Date: Tue 24 Aug 2021
Title: Who is the Risk Champion?
Our Enterprise Risk Management Journey has so far included: exploding common misconceptions; facilitating High Quality Risk Assessment; achieving breakthrough risk mitigation. Soon we proceed to full implementation. But who is the ERM champion (or risk champion) leading the way?
So far we have discussed the technique of High Quality Risk Assessment sufficiently to enable initial experimentation. The question then arises: who actually is leading this work? What are the requisite qualifications and background? Is any special training needed?
Significance of the Enterprise Risk Management champion
– implementation lead
Formal role, title and training
– multiplicity of titles
– varied training
Background and qualities
– critical thinking
– influence and persuasion – properly understood
– promotes risk ownership
– leads experimentation
– coordinates minimal, essential documentation
– celebrates success
– in sum: builds capacity
1. implementation lead must understand the theory
2. able to lead trial sessions and explore the value in the new practice
3. no formal training is essential, except perhaps facilitation skills
4. competencies: critical thinking; lead the coordination of results
5. use influence and persuasion to lead others to their own success
What constitutes success?
– how can we make ERM part of the corporate DNA? See quote (next).
“The ERM champion’s success in instituting ERM will not hinge on the degree of authority leveraged. The reason is that willing participation in genuine Enterprise Risk Management… is not a response to formal authority. It is an outcome of seeing the value of the new process.”
(Robertson 2016, Solving the ERM Puzzle, p.24)
[edited for clarity]
Episode 13: Who is the Risk Champion?
Well, at this point in the podcast series you might have had the chance to do some risk identification on projects or programs, and started to think about how to do full Enterprise Risk Management implementation — or you haven’t done any work on this yet and you’re still trying to figure out actually who should lead the way. I think my discussion today should be helpful to people who are already in a risk role, of any description, or indeed owners, managers or analysts who want to understand how to take on this role or delegate it.
[01:18] The first consideration is that any program or initiative where we expect people to alter their working methods is going to require a champion to lead the way: someone who understands and appreciates the value of the new practice; who can speak to its theory, to the principles; who can act as a central resource to explain things; to act as a facilitator or leader to help people demonstrate the new method or practice to themselves.
I will explain in more detail the formal training, title, functions, and so on, of the risk champion or the enterprise risk management champion. But before I do that it’s important to set out the assumptions that I have with respect to implementation.
[02:03] I’m suggesting a minimum of requirements. The solution that you eventually come up with will be the result of the unique situation that you have in your organization. I’m not being too demanding on exactly how this is done. I’m simply setting out certain principles that must be fulfilled in order to have success. For that reason, I don’t insist on the number of people who take on this function; on whether it’s a part-time or a full-time job; on whether it’s a permanent position or a temporary position — nor do I insist on the formal title that is used. So the principle that I do insist on, which will help you make all of those decisions, is this: be a minimalist. Don’t build bureaucracy. Don’t build a whole layer of work where it’s not needed.
So you might say at this point: “Well Edward, that’s rather disingenuous on your part because you’ve already counseled us to fix the planning process, do environmental scan, write a context paper, and so on.” Yes I am, I admit that. However if you compare the old regime, where you were producing a certain amount of paper to get a certain result, and you compare [that to] the new regime, I’m betting that the amount of paper you will actually produce will be less, but the quality infused in that paper will be higher.
[03:18] Furthermore I do not advocate a whole proliferation of guidelines, policies, tools, and templates that are extraneous to the work. In other words, I advocate going on an incremental basis and being a minimalist, with regard to method and with regard to formal bureaucracy.
The essential thing is to build in people’s understanding a certain way of thinking and a certain methodology that they can integrate with their own planning and management practice. That’s the way to build ERM and integrate it with the DNA, so to speak, of the organization. So I won’t get too much further into the implementation — that’s a subject for a later podcast episode — but just bear in mind that, as we discussed… the risk champion, if you have to make decisions on various aspects of that role, use that principle to guide you (that is, the principle of being a minimalist with regard to bureaucracy).
[04:14] With regard to the formal role and title: Of course, if you’re the chief risk officer or you’ve got some similar role and title in the organization, then you will have more authority and more resources in order to pursue this whole initiative. You know, in the latest survey results from 2021 in the survey that I referred to back in Ep #1, they said that fewer than half of the organizations had actually designated a CRO or a similar role in the organization. Therefore we might see someone who’s the risk champion or ERM champion to be someone who does not have the word “risk” in their title. On the other hand, they could have a risk-related role already — and that’s quite common. Someone with a title such as Risk Analyst, Emergency Planning and Risk Analyst, Risk Manager, Claims Manager — in fact someone who is responsible for managing the insurance portfolio — is often delegated or designated to be the person who leads the ERM initiative. I do recommend that someone who’s not in a senior role get sponsorship from an individual at that level.
