Handling Unrealistic Expectations of Enterprise Risk Management

You have been told to put together an enterprise risk management program.  Oh, and by the way, they want X, Y, and Z in 3 months.  After picking your jaw off the floor, your head starts spinning with the impossibility of meeting those expectations.  What do you do?

You think that there is only one opportunity to get it right, and if it fails, the program is dead in the water.  You dread the negative feedback from executives, the bored looks from management, and the phone surfing during a conversation.  You cringe at the thought of presenting an idea to the board and having it thrown back in your face, or the incredulous looks from people when you start asking them to spend time on this new thing.

Who wouldn’t?  I certainly did…. 

A person’s natural inclination, especially for risk management professionals, is to plan the detailed steps of how the program will work because you want the launch to go perfectly.  You have a timeline of activities, a memo from the CEO drafted, a board presentation created, everything. So where did it go wrong?

You are now on year 3 of 2 (yes, that was intentional), and the program isn’t going as fast as the executives expect.  This extended timeframe is starting to hurt the support of the program and has people questioning you and the value of ERM.

The reality is that ERM at any company or non-profit will take years to mature.  No matter how supportive the executives are or how many people you have on the ERM team, it will take time.  So regardless of where your ERM program is in its maturity, whether infant or teenage, you will need to manage the expectations of all people involved in the ERM processes for the life of the program.

How do you manage executives?  Well, first of all, you aren’t managing the executives, just their expectations!  The key to doing this is telling them the realistic timeline of when actions will be accomplished…again, and again, and again.

Making the unrealistic turn to realistic

When doing your planning, if you think an activity will take 2 weeks, are you being realistic with yourself about people’s calendars?  What about the follow-up communications and activities?  What is the typical turnaround time for responses?

There is a good rule of thumb, but it varies based on 2 things:  how well you know the company and how optimistic you are in general.  The rule of thumb is:  if you think it will take 2 weeks, make it 3 weeks.  With the variation in mind, if you are generally more optimistic, then you might want to make it 4 weeks.

When communicating timelines to people, be sure to include the caveats about depending on people’s calendars, other priorities, etc.  If ERM is a top priority for the executives, then you could even ask the executives to work with their management teams to put ERM requests at the top of the pile for a short time.

Ensure that the executive sponsor(s) of the ERM program, whether the CEO, the Chief Risk Officer, the CFO, or another executive, understands the time that goes into ERM.  Not just during “meetings” but all of the behind-the-scenes activities.  For example, you could say that for every 1-hour meeting, we work for 5 hours doing analysis, follow-up communications, and reporting.

And above all…repeat the information in multiple presentations, so they hear it in different settings, different times, using different words.  Once they hear it a few times, it should start to sink in…

How have you managed the expectations of the ERM program at your organization?

I would love to hear from you.  Please share your thoughts in the comment field below, or join the conversation on LinkedIn.

Do you want someone to guide you through the process?  Are you struggling to get your risk management initiative off the ground or back on track? Contact me to discuss your program today, or continue browsing ERMInsightsbyCarol.com to learn more.

8 Comments

  • I wholeheartedly agree with your analysis on starting an ERM program from scratch. Most Executives don’t see the value and therefore don’t really embrace ERM constructs. That said, doing risk assessments was one way I found that helped educate not only the Executives but staff seemed to participate with a certain level of enthusiasm as they were being brought into a project early on and their contributions were appreciated.

    • Mike – I completely agree that bringing in front-line staff is a great way to garner buy-in. Who doesn’t want to be heard and appreciated? Sometimes doing is the best way to demonstrate the time and effort that goes into a process…and the value that can be gained from it. Thanks for commenting!

  • The sponsorship from the CEO and the leadership is usually lacking. This team has no definition for risk appetite and risk tolerance. It is proven a mature ERM program can improve earnings by 25%. Start with building understanding of ERM with the three lines of defense.

    • Hi, Bruce. Thanks for your comment. The active support of ERM is crucial for its success, as mentioned in a previous post (http://erminsightsbycarol.com/4-things-to-ensure-erm-program-success/). With regards to the three lines of defense (3LOD), I personally don’t advocate for that formal design. Instead, I recommend an embedded positive risk culture throughout the organization, with ERM supporting organizational decision-making and acting as a consultant and advisor. Internal audit should provide assurance to the executives and board that the risk management process is designed appropriately for the organization.

      When it comes to the value that a mature ERM program can provide, it’s not just about the earnings it can improve (which may be the ultimate result), but ERM also provides valuable insights for decision-making and protects the reputation of the organization. Would you agree?

      • Florent Achille Ndindjock
        May 19, 2017 3:31 pm

        Understandingly so Carol. If an ERM does not have a holistic approach, it is bound to fail. What you see in most organizations that have settled with traditional risk management is that silos of responsibilities begin to start forming and communication eventually dies across the enterprise. I would add to the need of engaging the entire organization, that proper communication is crucial. Vertical communication is not enough, a lateral one has to take place also to see that a risk culture is embraced. I like to look at the ERM process as a continuous one. Even on a short notice, executives have to realize and understand that of ERM.

        • Good comment, Florent. Communications are critical for an organization to survive…and thrive! And it definitely can’t just be vertical – it has to be lateral to peers. Of course, organizations frequently forget to communicate with suppliers, vendors, and strategic partners. This forgetfulness can be extremely detrimental to the operations of the organization, regardless of whether it is for-profit or non-profit.

  • David Green
    July 22, 2021 8:01 pm

    The greatest challenge with something as profound for an organisation as ERM, is that it should change the organisation. This is where resistance might arise. Indeed, if the ERM activity does not change the organisation, the organisation is not doing ERM, it is doing window dressing.

    • Hello David…Thank you for reaching out! Indeed, people are resistant to change, but in order for ERM to have an impact, it must force change in the organization or else it’s window dressing as you say. If the purpose of ERM is regulatory in nature, not much visual change will occur. But if the goal is to take informed risks to build a strategic advantage, the cultural change needed will likely be significant, and therefore more time will be needed to meet this goal.

