One of our business analysts recently came to me with a particularly troubling conversation he had with a prospective client. The client reported to him that while 6 months ago the appetite for ERM had been strong, the enthusiasm and excitement for the program had since waned and the risk manager was now preparing to take “micro” steps forward over the next several years, halting any risk management progress.
This account is far too common for enterprise risk managers in today’s environment. Hired into an energetic and new function, they are faced with a crucial task of establishing a first line of defense for their organization, but their window of opportunity is often perilously small. Without a quick win, their program loses momentum. But before they settle for baby steps, risk managers need to ask themselves: how long is it acceptable for our company to ineffectively manage risk?
Risk managers are being set up for failure by management that does not appreciate or understand the work they’ve been tasked with accomplishing. In fortifying their company’s risk universe, risk managers need to be constantly making demonstrable progress. “What have you done for me lately” is not a refrain risk managers should take lightly. They need hard, concrete evidence of their work and a firm direction for how they will achieve the strategic goals outlined by senior leadership.
The best way to measure this progress is with industry tools designed to mark the way forward. The RIMS Risk Maturity Model will benchmark your program as it stands today and equip you with ammunition to build a business case for more resources. If you work at a public company, the Risk Maturity Model report can quantify whether your leadership could be found negligent for inadequate risk management.
While baby steps should be frightening for risk managers, I’ve heard worse. ERM programs have been, for lack of a better word, disassembled countless times on the road to real risk management progress. Your executives don’t have time or money for programs that aren’t providing real, measurable value to the company. Risk managers can’t settle for slow progress and can’t measure their effectiveness by what hasn’t happened yet. They need to make their organization’s problems their own, and use the energy and freshness of their programs to generate the quick wins and momentum required of successful enterprise risk managers.