Metrics to Measure Risk Management Strategy Effectiveness

In the last post “Reasons for failure to prepare a risk management strategy” I discussed that just 40-50% of the organizations have a risk management strategy. While it gives a measure of confidence to know this, the question arises – are these strategies effective? How do we measure the effectiveness and suitability of a risk management strategy? I went through various frameworks to find out which metrics to use for it. I did not find a clear-cut list, hence derived the following dozen metrics from them to conduct an annual assessment for effectiveness of risk management strategy.

1.  Percent of business strategy objectives mapped to enterprise risk management strategy

2.  Percent of business value drivers mapped to risk management value drivers

3.  Number of times audit committee reviews risk management strategy.

4.  Number of times board discusses risk management strategy in board meetings.

5.  Number of times board reviews risk appetite of the organization.

6.  Number of times CEO invites risk management teams to participate in business strategy formation and proactively identify business risks. On the negative side, check the number of times risk functions were not invited to business strategy discussions.

7.  Number of times business strategy implementation failed due to improper risk mitigation. Compare this with number of times timely intervention of risk managers resulted in faster implementation

8.  Number of times improper risk mitigation delayed business strategy implementation. Judge this against number of times timely intervention of risk managers resulted in faster implementation

9.  Number of times the organization received negative media coverage due to improper risk mitigation. Evaluate against number of times timely risk mitigation strategy prevented a media disaster.

10.  Number of times the organization faced legal problems due to improper risk mitigation. Compare this with the number of times risk departments prevented legal problems.

11.  Number of times the actual risk level of the organization exceeded the risk appetite of the organization. Analyze this against number of times risk departments controlled risks from exceeding risk appetite of the organization.

12.  Amount of financial losses incurred due to ineffective risk management. Balance this with amount of financial losses prevented due to effective risk management.

Although this is not an exhaustive list, it does give a starting point. In my opinion, heads of risk management must conduct an annual review of risk management strategy and initiatives in line with these metrics. It will depict whether the risk management strategies are effective or ineffective. Then share the results of the review with CEO, board and audit committee. It will give a clear indication of the value addition done by risk management functions during the year to senior management. In Churchill’s words –

“However beautiful the strategy, you should occasionally look at the results.” – Winston Churchill


Reasons For Failure To Prepare A Risk Management Strategy

In the present economic scenario with escalating risks, it is imperative for organizations to have a risk management strategy. However, more than half of the GRC departments do not prepare an integrated risk management strategy, despite knowing that the lack of one can put their organizations in jeopardy. The graph below from the Economist Intelligence Unit report “Too Good to Fail?”, covering financial institutions and insurance companies, supports my assertion.

[Graph: Too Good To Fail? - Economist Intelligence Unit]

On an average in Asia-Pacific region just over 50% of financial institutions have a regularly monitored risk management strategy. It would be fair to assume that the percentage will be much lower for all industries.

Hence, the question arises – why are GRC departments not preparing a risk management strategy?  I am discussing below five reasons for the same. Check it out to assess the barriers in your organization for forming a risk management strategy.

1.    Non-involvement in business strategy formation

As per the survey “Fall guys: Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG” – just 41% of the organizations involve risk management function in formulating and implementing corporate strategy. Non-involvement in business strategy formation results in risk managers failing to get the bigger picture and to understand business strategy risks. Hence, GRC departments’ plans focus on addressing tactical and operational risks. Therefore, risk managers fail to do strategic “risk management”.

2.    Lack of accountability at senior management level

 Most reports mention that risk managers do not have adequate authority. The second challenge is that they do not report to the CEO and GRC department heads are reporting to different functional heads. These challenges give a level of anonymity to the functioning of risk management departments. Their annual strategies are merged with the functional department strategies to which the GRC head is reporting. For example, if CAE is administratively reporting to the CFO, the finance department strategy swallows up internal audit plan and strategy. This results in lack of accountability at CEO and Board level. Hence, there is no focus on preparing an integrated risk management strategy for the company.  

