Risk Management, how to get from friction to flow?

March 19, 2018
Let me start this blog with how not to do it. Or the other way around: how to easily create friction. Imagine the following case study: The Risk Manager in organization X is responsible for 'risk management'. He has just started and sees that little is happening in Risk Management. Fortunately, he (or: she) has studied up on it and knows exactly how to implement GRC using COSO ERM and ISO31000. In no time, he will have brought the organization into the GRC era! He has everything neatly worked out in training materials, and with well-developed definitions and approaches he tries to convince the organization of the usefulness of risk management and of what needs to be done. The goal is to get the organization certified against ISO31000 in the near future. The organization's management/CEO is presented with large lists of risks, which are compiled through interrogations and risk workshops throughout the organization. An army of risk consultants provides processing power to put everything into Excel sheets and databases. All risks are provided with mitigation measures, responsibilities and deadlines. Escalation procedures are established and accountable persons are appointed to be held accountable, preferably via bonus score cards.

This is a real-world scenario, full of book wisdom and here and there a little disconnected from reality. When I see this in practice, I often see friction, not flow. This leads to dissatisfied organizations and dissatisfied Risk Managers.

So how do we get from friction to flow? Some tools to create more flow:

  • Realize that the Risk Manager is probably one of the few managers in the organization who does a whole lot except manage risk! In fact, the business leaders have to do that themselves. Ideally, the Risk Manager has a modest role, more of a coach, sparring partner, start-up help and collector of information. Ensure ownership by the business leaders, then Risk Management will come alive.
  • Speak the language of the "real" risk managers: the directors and managers who have to mitigate the risks. If they talk about Performance, make sure they understand that risk management is the same as Performance Management. If 'Make Speed' is the word of the day, explain that it is fine to Make Speed, and that you can then make some adjustments in the turns. If they only talk about Agile, invent an Agile Risk Management method. But above all, make it clear that it's nothing special but "part of their job."
  • If you do start working with definitions, realize that risk includes not only threats, but also opportunities. Play around with an Opportunity Chart (as opposed to the Risk/threats Heat Chart). Maybe it won't turn into anything, but the organization will appreciate you for making the effort to look at opportunities as well.
  • Develop your "elevator pitch," for example, with one-liners such as, "If you are a manager doing something that doesn't involve managing risk, stop doing it immediately," "So you just want to accelerate? Don't you think Jos Verstappen is very happy that he doesn't just have a gas pedal but also a steering wheel and a brake?".
  • Use "baby steps." Always take small steps and stay away from 'hard things'. Running a business (or: department) is hard enough. Your strength is time. Hold on, always keep the carrot a little further ahead and help them take small steps. Everyone wants to learn and curiosity is in human nature, but don't overdo it. Everything is relative. A small step in your eyes can be a big step for another.
  • Be alert to success. You notice you are successful when (part of) the organization is going faster than you thought. Things get pulled out of your hands, so to speak, and you get the feeling that you no longer have control over them. That, as crazy as it sounds, is actually a good thing. It means the business is on the ball and instead of being captain of the team, you can take on the role of the coach. Let it happen; the game should be able to be won even without you.
  • Use the principle of naming and faming. Use a Hall of Fame-like progress report where attention is focused on the successful organizational units, those managers who are somehow doing well. Give them time and attention so they will do even better. Find managers who get you and are doing well; use them as examples of where things are going well. Don't start pushing and pulling. No one wants to be at the bottom of the list; they will come naturally, and when they call you, know that you have created flow.

Carlo Bavius is affiliated with AuditPeople and RiskPeople as a consultant and interim manager. Carlo focuses on the Internal Audit and Risk/GRC field with over 25 years of experience.