I read too much about what GRC needs or what ERM needs but far too often suggestions read like my favourite Monty Python skit (a lot of easier said than done steps):
| Alan | Well, last week we showed you how to become a gynecologist. And this week on ‘How to do it’ we’re going to show you how to play the flute …but first, here’s Jackie to tell you all how to rid the world of all known diseases. |
| Jackie | Hello, Alan. |
| Alan | Hello, Jackie. |
| Jackie | Well, first of all become a doctor and discover a marvellous cure for something, and then, when the medical profession really starts to take notice of you, you can jolly well tell them what to do and make sure they get everything right so there’ll never be any diseases ever again. |
| Alan | Thanks, Jackie. Great idea. How to play the flute. (picking up a flute) Well here we are. You blow there and you move your fingers up and down here. |
So when I read very articulate comments like these from the (defunct) blog Corporate Integrity, it makes me think of how you play the flute:
Risk management does not happen in a vacuum … The board and management have to clearly define and communicate the culture of risk taking, acceptance, tolerance, and appetite. … Once a proper culture of risk management is defined – including risk tolerance, and appetite – this gets established and communicated through policies and procedures.
… organizations need to establish an enterprise committee to initiate a collaboration on defining, communicating, and managing a culture of risk in their environment. The goal is to define and communicate a culture of risk, establish it in policy and procedures, and monitor adherence to staying within boundaries of risk tolerance and appetite.
Again, easier said than done. I am not criticizing this approach, I actually agree 100% with what he writes, it’s just very difficult to execute.
Telling someone how to play the flute is not the same as teaching him or her how to play the flute, which take a lot of time, patience and practice. And telling business leaders or organizations what boards and committees need to do is not the same a getting buy in, getting them to do it and being successful at it.
Pingback: Riskczar Top 10 List « Riskczar's Blog
Pingback: Riskczar Top 10 List « Riskczar's Blog