In Part I we looked at the impact of boards in driving risk and governance, contemplating general risk principles applicable to all organizations while highlighting the imminent selection of national boards and committees and the relevance of the discussion to the process. It also considered broad definitions of risk and governance and applied the fundamentals of these definitions to organizations, emphasizing actions needed from directors to secure effective boards.
Fundamentally, from a governance perspective, directors should always be thinking in broad terms of where the Risk Assessment is, what our Risk Appetite is and what the agreed Risk Tolerance is. Directors who fully appreciate this will consistently ensure that “We are aware of our overt obligation to curate, nurture and enforce our risk culture” as a fundamental foundation for value creation. They will also appreciate that it is through enterprise risk management (ERM) that the major objectives of governance are achieved. According to consulting firm McKinsey, there are five dimensions of ERM: risk transparency and insight; risk appetite and strategy; risk related business process and decisions; risk organization and governance; and risk culture. Each of these feeds into the others, creating an iterative cycle, with risk culture being at the highest tier that informs risk transparency, the lowest tier, and leading ultimately back to risk culture. The extent to which directors discharge their responsibility will determine whether this cycle is virtuous or vicious. We will return to the other four dimensions, but here we look at risk culture and its relevance to effective risk management and corporate governance.
THE RISK CULTURE
According to McKinsey, effective ERM allows firms to have a clear understanding of the firm’s risk culture gaps and alignment of culture with the firm’s risk strategy. The governance framework and its efficacy are generally reflective of the risk culture of an organization. There is an often-observed misalignment between culture and strategy. This generally drives ineffectiveness in organizations, especially public ones where these matters often do not take on their requisite prominence. Always bear in mind that the main role of the board is to protect shareholders’ value; everything it does or does not do affects that value.
The culture of every organization emanates from its leadership; from the head. The board sits at the pinnacle of all organizational arrangements and is therefore responsible and accountable for the culture displayed. This, regularly referred to as ‘the tone at the top’, is not simply a demonstration of personal attitudes and behaviors but rests on some fundamental issues which are often taken for granted and consequently effective governance becomes a hit or miss affair. From any sound definition of risk management, we will see that risk is supposed to be managed within the risk appetite of the organization and the board is the sole entity responsible for making this determination, with the support of senior management. The risk appetite and risk tolerance set the tone for the risk culture of the organization.
Without an effective risk assessment there is no true risk management! As a director or officer, have you ever signed off on a manual, risk report or strategy document without seeing or understanding the risk assessment? How does the risk assessment match the risk appetite set by you? Has your organization gone where your risk tolerance said it should not go? Where directors do not fully understand and appreciate the importance of these concepts, there are bound to be challenges. It is highly likely that dysfunction will emanate from the board itself, adversely affecting the effective performance of the organization.
Risk culture is a key indicator of how widely an organization's risk management policies and practices have been adopted and a real measure of the board’s performance and effectiveness. It applies to all organizations, private companies, public, governments and not-for-profits. The efficacy of the culture is based on common values, beliefs, knowledge, attitudes and understanding about risk and commitment displayed to implement and execute for value adding results. Many organizations with great strategies and clear objectives fail to achieve them because culture trumps strategy most of the time. This is one of the foremost reasons great care should be taken at the board level to ensure that the appropriate culture is curated and cascaded across the organization.
Organizations often fail in risk management because their corporate and risk culture has not been adequately developed through a clear understanding of their risk profile and the delineation of a clear and unambiguous risk appetite and risk tolerance. The board is the single most important determinant of culture and holds ultimate responsibility for the presence of these factors. Risk Appetite refers to the desired level of risk that an organization will take in pursuit of its objectives. For example, we will not pursue projects that are high risk in nature and have an adverse impact on capital. Risk Tolerance, on the other hand, reflects the limits or range of risks taken in pursuit of different outcomes. Private boards do a much better job with risk management because often a beneficial risk culture is evident and there is greater clarity on what the parameters are. Comparatively, public entities tend to do poorly because their culture, risk and organizational, is weak. Consequently, the level of risk discipline often displayed should be understood to be consistent with an under-developed risk culture, not anomalous, the result of bad luck or a function of which administration selected the boards. The same holds true in private entities. Weak boards nurture weak risk and governance culture and will generally secure weak performance, toxic corporate culture and diminution in shareholders’ value.