 3.    Minimal organization focus on strategy development

Sometimes organizations do not have a strategy formation process. The “McKinsey 2010 Strategy Survey” results show that just 6.5% of the organizations have an effective strategy development process. Secondly, 20% of organizations view corporate strategy development as an aggregation of business unit strategies. Management does not make any exclusive effort on building a corporate strategy. In such scenarios, the risk management departments’ strategy is an accumulation of individual balanced scorecards of department heads. Without a right strategy development culture, it is unlikely that GRC departments’ heads have a formal dialogue with senior management to develop an integrated risk management strategy.

4.    Lack of knowledge on strategy formation

While it might sound unlikely that risk managers, the predictors of doom and gloom, do not know how to develop a strategy, it is a possibility worth exploring. It might appear to be an odd failing for people geared towards numbers, but one must take into account that most risk managers do not receive formal training on strategy formation. The second aspect to think about is that strategy is much more than numbers. The third aspect is that risk managers in their reports focus on dollops of operational and financial risks but there is just a smattering of strategic risks. Hence, there is a high probability that they lack skills to prepare a strategy.

 5.    Outdated GRC departments

Many will raise their hands to say that GRC departments have more teeth after the financial crises. However, in my view some may still be navigating without a compass. Due to internal politics of the organization, GRC departments may work in silos and execute work with a checkbox mentality. The GRC department heads may put more boots on the ground to do better risk coverage rather than develop risk management strategy. In such situations, GRC heads form blind spots due to poor prioritization of risks, lack of awareness of competitor skills and minimum awareness of new risk management approaches. Therefore, sometimes GRC departments are working with an outdated mindset and skills.

 Closing thoughts

In my opinion, risk managers cannot play the blame game and raise a hue and cry over lack of visibility at CXO/Board level if they are not focused enough to develop a risk management strategy. One cannot reach a destination without a roadmap, and minus a risk management strategy, risk managers are aimlessly conducting various activities. In this volatile business climate, strategic agility is a key competitive advantage. Hence, rather than be mentally resistant to sober analysis, risk managers need to do some introspection to assess the reasons constraining them from preparing a risk management strategy. A successful adoption of risk management strategy will enable their organization to wade through this turbulent economy. To conclude:

“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” – Sun Tzu


  1.  Report: Too good to fail? New challenges for risk management in financial services – A report from the Economist Intelligence Unit
  2.  Report: Fall guys: Risk management in the front line – A report from the Economist Intelligence Unit, sponsored by ACE and KPMG


Leading Risk Management Function with Emotional Intelligence

Have you ever felt as a risk manager that business teams don’t want you around them? Behind your back business teams in three words describe you as “critical slimy burger”, in two words “painful preacher” and in one word “#@$&^@#$”. Your ideas and opinions are strongly opposed and good ones too sink due to death-by-association syndrome.

Sometimes, from top to bottom levels of the organization business executives stonewall risk managers’ efforts and the risk management team faces this antagonistic attitude.

[Graph: Ascending the Maturity Curve - Economist Intelligence Unit]

Even the Chief Risk Officer (CRO) and other risk managers fail to cut ice with senior management. A recent report “Ascending the Maturity Curve” published by Economist Intelligence Unit shows that just 28% of business executives consider CRO and other risk oversight members as usually helpful in achieving business objectives. The adjoining graph reflects that thought process of business executives about risk managers.

In light of this, it is clear that risk managers face a challenging and conflicting relationship with business executives. These issues make risk managers’ jobs notoriously frustrating and thankless. Hence, risk managers need a solution to be effective.

I thought it might be a good idea to study why business teams react negatively and how to make them think positively about risk managers. I read Daniel Goleman’s book – The New Leaders, which covers ways to use emotional intelligence in leadership. It sheds light on disastrous leadership outcomes when leaders deal with teams without sufficient emotional intelligence. There are a number of lessons for risk managers to learn from the book and here are some of them.

Briefly, Goleman has described resonant and dissonant leadership styles. Resonant leaders attune to other people’s feelings and communicate emphatically to move their feelings in a positive direction, while dissonant leaders fail to recognize the feelings of the people they are dealing with and create negative emotions – anger, frustration, fear – in them. He has defined six leadership styles: four are resonant and two are dissonant. In my view, risk managers reflect these leadership styles, and a better understanding of them will help them in building relationships with business executives and within the team.

