
Recently, I have been talking to the CRO of an organization about helping her, her team, executive management, and the board develop more mature and effective risk management practices.
We have been planning a visit where I would talk to each of the above in separate sessions.
Perhaps the most important is a two-hour meeting with the board. The CRO and I had planned for me to share with them some of the principles of effective risk management, based on what is considered world-class (and discussed here), and the governance of risk management by the board.
I was distressed when the CRO relayed to me a request by the chairman of the board.
He wanted me to include, in that same two-hour slot, a discussion of eight sources of ‘geopolitical’ risk. These are all issues of local rather than broader significance and effect. (For example, one was the liquidity of the local government and its ability to provide citizens with essential services; another was the incidence of crime in the region.)
Let’s leave aside the point that I am most definitely not the best person to discuss these local issues (I live thousands of miles away) and their potential effect on the organization.
Let’s focus instead on the point that the chairman wants to spend a lot (perhaps most) of the time talking about eight sources of risk.
Here are some principles for effective oversight of risk management by the board (IMHO):
- The board needs to have confidence that it can rely on the management team to understand everything of significance (within reason) that might happen (a.k.a. risk) as it works to achieve the objectives of the organization, including the likelihood of each potential event or situation and how it would affect the likelihood of success. (Note: there would be a range of potential effects.)
- The board also needs to have confidence that management will take appropriate action if and when the likelihood of achieving objectives falls below acceptable levels. (Note: this is a far better yardstick than a quantified risk appetite statement.)
- The board needs assurance that the management team is considering what might happen, including what might happen for each option, when it makes both strategic and tactical decisions. These would include decisions around budgeting, capital allocation, project management, and more.
- The board needs assurance that the management team is not taking unnecessary and/or inappropriate risks in an effort to achieve goals. In particular, the board needs assurance that the achievement of personal goals (such as bonuses and promotions) is not given priority over the long-term success of the organization. (Note: some might refer to so-called risk culture.)
- The board needs assurance that both the management team and the board can rely on the information they use to make decisions.
- The board also needs assurance that management at all levels is receiving sufficient guidance so that they are taking risks consistent with the desires of executive management and the board.
- The board needs assurance that performance management, planning, and related activities appropriately consider what might happen, its likelihood, and potential effects.
- The board also needs to have confidence in the quality of the assistance provided to management by the risk function.
- Finally, the board needs to know that an appropriate consideration of what might happen is an essential part of strategy and objectives development.
- The first nine principles are essential for continuing reliance by the board on management to run the organization with their eyes and heads toward the future (what might happen). The level of discussion of specific sources of risk should depend on how much confidence the board has in management. If management is highly capable, discussions may be short. But if there is little assurance that management is able to understand what might happen (or, risk), then the board should be much more active and assertive in its review of how management addresses specific sources of significant risk to the organization.
The ten points above are very different from what I have seen from any consultant. They tend to guide boards to discussions of the risks of the day rather than the possibility that management is not managing risk (what might happen) as part of its day-to-day running of the organization.
Managing a list of risks is not risk management.
Continuously anticipating what might happen so you make informed and intelligent strategic and tactical decisions that will help you achieve enterprise objectives is risk management.
The periodic discussion by the board of a few significant sources of risk is not risk governance or oversight.
Obtaining assurance that management is effectively managing risk (what might happen) and making informed and intelligent decisions every day, combined with hearing from management on the more significant risks, is risk governance.
I welcome your comments. Do you like or dislike my ten principles? How would you improve them?