In Part I we looked at the impact of boards in driving risk and governance, contemplating general risk principles applicable to all organizations while highlighting the imminent selection of national boards and committees and the relevance of the discussion to the process. It also considered broad definitions of risk and governance and applied the fundamentals of these definitions to organizations, emphasizing actions needed from directors to secure effective boards.
Fundamentally, from a governance perspective, directors should always be thinking in broad terms of where the Risk Assessment is, what our Risk Appetite is and what the agreed Risk Tolerance is. Directors who fully appreciate this will consistently ensure that “We are aware of our overt obligation to curate, nurture and enforce our risk culture” as a fundamental foundation for value creation. They will also appreciate that it is through enterprise risk management (ERM) that the major objectives of governance are achieved. According to consulting firm McKinsey, there are five dimensions of ERM – risk transparency and insight; risk appetite and strategy; risk-related business process and decisions; risk organization and governance; and risk culture. Each of these feeds into the others, creating an iterative cycle, with risk culture, at the highest tier, informing risk transparency, the lowest tier, and leading ultimately back to risk culture. The extent to which directors discharge their responsibility will determine whether this cycle is virtuous or vicious. We will return to the other four dimensions, but here we look at risk culture and its relevance to effective risk management and corporate governance.
THE RISK CULTURE
According to McKinsey, effective ERM allows firms to have a clear understanding of the firm’s risk culture gaps and alignment of culture with the firm’s risk strategy. The governance framework and its efficacy are generally reflective of the risk culture of an organization. There is an often-observed misalignment between culture and strategy. This generally drives ineffectiveness in organizations, especially public ones, where these matters often do not take on their requisite prominence. Always bear in mind that the main role of the board is to protect shareholders’ value; everything it does or does not do affects that value.
The culture of every organization emanates from its leadership; from the head. The board sits at the pinnacle of all organizational arrangements and is therefore responsible and accountable for the culture displayed. This, regularly referred to as ‘the tone at the top’, is not simply a demonstration of personal attitudes and behaviors but rests on some fundamental issues which are often taken for granted, and consequently effective governance becomes a hit-or-miss affair. From any sound definition of risk management, we will see that risk is supposed to be managed within the risk appetite of the organization, and the board is the sole entity responsible for making this determination, with the support of senior management. The risk appetite and risk tolerance set the tone for the risk culture of the organization.
Without an effective risk assessment there is no true risk management! As a director or officer, have you ever signed off on a manual, risk report or strategy document without seeing or understanding the risk assessment? How does the risk assessment match the risk appetite set by you? Has your organization gone where your risk tolerance said it should not go? Where directors do not fully understand and appreciate the importance of these concepts, there are bound to be challenges. It is highly likely that dysfunction will emanate from the board itself, adversely affecting the effective performance of the organization.
Risk culture is a key indicator of how widely an organization's risk management policies and practices have been adopted and a real measure of the board’s performance and effectiveness. It applies to all organizations: private companies, public, governments and not-for-profits. The efficacy of the culture is based on common values, beliefs, knowledge, attitudes and understanding about risk, and on the commitment displayed to implement and execute for value-adding results. Many organizations with great strategies and clear objectives fail to achieve them because culture trumps strategy most of the time. This is one of the foremost reasons great care should be taken at the board level to ensure that the appropriate culture is curated and cascaded across the organization.
Organizations often fail in risk management because they have not adequately developed their corporate and risk culture through a clear understanding of their risk profile and the delineation of clear and unambiguous risk appetite and risk tolerance. The board is the single most important determinant of culture and holds ultimate responsibility for the presence of these factors. Risk Appetite refers to the desired level of risk that an organization will take in pursuit of its objectives. For example, we will not pursue projects that are high risk in nature and have an adverse impact on capital. Risk Tolerance, on the other hand, reflects the limits or range of risks taken in pursuit of different outcomes. Private boards do a much better job with risk management because often a beneficial risk culture is evident and there is greater clarity on what the parameters are. Comparatively, public entities tend to do poorly because their culture, risk and organizational, is weak. Consequently, the level of risk discipline often displayed should be understood to be consistent with under-developed risk culture, not anomalous, the result of bad luck or a function of which administration selected the boards. The same holds true in private entities. Weak boards nurture weak risk and governance culture and will generally secure weak performance, toxic corporate culture and diminution in shareholders’ value.
IT ALL STARTS AT BOARD LEVEL
Everything starts at board level. When directors understand the true essence of their role, the organization has the best chance at success. Failure to do so runs the risk of the board being undermined by executive management and effectively losing control of the oversight of the organization. Alternatively, and this is often observed, the board and directors overreach into the areas of responsibility of executive management, either through lack of understanding or as compensation for ineffectiveness and the attendant breakdown of trust and performance. The board is ultimately responsible for the ERM program of the organization. This means that it is accountable for defining ERM as appropriate for the risk profile of the organization; developing and sustaining a culture that is supportive of ERM; and deciding strategies and organizational objectives.
In addition to establishing parameters and levels for risk appetite and tolerance, the board is accountable for establishing the ERM structure; approving the ERM plan (as well as communication and reporting plans); and providing consistent and effective oversight for the ERM regime. In the private sector, where there is greater continuity at the board level, these issues, while important, do not require broad scale consideration of their existence. In the public sector, this may often not be the case, and directors are required to ask well-considered questions about the state of the risk management regime and corporate governance. There needs to be clear evidence of a robust system in place to help achieve the objectives and, importantly, of whether that system is properly informed by an appropriate level of risk assessment. Consider the paradoxical approach of a social sector entity with a risk management system designed to maximize profit rather than deliver service to the needy in a timely, sensitive, and cost-effective manner. This is the import of the board or leadership being able to tie risk management and governance to strategy, value creation and achieving specific desired objectives, not derivatives or alternate “not too bad” outcomes.
Based on best practice, an effective control environment will clearly demonstrate com