Hindsight: the ability to understand an event or situation only after it has happened. Is risk management still too reactive and driven by hindsight only in many organizations today? Too often excuses are made for the failure to fully implement and support a robust and effective enterprise approach to managing risk. A light on the hill is needed to describe the desired future state and gain board and management support for the necessary investment and change program. This article seeks to highlight how firms or organizations can aspire to, and look for, greatness in establishing embedded Enterprise Risk Management practices.
Jim Collins, American author, and business consultant, best known for his book Good to Great stated that “Greatness is not a function of circumstance. Greatness, it turns out, is largely a matter of conscious choice and discipline.” Success in enterprise risk management is likewise driven by choice and discipline. Unfortunately for many firms and organizations, this greatness eludes them. In others, even getting to good can seem an insurmountable hurdle. Risk management initiatives and investments are frequently only committed when something goes wrong.
Board members, Chief Executive Officers, Chief Risk Officers, risk managers, and other business leaders should frequently talk about the positive features and attributes in the management of risk they aspire to. Achieving a sustained state of embedded enterprise risk management practices (an ‘ERM approach’) enables organizations to survive and thrive in the short-, medium-, and longer-term.
1. Board & Executive Ownership
It all starts at the top. An organization’s efforts to develop and implement an ERM approach, promote the benefits of sound risk management, and strive to establish a proactive risk culture will fail without clear direction and leadership from the board. At every juncture, the board and executive team need to demonstrate an unswerving commitment to the management of risk. This is not necessarily being risk-averse – more ensuring that risk-taking is transparently assessed, measured, and understood. The most diligent and well-meaning Chief Risk Officer needs the mandate, endorsement, and ongoing support of the board and members of the executive team.
The board also needs to carefully design the governance of risk across the firm or organization. Whilst the board will delegate key risk management activities, duties, and responsibilities under its delegations’ framework, it will always remain responsible for risk management. High-performing organizations will regularly review the governance of risk management. This will include the board or its risk management subcommittee regularly seeking objective and independent assessments on its own effectiveness – i.e. how well it is doing its job.
Directors need to devote sufficient time at board and committee meetings to understanding the business’ risk profile, challenging management on risk assessments, positively supporting good risk outcomes, and seeking to help the organization understand what went wrong (when it invariably does). A well-designed and implemented ERM approach will in turn engage the board and executive team members and support the achievement of the desired risk outcomes.
For smaller organizations without a Chief Risk Officer, the board and executives will identify who the most senior risk manager is in the organization and regularly engage with them. They know that a once-a-year discussion with this senior risk manager does not cut it.
2. Clear Governance, Frameworks, and Objectives
Solid foundations must be in place for any approach to risk management to be effective. A fit-for-purpose and up-to-date suite of enterprise risk management framework documentation is essential. The governance and frameworks should be well understood by all key stakeholders – board or risk management committee members, the executive leadership team, and key business owners.
Best practice will see all elements of the framework (or strategy) reviewed annually with consideration given to the adequacy of:
- The governance of risk across the organization, including an outline of the roles and responsibilities
- Key processes for risk identification; risk measurement and assessment; and risk mitigation
- Risk monitoring, reporting, and escalation
Beyond risk management frameworks, clarity around the organizational structure and roles and responsibilities, more generally, is important. Often, role summaries are outdated, and the organization’s intranet does not have the current business structure posted. A small investment by the people or human resources department in ensuring these are always up to date can significantly improve risk outcomes.
3. Full Risk Engagement in Strategic and Business Planning
Too frequently, risk managers are left to retrofit risk assessments and risk management practices to investments or business initiatives after they are made. Decisions can sometimes be made or endorsed without a detailed, objective assessment of the risk implications. High-performing organizations seek to actively engage risk managers during the ideation, business case development, approval, and execution stages.
Experienced Chief Risk Officers and risk managers can provide guidance and insights early in the strategic planning process. Sometimes this can simply be a ‘no need to involve us yet’ but ‘keep us updated’ on the initiative. Risk management engagement too early can be an inefficient use of the organization’s scarce risk resources; risk teams everywhere are usually stretched resources-wise. Too late, however, and critical risk considerations may have been overlooked or dismissed without fuller analysis.
Often, the depth of understanding that risk management teams have on the intimate workings of an organization can provide different insights into a range of strategic issues. Customer pain points and the reasons for unexpected customer attrition may also be well understood by risk managers. Second-line assurance activities can provide detailed insights into matters from an independent analysis of items such as customer complaints.
Risk management teams are often responsible for regulatory and compliance matters. This activity can also provide insights into the regulatory landscape and upcoming regulatory changes – both positive and negative. It is critical to feed these insights into the strategic planning process. Risk management functions that are regularly scanning the landscape for new and emerging risks frequently provide support in development of new business strategies.
4. A Well-Funded and Resourced Risk Management Function
How does an organization determine if it has a well-funded and resourced risk management function? As the saying goes, beauty is in the eye of the beholder. The same goes for the resourcing and adequacy of a risk management function.
There are few benchmarks available to ascertain the adequacy and resourcing of a risk management function. Every business is structured differently, and each industry has a unique suite of risks to be managed. The scaling up of a risk management function as the enterprise gets larger is also not linear. Complicating any analysis on the adequacy of the resourcing (and funding) of the risk management function is the organization’s approach to the three lines of defense. A detailed understanding of the resourcing of the risk activities undertaken by the first line is needed.
Nonetheless, it will usually be evident if a risk management function is well funded and resourced. Conversely, it will usually be clear to see if the function is limited in scope and lacking funding. Boards and risk management committees of regulated entities and publicly listed companies are now well versed in enquiring as to the adequacy of the resourcing of the risk management function. All boards or risk committees should be following this practice. A discussion on the adequacy of the risk management function should be scheduled to take place at least annually at the board or risk management committee level.
