Traditional approaches to risk fail to resonate with senior managers: they are too “subjective” and “anecdotal”. And if they dismiss risk management, it is because they lack understanding. So, the answer? We need to embark on #ChangingRisk with the use of data, says Danny Wong, CEO of Goat Risk Solutions.
What can risk managers do to ensure that enterprise risk management is effective?
I believe we can help organisations achieve greater outcomes through better risk management leveraging data.
Senior executives and boards care a lot about risk, and if they are dismissive, it’s due to a lack of understanding.
Most traditional approaches fail to resonate with senior managers because they are too subjective, anecdotal, and high level. Risk registers and reports don’t provide sufficient content to enable meaningful decision making.
This in my opinion is the root cause of our profession’s challenge around maturity, culture, and the value derived from our efforts.
What’s the difference between ‘risk management’ and ‘ERM’?
The profession doesn’t help itself by creating terms that are ambiguous and providing varying expert opinions about their meanings.
Whilst I can appreciate the importance of language, I prefer to keep things simple when communicating to boards and senior executives because they have enough to worry about.
They know risk is important because it can affect performance, reputation, finances, operations, supply chains, people, the broader community and the environment… everything that affects or is related to the organisation is in scope.
We should speak to them in simple language, focus on how risk management affects their organisation and seek to give them new perspectives and add value rather than using stakeholder meetings as an information extraction exercise.
We know the world is full of risk. The markets are volatile, regulation is getting tougher, technology and society are changing at pace.
We’re also faced with new competition and business models. Companies like Amazon, Uber and Netflix are thriving while traditional businesses are struggling to remain relevant and cutting costs.
In this high risk and high change environment, it’s frustrating to be faced with the seemingly unmovable wall that is defined by the tick box mindset.
There are so many best practice frameworks, models, systems and solutions available – but how do I choose what’s right for me and my organisation? So much has been tried, what can I do that is different and works?
We should avoid “throwing out the baby with the bathwater”; there is much that the profession has done well, we just need to build on it. Keep things simple, focus on your key stakeholders and deliver content that helps them make decisions. In my opinion, using data wrapped in a risk narrative is the best way through that tick box wall.
What tips can you give risk managers on effecting change with ERM?
I’ve had quite an interesting career where I’ve personally influenced significant risk reductions/improvements in several of the organisations that I’ve worked for. These are hand-on-heart moments where you can honestly say that you affected meaningful change.
For example, I worked with a major corporate that was fully dependent on a central mainframe system it had been using for more than 50 years. The technology had reached the end of its lifecycle and needed to be replaced, and the business wanted to add a lot more capability.
This was a mega-project; there were many twists and turns. One third of the original budget was written off and the final budget was triple the original plan.
I lobbied the risk committee to get involved and ended up influencing its final delivery strategy. Specifically, the original plan was to divide the project into three phases to mitigate risk – I questioned why three, rather than 10 or 100?
I suggested using an iOS approach where we would create the base product with minimal capabilities (the phone) and then introduce new capabilities like you would an ‘app’. This meant creating a completely flexible platform.