1.   Visionary style

According to Goleman, visionary leaders articulate the purpose that rings true for themselves, and attune to the values shared by the people they lead. This also initiates transparency by removing barriers and smokescreens within the organization. However, the downside is that visionary leaders sometimes sound pompous and overbearing.

In my view, when CROs and other risk management seniors adopt visionary leadership they facilitate business teams in seeing the bigger picture. The risk management functions are perceived negatively as they adopt a check box mentality and highlight small regulatory issues as major problems. They sometimes do not spend adequate time with business teams articulating how risk management will benefit them in achieving business objectives. Hence, business executives are resistant to suggestions, as they have limited idea on how their risk management ties up to the overall corporate mission, vision and strategy.

Here, the takeaway is that risk managers need to sell the bigger picture of risk management functions and trust the business teams to identify and mitigate risks. Understand the need of business teams to feel important that their work matters.

2.   Coaching style

Goleman states that the coaching style builds rapport and deep emotional relationships; however, most leaders tend to ignore it. It is a resonant style if done properly. When executed poorly, coaching looks like micromanaging or excessive control. He further adds that managers are inept at giving performance feedback that builds motivation and not fear and apathy. Hence, give coaching that makes the employee feel that it is in their best interest rather than feel manipulated and attacked.

According to me, this is the crux of the problem. Risk manager’s role – especially the compliance and governance – demands identifying weaknesses in business operations. Frequently, risk managers issue draft and final reports to senior management without really explaining the details to the middle and junior level executives. This causes anxiety and fear in business teams. 

Psychologically, mild anxiety results in attention and energy to the job; prolonged distress hampers work performance. Secondly, chronic anger, anxiety and sense of futility cause emotional hijacking. Considering this aspect, it isn’t surprising that in long-term audit or investigation assignments, the business teams are distressed. If risk managers do not provide periodic updates on their observations, the continuous anxiety results in negative reactions. Here regular coaching becomes essential.

Therefore, risk managers must attune themselves to the emotions created by their work and communications in the business teams. Give feedback in a way that doesn’t diminish the value of work being done by the business team, not in a manner where the person feels that s/he is the problem.

3.   Affiliative style

In Goleman’s view, affiliative style represents collaborative competence in action. This style is good for relationship building as it promotes harmony and friendly interactions. It allows a person to be kind along with being candid. However, the negatives of this style are that it can drive down performance if constructive feedback is not given or if used in a disaster scenario, the person may appear clueless.    

In my opinion, risk managers can use this style to build relationships with CEO, CXOs and Board. The risk managers are not getting a seat at the board level or do not have sufficient visibility with the CEO. Hence, a few organizations have a slipshod approach to risk management.

The messages given by senior management on risk management build the risk culture within the organization. According to Goleman’s study – “Roughly 50% to 70% of how employees perceive their organization’s climate can be traced to the actions of one person: the leader”. Hence, CEO’s actions and sentiments towards risk management get reflected throughout the organization. Therefore, relationship building is critical at this level for risk managers. Become a friend of the CXOs.

4.    Democratic style

Daniel Goleman says that democratic style is generally the most successful resonant leadership style. Leaders discuss issues, listen to others, take feedback and then make a collective decision. The advantage is that there is limited backlash for harsh decisions as it builds trust, respect and commitment. The disadvantage is that over-reliance on this approach results in endless meetings without firm direction.

My outlook is that auditors and compliance officials cannot adopt a democratic style for conducting an assignment, as it will hamper independence.

Nonetheless, democratic style should be adopted for recommendations and improvements in business. For example, if process re-engineering or additional controls are being suggested, it is useful to listen to business teams and discuss the solutions with them. The business teams are closest to the problems. Hence, the style benefits when risk managers perform advisory or consulting assignments. It is also a useful tool to understand the business executives’ concerns and anxiety points. Let the business teams take decisions about risk management and ownership for the same.

5.   Pace-setting style

Goleman says that in modern times pacesetters are thought of as good leaders since the leadership style adds to the bottom line in the short run. Pacesetters focus on performance and excellence. However, if the leader drives employees too hard, morale plummets. Pace setting only works when employees are self-motivated, highly competent and need little direction. Meeting high standards of excellence has a cost, as it is a task-focused and not a people-focused approach.

