The four levels of Risk Management Integration

People waste a lot of time trying to define what is, and is not, good risk management. But reading someone else’s opinion seems largely irrelevant. Everyone views it through their own lens of experience.

Some view it through the lens of regulatory oversight. You know – ERM began when this law was passed. And it fundamentally changed when that regulation was implemented. Well, that’s true for some industries.

Others view it through the lens of their profession. ERM is all about managing investment risk. Or it’s all about eliminating financial reporting fraud. Or it’s about buying the right insurance. Or it’s primarily about environmental safety. Pick one.

I grant that these are all legitimate ways to look at risk when you’re operating at a low level of risk management integration. I argue, though, that it’s a waste of time to debate these issues at the top of the organization. These are discussions that should be addressed by subject matter experts further down — within the context of their specific needs and expertise. The top of the organization should not be trying to sort out the details of a good risk management design. They should be focused on moving up the maturity level for risk management skills and integration. Everything else will take care of itself.

The four levels of risk management integration.

I refer to the lowest level of integration as “Stakeholder Management.” At this level, the organization’s goal is not to manage risk, it’s managing stakeholder expectations. If the CEO says “Give me some kind of risk management to get those auditors off my back” you know you’re stuck in a Stakeholder Management scenario. It’s all about appeasing those damned regulators, or auditors, or outside directors, or bankers. No interest whatsoever in actually improving the organization’s ability to manage risk.

The next level up is “List Management.” Here the focus is on gathering a list of risks. Management wants to do something with risk management and lists seem to be a good place to start. Management may not be entirely sure how these lists are to be gathered, or why. The focus is on the list itself and the ability to share it with other stakeholders.

Another step up along the integration path is “Risk Management.” At this level management wants to recognize and take steps to lessen exposure to threats. There are often clear processes to handle operational risk, vendor risk, financial risk, environmental risk, etc. Ownership of certain risks may be assigned. They may have a risk appetite statement. Management has read the literature and is doing what the experts suggest.

The highest level of integration is “Opportunity Management.”I created this phrase and it has a very specific identity. With Opportunity Management, management recognizes that risk is synonymous with uncertainty. And uncertainty exists in every strategy and process. Therefore, risk management is something that the organization does. It is not the responsibility of this or that person. It is an integral part of the organization’s culture … every bit as integral as doing performance reviews or sending out a company news letter. At this level, business line leaders are concerned about third party vendors because they represent a clear uncertainty relative to a strategy that they own and for which they are accountable … not because the Senior Risk Officer says so. Threats will be identified, but it is all in the context of developing strategies and overseeing operations. It is all focused on managing uncertainty so that the organization can deliver more predictable future results. Everyone is trained about the role that risk plays within the organization and within their individual responsibilities. Everyone understands why it’s critical to explicitly recognize key assumptions that they may not be able to control, and how those key assumptions could affect future performance. At this level of risk management integration, employees recognize these thought processes as a normal part of their high performance culture.

Focus on moving to a higher level of integration

At a board or executive level, the greatest benefit does not come from developing a risk appetite statement. Or reviewing a list of threats across the entire organization. These things come about as a natural outgrowth of simply moving up the maturity scale to a higher level of integration. But so do many other benefits. When an organization reaches the Opportunity Management level, everything simply falls into place. Threats are aligned with strategic assumptions. These assumptions are discussed and considered before a strategy is ever approved. Management monitors these key assumptions and knows exactly what to do when one turns from green to yellow to red. Management knows that its goal is not to reward past success. Its goal is to assure future success.

So if you’re in an executive leadership role, ask how your organization is moving toward Opportunity Management.

For more information go to