For a while, I have been thinking about the value of risk management (ERM) and why it is not embraced by every top executive. Last night, I was privileged to speak at the Institute of Risk Managers in London. I was asked for my views on this very subject. My answer to the risk officers who were present was along the lines of my latest post on my personal blog.
But, while most of the onus for changing the hearts and minds of top executives should be borne by chief risk officers, internal auditors should be helping to drive the message home.
This is what I suggest for internal auditors:
- Make sure, through your powers of advocacy and persuasion, that the risk management program becomes a department of "how" (as explained in the blog). The individual running ERM has to have an attitude of enabling optimized performance, instead of being the corporate Cassandra.
- Add your voice in support of the role of risk management as an essential contributor to corporate success, not just protection.
- Help the risk managers get involved with executives where they can help those individuals succeed. Help them build a record of wins.
- Tell the stories of success. Nothing succeeds like success. Spread the news so people can believe in the power and potential of risk-based decisions.
- Be an advocate for the risk officer being present at the executive table, a contributor to the development and monitoring of strategy, etc.
As I have said before, I believe CAEs and other senior internal auditors should be the rock stars of change — driving initiatives such as ERM into the organization. But we should not be satisfied when the ERM program is in place. There is a lot we can and should do to make sure it succeeds.
Do you agree?