I have been involved in risk management and company governance for more than 30 years, and one thing I have learnt is that risk management is never just a question of tooling or processes, or a matter of organization or people. It’s a state of mind.
Embracing risk at the enterprise level requires a cultural paradigm shift. It means adding the “Management by Risk” capability into the board and the executive committee. In the early 2000s, after the Committee of Sponsoring Organizations (COSO) II was released following the Enron crisis, risk became a key focus of audit committees, and directors did not know what to do with it. It took more than 15 years to transform how decisions are made at the top level in our companies.
But have we really transformed the culture of our companies? Many have started adopting governance, risk, and compliance (GRC) tools to better understand their risks, provide assurance on compliance with laws, regulations, and internal policies, and to manage their system of control. Nevertheless, we find that the initial objectives have not been fully achieved.
The state of risk management
Most of the tools are still siloed in various parts of the organization, not truly allowing for an end-to-end, bottom-up, top-down, and horizontal understanding of risk across departments and geographies. You will have a system for IT, another one for finance, a third one for cyber risk, others for human relations (HR), environmental, social, and governance (ESG) management, etc.
Often, you will see business lines, regions, or countries using different tools, and of course those tools will not talk to each other and will not aggregate. You cannot manage risk if you cannot consolidate, understand, and respond to your risks in the same way across your company, whatever the function, business line, country, etc. You need to be able to consolidate at the board level and drill down from there to the individual department or function’s risk and response action plan.
Consolidation is not enough. Adopting a risk state of mind means transforming your culture. There are CXOs who understand this. One of them once told me that during management meetings he asks his directors to talk about their top three risks. “If they are unable to, I tell them that I did not recruit them to manage business as usual — their teams can do that perfectly — but to manage the unexpected, the tough decisions and their risks,” he said. This is a great example of how to transform a company’s mentality towards risk. It illustrates the need for a cultural shift.
Another example of effective cultural transformation is rewarding early risk reporting and challenging late discovery of major issues. When you audit company behavior, you often notice that the top management is eager to know about risk, and people in the field are eager to talk about it. It is often the middle management that has difficulty relaying the information, which is why it is important to focus on changing middle management culture if you want to change the mindset towards risk. On the one hand, you do not shoot the messenger who talks about risk, but reward them. On the other hand, you challenge those who escalate major issues belatedly, instead of flagging and responding to the risk earlier.
Move from firefighting to forward (risk) planning. Rewarding people for highlighting risk is not common yet, but it will help you grow your understanding of your true risk exposure and make better business decisions.
To achieve a risk state of mind, it is important to come back to the definition of risk per ISO 31000. If we agree that risk is a deviation from business objectives, then we need to change our culture and tools accordingly, not only recording and appraising threats, or negative risks, but also mitigating opportunities, or positive risks.
Mostly, they are two sides of the same coin. Often, a negative risk has proven to have a positive side. This pandemic is obviously a dramatic event for most of us, with serious illness, unexpected death, and mental health issues upending life as we know it. But, at the same time, look at how some companies have succeeded in reinventing themselves, how remote working has thrived, and the positive impact this has had on the climate crisis.
On the other hand, look at how positive risks, or opportunities, can also be risky. How — with large mergers and acquisitions (M&A) — poorly managed exponential growth could be devastating. How your largest contract, with uncapped liabilities, could ruin your company.
Most companies still only consider, record, and manage negative risks. Embracing the positive and negative dimensions of risk management is a great way to transform the culture and to socialize robust risk management across the organization.
Doing good business is taking informed risk.