There are two key insights to be gathered from Goleman’s analysis. The first one is that if CEO and board are driven by quarterly results and showing good performance, in the long run the organization is likely to pay a huge price. Hence, CROs need to monitor this form of leadership and culture, and guide the senior management.

The second aspect is that the CROs and other risk managers need to ensure that they themselves do not become aggressive pacesetters in their functions. Sometimes the targets on number of reports, project timings, and quality of work become so critical that CROs ignore other aspects. In these situations, the star techie gets promoted who may not have adequate leadership and people management skills. Hence, there is burnout in the risk management team and conflicts with business teams. This is a dissonant style of leadership; hence, use it with care.

6.    Command style

The command style, though frequently used, is the most dissonant style as per Goleman. It is a coercive style, with “do it because I say so” being the message that makes employees feel threatened and intimidated. It is least effective, as an intimidating, cold leader contaminates everyone’s mood and the quality of the overall climate spirals down. Employees think of it as a reign of terror and so stop bringing bad news, as the bearer is killed. The upside is that in a crisis this style is effective.

A risk manager may claim that their role is recommendatory in nature and they do not have line authority over business teams. Hence, this kind of situation would not result from their actions.

On the contrary, if risk managers start playing political games and use their negative findings to downgrade a business executive’s career, the same results will ensue. Hence, they definitely have responsibility to ensure that their actions do not intimidate business teams or make them feel threatened.

However, if they are doing a million dollar fraud investigation or detecting a data theft situation, this style will work. It will reduce panic in the business teams since someone is in command and is showing direction.

Closing thoughts

As I read the book, one message was clear – risk managers need a range of leadership styles to be effective. Risk managers’ emotional intelligence determines their success and failure in building relationships with business executives. In Goleman’s words –

“The triad of self-awareness, self-management and empathy all come together in the final emotional intelligence ability: relationship management. Managing relationships skillfully boils down to handling other people’s emotions.”

Here is a clue. Psychologically, laughter is the easiest way to create positive emotions. So, risk managers, leave your serious, brow-furrowed look and smile.


Book: The New Leaders – Transforming the art of leadership into a science of results – Author Daniel Goleman

Report: Ascending the maturity curve – Effective management of enterprise risk and compliance – A report from the Economist Intelligence Unit, sponsored by SAP

Good to Great Risk Management

In the aftermath of the financial crises, it would seem fair to presume that risk management functions now have higher visibility, authority and influence. However, a recent report “Too good to fail” issued by Economist Intelligence Unit covering financial institutions and insurance companies shows contrary results. The report indicates that only one-half of the respondents say that risk management function has gained authority. The other half state it has remained the same or declined. Nearly 35% state poor communication between departments as one of the key barriers to risk management. Lastly, progress on revamping and strengthening risk management departments has slowed down. The graph below points out the problem areas:

[Graph: Too Big To Fail - A report by Economist Intelligence Unit]

This graph to me shows that risk managers didn’t properly leverage the lessons learnt from the economic crises and have failed to make a long-term improvement. Risk managers in financial institutions are the best of the breed and still failed to cut ice with business teams. While CFOs have entrenched themselves in the boardrooms, CROs still face a daunting road ahead. Hence, the most difficult question that most risk managers face today is – how to build a risk management function valued by board and business teams.

I was reading Jim Collins’ book “Good to Great” in which he has developed a framework for transforming good to great companies. I contemplated ways to apply the framework to risk management function. It was worthwhile exploring the idea and here are some of my thoughts on it. Hope you find them useful.

1.    Level 5 Leadership

The book mentions that at the time of transition of a company from good to great category, the CEO was a level 5 leader. Two main traits – personal humility plus professional will – identify a level 5 leader. The level 5 leader puts organization goals before personal agendas. In contrast the level 4 leader shows the big dog syndrome; an egocentric drive for personal greatness with the organization becoming a monument to their ego.

In my view, in most organizations risk management function is in a transition stage. It needs to make that big leap to become a primary business partner. To do so, CROs and other heads of risk management department need to become Level 5 leaders. Secondly, to be successful they need their seconds-in-command and/or successors to also have level 5 leadership skills. In short, replace the “I” with “We” to collaborate with business teams.

