Frank discussions are a must
While the board is ultimately responsible for risk governance, sound risk management calls for close partnership between the board and management. Frank discussions may be needed to clarify the role of risk taking in organizational strategy and performance, the role of the executive team in risk management, and the role of the board in risk governance and oversight.
Questions the board should pose to management to begin discussions:
- What are the key risks now posed to implementation of our strategies and achievement of our goals?
- How would you characterize our organization’s approach to risk? Are we taking enough of the right risks? How do we know?
- How does our organization balance compliance-driven activities with performance-driven risk management?
- How can we develop a more integrated and holistic view of all the risks to our organization?
- What have we done to make our organization risk-resilient, meaning resilient both to major risk events and to disruptors such as new technologies and competitors?
How boards and executive teams communicate about risk, among themselves and through the ranks, determines much of the organization's approach to risk. Googling for solutions will not help: the search term "risk management" returns some 246,000,000 results in 0.99 seconds.
Leaders who have been focused on risk management primarily as compliance typically need to examine and discuss the broader risk picture. Those who have already begun those discussions often face a different dilemma, in which every issue and problem is categorized as a risk, making it difficult to set priorities.
The real priority, however, is not risk management for its own sake but risk management as an enabler of growth and profitability. In that light, risk management – and risk governance by the board – either enhances or hampers performance. Risk-resilience results from leaders’ ability to develop, adopt, deploy and integrate risk management methods that enable performance, even amid the disruption that risk and innovation can create.
These needs now apply to all organizations. Companies that traditionally saw little need to leverage opportunities and manage risks now face disruptive competitors they never saw coming. These competitors often emerge from nowhere, seemingly growing overnight from zero to billions of dollars in market capitalization. Seven start-ups on CNBC's Disruptor 50 list raised a combined total of more than $25 billion from over 400 investors and enjoy a market valuation of about $120 billion, according to PitchBook.
To ready their organizations to take acceptable risks, leaders must view risk broadly and holistically and align risk taking and risk management with their business strategy. This alignment should protect the organization from known risks while leveraging risk management skills, capabilities and practices to enhance performance. This method calls for identifying and monitoring current and emerging risks, as well as those that could undermine longer-term drivers of performance. It also calls for an integrated approach to risk.
How are companies doing in these areas? By their own estimation, not too well, according to Grant Thornton LLP's Governance, Risk, and Compliance Survey. Some 43% of respondents described their governance, risk and compliance (GRC) activities as ad hoc, or as fragmented and siloed. A mere 7% characterized their GRC as value adding and integrated.
How can organizations do a better job of developing an integrated view of risk, which both plans for known risks and can accommodate those yet to come?
The answer begins with the board.
Gearing up risk governance
Boards are accountable for the governance of enterprise risk, and can exercise that accountability effectively only when they have a coherent picture of major risks across the entire organization. But as our survey indicated, views of risk, and risk management itself, are siloed. As a result, risk-related information comes to the board piecemeal and fragmented, based on different models and narrowly defined risks (compliance, legal, operations, cyber and so on), because those managing these functions focus only on the risks they see as related to their own area.
Each function also typically speaks its own language of risk. Compliance speaks in terms of regulatory interventions, legal in terms of violations and exposures, cyber in terms of breaches and vulnerabilities. These different risk "dialects" make it difficult for boards and executive teams to recognize, reconcile, prioritize and plan for the full range of risks across the organization.
To deepen and broaden the conversation around risk, the board must push management to develop an integrated approach to risk across the enterprise. Here are potential steps toward that goal, from the board's perspective:
- Clearly articulate information needs. The issue is not a lack of information but too much of it. Even the most dedicated directors lack the time to wade through and interpret reams of data. Boards need to tell business leaders what information they need to properly govern and oversee risk: the likelihood and impact of actual risks, expressed in a common risk language. Progressive organizations are using artificial intelligence and machine learning to make their risk identification more predictive, and then applying the principles of cognitive computing to present that information in a "business user" format.
- Develop the capability to view risk across functional barriers. To gain a holistic view of risk to the overall business, boards need visibility across business units. This means that the risks must “roll up” to an integrated picture in which threats to the drivers of performance in various areas become clear. With a clear view of all risks across the organization and with those "dialects" translated into a common risk language, the board can compare apples to apples and prioritize risks and likely scenarios.
- Encourage businesses to see and work beyond individual silos. Increasingly, the relationships and interdependencies among risks across functions must be understood from an enterprise perspective. Risk does not respect functional boundaries, and should therefore be managed in an integrated manner. Modeling and scenario planning enable management and the board to gauge the knock-on effects of a risk event in one area on other areas within the organization – and to develop risk-resilient responses.
- Link risk taking to performance. Conflating risk management with compliance can stifle innovation and growth, a situation that highly regulated industries may face. In our post-Sarbanes-Oxley, post-financial-crisis era, boards should not mistake compliance for risk management. Instead, they should encourage the executive team to identify and manage strategic risks so as to achieve growth and profitability while protecting value.
A risk-resilient organization embraces risk as essential to innovation and performance, not as something to be avoided and contained at all costs. The perspective should be forward-looking and anticipatory, aimed at identifying and managing new forms of risk rather than looking in the rear-view mirror and fighting the last risk "war." Risk-resilience positions the organization to perform the critical functions required for survival amid slow-motion disruption as well as a sudden risk event. The board's plans and actions may need to withstand a good deal of scrutiny, so it is wise to document a state-of-the-art risk management process.
Board and management communications about risk must be ongoing. The conversation is never over, nor can it be isolated, because risk permeates every business activity and initiative, and the board must continue to challenge management and remain engaged to fulfill its risk-related responsibilities.