Norman Marks offers some key questions for the board as Risk Awareness Week 2022 gets underway

Norman Marks, author, thought leader and retired chief auditor and chief risk officer, kicked off Risk Awareness Week (RAW) 2022 with a thought-provoking set of questions for boards.

He questioned the need for risk committees, as risk management - or understanding of what might happen - should be factored into management’s daily decisions.

Marks noted the word risk was too often seen in a negative light, with the belief that it is primarily a compliance exercise. According to the OECD’s definitions, risk is a balance between managing and taking risk (innovation and creativity).

“The majority of board members want the CEO to be more involved in understanding and addressing risk, and if they are not involved it is because they don’t see how it’s relevant.”

“If management doesn’t see risk as helping them make decisions, then something needs to change,” he said.

The board’s role is ensuring that risk insights - both positive and negative - are being used to make appropriate and timely decisions.

This is ultimately an essential part of their oversight role in ensuring management is effective at running the business.

Quarterly meetings are an opportunity to focus on how risk management is functioning on a strategic risk level, rather than getting bogged down with specific areas.

There is inevitably a trade-off where investment in risk management is concerned, said Marks, as it is using money and other resources that could be allocated to revenue-enhancing opportunities and/or investing in managing other sources of risk.

“Management is having to decide where to put the money? If we don’t understand these tradeoffs and how all of this affects our likelihood of achieving objectives, we’re not optimising the long term sustainable value of organisations,” he explained.

Questions for the board:

  • CEO, does the risk management activity help you and your team make informed and intelligent decisions? Explain
  • CEO, do you have acceptable visibility into what might happen and how it would affect success? Explain
  • CEO, are you prepared for unforeseen events or situations? Is the organisation resilient? Explain
  • CEO, what is the likelihood of achieving each of our objectives? Is that acceptable?
  • CEO, is risk management effective? Explain
  • CAE, do you agree with the CEO?
  • CAE, have you assessed risk management?
  • CAE, do risk management activities meet the needs of the organisation?
  • CAE, what needs improvement?
  • CAE, what else do we need to know?
  • CRO, is risk management effective? Does it meet the needs of the organisation?
  • CRO, what are your plans for improvement?
  • CRO, is collaboration with management effective?
  • CRO, are we in compliance with risk-related regulations?
  • CRO, what else do we need to know?
  • Tell us how we are handling the more significant sources of risk to our objectives?

“Through this set of questions and discussion the board can get some really good information about the quality of risk management and management - what is left on the table and what we can do to improve how we make decisions? When it’s right or wrong to take risk?” said Marks.

Questions for risk practitioners:

  • Understand what the board needs to know
  • Tell them what they need to know
  • Avoid technobabble - use their language
  • Provide actionable information
  • Don’t bury them in a mass of detail

“Don’t expect management to learn risk management language - use their language - the language of the business,” said Marks. “Make them aware of what they need to do, if anything.”