How boards and executive teams communicate about risk, among themselves and through the ranks, determines much of the organization’s approach to risk. Leaders who have been focused on risk management primarily as compliance typically need to examine
The real priority, however, is not risk management for its own sake but risk management as an enabler of growth and profitability. In that light, risk management – and risk governance by the board – either enhances or hampers performance. Risk-resilience results from leaders’ ability to develop, adopt, deploy and integrate risk management methods that enable performance, even amid the disruption that risk and innovation can create.
Companies that traditionally saw little need to pursue new opportunities or manage risks now face disruptive competitors they never saw coming. These competitors often seem to emerge from nowhere, growing almost overnight from zero to billions of dollars in market capitalization. To ready their organizations to take acceptable risks, leaders must view risk broadly and holistically and align risk taking and risk management with their business strategy. This alignment should protect the organization from known risks while drawing on risk management skills, capabilities and practices to enhance performance. This approach calls for identifying and monitoring current and emerging risks, as well as those that could undermine longer-term drivers of performance. It also calls for an integrated approach to risk.
Gearing up risk governance
Boards are accountable for overseeing enterprise risk, and can do so effectively only when they have a coherent picture of major risks across the entire organization. Risk-related information typically reaches the board piecemeal and fragmented, based on different models and narrowly defined risks – compliance, legal, operations, cyber and so on – because those managing these functions focus only on the risks they see as related to their own area.
Each function also typically speaks its own language of risk. Compliance speaks in terms of regulatory interventions, legal in terms of violations and exposures, cyber in terms of breaches and vulnerabilities. These different risk “dialects” make it difficult for boards and executive teams to recognize, reconcile, prioritize and plan for the full range of risks across the organization.
To deepen and broaden the conversation around risk, the board must push management to develop an integrated approach to risk across the enterprise. Here are potential steps toward that goal, from the board’s perspective:
- Clearly articulate information needs. The issue is not lack of information but rather too much information. Boards need to communicate to business leaders the information they need to properly govern and oversee risk. The board needs to understand the likelihood and impact of actual risks, expressed in a common risk language.
- Develop the capability to view risk across functional barriers. To gain a holistic view of risk to the overall business, boards need visibility across business units. This means that the risks must “roll up” to an integrated picture in which threats to the drivers of performance in various areas become clear.
- Encourage businesses to see and work beyond individual silos. Risk does not respect functional boundaries, and should therefore be managed in an integrated manner. Modeling and scenario planning enable management and the board to gauge the knock-on effects of a risk event in one area on other areas within the organization – and to develop risk-resilient responses.
- Link risk taking to performance. In our post-Sarbanes-Oxley, post-financial-crisis era, boards should not mistake compliance for risk management. Instead, they should encourage the executive team to identify and manage strategic risks so as to achieve growth and profitability while protecting value.
A risk-resilient organization embraces risk as essential to innovation and performance, not as something to be avoided and contained at all costs. The perspective should be forward-looking, anticipatory and aimed at identifying and managing new forms of risk. Risk-resilience positions the organization to perform the critical functions required for survival amid slow-motion disruption as well as a sudden risk event.
Board and management communications about risk must be ongoing. The conversation is never over, nor can it be isolated, because risk permeates every business activity and initiative, and the board must continue to challenge management and remain engaged to fulfill its risk-related responsibilities.