There is a story about the biggest lie in the world. The risk management practitioner enters the executive’s office and says, “I am here to help you.” That is not the biggest lie. The biggest lie is when the executive says, “I know, and you are welcome.”
It is one thing to explain how risk management or internal audit can and should add value. It is quite another to get to where the key players in management actively welcome you to their table because they know that:
- You want to help them succeed (instead of pointing out their failures) and
- You have proven your ability to do so.
A couple of relevant pieces explore this topic which I would like to add my own comments to.
First, let’s read what Carol Williams has said in “5 Ways to Improve ERM’s Reputation with Executives.”
‘Think Like a Manager’
Williams writes that most “executives continue to see ERM as a check-the-box compliance exercise solely focused on preventing failure and not helping the company achieve goals and objectives and make informed and timely decisions.”
That is not a reputation you want. It means you are not considered a credible partner. At best, you are credible as a barrier to their entrepreneurship.
Williams suggests five ways for ERM to improve:
- Start thinking like management: ERM practitioners “need to stop thinking like ‘risk people’ and start thinking like management.” This includes talking the language of the business, not using risk terminology. What are ways that risk can be integrated into executives’ daily conversations and decisions?
- Examine potential scenarios: When it comes to big decisions involving uncertainty, work with relevant individuals and departments to develop scenarios, determine which ones are most likely to occur, determine how to ensure success, and develop plans around these likely scenarios. Consider also developing high-level plans for those unlikely scenarios. After all, you do not have a crystal ball into the future to know what will happen.
- Consider rebranding: This may be the biggest step you can take and it’s one I’ve addressed in the past. If ERM is there to be an enabler of success and not a roadblock or “Debbie Downer” to initiatives, should its name within the company change? Some companies refer to it as “Enterprise Risk Advisory.” Or, you can take the “risk” out of the name altogether. Our friend Hans suggests that risk management should really be thought of as “Decision Quality Assurance.” Another potential option includes “Decision Management” or “Success Management.” Whatever title and branding you choose, it should be made clear that you are there to provide support, not follow a strict process.
- Closely examine reporting structure: Where ERM resides in the company hierarchy is also important for improving the perception of ERM. If it’s housed within the internal audit function, executives and managers may feel they’re under the microscope. If it is taken out of management altogether and reports directly to the Board, ERM will be seen as preventing management from taking too much risks, as seen in this recent piece.
- Whatever you do, it’s important to quit doing the things you’ve been doing all along and expect a different result as noted in this analysis of the NC State report. After all, that is the definition of insanity — you keep doing the same thing and expecting a different result.
These are all great ideas, but there is (as always) more to consider.
Related Article: Revitalizing Risk Management Through a Changed Reporting Structure
Active Listening Is a Key Skill
In 2012, McKinsey shared a great piece, “The Executive’s Guide to Better Listening.”
While on first glance it may seem to be off-topic, active listening is a great way to gain credibility with executives.
I’ll highlight just three important points:
- Show respect. That doesn’t mean you have to be subservient. It just means that you should show respect to everybody for their experience and insight — even if you disagree. Respect their opinion and make sure you listen to it! If your opinion is different, explore why.
- Keep quiet. The author says this, although I have been saying this for decades myself (and I heard it from someone else.) “I have developed my own variation on the 80/20 rule as it relates to listening. My guideline is that a conversation partner should be speaking 80% of the time, while I speak only 20% of the time. Moreover, I seek to make my speaking time count by spending as much of it as possible posing questions rather than trying to have my own say.” I add to that that keeping quiet doesn’t mean you are just waiting for them to stop speaking so you can talk. It means you are paying careful attention, listening actively.
- Challenge assumptions. I would add that you should understand and address your own biases. They adversely affect your ability to listen.
Further Advice for Enterprise Risk Managers
All of this is good advice. Let me add my own:
- Have the right attitude. If you believe in your heart that your mission is to help each executive succeed, that will influence your demeanor, words and actions.
- Understand what they need to happen as well as not happen to be successful. Then focus on that rather than (only) a compliance checklist, a standard, or so-called best practices. Help them manage (including taking more ‘risk’ when appropriate) all the things that might happen so they can achieve their and enterprise success.
- Stop doing stuff that is not necessary. Work on potential issues that would never be a significant risk to enterprise objectives is wasting not only your time but theirs as well. In fact, take care not to waste their time to any degree. If they don’t see the value of what you are doing, are you sure you should be doing it?
- Make them champions. If they do not believe you are adding value, perhaps because until now work by your function has focused on a list of risks or on finding fault, ask them for an opportunity to prove what you can do. Is there a problem, or a difficult decision, that is troubling them? Perhaps there is a situation where they cannot obtain agreement with another department on how to move forward. Suggest a workshop that you could facilitate with all the parties so everybody can share perspectives and reach a consensus on how to resolve the issue. Or perhaps your team could consult with everybody, analyze the situation, and then lead a discussion on your assessment and insights – without an audit or other report to senior management.
- Celebrate management success rather than the length of your report. When management has everything under control, that is good news. A clean internal audit report is excellent.
- Work with management to upgrade. If issues are identified, listen actively to management. Agree with them on the level of risk to objectives (and be specific as to which objectives) and discuss the best course of action. Take a business perspective and don’t recommend what you wouldn’t do in their shoes.
- Be humble and listen actively. I repeat this because it is so important. People love to vent. Let them, encourage them and don’t betray that trust by sharing their words with others. If you listen and help them believe you care about their success, their attitude towards you will change. Similarly, listen actively and discuss rather than preach when the results of your work disclose an apparent issue.
Think a Seat at the Table Guarantees Respect? Think Again
One of the things that bothers me is the desire of many practitioners to have a ‘seat at the table’, by which they mean an official and formal position within the organization (such as reporting to the board or to the CEO) that puts them on an (apparent but not real) equal level to top executives.
Trust me. Your title does not mean you are invited and welcomed to meetings of the management team. It does not mean that they listen to you. It does not make you credible.
Your actions make you credible. They make you trusted and respected — not for your title, but for your insights and contributions to their personal and the organization’s success.
I welcome your insights and comments.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.