IT ALL STARTS AT BOARD LEVEL
Everything starts at board level. When directors understand the true essence of their role, the organization has the best chance at success. Failure to do so runs the risk of the board being undermined by executive management and effectively losing control of the oversight of the organization. Alternatively, and this is often observed, the board and directors overreach into the areas of responsibility of executive management, either through lack of understanding or as compensation for ineffectiveness and the attendant breakdown of trust and performance. The board is ultimately responsible for the ERM program of the organization. This means that it is accountable for defining ERM as appropriate for the risk profile of the organization; developing and sustaining a culture that is supportive of ERM; and deciding strategies and organizational objectives.
In addition to establishing parameters and levels for risk appetite and tolerance, the board is accountable for establishing the ERM structure; approving the ERM plan (as well as communication and reporting plans); and providing consistent and effective oversight for the ERM regime. In the private sector where there is greater continuity at the board level these issues, while important, do not require broad scale consideration of their existence. In the public sector, this may often not be the case and requires directors to ask well considered questions about the state of the risk management regime and corporate governance. There needs to be clear evidence of a robust system in place to help achieve the objectives and importantly whether that system is properly informed by an appropriate level of risk assessment. Consider the paradoxical approach of a social sector entity with a risk management system designed to maximize profit rather than deliver service to the needy in a timely, sensitive, and cost effective manner. This is the import of the board or leadership being able to tie risk management and governance to strategy, value creation and achieving specific desired objectives, not derivatives or alternate “not too bad” outcomes.
Based on best practice, an effective control environment will clearly demonstrate commitment to integrity and ethical values; proper oversight by directors and well-designed structures with clear reporting lines and responsibilities. All these elements are structured and executed to enhance consistent achievement of the organization’s objectives. For directors in the private and public sector the big takeaway is get your risk culture right as everything rests on its foundation. One of the first things I would encourage newly minted public sector directors to do is to ask whether and how the entity risk regime/culture encourages and incentivizes employees to do the right thing every time. Consider the expansiveness of the regime and the extent to which it extends to all appropriate stakeholders.
All boards and directors must understand that the risk culture starts at the top, with the board and executive management and then flows down from there. Is this the case in your organization? The board must assure that the risk culture is actually emanating from it and not senior management with a mere “rubber-stamping” acknowledgement because it failed to intentionally address it. Directors must ensure that there are processes in place to hold employees accountable for understanding the desired risk culture and the implications of their actions on the achievement of objectives. Finally, as a board, ensure that central to the discharging of its oversight is the responsibility for continuous reinforcement of policies, respect for the risk appetite and risk tolerance and committed and competent guardianship of the risk culture.
If boards and directors in both the private and public space pay attention to these important factors, they create the ability to bring great value to their organization. In the private sector, it is often taken for granted that all the pieces necessary are in place given that things are moving well, much like last year. This is only true because there is a structure and system in place that works. The public sector often sees perennial bad performance with no attention paid to the underlying systems. This only becomes tenable because of a failure to appreciate that a risk management regime that consistently fails to enhance value is indicative of failure of the board and executive management and a lack of accountability. In the public sector, with the anticipated board appointments, taking into account the challenging economic state of the country and the nature of reforms needed in state owned or operated entities, understanding of corporate governance and risk management and effective implementation must become central to the drive for effective performance.
Always be reminded that risk management is “to provide reasonable assurance regarding the achievement of the organization’s objectives” and governance is “the structures through which the objectives of the organization are set, the means of monitoring those objectives and monitoring performance are determined”. The effectiveness of a board and its directors is inextricably tied to performance output, and output and performance are driven by the creation and existence of an appropriate risk culture. If this truth is kept at the forefront of the thinking, as the new administration considers its selections, one should anticipate a general shift in the quality of performance we have experienced from public sector agencies and enterprises to date. The focus, as in the private sector, should be and must be consistent value creation. Next, I will take a more granular look at the various elements of risk and governance discussed here.
© Hubert Edwards 2021
Hubert Edwards is the Principal of Next Level Solutions Limited (NLS), a management consultancy firm. He can be reached at firstname.lastname@example.org. Hubert specializes in governance, risk and compliance (GRC), Accounting and Finance. NLS provides services in the areas of enterprise risk management, internal audit and policy and procedures development, regulatory consulting, anti-money laundering, accounting and strategic planning. This and other articles are available at www.nlsolutionsbahamas.com.