Promoting a strong risk management function is as much about understanding how the plan could affect real people as it is about a clear understanding of the law or ROI. All companies have multiple constituencies both inside and outside the four corporate walls that may be affected by your plan.
To build the business case for risk-based work, risk leaders need to understand those constituencies and how your proposals impact them.
Knowing the audience in the room is a crucial step in presenting your business case successfully. You must also know and understand the interests of everyone who will NOT be in the room: the organization’s stakeholders, whose response to your plan can mean its life or death — regardless of what executives in the presentation room might truly want.
Who are the stakeholders?
How many stakeholder groups should you consider as you develop your proposal? Your depth of focus on how your plan affects a particular stakeholder will likely depend on what initiative you are considering. Understanding the impact on all stakeholders can help you create better solutions. There are many different stakeholders:
Management are the leaders of the business functions across the enterprise, whose know-how and support you will need for your risk management project to thrive. Directors of HR or IT security, the corporate controller, the VP of sales, the general manager of the Far East division, the general counsel; the list is long.
Every executive will, naturally, encounter your proposal and wonder: how will this affect me and my team? What resources will the risk leader need from my function? Can I spare those resources? Will this harm my function’s ability to do our job, or to advance our interests? And (cynically) if I don’t like this idea — how can I undermine it?
While middle and lower-level employees across the enterprise may not have specific say in whether your proposal is implemented, they will always influence how the plan is implemented. Risk leaders must respect that fact of life.
At the least, employees need a clear understanding of what you plan to ask of them, and why. If your organization has unionized employees, they may be entitled to negotiate implementation details of your plan. Seemingly mundane or irrelevant details (work schedules, pay plans, or paths to promotion, for example) might assume new significance.
The board of directors or other governing authority
The board bears ultimate responsibility for the fate of the organization — so its interests are entwined with those of senior management, but those interests can also be larger than those of senior management.
It’s also worth remembering that the full board may have different priorities than other governing authorities. For example, the audit committee is foremost concerned about sound financial reporting and effective risk management procedures. The full board is more concerned with disruption to business models, corporate reputation, and a strong corporate culture.
Under certain circumstances, your organization’s regulator may express views about your approach to risk management. In banking or pharmaceuticals, for example, regulators take a keen interest in controls for operational risk. In other industries, regulators such as the Justice Department will examine your risk and compliance efforts if criminal misconduct is under investigation.
Third parties may support, object to, or not care about your risk management plans. They may also respond to risk management proposals in ways you will need to anticipate to present a thoughtful case to your board. For example, a more robust due diligence program performed upon them may change the prices they try to impose upon you.
Or your proposal might bring more clarity to some business relationships that until now had been murky. For example, new policies might prevent employees from asking local sales agents also to manage real estate purchases for the organization. Perhaps a new conflicts-of-interest policy might seem wise in theory, but in practice it might force influential executives to sever relationships with third parties they view as important.
Customers are a special class of third parties. Not only may they encounter the practical effects of your risk proposal (say, higher due diligence requirements or stronger password controls), they may also express their views about the organization’s conduct by taking business elsewhere.
For example, the discovery of human trafficking in your supply chain could lead to severe reputational harm and disrupt operations, especially if your organization deals with consumers. In that case, the customer base becomes an important stakeholder to consider.
Shareholders are usually one step removed from the organization, but unhappy shareholders can inflict pain in various ways: lawsuits against the company, sell-offs that lower the stock price, or even proxy fights for control of the board.
How often will shareholders actually pay heed to risk management proposals? Almost never.
But they can be a powerful concern to senior executives worried about not acting against risk in a timely manner. Use that to your advantage if it makes sense: “Our failure to address this risk, if it should then strike, might open the door to shareholder litigation against the board.”
Non-governmental organizations and the public
NGOs, and the public at large, have waded into discussions about corporate behavior in recent decades. They now try to influence expectations for labor standards, corporate values, pay policies, environmental protection, and much more.
Moreover, thanks to the rise of social media, we all now live in a much more organizable society. Individuals need little more than an embarrassing video clip and a social media account to launch a campaign that might attract worldwide attention and leave a company’s reputation gut-punched.
Harness the expectations of NGOs and the public where it makes sense. For example, if you are seeking to build an oversight system against slave labor in your organization’s supply chain, consider the fair labor standards promulgated by the International Labour Organization.
An organization’s stakeholders are linked together. Some work together and some work in opposition to one another, either explicitly and publicly or in more inherent, subtle ways. Stakeholders are, in many ways, similar to the constituencies of a political district, all jockeying to assert their interests. A skilled politician can build alliances among those groups to propel his or her vision forward; a risk leader must do much the same.