2.    First Who, Then What

Jim Collins has aptly summarized the importance of right people – “If we get right people on the bus, the right people on the right seats and the wrong people off the bus, then we will figure out how to make it someplace great”.

I think most of the risk management functions suffer because of lack of appropriately skilled resources. For example, in India risk managers are technically good but lack communication skills. In the EIU report, Neil Owen, regional director at Robert Half Financial Services Group, a recruitment consultancy, hit the nail on the head by saying – “A high-performing risk team will be made up of individuals with different strengths—both commercial and technical.”

 The message is clear, get the right skill set mix in the team and structure the department appropriately. Break the silos between different risk management functions to give accurate, timely and summarized information to business teams.

3.    Confront the Brutal Facts

Risk managers’ crib list is quite long. It goes – CEO doesn’t give us time, board ignores us, business teams don’t listen to us and on and on. The gist of it is risk managers are blaming everybody else and are not looking in the mirror for their own shortcomings. The irony is that while risk managers find shortcomings and problems in business, they are unable to see their own reality. The graph below depicts the barriers to risk management.

[Graph: from Too Good to Fail - A report by Economist Intelligence Unit]

Risk managers must initiate dialogue and debates to identify brutal facts without playing a blame game. As mentioned in the book, adopt “The Stockdale Paradox: Retain faith that you will prevail in the end, regardless of difficulties and at the same time confront the most brutal facts of your reality, whatever they might be.”

4.  Hedgehog Concept

In the next step Collins wrote – “The fox knows many things, but the hedgehog knows one big thing.” According to him, people with hedgehog traits “simplify a complex world into a single organizing idea, a basic principle or concept that unifies and guides everything.” He has further defined the hedgehog strategy as intersection of three circles – “what are you deeply passionate about, what drives your economic engine and what can you be the best in the world at.”

 In my view, this is the crucial bit where risk managers are missing the point. As the EIU report states, just 60% of the respondents have a clearly defined risk management strategy. Now these may or may not be addressing the strategic risks of the organization.

 Hence, risk management functions need to develop a hedgehog strategy with everything else falling in place around one simple idea. To give a clue, they are passionate about risk management, need to align the strategy to economic drivers of the business and identify the risks to ensure that the organization is best in the world in its area.

 5.    Culture of Discipline

Collins explained the culture of discipline using the analogy of an airline pilot. A pilot has freedom and responsibility within the framework of a highly developed system. Regardless of the information and guidance from ground control room, the pilot has the ultimate responsibility for the safety of the passengers.

 Developing a risk culture within the organization is similar. As Professor Board of Henley Business School stated in the EIU report – “The business should be in a position where it’s not taking gratuitous risks and doesn’t want to do so. Ideally, there should be an autonomous, risk-aware culture in the business that requires only limited intervention from the risk function.”

I have said before and am repeating it again, building a risk aware culture within the organization is of paramount importance. Risk managers need to train business teams to have the discipline to formally identify risks for each decision and mitigate the same. If it is outside business teams’ experience or bandwidth, the risk managers must hand-hold the teams.

 6.    Technology Accelerators

I really appreciate Collins’ insight on use of technology in organizations. He summarized it as follows – “How a company reacts to technological change is a good indicator of its inner drive for greatness versus mediocrity. Great companies respond with thoughtfulness and creativity, driven by a compulsion to turn unrealized potential into results, mediocre companies react and lurch about, motivated by fear of being left behind.”

 On the other hand, the EIU report states the following – “Despite this continuing investment in data and IT, the problems are far from being addressed. Most institutions have a patchwork of systems, often as a legacy of mergers and acquisitions, which are incompatible with each other.”

The CRO’s problem is clearly identified – with multiple platforms and systems it is hard to get accurate data to identify risks in a timely manner. The alternative is that CROs invest in risk management software and systems that facilitate identifying and managing risks. Some CROs are still slow in investing in technology and this mindset needs to be changed.

 Closing thoughts

Collins captured the transformation of good to great companies in the following words –

“No matter how dramatic the end result, the good-to-great transformations never happened in one fell swoop. There was no single defining action, no grand program, no one killer innovation, no solitary lucky break, no wrenching revolution. Good to great comes about by cumulative process – step by step, action by action, decision by decision, turn by turn of the flywheel – that adds up to sustained and spectacular results.”