[05:20] This leads us to formal training. In my opinion, for the general preparation of an ERM champion, there is no single type of conventional training in risk management, insurance, finance, or business administration that confers an advantage. This is because this is a young discipline. None of the training that I have seen so far captures all of the following:
- Facilitation skills
- Professional development training
- Change management and organizational development
- Program implementation principles
Exposure to any of these is great. The only formal training that I really recommend is to get training in facilitation, especially when you’re going to be conducting risk ID in areas where the subject matter is highly contentious, sensitive, charged with emotion, and so on.
[06:03] Now, as opposed to formal training, what I would really look for in an ERM champion is certain qualities, capacities, and background. The first in this list of competencies is to have critical thinking and analytical skills. It is scarcely going to be possible for a person who takes on this role to blindly copy a method. They’re going to have to analyze the business, interpret the culture that they work in, and apply the methods accordingly.
The second competency is leadership. This is not leadership in the grandiose sense. This is leadership in a quiet and intelligent sense. We often hear that a good leader makes other people successful — and that’s exactly what’s required here. Are we looking for the risk champion to actually understand and manage all the risk in the organization? Of course not. We’re asking this person to do skills transfer, to help demonstrate the method, and to transfer those skills to the program heads.
The risk champion will have to show some initiative beyond just initial trials, because in the course of these trials, people will be adjusting and developing the precise method that they want to use. It’s really up to the leader to coordinate those efforts, to compare results and [guide people to] come to a common decision as to the best methods and tools to use.
[07:23] Now the other important function of a leader, as indicated, is to be an intellectual resource; to be someone who can articulate the principles and discuss the potential value that people are endeavouring to realize by using risk methods.
But again, there’s a nuance here. It’s not about the leader telling people what to do. This leads us to the qualities or skills of influence and persuasion. Now there’s two tendencies in employing influence and persuasion. One is to convince people to accept something that is imposed, and the other — which is far more effective — is to align oneself with people’s interests, and then do some experimentation, to let the new practice grow by virtue of its own merits… so people can start to see what value it delivers for them as they begin to experiment with it. That’s the kind of influence and persuasion we’re looking for.
I think you can get an idea of my implementation method when you consider the role that the champion is taking on. It’s not a command and control model where you announce a new program and then impose it on people in grandiose [and] monolithic fashion. No, it actually has to do with experimentation, proving value…
Although that does require someone to spearhead the initiative, there’s no question. If that’s not done, if you simply expect people to sort of experiment on their own and then report results, the initiative will very likely die.
[08:50] So let’s summarize these functions of the risk champion. They’re going to act as a central resource… articulate the value proposition… and promote risk ownership.
In other words, they’re not going to be responsible for risk themselves, but they’re going to promote [support] people (who are incurring risk within the various program areas) to initiate risk ID methods, to take responsibility for their own risk ownership.
They’re going to: lead experimentation [by facilitating] sessions and transferring skills… experiment [in cooperation] with people… coordinate the work by making sure people are converging upon common practices and tools… report the results to the higher levels, so that people can see what sort of successes are possible using risk methods… be responsible for celebrating small successes, and this will help with the organic growth of enterprise risk management.
As the Enterprise Risk Management practice matures, more and more people are participating. It’s going to be necessary to somehow coordinate data aggregation and reporting on a grander scale. Similarly, the ERM champion will have to be cognizant of principles of program success, as they lead the initiative from stage to stage — and we’ll discuss in detail the principles of program success when we cover implementation in a later episode.
[10:18] Now that leads me to discuss the reasons for program failure. This is something that every owner, manager, risk champion, ERM champion, etc. must be aware of.
The reason is that managers, analysts, etc., who are charged with instituting new programs of any description — even if they’re subject matter experts — are not necessarily versed in the principles of program implementation, organizational development and change management.
This obviously accounts, at least to some degree, for all of the failure that we’ve seen in ERM implementation that’s reflected in the surveys. You know, back in Ep #3, I talked about program failure both in IT (Information Technology) and in management initiatives generally. I gave you some reference articles (so check that out if you missed that). The point is here: we want to cover some of the principal reasons for program failure, so you can be aware of them. At a later time, we will actually discuss the converse; that is, the principles for program success, which are already somewhat implied (but not exactly the same list).
