Risk management exists in a dynamic world and should have the agility required to address the changing demands of business. The insightful article "Five Questions Directors Should be Asking in 2014" gets to the point quickly and its few questions serve as a good guidepost.
1. Does our risk profile reflect the significant risks we face currently?
While I am not a fan of the concept of a “risk profile” (akin to a risk register) because it is a static representation of a dynamic world, the board (and top management) should question whether the risks that are presented to them for review and discussion represent the risks the organization faces.
For example, is there a difference between the topics on the full board agenda and the list of risks reported to the board? If so, I suggest something is out of kilter.
Are there risks that the board itself, or with the help of the chief executive, needs to manage — such as CEO succession?
The heart of this question is the board asking the management team about the most significant risks to the achievement of organizational objectives. What are they today and how are they being managed — which leads to the next question.
2. Are our risk management capabilities continuously improving to ensure we are managing our risks effectively in a changing business environment?
I differ from the author only in the need to ask questions about management’s processes for identifying and assessing risks, in addition to the questions in the article about how they are managed.
I especially like the sentence where the author points out the “speed and complexity of business changes.” It’s not only that we are living in a dynamically changing world, but the processes we have for addressing the risks of yesterday may not be sufficient to address those of today or tomorrow.
Rather than spending a lot of time reviewing individual risks, my preference is that the board members spend the majority of their time reviewing the processes management uses to address uncertainty (i.e., its risk management processes, integrated into daily management of the business — see question five).
Reviewing individual risks is like giving people fish.
Reviewing the processes for managing risk is like teaching people how to fish.
3. Are directors and executive management on the same page in terms of risk appetite?
While I don’t like the concept of risk appetite or a risk appetite framework (see this earlier post on my personal blog and this on my IIA blog), the idea of a desired level of risk is fine. This article asks not only whether the directors and management have the same understanding of desired risk levels, but whether those levels are achieved every day within the business.
Curiously, I heard last week from a risk thought leader that many organizations, especially banks, don’t share their risk appetite statement with all levels of management!
How can you expect operating management to manage risk within desired levels if you don’t tell them what those levels are?
4. Is our risk culture encouraging the right behaviors?
It’s not enough to have formal processes and policies if the culture does not support and encourage risk-responsible behavior. The author tackles the unfortunately frequent situation where the CEO decides he knows better than anybody else what the level of risk is. “Damn the torpedoes, full speed ahead” is not a recipe for sustained success.
The list of questions about risk culture is a good one. I recommend the IRM paper on risk culture for those interested in the topic. (If you are not a member of IRM but are an (enterprise) risk management practitioner, join! While RIMS is good, IRM focuses far more on enterprise risk management.)
5. Have we integrated risk management with the appropriate management processes?
This is the heart of effective risk management. The author correctly says “Integration could include such processes as strategy-setting, annual business planning, performance management, budgeting, competitive intelligence, capital expenditure funding, and merger and acquisition (M&A) targeting, due diligence and integration.”
I make it clearer and broader: the consideration and management of risk should be an integral part of decision-making in every business process.
I welcome your views and comments.
About the Author
Norman Marks, CPA, CRMA is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world. Join Norman online on his IIA Governance blog, GRC and Audit blog and on Twitter @normanmarks.