In one line, risk managers need to adopt this motto to transform risk management function from good to great.


  1. Report – Too good to fail? New challenges for risk management in financial services A report from the Economist Intelligence Unit
  2. Book: Good to Great – Author Jim Collins

CEO’s Day Out With Risk Managers

CEO’s responsibility for risk management has increased after the financial crises. Risk managers wish that they could read a CEO’s thoughts when they have meetings to do a better job. The big question is – What is really going on in a CEO’s mind?

Here is some telepathy from a CEO on his day scheduled to meet his risk management teams.

9 a.m.: Head of Internal Audit

This is going to be a long day. Let me understand what internal audit team has done the past month. After having three meetings with them I still don’t have the hang of things.

They carry on talking of ERM, ISO 31000, COSO, GRC and a number of other jargons. I don’t have the slightest idea how these will help meet the strategic objectives of the company.

Last time I asked a simple question – “is the organization SOX compliant?” I received a long explanation of the “C” of GRC standing for compliance or internal audit. How do I give a damn? Why can’t they respond with a simple yes or no?

Let it be, the regulators are not knocking at the door, so the team must have taken care of it. The CFO can deal with them.

11 a.m.: Head of Fraud

Oh no, whenever I see this man’s face I break into a cold sweat. He is always delivering one piece of bad news after another. I can’t take this anymore.

Maybe, I will put his beautiful deputy as the head of the department; at least my heart will race for the right reasons. Stop! That deputy is head of the recently formed sexual harassment committee. My fate will be worse than Mark’s. Poor chap. One small indiscretion and the whole roof crashes. CEOs are not God, why don’t they get it?

I hope this man has everything in control. I hate that competitor’s CEO, but didn’t wish that massive fraud on him. The market price of his company went down by 10% in 5 days and he is not going to meet his targets this year. If something like this occurs here, what will happen to my bonus and stock options?

1 p.m.: Lunch with Physical Security team

It is nice to have lunch with an energetic team. With terrorism and crime increasing, each organization needs these men.

Hey, wait a minute, why are they describing the gruesome details of the recent terrorist attack at lunch? How can they talk about bombs, blood and food in the same breath? When that man was eating the strawberry, I for a minute thought he was swallowing raw liver. Something is wrong with their psyche. Can’t say that to them. I am in my 50’s.

Never mind, they keep the offices and premises secure. Better pat them on the back for doing a good job.

2.30 p.m.: Head of Business Ethics

Hold on, I got distracted there. What is he saying? He has turned vegan and now he wants me to issue some orders about the non-vegetarian food served in the canteen.  Aha, something about animal fat oil used to cook vegetarian food.  I don’t even know the name of the oil used at my home and he expects me to worry about office canteen food!

What is wrong with this man? Next, he will be talking about having morning prayers in office.

3.30 p.m.: Head of Information Security  

I wonder if his team is reading my mails. Last week when I passed his two confidantes, they were sniggering. That fiasco occurred the same day. Maybe I should get some external consultants to check it. What is the use? The systems are in these guys’ hands, they will again revert to reading my mails. I just hope they don’t leak out confidential information to competitors or have someone hack the systems. With the hackers targeting all big companies, I can’t stop worrying.

4.30 p.m.: Chief Risk Officer

Welcome, the master of them all! Last week when I crossed him in the corridors, he didn’t wish me. Nowadays he has a frozen look on his face. Completely expressionless! Maybe dealing with all the bad news is getting to him.

No, wait a minute, why does he have a condescending look on his face? Maybe I have got this wrong. Previously he used to bow in respect, treat me like God. Now he ignores me. Oh, he knows more about what is wrong with the company than I do. I am dependent on him and he gets that. I can’t even fire him without board permission.

I will have to figure out how to set him right.

5.30 p.m.: Day-end

Thank God, the day is over. I still haven’t figured out how to deal with the Board’s Risk Management Committee. Last month I could pull off the excuse that my throat was bad due to flu and didn’t say much. These risk managers did all the talking. What do I do this month?

