Board members weigh in on effective risk management
An organization’s risk culture is crucial to its approach to risk management. It’s the foundation on which risk decision-making is based, regardless of any “official” risk management practices. Creating a strong risk culture does not happen overnight — from screening potential executive hires for their “fit” with the organization’s risk culture to coaching executives on the importance of risk-based decision-making, it’s an ongoing process.
Our research has shown that effective risk management starts at the very top, with proper oversight and accountability at the executive and board levels. Although the board doesn’t handle the day-to-day running of the business, it does have a responsibility to ensure that management’s actions are consistent with the corporate strategy, and reflect the culture of the business and what it represents. In turn, the management team must set the tone for the rest of the organization through its own approach to risk management, and through consistent messaging to employees regarding everyone’s risk management responsibilities in their day-to-day activities.
Directors agreed that, to make this happen, the organization must avoid the “siloed” approach to risk management in favour of cultivating a culture of openness, trust and collaboration at all levels. What and how the board, CEO and other leaders communicate is a true indicator of their organization’s values. They must earn and maintain the trust of both internal and external stakeholders by fostering a risk-aware, “no surprises” culture that is characterized by timely, clear, transparent communication of the risks that matter — throughout the organization as well as between senior management and the board.
During our discussions, some directors in certain sectors voiced the opinion that their organization’s tone is often too focused on complete risk elimination. This mindset stands in stark contrast to the entrepreneurial spirit that is needed for growth. While management is paid to effectively handle an organization’s risk, it is also rewarded for taking well-calculated risks that create value. It is the board’s role to thoroughly evaluate the opportunities brought forward by management, and gauge the associated risks.
Directors are expected to achieve a certain balance — they must “do their homework” and be close enough to each other and to the business to understand and analyze its risks, while still maintaining enough distance to be effective. Given their critical role as challengers and assessors of how executives are performing in managing risk, directors shouldn’t get too cozy. Some directors expressed frustration that key discussions around the management of risks are often deferred to “off the table” conversations. This congeniality can detract from the type of frank conversations that are required on matters that are fundamental to the organization’s strategic direction.
Relevant performance and risk indicators should be reported consistently through standardized self-assessment and reporting tools. Keep in mind, however, that the CEO may tend to convey the risk culture that he or she wants to project to the board — which may or may not reflect reality.
Some directors shared that, in order to get deeper insight, they often invite senior professionals from various areas of the business to present firsthand to the board rather than relying solely on the C-suite to relay high-level information. Others suggested monitoring the organization’s engagement scores and independently surveying senior leadership in order to get a more unfiltered sense of the risk culture.
Early identification of potential problems maximizes the options available to address them. Volatility is increasing with the frequency and magnitude of disruptive events, and with changes in the competitive or operating environment that could introduce emerging risks. Having the right risk culture is crucial for organizations to move with the speed and agility required to react effectively.