There is no one-size-fits-all solution for the risk management function; how risk is governed varies across industries and organizations. But there are five interrelated principles that underlie effective risk management within organizations in both good times and bad – integrity to the discipline of risk management, constructive board engagement, effective risk positioning, strong risk culture and appropriate incentives.

Below, we discuss these five fundamental tenets integral to ensuring the success of the independent risk management function.

Integrity to the Discipline of Risk Management

Integrity to the discipline of risk management means having a firm grasp of business realities and disruptive market forces, engaging in straight talk with the board and executive management about the related risks to achieving the organization’s objectives and the capabilities needed to reduce those risks to an acceptable level.
Integrity to the discipline follows from a strong tone at the top – what the C-suite stands for, how senior executives provide leadership with respect to the appropriate governance and behavior around doing the right things in the right way, and ensuring the affairs of the business are conducted in a fair and transparent manner and at arm’s length. If tone at the top is lacking, the executive team isn’t paying attention to the warning signs and the organization’s affairs are so complex that few can understand them, then risk management faces an almost insurmountable challenge to making a difference. Consider the following common examples, some strategic and some tactical, of integrity failures:
These examples illustrate that integrity must permeate every aspect, every level and every action within the organization as it relates to managing risk. Hoping that risks are managed sufficiently while knowing that business realities are not actively monitored, risks are not really understood, tolerance levels are not set (or are ignored) or projects are performed solely to meet regulatory guidelines is an indicator that integrity to the discipline of risk management is lacking.

Constructive Board Engagement

Effective board risk oversight begins with defining the role of the full board and its standing committees with regard to the oversight process and working with management to understand and agree on the types (and format) of risk information the board requires. Directors need to understand the company’s key drivers of success, assess the risks in the strategy and encourage a dynamic dialogue with management regarding strategic assumptions and critical risks. The scope of the board’s risk oversight should consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources to deliver on expectations. The board should pay attention to the potential risks in the company’s culture and monitor critical alignments in the organization – of strategy, risk, controls, compliance, incentives and people. Finally, the board should delineate the most critical enterprise risks from the day-to-day risks of managing the business and consider emerging and interrelated risks – i.e., what’s around the corner?[1]

Effective Risk Positioning

While the positioning of the risk management function is not a one-size-fits-all prescription, there are fundamental principles that make it work.
The board’s and executive management’s expectations for the chief risk officer (CRO), or equivalent executive, and the risk management function must be carefully considered, and given those expectations, the function must be positioned for success as a separate line of defense. To this end, six key success factors increase the function’s chances of success:
While these attributes may not be exhaustive, they represent a significant step forward in ensuring the risk management function is impactful, setting the tone for effectively functioning risk management. Taking one or more of these elements away produces a red flag that the risk management function may be unable to fulfill its expected role and lacks real authority or influence. Depending on the expectations, the function may be set up to fail.

Strong Risk Culture

An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. While risk culture has gained traction in terms of relevancy in financial services in the post-global financial crisis era, the occurrence of reputation-damaging incidents, the decision-making processes preceding those events and the lack of response readiness once those events occurred have made risk culture a topic of interest in other industries as well. Culture is influenced by many factors. We’ve discussed two – the tone at the top and the quality of the board’s risk discussions. Other factors include:
Incentives that encourage risk awareness and risk-informed decisions help shape risk culture as discussed below.

Appropriate Incentives

Performance and talent management should encourage and reinforce maintenance of the organization’s desired risk behavior. The old saying, “What gets rewarded gets done” is as true with risk management as it is with any other business process. Disconnections in the organization’s compensation structure and an excessive near-term focus can lead to the wrong behaviors, neutralizing otherwise effective oversight by the board, the CRO and other executives. For example, if lending officers are compensated based on loan volumes and speed of lending without regard for asset quality, reasonable underwriting standards and process excellence (e.g., their compensation is not adjusted for borrower and collateral riskiness, portfolio concentrations and the likelihood of unexpected losses), the financial institution may be encouraging the officers to game the system to drive up their compensation and thus expose the company to unacceptable credit risk. This principle requires more than focusing on C-suite executive compensation and upper management. Just as important is an understanding of the incentive plans driving behavior in the sales force and on the “factory floor” where production occurs, as this is where individual “moments of truth” occur that add to, reduce or neutralize the buildup of risk within the organization every day.

Questions for Executives and Directors

In summary, following are some suggested questions that executive management and boards of directors should consider:
[1] National Association of Corporate Directors, Risk Governance: Balancing Risk and Reward, 14-19: www.wlrk.com/docs/1605831_1.pdf.