Technology change, competitor action, cyber attacks, supply chain disruption, regulatory change, product blunders and executive departures?the risks to business performance are unceasing in a dynamic environment. Yet, in the need for performance lies the seed of improved risk management.
The board is accountable for protecting and growing value. Boards seek to drive a culture of find early and fix fast to ensure the range of risks to return are managed, especially those most painful to explain to investors or regulators.
Complicating this imperative are many hurdles, including two particularly troublesome ones. First, the parade of disconnected risk reports that march into the boardroom?legal securities, legal industry regulation, M&A, finance, operations, HR, audit and more. This is especially complicated by reports with excessive emphasis on compliance relative to performance. Second, determining what ?good? looks like in a risk management process.
Evidence of problems is seen not only in headlines of negative outcomes, but also in board surveys of risk management. It is curious that when questions are asked in more detail, the confidence in risk management process quality tends to drop.
Board members can confront these complications by doing what boards do best? overseeing sufficient capability-building in people and process to achieve objectives through strategy. Ron Dietz, Chairman of the Audit and Risk Committee of Capital One Financial stresses, ?Individual business units generally manage risk taking activities in vertical silos. However, if you don?t have a handle on how that same risk is being managed horizontally across the organization you are not really managing enterprise risk. Therefore, a common framework is needed for managing risk in each category, developing common reports, analyzing root causes and ensuring strong communications between risk taking units.?
A key change that can make it easier to both bring about this integrated, performance-driven view of risk management and improve ability to find risks early is shifting to more life-like scenario analysis. Realistic scenarios unfold the interactions of business capabilities in the real, dynamic world. They read like plot lines from great ?who dun? it?? stories or comedies.
?Getting real? with scenarios stops the disconnected parade of risk reports because realistic scenarios force executives from across silos to come together in structured workshops around that horizontal view of performance objectives and risk to those objectives. The focus might be a strategy, major initiative (new product or acquisition) or business unit. The corporate secretary as board coordinator is a valuable resource to enable this, especially where there is no CRO. She/he can preview board presentations to foster that integrated view to enable more insightful board discussion.
Support scenario analysis with benchmarking ?what good looks like? to evaluate risk management capability (people, process and skills). There are several sources of recognized guidance. To enable the horizontal view, a particularly helpful source is OCEG?s Redbook (www.oceg.org). OCEG is 30,000+ member cross-discipline non-profit think tank for legal, risk, finance, ethics, compliance and audit leaders to focus on ?principled performance.? Principled performance is about achieving business objectives in view of both mandated (legal, regulatory and contractual) and voluntary (board policy) boundaries.
So, silos and the fuzziness of ?good? risk management create hurdles to good risk process and business performance. Board members can overcome these hurdles by setting the expectation for realistic scenarios that force a cross-silo, horizontal view to evaluate risk to performance. Benchmarking evaluates organization capability for that real world, deep understanding of risk to the business. In investigative dramas that unfold across the business news, the question is ?Who know what when?!? The right actions help board members find out ?Who knows what NOW, before it?s too late.?
Brian Barnier, of ValueBridge Advisors, serves on professional guidance committees, and writes and teaches widely. He is the author of The Operational Risk Handbook for Financial Companies. Contact Barnier at firstname.lastname@example.org