November 20, 2015
Risk governance varies radically across industries and organizations because a one-size-fits-all approach simply does not exist. There are, however, five interrelated principles that underlie effective risk management within all organizations in both good times and bad: integrity in the discipline of risk management, constructive board engagement, effective risk positioning, strong risk culture, and appropriate incentives.
Integrity in the Discipline of Risk Management
Integrity in the discipline of risk management means having a firm grasp of business realities and disruptive market forces. It also means engaging in straight talk with the board and within executive management about the related risks in achieving the organization’s objectives and the capabilities needed to reduce those risks to an acceptable level.
Integrity in the discipline is tied to strong tone at the top. If tone at the top is lacking, the executive team is not likely paying attention to the warning signs.
Consider the following common examples of integrity failures:
Hoping that risks are managed sufficiently while knowing that business realities are not actively monitored, that risk is not really understood, that tolerance levels are not set, and that risk management is addressed solely to meet regulatory guidelines is a clear indicator that integrity in the discipline is lacking.
Constructive Board Engagement
Effective risk oversight by the board begins with defining the role of the full board and its standing committees with regard to the oversight process and working with management to understand and agree on the types of risk information the board requires. Directors need to understand the company’s key drivers of success, assess the risks in the strategy, and encourage a dynamic dialogue with management regarding strategic assumptions and critical risks.
The scope of the board’s risk oversight should consider whether the company’s risk management system—the people and processes—is appropriate and has sufficient resources. The board should pay attention to the potential risks in the company’s culture and monitor critical alignments in the organization: strategy, risk, controls, compliance, incentives, and people. Finally, the board should consider emerging and interrelated risks.
Effective Risk Positioning
The expectations of the board and executive management for the chief risk officer (CRO) and the risk management function must be carefully considered and, given those expectations, the function positioned for success. To this end, six key success factors, taken together, constitute a significant step toward a successful and effective risk management function.
Taking one or more of these elements away should send up a red flag indicating that the risk management function may be unable to fulfill its expected role and lacks real authority or influence. Depending on the expectations, the function may be set up to fail.
Strong Risk Culture
An actionable risk culture helps to balance the inevitable tension between creating enterprise value through the strategy and driving performance on the one hand, and protecting enterprise value through risk appetite and managing risk on the other. While risk culture has gained relevance in financial services institutions since the global financial crisis, the decision-making that preceded reputation-damaging risk events in other industries, and the lack of readiness to respond when those events occurred, have made risk culture a topic of interest there as well.
Culture is influenced by many factors. In addition to tone at the top and the quality of the board’s risk discussions, other factors include:
Incentives that encourage risk awareness help shape risk culture, as discussed below.
Appropriate Incentives
Performance and talent management should encourage and reinforce maintenance of the organization’s desired risk behavior. The old saying “What gets rewarded, gets done” is as true of risk management as it is of any other business process. Disconnects in the organization’s compensation structure and an excessive near-term focus can lead to the wrong behaviors, neutralizing otherwise effective oversight by the board, the CRO and other executives.
For example, if lending officers are compensated based on loan volumes and speed of lending without regard for asset quality, reasonable underwriting standards and process excellence, the financial institution may be encouraging the officers to game the system to drive up their compensation, exposing the company to unacceptable credit risk.
This principle requires more than focusing on C-suite executive compensation and upper management. Equally important is an understanding of the incentive plans driving behavior in the sales force and on the “factory floor” where production takes place, as this is where the individual “moments of truth” occur that add, subtract or neutralize the buildup of risk within the organization’s processes, each and every day.
Questions for Boards
The following are some suggested questions that boards of directors may consider, based on the risks inherent in the entity’s operations:
Jim DeLoach is a managing director with Protiviti (www.protiviti.com), a global consulting firm.