This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small, sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.
This post is about risk and opportunities.
I often hear that risk management should help an organization find opportunities as much as control potential problems. COSO says that part of risk management is the identification of events which could have a positive impact, a negative impact, or both. This concept does not work for me on multiple levels. In a future post I’ll write more about the idea of event identification. In this post I want to address a more practical strategic problem with this approach.
One of the toughest hurdles in risk management is explaining it in a way that makes it relevant to executive management. You need their support. The more that you ask executive leadership to accept concepts that are not intuitive to them, the tougher the sell. I normally describe risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable. This usually resonates well with executive leadership. It fits their existing notion of risk management. When you start talking about risk management also being a source of strategic opportunities, I’ve found that executives start looking at you with a skeptical eye. It sounds like a salesman promising benefits that everyone knows he can’t deliver. I recommend staying away from this approach. There are other executives who are paid to identify and exploit opportunities. Maybe later you can help, but for now stay off their turf.
The essence is that linking a risk management function with the identification of strategic opportunities is a tough sell. It is hard enough to get executive management excited about risk management at its most easily understood and intuitive level. Don’t confuse the basic message with unproven claims that your executive team may find counter-intuitive.
You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).