The word risk means different things to different people; how can you agree on the definition across an organization?
“What exactly does risk mean to you?” one member asked during a recent virtual meeting of NeuGroup’s Corporate Enterprise Risk Management Group. The question was a bit rhetorical—the member answered it himself by saying risk means different things to different people. There is good risk, bad risk, strategic risk, operational risk and catastrophic risk.
- This was true, said one member of an ERM team presenting to the group on risk alignment at her company. She said, “Initial definitions are easier to get consensus” on, but she observed that as you move away from those definitions and go out to the businesses, “That’s where we see more variation of risk.”
Risk council. Another ERM member leading that alignment effort said that risk definitions need to be made uniform and that those definitions should be decided upon company-wide. To do it, ERM created a risk council by recruiting leaders from the regulatory side of the business, HR, accounting, R&D and the business units to help the broader company focus on ERM.
- He added that since ERM reports into finance, he made sure not to “overload finance on the council.” The group sought to determine “where we were different and where we were the same,” when it came to nailing down the meaning of risk in different areas of the business.
No appetite for “appetite.” This member said the process was not straightforward because of the number of different personalities and agendas. “I expected we would stumble on some definitions,” he said, adding that, for instance, ERM’s “view of the world may be influenced by board personality.” Others might be influenced by other necessities; that means “there are words some people want to use and others they don’t want to use.”
- For example, the company’s legal counsel didn’t like the term “risk appetite” and said the company had zero appetite for risk. He wanted to call it something else. Others saw it differently, which made it “challenging in some naming conventions.”
Higher profile. Nonetheless, this effort helped ERM “level set” what risk meant, the member said. The group then presented refined risk definitions to the board to get agreement. “The result has been active engagement.”
- Overall, this and other efforts have raised the profile of ERM within the company. When he first took the position, ERM “was a board-reporting exercise; ERM was muted.” But with the alignment project, the function is “now more of a presence.”
This has meant building more risk accountability and finding the right risk owners across the company. “The more we can get involved with individual regions or business, the more we can inculcate risk into the organization,” he said.