifications.
So why is there still so much confusion about enterprise risk management? Why are risk departments still having so much difficulty achieving demonstrable results?
At the Global Association of Risk Professionals (GARP) annual convention held recently in New York City, several speakers and attendees zoomed in on key points that companies and risk officers need to address head-on in order to fully reap the tremendous rewards of effective Enterprise Risk Management.
Here are the dos and don’ts of Enterprise Risk Management:
DON’T sit in your office all day, crunching numbers and sifting through data. The ability to analyze data in order to spot trends or hot spots is, of course, an important skill for risk officers. At the GARP conference, however, Ronald Burtnett, Executive Director of Operational Risk at Morgan Stanley recalled the efforts of medieval alchemists who tried mightily to turn base metals into gold. Though unsuccessful, some were broad-minded enough to embrace their unexpected discoveries, which ultimately became the mainstay of modern chemical and metallurgical industries. Risk managers, likewise, are right to study intricate data patterns, but often the most important discoveries will come directly from the people who own the risk: front line management.
“It’s about communication versus analysis,” concurred Bill Martin, Risk Executive, Bank of America & Chairman of GARP Board of Trustees. “In the end, what matters is not how accurate the risk assessment is but what impact that assessment has on decision-making. Enabling process owners to assess their own risks will increase their understanding of the risk and their buy-in to the prevention of those risks from occurring.”
DO communicate with others in the organization, especially those on the front line.
Successful risk management involves collaboration at all levels of the organization, beginning with the front line to senior management and back again. It requires risk managers to actively engage the operations teams in the entire risk management process. Since line management are the ones who ultimately own the risk, it only makes sense to have their participation in assessing risk impact and identifying the solutions. When risk is presented in terms that relates to their own jobs versus analytical buzzwords and formulas, they will be far more likely to assume responsibility for addressing the risk.