Risk Views with Norman Marks, IRM Honorary Fellow and Board Member of IRM India Affiliate
Hersh: In your extensive experience and observation, how have enterprise risk management practices evolved in the last decade, especially regarding the integration of risk management with strategic planning? What do you see as the most significant changes or trends that are shaping the future of ERM?
Norman: I am pleased to see more and more practitioners recognizing that their job is not to ‘manage or mitigate’ risk, but to help leaders of their organization take the right level of the right risks at the right time. Sometimes, that means taking more downside risk because that is the best way to seize upside risk (opportunities) and achieve enterprise objectives.
There is an increasing recognition that it’s all about helping people make the right decisions at the right time, and for that they need reliable, current, and timely information about all the risks (including opportunities) under each option they are considering. Decision-makers need to see the big picture, with all sources of risk measured in comparable ways.
Hersh: One of the persistent challenges in ERM is the existence of silos within organizations that can hinder comprehensive risk assessment and management. Based on your insights, what are effective strategies that organizations can employ to break down these silos and foster a more integrated approach to managing risk?
Norman: Silos certainly make it more difficult to make the informed and intelligent business decisions necessary for success. Managing one source of risk at a time is anything but a recipe for enterprise success. Decision-makers need to see the big picture, especially when there are (and there always are) limited resources. It may be necessary to accept a cybersecurity risk related to a new product in order to seize the opportunity of increased sales. Key is to have the information to balance the upside and downside and make an intelligent decision.
My recommendation is not to look at this as a risk management challenge. Instead it’s a business decision challenge. How can an executive or board make the right decision when compliance risk, cyber risk, sales risk (and opportunities), cash flow risk, tax compliance risk, and more are assessed and reported separately with different measurement criteria?
Risk processes and reports have to meet the needs of decision-makers. Practitioners must understand those needs and tailor what they deliver to meet them.
Hersh: You’ve been a vocal critic of traditional risk heatmaps, suggesting that they may oversimplify or misrepresent the complexities of risk. Can you elaborate on the limitations of heatmaps and suggest alternative approaches or tools that provide a more nuanced and actionable understanding of risks?
Norman: Heat maps, risk profiles, risk registers, and other lists of risks fail to meet the needs of decision makers. They ignore the context of the business decisions as well as the need to take risk in order to achieve objectives. Risk is the effect on objectives, not a color on a heat map.
Another and a fatal error is that a heat map (and the others) portrays the level of risk as a point. It’s not. It’s a range of effects on a range of objectives, and each point in that range has its own likelihood.
It’s not that they “oversimplify or misrepresent the complexities of risk”, it’s that they fail to meet the needs of decision makers. They may help limit sources of failure, but focusing on avoiding failure will lead inevitably to failure.
Hersh: How can organizations transition from viewing ERM as a compliance or box-checking exercise to leveraging it as a strategic enabler that contributes to achieving business objectives? Could you share examples or case studies where ERM has been successfully integrated into the strategic decision-making process?
Norman: When practitioners engage with decision makers across the enterprise to help them get the information they need when they need it, they are seen as helping those individuals and their functions succeed.
People welcome you to their table when they can see that you add value and help them achieve their objectives, get to where they want to go.
They don’t welcome you when you talk technobabble instead of the language of the business, their language. You need to show that you listen to them, will work with them, and share their goals.
At Tosco Corporation, management was considering partnering with a Mexican corporation to sell our products in the north of that country. While one element in management (the Sales arm) was keen to move forward, others were not – including the Legal and Logistics teams. They were talking at each other instead of to each other. I had one of my direct reports invite them to our conference room table, where they all shared their views and insights on the opportunities and the several sources of risk. They were for once able to hear each other and know they also were heard. They decided that the downsides outweighed the upsides and did not proceed with the partnership.
At that company, our leaders included a discussion of risks, as well as assumptions they were making, when they discussed the goals for the next period and the strategies for achieving them. The consideration of what might happen (i.e., risk) was an integral part of the strategy-setting process. I also saw that when I was an executive at Business Objects S.A.
Hersh: With the rapid advancement of technology, how do you see digital transformation impacting the future of risk management? Are there specific technologies that you believe will be pivotal in reshaping how organizations identify, assess, and respond to risks?
Norman: My answer may be considered unusual. It is not AI in any of its forms. It’s Zoom, MS Teams, and other virtual meeting applications. The future of risk management will depend on our ability to communicate with each other, working together to make the right decisions at the right time.
In time, AI and related technologies will make a difference, but for me the focus has to be on decision making and its effectiveness, rather than managing one risk at a time.
Hersh: Beyond frameworks and tools, the culture within an organization plays a critical role in the effectiveness of risk management. What strategies would you recommend for cultivating a risk-aware culture that empowers employees at all levels to identify and communicate risks proactively?
Norman: I am not a fan of the concept of a risk culture. There are many dimensions to an organization’s culture, including the empowering of employees, teamwork, entrepreneurship, compliance, and the ability to take the right risks at the right time.
While it is necessary to have early warning of new traffic jams on the road to success, it is first necessary to have everybody working towards that same view of success.
One of my concerns, one I have had for a very long time, is the ability of an organization to recognize and seize opportunities presented by new technology. Many have failed to obtain the full value of advanced analytics in the last couple of decades, using it in siloed areas instead of everywhere it would have a positive ROI.
When you talk about culture, our objective as risk practitioners is to help our organization succeed, not just avoid failure. That requires everybody working together to achieve shared objectives, while remaining in compliance, by recognizing the existence of both risks and opportunities – an ability to take the right risks at the right time for success.