I’ve been reading a lot on people’s views of current trends impacting risk management. As you’d expect, there is a lot of discussion on disruption and cyber risk. Some are focusing on the pros and cons of a three line of defense model. There is also a common thread of talking about risk analytics and quantification – especially from those focusing on software tools. What I haven’t seen though is much in the way of conversation on strengthening the ERM team.
Towards the end of 2018 while at PwC, I cowrote with Hélène Katz a blog on the COSO ERM Framework one year after its release and what have we learned. We commented then that ERM teams had opportunities to improve so rather than give another take on current risk trends, I’ve decided to post five things (for now) that ERM team can do to improve their capabilities.
1. Take a colleague for coffee. Many ERM teams are overly insular. They spend time with those they know. But it’s time to learn more about the business you’re in. Find someone outside of the normal circle of contact and take them for coffee or lunch – not to audit, not to find risks, but to extend your understanding of the business. Listen to what they can tell you about the business. Don’t engage in risk jargon but listen to the tone of the business.
2. Learn something new. Many ERM teams focus on improving the current practices – sometime referred to as ERM maturity. Often, they look to improve rigor by using more data, include more people in the process, or look for new ways to measure risk. While these are all good, they may not actually help you learn something new. Go learn something new. Read a book on strategy, attend a conference on a topic of interest not normally associated with ERM, or listen to podcasts on a variety of topics. Consider ways to bring these insights into your ERM team’s thinking.
3. Step outside your comfort zone. Often brought up through an insurance, audit, or internal control role, many ERM managers are risk-averse by background. Conversely, those with a strategy or innovation background will see the business through a more opportunistic lens. Put yourselves in their shoes. One of my favourite people to work with was one of the least risk averse people we know. He raced dune buggies, skied the hardest runs, and pursued his private pilot’s license. He truly believed that to be a great risk manager, you had to put yourself in risky situations to learn. Find a personal, higher-risk venture and pursue it to get comfortable in such scenarios. Bring that insight into the ERM role.
4. Turn your risks upside down. Take your most significant risks and ask your team how to take one or two and reshape them to be a competitive advantage for the company. Focus on how to harness this risk to drive company success. Divide the ERM team into groups and reward the group that comes up with the most compelling proposition.
5. Avoid temptations to use ERM tools. An ERM manager I know gets several calls and emails each week with someone wanting to showcase their tool – offering some unique insight into how to do ERM “better”. Resist the temptation. Spend more time learning how to connect threads from across your business to find something insightful. This seldom happens when we get overly focused on metrics and dashboards.
I encourage you to pick one item from the list above or select something of your own, so long as you embark on a new adventure.