Originally Published in Biz Magazine, September 2015
A key area of responsibility for all Boards of Directors is risk governance. Risk governance focuses on recognizing the risks inherent to the business of the organization and instilling processes to provide for protection of people, assets, and reputation. Governance risk recognizes that the ability or ineffectiveness of a Board can actually add to an organization’s risk profile rather than providing a deductive factor to the risk profile.
We have seen headlines where risk was allowed to consume the organization and lead to drastic consequences. Costa Concordia sailing an unsafe route which the Captain claims was condoned by superiors. General Motors and faulty ignition switches which staff claim was known within the company but action taken to deal with the risk was not adequate. Montreal, Maine & Atlantic and unsafe transport of dangerous goods; XL Foods and tainted beef; Mattel Toys and lead paint. If the Boards were exercising their risk governance responsibility the unfortunate outcomes of these events could have been prevented.
Enterprise risk management (ERM) is a methodology that has been in place for years. Identify the risk, assess the risk, take action to mitigate the risk, and monitor the behaviour of the risk and effectiveness of the risk response. The illustration shows the phases of an effective risk management approach. As an organization moves through the phases in the risk process, the risk intelligence of the organization builds.
Creating a Risk Intelligent Organization
Risk is an inevitable and acceptable part of all businesses. Not managing the level of risk is not acceptable. The ERM process requires an explicit identification of the risks inherent to the business given the products and services offered and the means by which they are delivered. For example, companies which transact over the internet and which store confidential personal information will identify a cyberattack as a high risk. The Board needs to gain assurance that the inherent risks have been thoroughly identified and evaluated in terms of the severity that each presents to the business. More importantly, the Board needs to gain assurance that appropriate measures are being taken to mitigate the risk to an acceptable level. A level that if the risk does still occur, the situation can be dealt with in a calm and reasonable manner. This is not crisis management. It is making sure you don’t have to activate that crisis management plan. It is the essence of operating in a sound and secure manner to achieve the strategic and business objectives of the organization.
Before establishing a risk framework and undertaking the process to identify the risk profile, the following elements must be in place to permit effective risk management.
- Support at senior levels: Concern for risk management must start and be supported at the highest level within the company. This includes the governance level and the CEO.
- Risk management efforts must be dynamic: This includes active identification, measurement and management of the risks, scanning for changes in the risk profile, and reporting on the risk profile.
- Clarity of understanding: There needs to be a clear definition of the risks and these must be understood across the organization.
- Accountability: Responsibility for responding to and managing the risks must be clearly understood and individuals held accountable for fulfilling the roles. Everyone is a risk owner.
- Resources: Appropriate resources including people and tools need to be deployed and available to help staff, managers, executive, and the Board fulfill their duties within the ERM framework.
- Culture: The organization’s culture must support the active managing of risk in terms of attitude.
Risk governance is one thing; the Board also needs to take action to not create governance risk. Does the Board have the capability to oversee the risk profile of the organization? Has it set an appropriate risk appetite? Does it receive fulsome information to monitor the risk profile on a dynamic basis? Does the Board fit within the framework for a risk intelligent organization? To test your risk literacy capability, I invite you to take the self-assessment here.
Fay Booker is the president of Booker & Associates, a consulting firm focused on promoting excellence in corporate governance, risk management and operational effectiveness.