I recently spoke with the CRO of an organization about helping her, her team, executive management and board develop more mature and effective risk management practices.
We planned a visit where I would talk to each of the above in separate sessions. Perhaps the most important of the four sessions was the two-hour meeting with the board. The CRO and I had planned for me to share some of the principles of effective risk management, based on what is considered world-class practice, and of the board's governance of risk management.
I was distressed when the CRO relayed to me a request by the chairman of the board. He wanted me to include, in that same two-hour slot, a discussion of eight sources of geo-political risk. These are all issues of local rather than broader significance and effect. (For example, one was the liquidity of the local government and its ability to provide citizens with essential services; another was the incidence of crime in the region.)
Let’s leave aside the point that I am most definitely not the best person to discuss these local issues (I live thousands of miles away) and their potential effect on the organization. Let’s focus instead on the point that the chairman wants to spend a lot — perhaps most — of the two hours talking about eight sources of risk.
Putting the Board's Focus in the Right Place
Here are 10 principles for what in my opinion constitutes effective oversight of risk management by the board:
- The board needs to have confidence that it can rely on the management team to understand everything of significance (within reason) that might happen (a.k.a. risk) as it works to achieve the objectives of the organization, including the likelihood of each potential event or situation and how it would affect the likelihood of success. (Note: there would be a range of potential effects, not a single number.)
- The board also needs to have confidence that management will take appropriate action if and when the likelihood of achieving objectives falls below acceptable levels. (Note: this is a far better yardstick than a quantified risk appetite statement.)
- The board needs assurance that the management team is considering what might happen, including what might happen for each option, when it makes both strategic and tactical decisions. These would include decisions around budgeting, capital allocation, project management and more.
- The board needs assurance that the management team is not taking unnecessary and/or inappropriate risks in an effort to achieve goals. In particular, the board needs assurance that the achievement of personal goals (such as bonuses and promotions) is not given priority over the long-term success of the organization. (Note: some might call this risk culture.)
- The board needs assurance that both the management team and the board can rely on the information they use to make decisions.
- The board also needs assurance that management at all levels is receiving sufficient guidance so they are taking risks consistent with the desires of executive management and the board.
- The board needs assurance that performance management, planning and related activities appropriately consider what might happen, its likelihood, and potential effects.
- The board also needs to have confidence in the quality of the assistance provided to management by the risk function.
- Finally, the board needs to know that an appropriate consideration of what might happen is an essential part of strategy and objectives development.
- The first nine principles are essential if the board is to continue relying on management to run the organization with its eyes on the future, on what might happen. How much time the board spends discussing specific sources of risk should depend on how much confidence it has in management. If management is highly capable, those discussions may be short. But if there is little assurance that management is able to understand what might happen (i.e., risk), then the board should be much more active and assertive in its review of how management addresses specific sources of significant risk to the organization.
Don't Get Mired in the Minutiae
The 10 points above are very different from what I have seen from other consultants. They tend to guide boards toward discussions of the risks of the day rather than toward the possibility that management is not managing risk (what might happen) as part of its day-to-day running of the organization.
Managing a list of risks is not risk management. Continuously anticipating what might happen so you make informed and intelligent strategic and tactical decisions that will help you achieve enterprise objectives is risk management.
The periodic discussion by the board of a few significant sources of risk is not risk governance or oversight. Obtaining assurance that management is effectively managing risk (what might happen) and making informed and intelligent decisions every day, combined with hearing from management on the more significant risks, is risk governance.
I welcome your comments. Do you like or dislike my 10 principles? How would you improve them?