If you’re involved in developing, enhancing or monitoring your company’s risk management activities, you probably know that “risk” and associated terms are used very differently by different people. This too often is the case throughout an organization, right up to the board level. Indeed, experience shows that senior managements and boards think they’re talking the same language, when they are not.
How often have you heard the terms “risk assessment,” “risk management,” and “enterprise risk management” used almost interchangeably? If your experience is anything like mine, it happens all the time. My sense is that busy executives and directors understand the basic concept of risk and don’t take the time to get into what are perceived to be details in terminology. The resulting problem, however, is that we talk at cross purposes and misunderstandings abound. Risk related professionals know well that a risk assessment is a point-in-time snapshot of risks in an organization, risk management includes a number of activities in identifying, analyzing and managing risk, and enterprise risk management raises the bar to a still higher level.
A fundamental issue is that too often top managements and boards believe their organizations have in place effective enterprise risk management processes when in fact they don’t. They know the words, and truly believe they deal with risk as well as any organization. They believe their senior management team focuses on risk and drives risk management throughout the organization. And what we’ve often found is that they are wrong.
It is not a simple task to change the minds of high powered CEOs and directors. And one wonders whether it’s worth one’s political capital to push this issue. But this is so important a matter that to know there’s misunderstanding and allow it to continue is dangerous – for top management, the board, the company, and all of its people.
Mr. Steinberg is very accurate in his assessment of the the terminology issues around risk management. I recently worked on this issue with my board and management team and quickly discovered that each director and senior management team member had their own definition of risk and how it was currently being managed. There is considerable merit in taking the time to reach a consensus definition of risk before a true risk assessment can be undertaken. This is an important issue for every board of directors and avoiding these discussions will not alleviate the problem.