If Vikram had managed Citi better, I wouldn’t have to swallow this bitter pill every month. Now CEOs are responsible for risk management and Vikram takes away a cool $200 million payout for all the trouble he has caused us.

What an odd bunch to deal with. At least they are off my back for 30 days. I will just keep my fingers crossed that nothing goes wrong meanwhile.

I need a couple of drinks tonight.

Creativity @ Risk

With the world singing paeans to Steve Jobs, Mark Zuckerberg and Larry Page, we presume that people appreciate individuals with creative ideas. CEOs who made it big through their creative thinking are glamorized. Hence, a perception has formed that organizations reward innovative thinkers.

This myth was broken by a study conducted by Jennifer S. Mueller, Jack A. Goncalo and Dishan Kamdar. Their research paper, titled “Recognizing creative leadership: Can creative idea expression negatively relate to perceptions of leadership potential?”, states, “the expression of creative ideas may diminish judgments of leadership potential unless the charismatic leadership prototype is activated in the minds of social perceivers”. This indicates that people prefer leaders who follow the status quo and provide useful solutions. People choose a creative thinker as a leader only when they are asked to select a charismatic leader.

Hence, creativity is at risk unless organizations specially focus on valuing innovative thinkers as leadership potential. A Business Week article reports that, due to increasing complexity in business and globalization, CEOs want creative thinkers. “According to a new survey of 1,500 chief executives conducted by IBM’s Institute for Business Value, CEOs identify “creativity” as the most important leadership competency for the successful enterprise of the future.” CEOs value employees who disrupt the status quo, existing business models and organizational paralysis. However, according to Jennifer Mueller’s study, creative thinkers may not be considered good leadership potential, as employees view them as quirky, weird, non-conformists.

Therefore, in the current economic environment the organizational risk is huge if the organization culture doesn’t promote creative thinkers into leadership roles. For example, the Business Week article mentions “CEOs say one-fifth of the revenues will have to come from new sources.” Hence, loss of revenue due to lack of creative thinkers in an organization can be significant. In my view, most risk managers haven’t considered this risk. Interestingly, this is an upside risk that, if addressed, can yield significant benefits to the organization. So the question is: how does a risk manager check creativity levels in the organization?

Before risk managers collectively say that I am being weird and it is not a risk manager’s job to check creative thinking in the organization, here are some of my CREATIVE ideas on ways to do it.

1.   Culture

With management rhetoric on innovation on public platforms, one can mistakenly believe that the organization culture supports creative thinking. However, as Jennifer Mueller points out – “By definition, people will say creativity is positive. It is almost impossible to get people to say they don’t want creativity. But when someone actually voices a creative idea, there is a response of, ‘Wow — What is that?’ This issue really comes to life at the moment the idea is voiced. There is discomfort when people encounter creativity.”

Hence, the DNA of the organization should encompass creative thinking. As Jack Anderson and his team state in the paper “Developing Systemic Innovation in an IT Organization”: “The systemic innovation initiative allows us to manage innovation as a culture in the same way that we manage quality and safety.”

Therefore, risk managers should check whether the organization culture is merely paying lip service to creativity or whether creativity is ingrained in the psychology and attitudes of the employees.

2.   Reward

The key point brought out by Jennifer Mueller is that people do not perceive creative thinkers to have leadership potential. Therefore, they miss the career path. She mentions – “The fact is, some people are selected for a leadership [track], while others are not. So companies need to think about this issue, and their performance appraisal systems should be changed accordingly. Managers need help in understanding what stereotypes they might have in their minds and how to overcome them.”

Hence, the performance appraisal system should be built to recognize the creative thinkers and reward them appropriately. For example, when I was working at Intel, the organization recognized employees who contributed to innovation, even if the business idea or product was not viable or usable by Intel.

Risk managers need to do a quick assessment of the performance appraisal system to evaluate whether the organization has a process for rewarding creative thinkers. Secondly, they should analyze the number of promotions of creative thinkers relative to total promotions. The ratios will reflect whether any bias exists against promoting creative thinkers to leadership positions.

