We frequently read the advice of so-called “risk and governance experts” that the Board must ensure the organisation’s desired values and culture align with Risk Appetite. We agree, but where is the discussion about the Board’s competency in Risk in a broader context? Risk Appetite is certainly a critical factor in how an organisation pursues achievement of its objectives.
But do directors really understand Risk Appetite? Going one or two steps further, do they really understand Risk Management at all? After all, there is no specific risk management experience requirement at the Board level of companies.
The reason for this lack of genuine understanding of risk is the shallow talent pool from which many organisations draw their directors. Far too many have come through a narrow consulting pathway in which their understanding of risk is skewed by their experience, and where that experience has been audit, not risk. Audit is extremely important, but it’s only part of the bigger risk picture. I am yet to see an organisation work backward from controls to identify their risks.
This should then suggest that most boards would be highly focussed on assurance of the controls relied upon to ensure risks are effectively managed; threats are prevented, and opportunities are pursued. But that isn’t happening consistently either.
Unfortunately, many boards suffer from overconfidence and complacency. They simply don’t challenge what they are told. The COVID-19 crisis has highlighted this, with many organisations failing to meet even basic levels of planning to mitigate the consequences of disruption. We all agree that the depth of the pandemic was greater than most could have foreseen, but being the 4th pandemic in the current century, it was hardly unforeseen.
Many risk management professionals develop highly effective frameworks for the organisations they work for only to find that their executives and directors simply don’t understand risk management, fail to challenge the assumptions, and ignore the picture the risk analysis shows them. Risk Appetite? These organisations are not even close to maximising the opportunities of an effective risk management function, let alone risk appetite.
It’s largely about culture. The details Boards need to drive change simply don’t come from completion of an annual employee survey. It’s far deeper than that and needs to identify the underlying cultural factors that drive some parts of the business to excellence where others simply fail to fire.
So how can Boards address this obvious weakness in the management of risk? Here are a few basic steps:
- Ensure a level of specific risk management expertise on the Board – ensure this is not accounting, not auditing, not WH&S, but specific risk management experience and expertise
- Ensure any guidance you are getting is from risk experts, not auditors (or other non-risk professionals) claiming to understand risk – audit is important, but only part of the whole risk picture
- Develop meaningful data that measures and drives improvement strategies on:
  - Risk Culture & Maturity
  - The relationship between Risk & Performance
  - Capability and Competency
- Develop a Board Framework of Challenge / Assurance – with specific data on material risks, control assurance activities, desktop scenarios. Ask (a lot of) questions
- Stop assuming everything will be OK because it has been in the past – probability might suggest it’s overdue!
At ABM Risk Partnership we believe that from risk comes opportunity.