By Elisabeth A. Wilson and Sunil K. Kansal
The COVID-19 Pandemic sparks an opportunity to break down traditional risk management silos, build “risk empathy,” and impart the message that across the enterprise, we are all risk managers.
Enterprise Risk Management: Why?
We have a theory that if people could know in advance what the future holds, none of us would ever get out of bed. We would just hide underneath the covers. If you had known in 2019 what 2020 would bring, would you have been hard-pressed to wake up and start making coffee? Didn’t think so.
And yet, this is what we as Risk Managers are employed to do. Get out of bed to face the future and all that could go wrong with it. Our job is to think in advance, to analyze the pitfalls of tomorrow that could stem from the faulty, error-riddled processes of today. We do not do this because we are cynical or prone to the dramatic. We honestly don’t want things to break. We don’t want to see customers negatively impacted. We don’t want to see businesses flounder. But how do we communicate this to our business partners who, understandably, are more inclined to see big dollars, enhanced efficiencies, and the customer satisfaction that may result from a particular strategy? When the bright lights of progress are calling, it is easy to disregard risks that seem hazy in the far-off future. And to be fair, it is not our business partners’ main job to think in this risk-minded manner. Or is it?
Enterprise Risk Management: Who?
The goal of Enterprise Risk Management (ERM) is to drive risk awareness and adherence across the organization. This formal, independent second line of defense function implements the guardrails necessary to ensure business strategies, systems, products, services, and processes all stay within risk appetite and do not result in breakdowns or failures that impact the bottom-dollar, negatively affect shareholders and customers, result in regulatory citations, or expose the company to reputational risk. But ERM’s role is also to educate. To help weave the tenets of risk management into the fabric of the enterprise so that at all levels, sound decisions are made, and risk is balanced appropriately against reward.
These concepts cannot be driven by ERM alone. To be thoroughly effective, the message must be disseminated from the top-down, by executives and business leaders. But it must also be touted from the bottom-up, by the first line of defense individuals responsible for driving daily strategy and production. Far too often for ERM programs in the early-to-moderate stages of development, the concept of risk management is siloed. The first line expects the second line ERM professionals to safeguard against risk, to make those decisions. The first line’s role is to get on with what they are doing and continue to grow the business.
Enterprise Risk Management: How?
Prior to the COVID-19 Pandemic, risk managers might have noticed that their first line of defense business partners were fairly positive in their outlook about future growth and business development. But the pandemic has been a great leveler, and even the most optimistic of us has been shaken. People across the world have experienced or witnessed profound loss, whether it is loss of a loved one or loss of economic security. Our mortality feels fragile. The stability of our institutions seems facile.
Risk now seems to be everywhere around us, both microscopic and overwhelming. It is in times like these, when everyone is facing the same bitter challenge, that camaraderie is born. Mindsets just beginning to embrace the concepts of ERM are now grappling with risk exposures of epic proportions. We are all facing a low probability, high impact scenario that will likely shift our viewpoint for a generation to come. This is where risk managers can build on the increased risk awareness of our business partners to help reinforce and expand their conceptualization of risk management.
It is not the simplest task for risk managers to uproot business partners from their everyday work in order to have a meaningful conversation about risk, especially if exposures seem theoretical and unlikely to materialize in the immediate future. But the COVID-19 Pandemic and resultant economic and health crises have helped to create a foundation on which ERM Programs can build what can be termed “risk empathy.”
Risk Managers should emphasize the urgency with which their business partners should begin to think that inconceivable, low likelihood/high impact scenarios can happen within their own organizations. This is where firms have an opportunity to reassess their risk threats, risk appetite, and static ERM processes, to replace manual and archaic labor-intensive checks and balances by simply embracing more efficient and dynamic ERM models to better support operational resiliency and to foment strategies to cope with the unexpected. Our business partners now have tangible and immediate examples to help inform and revise their perception of risks in their business lines and organizations. With a worst-case scenario directly in front of them, our business partners may be more likely to conservatively assess risk exposures. It is all-important, however, for risk managers to reinforce that this enhanced risk understanding should not leave our organizations excessively risk averse. Instead, risk should be assessed clearly and rationally to reinforce sound business decisions and to propel development of control infrastructures required to balance risk against reward.
Enterprise Risk Management
Our business partners, whether first line or executive, are facing a risk awakening. As economies rebound and businesses reopen, it is crucial for risk managers to continue to leverage the lessons garnered from the COVID-19 Pandemic, to enhance our risk relationships and drive more reflective, disciplined risk analyses across our organizations. Outdated, indecisive, or ineffective ERM programs can be honed through strengthened partnership between the first and second line of defense. Skillsets and mindsets, both for Risk Managers and their business partners, can be sharpened through awareness of evolving risk trends and scenarios.
It is human and natural to shed memories of past struggles when hope is on the horizon. But it is the risk manager’s job to gently temper the hubris that gets us all out of bed in the morning and to remind our risk partners of the trials we have faced together in the last year. It is this risk empathy that will augment our risk partnerships and drive greater understanding of the steps we need to take across our organizations to counteract the risks of tomorrow with the sound business judgements of today.
As we move toward what is still an uncertain future, Enterprise Risk Management cannot be an isolated practice. To thrive and endure, it must be championed across all business lines, by all employees. It is a methodology that must be embraced across our companies, vertically and laterally, for only when we are aware of our weaknesses can we embrace and bolster our strengths. The second line alone cannot drive that level of introspection. But the COVID-19 Pandemic affords both risk managers and business partners a unique opportunity: seizing on our common response to the current crisis to deeply embed risk management principles in our company cultures. To make Enterprise Risk Management simply Enterprise Management.
Disclaimer: All views expressed in this article are our own and do not represent the opinions of any entity that we may be associated with.
Elisabeth A. Wilson, Risk Manager at Atlantic Union Bank, Virginia, USA.
Sunil Kansal, Head of Consulting at Shasat, Chartered Accountant, and a Fellow of the Institute of Chartered Accountants in England and Wales.