3.   Engagement

The tone at the top matters for ensuring commitment to creative thinking. Jack Anderson mentions that at Intel – “Managers play a key role in enabling an environment that supports innovative behavior. We engaged senior managers and employees as innovation champions, allocated adequate budget for the initiative, and set up a management-based steering committee for innovation and research.” I remember that in my business group at Intel, senior management allocated 1 hour every month of their weekly meetings for juniors to present new ideas. They would evaluate the idea and, if it was useful, give the go-ahead to the team to submit a concept note.

Risk managers can check the existence and working of management committees dedicated to the task of nurturing creative thinking within the organization. Secondly, they can analyze the time committed by senior managers to mentoring creative thinkers.

4.    Agents

Management appoints agents or champions to transmit the creative thinking message across the organization. Agents are responsible for the transformation. Agents develop strategy for, implement, monitor and measure the creative thinking initiative within their business unit. At Intel, in a business unit, there were innovation sponsors and agents who acted as contact points for the business unit staff. They aligned the global process with the business unit and provided regular guidance to the team.

Risk managers must check the process of delivering the creative thinking message to employees lower down the ladder. If agents are appointed, risk managers need to check their role, performance and effectiveness.

5.    Training

Sometimes we believe that creative thinkers are born or that it is a mindset. However, creative thinking can be taught to all. Organizations have commenced creative thinking classes that provide basic training on how to do it and merge it into the daily working environment. For example, in a recent Businessweek article, Chief Technology Officer Ananth Krishnan of Tata Consulting Services (TCS) says – “TCS has made innovation a component of training programs, from its leadership institute, to which 50 senior managers are sent every year, to its four-day “Technovator” workshop, at which its programmers are taught to think creatively.”

Risk managers should review the training strategy for creative thinking, then check the delivery, coverage and content of the training. Review training feedback forms and performance evaluation forms if available. This will help in measuring the effectiveness of training.

6.    Investment

Investment means budgets allocated for tools, technology, training and processes to make creative thinking mainstream in the organization. As TCS Chief Technology Officer Ananth Krishnan says – “If I come up with an innovation, whether it’s an incremental or a disruptive idea, I need to know whom to go to with it, and there needs to be an organizational process for moving it forward.” TCS launched IdeaMax, a Digg-like social network that allows employees to submit, comment and vote on ideas. They are applying collective intelligence techniques for harnessing creative ideas.

Risk managers must review the budgets to ensure that the organization allocates appropriate amounts and uses them correctly.

7.    Value

Organizations invest in creative thinking to get business value. Business value can be assessed by calculating the amount of cost savings and revenue generated from creative ideas. New ideas, innovations and process changes result in new/modified products, patents and business models, which add to the profitability of the organization.

A cost-benefit analysis of investing in creative thinking helps to determine the success of the initiative. Risk managers can either prepare or review the cost-benefit analysis of creative thinking to assess the business value derived from the program.

8.    Evaluation

A periodic evaluation of the program is a must to measure its effectiveness; otherwise one is moving without a compass. The creative thinking initiative can be evaluated by conducting an organization survey to take employee feedback. The purpose is to measure change in behaviors. Another aspect to look at is the key performance indicators. Some key performance indicators are number of rewards and recognitions, number of people trained in creative thinking, number of new ideas, etc.

Risk managers need to verify the results of the organization survey and review key performance indicators to evaluate the success of the program.


In my view, neither size nor good reputation ensures success unless the organization has a competitive edge. Innovation is the key component for the ongoing prosperity of a company. Hence, most organizations need creative thinkers. To hire and retain creative thinkers, organizations must promote them to visible leadership positions. In short, organizations require a culture that encourages creative thinking. Risk managers can contribute by periodically assessing organization commitment to creative thinking and value received from the investment. To end:

“Go round asking a lot of dam fool questions and taking chances, only through curiosity can we discover opportunities, and only by gambling can we take advantage of them” – Clarence Birdseye


  1. Recognizing creative leadership: Can creative idea expression negatively relate to perceptions of leadership potential? By Jennifer S. Mueller, Jack A. Goncalo and Dishan Kamdar
  2. What Chief Executives Really Want- IBM Study
  3. How to Build a Culture of Innovation- TCS- Bloomberg Businessweek
  4. Developing Systemic Innovation in an IT Organization – by Jack Anderson, Luis Gimenez, Deanna Nunley, and Esther Baldwin, Intel Corporation