The late president Lyndon Johnson, considered one of the most accomplished legislators and presidents in U.S. history, once said: “What convinces is conviction; believe in the argument you're advancing. If you don't, you're as good as dead. The other person will sense that something isn't there, and no chain of reasoning, no matter how logical or elegant or brilliant, will win your case for you.”
That is the cornerstone concept for any executive who wants to push for greater, smarter, better risk management at your organization. The case is tough to make under the best of circumstances — and above all else, the first person to convince is yourself. What problem must I solve? Know why you want to this and why it matters to your organization.
What is the problem?
Take that time to define the true problem. One of the great challenges of modern corporate life is to think strategically, where you create conditions today to achieve your goals tomorrow. Instead, we’re constantly pulled to respond tactically to whatever issue is demanding attention right now.
We suggest, however, that you try to really think through what is the most important issue or set of issues that need to be solved. Am I spending my time on the right things? Are my risk management proposals offering immediate solutions to immediate problems but are failing to really address more critical issues or problems?
We all know that the goal of risk management is to reduce the instances of events undesirable to the organization. Every event is preceded by a cause. Logically, then, risk management puts safeguards around the causes of potentially undesirable events, so the organization can pursue its objectives.
That’s a nice bit of jargon-speak that overlooks one crucial point: you must identify the correct cause or problem of whatever issue occupies your mind or is fundamental to business operations. Otherwise you squander corporate resources — so even if you do make your business case the first time, you’ll never get a second one.
Why does it matter? And, why now?
The ideal risk management solution isn’t simply framed as a method to reduce the chances or pain of something going wrong.
Rather, good risk management improves what the company already does right or addresses a problem that must be solved for the company. Building a strong case for a risk program clearly articulates why it is so important to focus on this particular problem at this particular time with specific solutions that are relevant to specific business endeavors.
For example, you could frame an investment in third party due diligence as a effort to reduce anti-bribery or data security risk. That is, after all, what effective due diligence should accomplish.
A deeper way to understand the issue, however, is that strong due diligence accelerates your ability to choose business partners wisely — and a more nimble, responsive organization can outmaneuver its competitors. That ability might manifest in many ways: fewer encounters with regulators, smaller amounts devoted to contingencies in the income statement, faster expansion into new markets, lower employee turnover.
That’s the “the why now” in preparing a successful business case, regardless of the specific solution you propose. Knowing why you want to do this at all. You must believe that your idea truly will make the company perform at a higher level.
How will we do it?
Now is not the time to dive into every detail.
However, even at this early stage you must start to consider the category or categories of solutions that you plan to explore to address the problem.
For example, if the problem is that third party management is chaotic, expensive and that too much information is slipping through the cracks; then it is likely that you will consider an enhanced capability. This might take the form of building or buying software; hiring or modifying team structure or engaging with new vendors to help vet third parties.
These are all details that you will explore later.
At this stage, however, you will zero-in on a category of solution and begin to refine the scale of change required.
If the current problem results in delayed business deals that cost the company $5MM / year; and if the problem results in 2 regulator inquiries per year; then you know that the solution must improve the third party management process enough to close the $5MM gap and reduce regulator inquiries.
Again, you don’t need to dive too deep into the details just yet. Save that effort for Phase 2 - The Analysis.