Every so often, something bad happens to an organization and people say that risk management, perhaps governance, failed.
Let’s examine that, with special attention to a recent blog post by my friend, Richard Chambers, President and CEO of the Institute of Internal Auditors: When Boards Are Surprised, Who’s At Fault?
If you go to a casino and play roulette, you are taking risk.
You bet on even and it turns up odd.
Are you surprised? You shouldn’t be. At a European (single-zero) casino, there is only a 48.65% likelihood that you will win. (In the US, with a double-zero wheel, it is 47.37%.)
You are not surprised because you know there is less than an even chance you will win.
When the CFO presents his forecast for the quarter or year, there is no certainty that it will be achieved. It’s his or her best, hopefully educated, guess based on projections from the management team.
If I was on the board and the CFO presented that forecast to me, I would ask for his or her assessment of the likelihood of achieving that forecast. Is it 90%, 80%, or something else?
If the company fails to hit the target, the forecast of the CFO, should I be surprised?
There was a solid likelihood (perhaps 20% or more) that it would not be achieved.
Maybe I am surprised, but I should not be shocked and I should think twice before blaming the CFO for a poor forecast.
If the CRO, on behalf of the senior management team, reports to the board that a source of risk is within the desired range (perhaps saying it is within the risk appetite), there is no certainty that there won’t be an event with an unacceptable effect.
The board should know (but often does not) that there is a, say, 20% chance of an event that would be significant in its damage to the organization.
So, just because the board is surprised doesn’t mean they should be surprised! Maybe risk management and earnings forecasts were reasonable and justified. They just didn’t work out. That 20% possibility happened.
Maybe they are surprised, but if a reasonable process was followed that resulted in an estimate of 20%, then they should not be shocked and they shouldn’t blame management for a failure of risk management.
The key question is whether a reasonable process was followed.
Risk management and the estimate of the likelihood of a significant effect are not like looking into a crystal ball and predicting the future with certainty. (Note: I didn’t say the likelihood of an event; I said the likelihood of the effect. An event can have a wide range of possible effects; what we are concerned with is when it occurs with an effect of a certain magnitude.)
Let’s assume that a reasonable process was followed and management knew of a possibility but didn’t inform the board. Ideally, the board has established when it requires management to bring potential issues to its attention.
- They may have told management to inform them if management at any point determines that, taking all the things that might happen into account, the likelihood of achieving an objective falls below aa% (my version of risk appetite). Management would not only have to inform them of that assessment, but what leads them to it – what possibilities (aka risks) underlie the assessment.
- The board may also have identified the threshold for specific sources of risk, where if the likelihood of an effect that is greater than $xx is more than yy%, they will be informed.
In either of those cases, neither the board’s governance activity nor the risk management process failed (perhaps the reporting aspect of risk management failed). Management failed.
I would blame the CEO and maybe the CRO for that failure.
If the risk management process did not identify the possibility of the effect at all, then the question is whether it was reasonable to expect that it would identify it. Risk management is not perfect. Would a reasonable person believe it should have been identified?
If so, then I blame the CEO and maybe the CRO. If not, that’s just bad luck and nobody is to blame.
If the surprise was clearly the failure to have effective risk management processes, then the CEO is to blame (first) and then the CRO. But the board and internal audit may also be to blame.
- The board for not challenging management until risk management might be considered effective, and
- Internal audit for not performing the work necessary to identify the situation – unless the ERM program was effective at the time of their assessment and changes since then have resulted in it failing today.
The bottom line is that s*** happens and it’s not always somebody’s fault.
I welcome your comments.
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.