The title of this week’s essay is tongue-in-cheek, because everyone manages risk all the time, including business leaders. CEOs might tell you they’re thinking about how to maximize business profits for shareholders—and, in our current economic system, they totally are—but that’s about priorities. It doesn’t mean CEOs don’t manage risk. They’re quite skilled at managing the risks that stand in the way of maximizing business profits.
Risk managers, on the other hand, tend to think of risk management in terms of worst-case scenarios, redundancy and diversity of controls, and risk reduction. And it’s great to consider those things and put defense-in-depth into practice! But when talking risk with business leaders who aren’t especially risk-focused [1], a language gap can arise. The risk manager is talking avidly about worst-case scenarios, and the CEO may be thinking, How likely is this really, because I still need to maximize business profits and achieve the business mission?
Finding common ground
The good news is that there is common ground. Maximizing the business’ reputation, making the business resilient to inevitable errors and incidents, and helping business lines grow responsibly are all things that both CEOs and risk managers probably agree on, at least to some significant degree.
One of the unsung but super-important roles of risk management is to bridge the language gap and answer business leaders’ questions (spoken or unspoken!) about risk prioritization. That means talking in terms of return on investment (ROI) and decision modeling. It also means selling.
If you just pictured a door-to-door salesperson, I did, too. For me, the word selling evokes memories of visiting a car dealership. Closing unwanted pop-up ads so I can read a news story on a website. Or that time I went door-to-door selling catalog wares to make enough to buy my first phone (sorry, former neighbors!). Ugh.
But the truth is, we all spend at least part of our time selling—at least if we want to get anything done. And selling doesn’t have to mean haggling, or pushiness, or sleazy deals. Not at all. Selling can just mean explaining in a way that appeals to the values of the other party. When you advocate for your point of view, you are selling what you believe to be the best course of action.
So, what do I tell business executives?
From a risk management perspective, selling doesn’t usually mean giving details of how an exploit works or diving into technical specifications. When you propose an investment designed to reduce risk, executives need to know a few things:
What do I have to do?
Why is it important? (If the answer is, “It’s required by law or regulation,” but there’s also a deeper justification, it’s your job as a risk manager to explain why the investment might be worthwhile even without the requirement!)
What does the best solution appear to be from an ROI perspective, and how much will that solution cost?
Could a workaround or manual process accomplish the goal, and what are the tradeoffs?
The size of your organization, the state of the business cycle, and other expenses facing your organization all matter in this discussion. How does your proposal stack up against other competing proposals that might increase revenue directly? Can your proposal help maximize (not just protect) the business’ reputation or help the business grow? Be prepared to tackle questions like these, because no proposal exists in isolation!
Selling versus telling (or yelling!)
Even if you can mandate your views due to your role, it’s easier and better to sell them persuasively so you get buy-in. Getting buy-in can mean the difference between grudging compliance and strategic implementation. And the latter is far better than the former. Grudging compliance can sometimes even increase risk by increasing paperwork and process complexity without reducing underlying risk. In that sub-optimal scenario, it appears on the surface as if risk has been reduced, so people feel justified in shifting their attention to other things, but meanwhile, the risk continues brewing and possibly even growing under the surface. That’s a terrible outcome.
I saw this firsthand in a role where I was empowered to mandate changes to reduce risk, and I continue to see it happening in the broader world. If you’re in a position of power but choose to deliver a message in a hostile way, without even attempting to sell the approach you’re pushing, don’t be surprised when your targets’ first reaction is, How can I get this person off my back? Some people may say, “I don’t care, they have to do what I say,” and on paper that may be true, but in practice, if you act like a jerk, whatever “remediation” you get is more likely to be tactical, surface-level, and internally despised or even undermined.
On the other hand, if you make an honest effort to sell your viewpoint—to explain your view of the root causes of risk, understand the opposing party’s concerns, and craft action steps in a way that accomplishes your goals (this is, after all, the important part!) while not causing unnecessary humiliation or damage—the remediation you get is more likely to be strategic, tackle multiple and complex root causes and dynamics, and achieve lasting buy-in across the target organization. For example, maybe business leaders will proactively extend an audit finding from one business unit across the entire organization—something you could not have mandated if you only audited one business unit.
This is human relations 101, and human relations drive organizational decisions and actions a surprising amount of the time. Respectful, independent relationships acknowledge the business goals while emphasizing the importance of risk.
Stepping up by stepping back
So, to close this out for now: if you’re getting pushback on a risk management recommendation from business leaders, don’t dig in and get entrenched if you can avoid it. Instead, try to understand why it’s happening. Don’t be afraid to say, “Let’s step back and remember why we’re here” to defuse an argument, or to ask, “What do you need to get this done while also achieving your goals?”
Part of your job as a risk manager is to focus attention on the overlap in the Venn diagram between risk management and business goals—and then build on that area of common ground. That means exploration of risk management as a competitive advantage. It means back-and-forth dialogue, honest and clear explanations of priorities and tradeoffs and ROI, and good-faith questions, challenging the status quo together and working toward a strategic outcome that balances risk and profit.
[1] Some business leaders are consciously risk-focused! And that’s great. But as numerous financial crises and flame-outs have shown us, it’s not a universal norm.
Great post, especially stressing the communication.
In the company I work for, it is all about risk management, and effective risk management is not just about identifying threats but also about aligning with business objectives. It's a matter of selling your perspective in a way that demonstrates its value and ROI while fostering collaboration rather than resistance. Great advice for achieving lasting buy-in and strategic risk management. Thanks for sharing, Stephanie.