You need to… and I’ll help you… TAKE MORE RISK!

4 things that will drive the success of  your risk management program


Before you tune me out as some nut who doesn’t understand the economic, environmental or regulatory climate we are in, please hear me out.


Organizations and people have to take risks to succeed and to achieve their goals. Everything great which has ever been accomplished is because someone took a risk. In the business world, this is even more evident. All great companies, organizations, non-profits, etc. which have ever existed, and will ever exist are the result of someone, or a group of people taking huge risks.


For example, you’re reading this on a piece of technology that would simply not exist without the founders of HP, Microsoft, Dell, Apple, etc. having taken massive risks. Right now everyday firms are putting people and assets in risky places to get the fuel which runs your car, the gold for the ring on your partner’s finger and the rare metals used in mobile devices which drive so much of our lives. All of these things exist, and can happen because organizations continually take risks. The simple fact is, without risk taking, we would not have the society we live in today.


So let’s throw out the idea that we don’t, or shouldn’t want to take risks, it’s just not true.


To be successful in anything you need to take risks. If you work for an organization of any kind, your stakeholders demand that you take risks. Risk equals return, and drives value for investors, customers and employees. It’s wrong to stop taking risks, we just need a better way to ensure we are taking smarter risks.


So, let’s start by embracing risk for what it is – a value generator, the engine of success, and something which all successful organizations need to stay on top of.


Now, let’s start talking about how you can take smarter risks.


I talk to executives all the time who are struggling with how to implement risk management within their organizations. I speak with lots of risk managers trying to get their bosses to pay attention to them, and I speak with consultants who want to provide better risk-based solutions to their customers. Regardless of which group it is there is one common underlying question they keep asking – how can I make risk management valuable to my organization, and get people involved?


Through my work with organizations across the world I have found there are 4 things that drive the success of a risk management program:

  1. Support from the Top
  2. Focusing on Your Goals
  3. Simplifying the Process
  4. Making it Personal


1. Support from the Top – This is simple. If you are the top executive or a board member of an organization and you are not actively supporting and involved in risk management process, why do you expect anyone else to be? It is not good enough to talk about it on investor calls, write about it in annual reports, or discuss it once per quarter at a meeting. Risk management is an everyday activity, and the risk culture of an organization is set from the top. It must be clear that risk management will be a fundamental aspect of how the business will operate, and that you as an executive will be actively involved in promoting it, and doing it yourself every day.


2. Focusing on Your Goals – To be relevant risk management needs to be focused on creating value, not just protecting it. Risk management creates value when it helps an organization achieve its goals and drive its strategy. This is not rocket science, it does however require you to focus on the right things.


To link your strategy and goals to your risk process start by asking 5 focused questions:

  1. What are the goals we have for our organization/project/program/team/etc.?
  2. What are the key things we need to do, or which need to happen, to achieve these goals?
  3. What are the different things which can stop/reduce/slow down the items identified in question 2 from happening?
  4. Who is going to be responsible for ensuring that the items identified in question 2 and 3 are monitored continuously?
  5. How do we ensure we will know if something from question 2 and 3 starts to go wrong


Executives, risk managers and the general public thinks that risks are big things. The reality is that risks are the small things which when put together lead to big issues. Most items on your strategic risk assessment are not your actual risks, but are the end result of a bunch of small things going wrong, leading to a big impact. Risk is an everyday process of managing the items identified, and getting ahead of the surprises. If you start with the 5 questions above, you can start to link what you do in risk management with your goals, and start to use risk management as a driver of strategy and a creator of value.


3. Simplify the Process – If you’re one of the people who follow me on Twitter via @ERMStrategy, or if you have read any of my previous blog posts – you know that I believe risk management needs to be simpler if it is going to work. I think the risk industry; software companies, analysts, consultants, etc have all done a great job making risk management appear a very complicated undertaking. The thing is, at its core, risk management is not complicated, it’s just become distracted. If you start with your goals, and then ask the right questions, risk management becomes much simpler.


Simplified enterprise risk management is focused on answering three key questions;

  1. What are my REAL risks? The only real risks you have are the one which impact your goals. Everything else is interesting, but not relevant. Don’t get caught in the “Risk Admiration” trap, where you have pet risks which you want on a list to look at. If it does not impact a goal (questions 2 and 3 from above), look at it later!
  2. What are you doing about them? – What, who, when, why, how much… all of these questions apply. If you have a risk with no plan to manage it (which can be something which is totally out of your control, but you will just be aware of) then you are sitting on a ticking time-bomb. Hope is not a strategy!
  3. Is what you are doing working? Many organizations have lots of controls in place, but have no idea if they need them all, if they need more, or if the ones they have even do what they think they do. I’ll give you an example. In 2011 there were $350 billion in losses around the world, but only $106 billion were insured. So for many firms, the insurance they had simply did not cut it against the actual risk they had. Make sure you know if your controls or plans to mitigate risk actually do mitigate or control risk.


Asking yourself the three questions above focuses you on what really matters, makes the process more efficient and simplifies how and why you do risk management.


4. Make it Personal – Risk management is about people. People manage risks and organizations. If you want risk management to become a standard operating principle, then you have to make it personal for the people involved. If you’re the CEO/CFO/COO etc. then enterprise risk management is about value creation. It is a driver of strategy and has a direct impact on your bottom line. See my post on ERM and the bottom line for more on that topic. Most important, managing your risk more effectively allows you to TAKE MORE RISK. When you are in control, have confidence and have accountability for your existing risks, you can start talking about where you can extend and take additional risk. Risk is a value creator and a value protector.


If you’re the risk manager, following the above makes you more relevant, more valuable and more effective. You have a better handle on your risks, your controls and your future.


And for everyone else in the business, in a tough economic climate, enterprise risk management improves the health of the business, helps drive effective resource allocation and helps ensure the longevity of the company. To translate – enterprise risk management helps ensure you have a job, your job is safe, and the company you work for more likely to stay in business.




In summary, we have all spent too long talking about risk and risk management as a negative, when in truth, and when managed well, risk is a massive positive. If it’s focused on achieving goals, when it’s simplified and when it is personal for everyone, risk and risk management have very positive effects on organizations.


So next time someone wants to talk about risk, or when you are going to explain why your firm should engage in better risk management, remember… embrace risk and you will start to build value!


Download our free guide on “How to Embed a Risk Culture” to create the right environment in your organization to enable you to take smarter risks.


Leave a Response