According to a Pricewaterhouse Coopers report, many companies rely too heavily on risk models that are necessarily limited, rather than making everyone personally accountable for managing risk.
While there is no doubting the sophistication of some risk models, it is important to remember that such models are essentially simplified versions of reality and deal only with foreseeable risks. However, it’s only when risk management is an integral element of day-to-day business that companies will get the results they want, within the risk parameters they can live with, according to the report, Hands up! Who’s responsible for risk management?
The report details four steps that businesses can take to build an organisation in which risk management is integral to everything employees do:
1. Focus on personal accountability.
Clarify authority and accountability. Before you ask people to do something, make sure they have been given the authority necessary to complete the task and made it clear how they will be held accountable. It’s only possible tomanage risks effectively by addressing all three elements – responsibility, authority and accountability – and ensuring that everyone understands exactly how they’ve been apportioned.
Encourage staff to question the allocation of responsibility. Many people accept responsibility for doing something, even if they haven’t been given the necessary resources. Individual employees must question the allocation of responsibility, where their authority and accountability haven’t been fully articulated.
Watch out for blind spots. Seek out independent thinkers to challenge the status quo and identify any blind spots in your organisation’s risk management processes. Get external help, if you need more – or more objective – input.
Keep the door open. Invite employees to speak out, if they suspect something’s wrong. Conversely, encouraging people to report their concerns internally enables you to solve problems while they’re still small.
Reward the right behaviour. Show that you value employees who behave responsibly and honestly, by recognising the contribution they make. Remember, too, to reward individuals who take considered risks that support your corporate strategy and deliver good returns.
2. Hold your business units accountable.
Make your business units measure the maturity of their risk processes. Ask your business unit managers to assess the relative maturity of their risk management processes and identify potential areas for improvement and act on them.
Get your managers to sign on the line. Insist that your business unit managers sign off on the risks they’ve assumed. Let them know that, as part of this process, you require confirmation that they have updated their assessment of major risks; devised action plans to address these risks; ensured that their plans are being implemented; and notified senior management of any new issues.
Create robust controls. Task each business unit with creating robust controls that reflect the company’s risk appetite, taking into account the legal and regulatory regime and the operating challenges they face. These controls should be efficient, effective and tailored to the needs of the individual units.
3. Lead from the front.
Make your presence felt. Show your business unit managers that you’re serious about risk management by regularly reviewing how they address important risks – including strategic risks, market risks and reputational risks. Balance this with encouragement for those who pursue viable commercial opportunities that could generate sustainable profits.
Look at the big picture. Many large organisations have grown through mergers and acquisitions with systems that have never been fully integrated. Ask your business unit managers which processes can be simplified or safely eliminated.
Dig down to the roots. Insist that any breakdown in a core process or breach of an internal code of practice is analysed in depth to identify the root cause and correct it. Identify the individual or individuals who are responsible and hold them accountable.
4. Refocus your risk management function.
Clarify the risk management function’s role. Once the business units are in control of the risks they’re taking, you can concentrate on getting the risk management function to do what it should be doing: namely, providing information, advice and assurance. You’ll need to start by defining its remit and making sure that it doesn’t continue to assume the responsibilities your operational managers should be handling.
Listen and learn. The risk management function’s first task is to identify and interpret any changes in the external environment, including changes in the expectations of your shareholders. Ensure that it keeps abreast of all new developments.
Assess and advise. The risk management function also has a key role to play in developing a risk framework, giving the business units feedback on the effectiveness of the controls they’re using and helping them modify those controls, where necessary. At this stage, you should therefore ask the risk management function to assess how the risk management processes the business units have established are performing. What progress have they made? What gaps remain and how should they be closed?
Tell the truth. The risk management function’s final duty is to check that the business units are doing what they claim and let you know what’s really happening. That, in turn, means ensuring it has sufficient clout to talk to senior management on an equal footing and challenge the existing order when necessary.
Get it right. Putting risk management back where it belongs – with your business units and individual employees – enables you to create a lean risk management function with lower overheads. More importantly, it helps you build a business that’s as bullet-proof as you can possibly make it – a business that’s more effective and efficient.
Never forget the importance of culture. Remember that this approach won’t succeed unless you have the right culture. Rules are meaningless, if they go against the grain of the organisation as a whole.
Source: Corporate Risk & Insurance CRI, 29th April 2014