C-level executives, with support from the board of directors, are responsible for establishing and promoting a healthy risk and compliance mindset among employees. But they may not grasp the full benefits of enterprise risk management (ERM) because of the siloed nature of risk management efforts across business groups.
Setting the tone from the top down requires approaching risk as an integral part of business strategy. That requires cooperation between senior leadership and audit, risk management, and compliance teams.
That can be difficult to obtain even if risk is top of mind — and it often isn’t.
In a 2018 study by the American Institute of Certified Public Accountants, less than 50% of surveyed C-suiters formally considered risk exposures when evaluating new possible strategic opportunities. Only 29% of their boards discussed top risks in a formal manner when reviewing the organization’s strategic plan.
Additionally, a 2017 AON report revealed a direct correlation between a mature risk culture and higher stock prices.
CFOs and audit, risk, and compliance leaders manage risk most effectively when they collaborate with other senior executives to identify, assess, and respond to the organization’s top risks, including unprecedented risk events such as the COVID-19 pandemic.
Following are five best practices organizations should consider in order to engage senior leadership in strategic enterprise risk management discussions.
Every company manages risk differently, depending on its size and how the departments are structured, among other factors. Some boards may deem it necessary to create a chief risk officer, but that’s usually not a requirement for ERM success.
Depending on where risk management is located within a company, a CFO, chief audit executive, or head of strategic planning might be well-positioned to lead the charge. Whoever it is should have a direct line to the CEO and be a key player in the company’s strategic planning (or have the opportunity to become one). Their role is to champion risk management initiatives to the C-suite and board members, ideally with the help of a working group or committee.
It may seem counterintuitive, but the best way to begin an enterprise risk assessment has nothing to do with risk. The first step is identifying the business’ key strategies and goals, both long term and short term.
Risk leaders might find themselves having to juggle competing priorities and opinions from different departments and leaders, but it’s essential to land on a consensus that everyone can get behind. Approaching the risk assessment with a strategy-centric attitude versus a risk-centric one reduces the likelihood of building an overly risk-averse culture that hinders growth.
Once critical strategies have been identified, the related key risks may be identified by leveraging ERM frameworks such as the Strategic Risk Management Model from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Guide senior management in leveraging the risk assessment to drive strategy.
The next step is validating and prioritizing these risks into a comprehensive plan. The risk leader and their team should proactively foster discussions with executives to determine which risks are opportunities worth taking and which are liabilities that might need mitigation.
It’s important, in these discussions, to consider external and emerging risks that are not actively monitored yet are likely to have a material impact. Such analysis can give senior management the confidence to pursue high-priority opportunities.
Also, embedding risk and opportunity into strategy discussions is extremely worthwhile. It gives executives and decision makers the chance to share their perspectives, collaborate, and collectively vet decisions that impact the entire company.
Facilitate risk management exercises with executives.
Risk management doesn’t stop after the planning months. Engaging the company in ERM exercises throughout the year is crucial to reinforcing risk appetite.
One of the most effective ways risk leaders can keep ERM at the top of mind with company leadership is to host a quarterly tabletop exercise, where executives and risk owners walk through realistic scenarios that could impact the company’s strategic goals. Working through hypotheticals helps reveal gaps in processes, initiate action to fortify mitigation activities, and improve existing action plans.
It is impossible for risk leaders to build a mature ERM program in a day, so take it step by step. Introducing every best practice at once can be overwhelming, especially for executives who may have differing perceptions about ERM’s objectives and benefits.
Guide executives and board members through the learning curve of ERM by taking every opportunity to educate them about the benefits of a mature risk management program. At every stage, clearly define the value and benefit of whichever risk management topic or activity you are involving them in at the outset. COSO provides examples of incremental action steps that internal audit and risk leaders can take to educate executives.
In 2020 and beyond, companies will be tasked with managing increasingly complex and large-scale business risks, including black swan events such as the coronavirus pandemic. It’s crucial, maybe now more than ever, that leadership and decision makers take steps to set a strong example and bolster risk management practices across their organizations.
Daniel Kim is co-founder and co-CEO of AuditBoard. Anand Bhakta is the company’s director of solutions advisory.