How risk aware is your organization?
Without risk awareness and communication, organizations can easily fall into a false sense of security. Often, what is communicated at the board level in the form of an enterprise risk management plan is not rooted in the risks emanating from lower levels of the organization. In other words, there is a gap between the understanding of strategic risks and the underlying operational risks.
When this happens, decision-making is misinformed and risk management fails. We saw a prime example of this failure in the lead-up to the Great Recession of 2008, when financial institutions were strategically seeking to strengthen their asset bases, but operationally originating sub-prime mortgages that failed to perform. And while these kinds of mistakes don’t always play out in such dramatic fashion — spurring a global financial crisis — today there is no shortage of companies taking a precarious, fragmented or purely reactive approach to risk management, leaving themselves vulnerable to rapidly evolving risks including geopolitical instability, 40-year high inflation rates, continued cybersecurity breaches, and growing ESG regulations.
So how can organizations better prepare for future disruptions, steer clear of miscommunication-driven pitfalls and, instead, infuse risk awareness into how they operate at every level? The truth is, integrated, effective risk management starts at the very top, but does not end there — with the CEO and other key executives communicating about risk at all levels of the organization.
Organizational Leaders Must Set the Tone
The most important factor to consider in developing a risk-aware culture is communication. Without an ongoing, open dialogue about the most critical risks, organizations cannot achieve the full potential of the opportunities they seek.
To create an environment that encourages open dialogue about risk, executives must clearly articulate the risk levels they are willing to accept as opportunities are pursued — otherwise known as risk appetite. When the organization understands the risk appetite, it is better equipped to take the calculated risks needed to succeed.
Why the CEO Must Be a Champion of Risk Awareness
As the most senior executive, the chief executive officer must be the ultimate champion of risk awareness. This is not to say that other leaders within the C-suite should not also be risk champions. However, the CEO is the conduit between the primary risk overseer — the board of directors — and the organization. In that capacity, the CEO can and often does influence the risk management agenda.
As a former senior risk executive, I’ve experienced firsthand the impact of this influence. The risk-aware culture change can happen overnight, as it did when my organization transitioned from a retiring CEO to a successor. The risk culture shifted from very conservative to very aggressive. While one culture is not necessarily better than the other, it is paramount that the changes are communicated quickly and clearly. Without effective communication, the management team becomes disjointed in their efforts to manage risk — and that becomes a major risk.
What Executives Get Wrong About Risk Management — And Why IRM Is the Future
Among executives, a major misconception is that risk management is simply focused on compliance. While compliance is a major risk category, especially in highly regulated industries, it is just one component of risk management. Executives who maintain a compliance-driven view of risk management see it as a non-value-added, bureaucratic exercise — and will not generate the value that comes from a proactive, integrated risk-based approach.
These companies are the ones that only invest in technology that will satisfy a specific, mandated compliance objective. This highly reactive approach is exemplified by legacy governance, risk and compliance (GRC) solutions that offer a limited view of risk and quickly become obsolete. However, as organizations have become more dependent on technology, third-party providers and complex supply chains, the value of a more integrated approach to risk management is becoming increasingly hard to ignore.
Companies that have adopted an integrated risk management (IRM) approach have seen benefits in both visibility and understanding of emerging risks across technological, operational and strategic boundaries. Leading companies have also tied elements of corporate performance to risk management by linking key risk and performance metrics. Going forward, as regulators across the globe seek more non-financial measures in areas like cybersecurity and climate change, the need for connected risk tech solutions will only continue to grow.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture.