First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Risk and strategy entwined

“Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives.”

I want to tell you a couple of stories about four people, two sets of twins.

The first two people are O and P; the second pair is SR and RS.

O and P are executives at the same company. The CEO, C, is considering a new venture, so he calls a meeting of his executive team. O and P sit opposite each other and just glare with clear disdain for the other.

C outlines the opportunity and asks for comments from the team. The general counsel and CFO look thoughtful, but before they can say anything O jumps in.

“I think that’s great! I already looked into this with my team and we project an 80% success rate, where we either hit or exceed the targets you outlined. There are a few things we need to prepare before launching, but I am very optimistic (no pun intended) that everything will be set for a launch in just a few months. [The “pun intended” comment was because his real name is Optimist, although his position within the company is Vice President for Strategy and Planning.]

“Oh, O, you are always quick to see the upside without thinking about the many risks involved”, retorts P. “My team also thought the scheme would come up and we have worked with the appropriate departments to compile this list of risks”.

O comments quietly but everyone hears him, “P, you always live up to your name – a Pessimist who sees a cloud in every silver lining”.

P looks quickly at O and says “My job as Vice President and Chief Risk Officer is to make sure everybody is aware of the risks at all times. O, you constantly ignore them.”

Meanwhile, P is passing around a 5-page document describing about 30 areas assessed as ‘major’ risks to the company that exceed its risk appetite, as defined by the Risk Framework and Policy.

C responds to all of this as you might expect – frustration and annoyance. He doesn’t say anything, but he is thinking along the lines of “why did I hire these bozos, who can’t get along with each other and give me the advice and insight I need? One is always ‘full speed ahead’, perhaps to please me, while the other is always quick to point out why we should never do anything. But, if I fire either of them, especially P, I will hear from the board and the regulators.”

Out loud, C puts the list face down after glancing at it and asks his CFO and general counsel, “So, what do you think.”

I am sharing this story because when I write about the risk officer considering both the potential positive and the negative effects of events, situations, and decisions, several people have commented that the risk officer should focus only on the potential adverse effects because others, like the strategy people, are looking at the opportunity side.

I disagree with this perspective for a few reasons.

  1. Any event, situation, or decision can have multiple effects. Some may be adverse, some positive. Often, there will be multiple effects. In my Monopoly blog, I talked about the decision whether or not to buy a property. The purchase would create an opportunity to earn rent, but it would also reduce the cash reserves and increase the significance of having to pay rent, a fine, or so on. The smart manager has to decide whether the potential outweighs the risk. Both sides have to be considered, not just one.
  2. When anybody only explains why you shouldn’t do something, they should expect to be increasingly ignored. How would you react if every time you started to leave home you were greeted with a list of all the bad things that might happen?
  3. Every potential positive effect needs to be assessed with the same disciplined and structured process as an adverse effect.
  4. If you want to be perceived as a partner to the business, behave like a partner to the business! Behave like a top executive who has to make an informed and intelligent decision about whether to move forward, change direction, stand still, or even retreat–based on reliable information about all potential consequences under every option. Behave like an executive and talk like an executive, in the language of the business.

In our second story, which is at another company, the CEO (CE) is also considering a new venture and asks his executive team for input.

SR looks at RS, gets a nod, and answers.

“RS and I have been working together to integrate the consideration of risk into the strategic planning and performance monitoring processes. I am pleased to tell you that our Risk and Strategy teams have been looking at this opportunity together. Strategy [ndm: whose middle name is Risk} and I have this joint assessment for you and the team to review”.

Risk, whose middle name is Strategy, passes around a 2-page document that outlines the results of the two team’s assessment. It includes both the potential upsides, their extent and likelihood, as well as the more significant risks, also with extent and likelihood. There is a Summary section that provides an overview of the most likely net effect of each strategic option.

CE beams with satisfaction. What a change this is from his last company! Here, he has two partners that he can trust to provide him with the information he needs as well as a balanced perspective on the options. He has a strategic advantage over his old friend, C.

He congratulates SR and RS for working together to provide a joint assessment. SR looks to RS before replying that they have agreed on a common framework going forward; both teams are cross-trained so that they always look at an event or situation with a balanced view. The Risk team will assess the full range of potential effects on all issues that come to them, and the Strategy team will include an assessment of both positive and negative effects when proposing new or updated strategies, and when reporting on progress towards objectives.

Let me close with a thought.

Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives.

They need to put themselves in the shoes of the CEO and board members. They cannot afford only to concern themselves with reasons not to pursue ventures–implying a desire to stay home and vegetate.

Think like a CEO, act like a CEO, and talk like a CEO. Provide leadership with the information, process, systems, and so on to make effective decisions that lead to success.

I welcome your thoughts.

PS–Do you ‘get’ the pun about ‘entwined’?

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at If you liked this post and would like to subscribe to Inside Internal Controls blog click here.
Send to Kindle

, , ,

Comments are currently closed.