Enterprise Risk Management: Succeed Through Volatility

Position enterprise risk management to fuel stronger business decisions in a world of ever-increasing exposure.

Download: Leadership Vision 2025 for Heads of ERM

Explore the top challenges for enterprise risk management leaders and how to respond.


Strengthen and advance your enterprise risk management program

Enterprise risk management (ERM) leaders are tasked with the difficult mandate of deepening their organizations’ understanding of risks while also identifying and assessing them faster. Download your copy of “Leadership Vision: Top 3 Strategic Priorities for Heads of ERM” and explore three critical questions to answer as you lead your function to:

  • Boost confidence in enterprise risk assessments

  • Increase ERM and strategy collaboration 

  • Help the business navigate generative AI risks

Deliver world-class enterprise risk management in a never-normal world

Today’s heads of enterprise risk management must establish reliable processes in a volatile and complex risk environment. Keep up with change and overcome ongoing disruption by focusing on the following areas.

Build a risk management culture that sparks action from the top down

When corporate crises or governance failures make the headlines, a weak or underdeveloped risk culture is often cited as a root cause. Conversely, a robust risk culture can transform your organization from simply “checking the boxes” for enterprise risk management to living it out in the business’s day-to-day operations.

Healthy risk cultures — in which enterprise risk management establishes and clearly communicates the core values and behaviors that align to risk strategy — share the following characteristics: 

  • Leadership exercises risk-aware behavior and decision making. Enterprise risk management and senior leadership collaborate to identify and review deficiencies in risk management at each relevant organization level. Importantly, leaders clearly understand how the organization’s values, expectations and strategic goals align with risk appetite and drive a uniform tone at the top. 

  • Employees understand enterprise risk management expectations, and they understand their critical role in maintaining workplace integrity. They recognize risks to operations and strategy, escalate information about those risks and generally contextualize the risks within the organization’s risk appetite. 

  • The enterprise risk management function is aware of areas in the organization where risk culture gaps exist and has a plan to address them.

To achieve a robust risk culture, start with the following actions:

Develop a risk appetite framework. Move beyond general codes of conduct and policies to tangibly connect enterprise risk management with strategic objectives. Begin by assessing enterprise risk management values across all levels of the company and how management communicates and promotes them. Consider the following questions:

  • Are risk appetite statements clearly linked to strategic objectives?

  • Do risk appetite statements give clear guidance on how to make strategic trade-offs and prioritize decisions — and do management and staff embrace this guidance?

  • Do strategic and operational decisions typically stay within the bounds of risk appetite?

  • Are day-to-day operations conducted in line with the risk appetite?

  • Are accountability measures in place within the risk framework?

  • Does management proactively address areas of weakness or concern in collaboration with senior leaders?

Learn from past experiences. Work with senior leadership to assess deficiencies in enterprise risk management throughout the organization. Meet regularly with leaders and business units to identify the root causes of weakness — for example, through a postmortem review of a risk event. By assessing and communicating lessons learned from failures and successes, you can enhance risk culture and enact concrete changes for the future.

Communicate enterprise risk management expectations from the top down. Partner with leaders across the organization to convey enterprise risk management expectations clearly and consistently. Use relevant and engaging messaging that states the purpose of the communication and identifies the communicator, the stakeholders and the delivery method.

Enable better management of the risks to strategic objectives

Fewer than half of business leaders consult enterprise risk management during a strategic pivot — even though doing so can help organizations achieve their objectives. Sixty-two percent of business leaders who did consult their enterprise risk management function report their pivot fully achieved its intended objectives, compared to only 43% of leaders who did not.

If your enterprise risk management team typically isn’t involved in strategic planning, you can leverage existing capabilities and modify processes to improve the organization’s strategic agility and organizational resilience through a range of activities, including: 

  • Convening with business leaders on relevant issues 

  • Scenario planning — from general, risk-agnostic tabletops to scenario exercises aimed at understanding specific risk implications

  • Identifying pivot-associated risks

  • Planning and reviewing disruption response plans

Scenario planning, in particular, significantly contributes to resilience and improves the likelihood of pivot success. Sixty-two percent of respondents who conducted scenario-planning exercises to plan for business changes report that the pivot achieved its intended objectives, compared to only 38% of respondents who did not. You can facilitate scenario analysis by helping business leaders think through concepts like risk interdependence and increased risk exposures when pivoting in the face of disruption.

Of those enterprise risk management departments that become involved in strategic pivots, 69% enter the process during planning for the organizational pivot or before. But no matter when your enterprise risk management team gets involved, it can add value to the pivot process and move the organization toward greater risk resilience.

Help enterprise leaders make sense of evolving risk information in a volatile world

In today’s never-normal business environment, multiple complicating factors amplify the need for risk-informed decision making. These include:

  • Abrupt, unplanned business model and strategy changes in response to industry and market shifts

  • New-to-world decision types and risks arising from unprecedented challenges and environments

  • The need to make more decisions outside an organization’s normal levels of risk tolerance

As a result, 62% of enterprise risk management leaders agree that risk-informed decision making is a more critical priority today than it was a few years ago.

Enterprise risk management leaders estimate that each uninformed decision results in an average project cost increase of 18%. So assuming the average project size to be $100,000, uninformed decision making adds about $24,000 to that cost. For an organization with 100 executive decision makers, this amounts to $12.4 million in increased project costs per year.

Most heads of enterprise risk management try to promote risk-informed decision making by providing decision makers with more information. They focus on:

  • Educating decision makers to create awareness of all potential risks 

  • Providing access to information or data to help decision makers estimate the likelihood and impact of risks

  • Identifying potential areas of risk impact for decision makers to consider

  • Communicating the organization’s risk appetite

While this approach does increase the proportion of risk-informed decision making, providing more risk information has no effect on actual decision quality. Excess information can even be harmful if the volume becomes overwhelming. 

To promote risk-informed decision making, enterprise risk management must not only provide the information but also help decision makers make sense of it.

The sense-making approach to promoting risk-informed decision making includes four elements:

  • Synthesizing risk information from disparate sources to highlight what is important and what it means in context

  • Prioritizing the most relevant risk information to bring key considerations to the forefront so decision makers can weigh those against other priorities

  • Guiding decision makers to apply risk information in context to help translate it into the business’s language so decision makers better understand how it applies to their situations

  • Preparing decision makers to make sense of and apply risk information independently, so they can do so without ongoing support from the risk function

The sense-making approach improves decision quality by 38% — meaning decision makers supported by sense-making efforts from enterprise risk management are less likely to regret their decisions.

FAQ on enterprise risk management

Enterprise risk management (ERM) is a comprehensive, organizationwide approach to identifying, assessing, managing and monitoring risks. It aims to align risk appetite and strategy, enhance risk response decisions, reduce operational surprises and losses, and optimize capital. ERM integrates risk management into an organization's culture and strategic planning, ensuring that all potential risks are considered in decision-making processes.

ERM is important because it provides a structured framework for identifying and managing risks that could impact an organization's ability to achieve its objectives. By systematically addressing risks, ERM enhances decision making, improves resource allocation and increases organizational resilience. It helps protect assets, ensures regulatory compliance and builds stakeholder confidence by demonstrating a proactive approach to risk management.

An ERM framework typically includes several key components: 

  • Risk identification

  • Risk assessment and prioritization

  • Risk response strategies 

  • Risk monitoring and risk reporting

  • Risk communication 

These components work together to create a continuous process that helps organizations understand their risk landscape, develop strategies to mitigate risks and ensure that risk management efforts are aligned with strategic objectives.
