I am in Sweden this week, where tomorrow I provide a keynote to 102 risk officers and directors at the SWERMA (Swedish Risk Management Association)’s ERM Day 2023. In general, I find the risk management thinking in Europe to be more aligned with the business, whereas, in North America, it is more of a compliance exercise, too often tied to Sarbanes Oxley.
Let me tell you a story . . .
I taught my Risk and Resilience Management by Design Workshop in Amsterdam in September. During the day, I had a great interaction with a Chief Risk Officer from a European life sciences company. He told me the following story . . .
After being hired as the Chief Risk Officer, he met the CEO for the first time. The CEO looks him in the eye and states, “So, you are the new CRO. Tell me what that means to me?”
He looked him back in the eye and stated, “My job is to ensure you have no surprises in achieving the organization’s objectives.” The CEO thought that was brilliant and the best definition of risk management he ever heard.
ISO 31000 defines risk “as the uncertainty on achieving objectives.” Risk needs context, and that context starts with the organization’s objectives. They can be financial objectives, they can be operational objectives, or even ethical/ESG objectives. Objectives can be high-level entity objectives that are driven down into division, department, process, project, or asset-level objectives. Even supplier and third-party relationships start with objectives and purpose to the relationship.
The context for risk management is objectives, as ISO 31000 states. That is why ISO 31000 and its foundation in AUS/NZ 4360 influenced and framed the OCEG GRC Capability Model. GRC, as defined in the OCEG model, is “a capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE].”
Risk management needs context, and that is the organization’s objectives (at their varying nested levels). As an analyst covering software in the market, I specifically look for how a risk management solution starts with objectives. If it does not, it is not my ideal solution. Even in ESG, I look for how the solution starts with the ESG objectives of the organization. Any ESG solution that starts with risks and not objectives is not worth much.
As this CRO states, his job is managing uncertainty to ensure there are “no surprises” in achieving the organization’s objectives. Of course, there can still be surprises as things catch us off guard. However, it is the role of the Chief Risk Officer to ensure that executives and the business are fully informed of risks to their objectives to minimize uncertainty and surprises so they can reliably achieve those objectives.
What also is brilliant about this CRO’s response . . . it puts risk accountability with executives and the business. Risk management’s job is to facilitate risk management across the organization and communicate and engage on risk in the context of objectives. Risk management has done its job if the risk management function has fully communicated this and the business owns and drives forward for gain or loss. It is not the job of risk management to ‘own’ risk but to communicate risk in the context of objectives. It is the role of executives and the business to own the risk in their decisions.