An under-resourced risk management function will almost certainly ensure that an organization’s risk management strategies and frameworks will fail to be effectively implemented.
5. Alignment of Risk Management Objectives & Remuneration
Successful firms and organizations ensure alignment of risk management and remuneration programs. For financial services firms in most countries, there are regulatory requirements for the board to review and sign off on the remuneration structures and outcomes. This can ensure that there is a sound understanding of the workings of the risk management components of the performance management and remuneration frameworks in place. These processes operate as checks and balances. In addition, there can also be requirements for the risk management function to review and sign off on the remuneration outcomes each year.
Too often, however, there are limited risk management objectives or key performance indicators (KPIs) in the performance plan goals and objectives of business leaders. Sometimes there are none at all. Often the design of the performance plans is skewed towards short-term sales and earnings targets, to the detriment of sound risk management and long-term business sustainability.
For less regulated or unregulated firms, it is important to capture elements of the practices in place for financial services firms. It is critical to have in place meaningful risk management components that link back to the risk management frameworks and processes and to the desired risk outcomes. The alignment of risk management objectives and remuneration will operate as both a carrot and a stick. Good risk management practices and outcomes should be celebrated and rewarded through the performance management systems. A well-designed remuneration framework will greatly assist the successful implementation of an ERM approach.
6. A Willingness to Learn from Risk Failures & Mistakes
At many firms and organizations, risk issues continue to be quickly explained away and downplayed. Reviews of risk failures are either not done or only superficially undertaken. Near misses do not even come onto the radar screens at these organizations. However, devoting time and resources to understanding the root cause of risk issues and failures will usually be a compelling business case. This analysis can uncover poor business practices and lead to the avoidance of similar losses in the future. Sharing the lessons learned internally also builds a strong risk culture.
External transparency also has many benefits. Following the fatal crashes in late 2018 and 2019 of the Boeing 737 Max aircraft and the government and regulatory inquiries that resulted, The Boeing Company (Boeing) acknowledged the many shortcomings in its risk management processes. It publicly documented the lessons learned and the steps it had taken to address the findings. This was a critical step in regaining the trust and confidence of its external stakeholders – passengers, buyers, regulators, investors, financiers and employees. The steps it has taken to improve risk management are summarised on a specific Boeing website (1). More recently, Credit Suisse commissioned an independent review following its losses related to the US hedge fund, Archegos Capital Management (Archegos). This independent report was also released publicly and similarly has its own webpage, the Archegos Info Kit (2).
Creating a proactive and positive risk culture that learns from mistakes is not easy. It takes leadership and a strong tone from the top. Looking into specific risk incidents requires tact, diplomacy, and clear communication. It is important not to be seen to be undertaking a witch hunt whose sole purpose is to single out individuals for responsibility and accountability. It can be helpful to point to the experiences of other firms, such as Boeing and Credit Suisse, in highlighting how a firm or organization can learn from missteps.
7. Strong Risk Management Skills Across the Organisation
For the successful implementation of an ERM approach, it is not enough to have a well-skilled and well-resourced risk management function. Success will be driven by the extent to which business owners embrace risk management practices and processes. The end goal is to have the business owners (the first line) taking ownership of their risks and engaging with the risk management function to manage these risks.
Recruitment practices and the training and development of business owners lay the groundwork for a high-performing organization from a risk management perspective. A commitment to ongoing training in risk management, beyond minimal risk and compliance training, is a hallmark of a high-performing organization. Ethics and risk culture training will also often feature. All of this demonstrates the commitment of the firm or organization to positive risk outcomes.
Many organizations also proactively rotate business and risk personnel between roles to ensure cross-pollination of skills and expertise between the first and second line. Where there are remuneration differences or other structural problems that don't facilitate this movement, organizations work to find solutions to address these issues. This can take the form of secondments, top-up remuneration payments, and a review of remuneration benchmarking. Career planning exercises also identify future leaders requiring skills and expertise in risk management.
8. An Established Risk Management Rhythm & Balance
One of the key features observed in high-performing organizations is an established risk management rhythm and balance. The operation of risk management forums is smooth and hums along as planned. Board risk committees and management-level operational risk committees are held when scheduled and not deferred due to competing work priorities. In addition, committee members always attend the meetings personally and don't send delegates. Frequent absences by committee members send a bad signal about the organization's commitment to risk management. Business owners are frequently observed proactively identifying, managing, and reporting risks. When something does go wrong there is no sense of panic or crisis.
Achieving balance will also be a function of streamlined risk management reporting. Committees can be bogged down by lengthy and detailed risk management and operational reporting. A skilled risk management team will strike a balance between providing the right level of data with appropriate insights and avoiding over-reporting. Excessive risk management reporting is inefficient, will consume valuable management time, and can result in 'paralysis by analysis'.
The best-performing risk teams work very closely with finance, human resources, information technology, and operations teams to produce concise, accurate, and timely management reporting from a ‘single source of truth’. Nothing frustrates directors and executive teams more than conflicting data and reporting on the same issue, from different functional areas.
Risks abound today. The COVID-19 pandemic, climate change, new competitors, disruption, changing industry conditions, and demographic changes create new risks and business challenges every day. To give the firm or organization its best chance of success a significant investment in risk management is needed. This investment will enable risk management to go from good (or not quite good) to great in the long run.
About the Author
Peter Deans is a Non-Executive Director, Risk Advisor, and a former Chief Risk Officer.
Peter is a leading authority on risk management and the Creator & Founder of the 52 Risks® management framework. Peter was awarded Australian Banking & Finance magazine's Chief Risk Officer of the Year award in 2014, 2015, 2016, and 2018.