[11:19] This is the kind of thing that’s really useful to take account of, when you’re either an ERM champion, or champion for any kind of management initiative. It’s the thing that most managers, quite frankly, seem to miss. I scarcely remember anyone answering “Yes” when I’ve asked them, in various workshops over the years, if they’ve received training in change management, principles of program success, and so on.
The first thing to take account of is that when new policies or programs are contemplated in the organization, they might be needed; they might make apparent sense. But it’s the attitudes and behaviors of people who will block it. Or it may fail due to administrative and technical mistakes. So let’s take a look at just a half a dozen of the most common reasons, and in each case, what I will try to do is state the implication for the enterprise management program.
[12:08] The first one is that there are unclear goals. That’s a very common reason for program failure. If people don’t know what success is supposed to look like, if they don’t know what they’re aiming at, then the whole program tends to sort of dissolve, to dissipate.
For enterprise risk management, the very first goal is simply to have some program areas agree to apply risk methods to their projects and programs, to try to prove the method, and then evaluate the results.
The second common reason for program failure is lack of management support; in other words: management support, ironically, although it initiated the program, after a while dwindles and changes direction. So management dedication is rather fickle in that regard, and that’s a very common reason for program failure. At the outset, we have to understand that management really has to have a commitment to giving enterprise risk management a fair trial.
[12:59] The third reason for program failure is lack of staff support. And, of course, that’s a common feature in many stories where programs have not lived up to their promised potential.
What is the implication for enterprise risk management? It means simply that people will not adopt a new practice unless they can see the value in it for themselves; unless it helps them improve the quality, grade and efficiency of their own work. The enterprise risk management champion who brings that understanding to the table when they lead risk ID trials is much more likely to have success.
[13:32] Another common reason for program failure is poorly understood root cause; in other words, a new management practice or initiative undertaken based on the wrong idea of the original problem.
I think this happens in enterprise risk management. People try to institute a practice without understanding (as I’ve been pointing out in earlier episodes) that it was deficient planning and poor formulation of goals and objectives [i.e., in program plans] that really scuttled the efforts to try to identify risk.
[14:04] Well, there are two more items that I wanted to discuss in this list of factors that are responsible for program failure. One is deficient resourcing. I think that’s pretty commonly understood. But thankfully, in enterprise risk management — at least my conception of it — we’re not asking for a lot of resources. We’re simply asking for some repurposed time, and a minimum of resources with respect to new personnel or any other tools, equipment, or time spent.
The last item is: monolithic implementation. That’s again another common factor that you can see in many examples, where the program leads imposed everything, all at once, expecting the entire organization to take up a new practice on Monday morning at 9 o’clock, and it just doesn’t work that way. It has to go gradually and incrementally — and that’s the takeaway for enterprise risk management. Let’s not imagine that we can impose the whole thing in a blanket fashion.
[14:49] My intention in today’s podcast was to consider the role of the enterprise risk management champion, with a view to either you taking on that role yourself, or to consider how it might be delegated to somebody else in the organization. The only stipulation I had for arriving at your solution for enterprise risk management champion was that you observe the principle of minimalism, with regard to bureaucracy: don’t create a huge layer of bureaucracy, policy-making and documentation where it’s not required.
[15:29] So let’s summarize the requirements.
The first requirement for an implementation lead is not necessarily to be experienced in this, but to have an appreciation, on a theoretical level, for what we’re trying to accomplish, and what the possible benefits are — and [to be] able to lead trial sessions to explore the value of the new practice.
The next point is: we don’t insist on any particular formal training, with the possible exception of facilitation skills, but rather what we look for is a certain background or a set of competencies.
Critical thinking is necessary to be able to interpret the business context and apply the methods effectively.
Leadership, in the sense of being able to take the initiative to coordinate the results among different groups, is essential.
Influence and persuasion should be used not to impose a result, but to lead people to prove a result to themselves — in other words, to make other people successful.
Here’s a quote which will summarize my point about success in the role of ERM champion:
“The risk champion guides the gradual development of the program so that those in charge of designing and executing programs can manage their own risks. The success of the champion will not hinge on the degree of authority leveraged. The reason is that willing participation in a genuine ERM program is not a response to formal authority. It’s an outcome of seeing the value of the new process. Therefore, true success goes to the risk champion who can work with program areas to experiment with high quality risk assessment and discover its utility.”