风险治理结构:它是如何工作的?

作者：Brenda Boultwood

 

来源：GARP

 

无论在大环境好还是坏的时期，冒险都是公司创造收益的方式。在危机时刻，组织各个环节作出反应的有效性决定了公司的敏捷性和弹性。

 

如果公司治理系统的整体系统是由“实现其核心目标”这个理念来指挥控制的，那么风险治理是一个决策框架，用于管理都一致同意的风险偏好以及适应新事物(例如，风险、产品、信息)和正在变化的事物。

 

在危机时期，风险治理更着重问责制、透明度和基于风险的决策。它适用于所有的企业风险管理，无论是定性的还是定量的，而且通常风险治理更多的是“艺术”而不是“科学”。

 

此外，风险治理是一个系统，它让员工知晓并承担正确的风险，对新的事物做出决策，并在出现问题时系统能够升级去处理。它明确风险发展的过去、现在和未来，授权谁去承担风险，以及所承担风险的内容、原因、时间和方式。

 

组织战略管理是风险治理的背景——高增长的创新公司与寻求稳定收益的成熟组织相比，会有不同的风险治理方法。本文的目的是证明风险治理不是短暂的，而是必须随着时间的推移建立在具体的、客观的行动上的系统。

 

理解风险治理:完整的机制

 

What are the mechanisms of risk governance,and what happens if they don't exist?This question can only be answered through a quick risk governance overview:

 

Risk Appetite

 

The risk appetite statement must clarify the types and levels of risk the organization is willing to accept.Quantitative risk appetite statements can be articulated as some combination of acceptable aggregate operational losses,levels of residual risk and risk metric thresholds.Qualitative risk appetite statements reflect a desired organizational norm–for example,zero tolerance for compliance failures or employee drug use.

 

An organization that does not have a risk appetite statement chooses to operate without guardrails and without clear authority for taking risks.

 

Risk Reporting

 

Reporting lines enhance the visibility of expertise.For example,not all companies need a chief safety officer reporting to the CEO.But the large energy company that faces regulatory scrutiny after a mishap may decide this is important.

 

Risk reporting provides needed analytics for decision-making,while risk communication explains the risk culture and provides disclosures.When evaluating risk reporting,consider the following question:Does the management team agree on the top opportunities and risks facing the organization,and are these views clearly communicated?If the answer is“no,”the organization chooses to operate in silos,leaving employees in the dark.

 

Policies and Procedures

 

Policies and procedures describe an organization's control environment.These include risk management policies,a code of conduct and data privacy notices.All establish acceptable levels of residual risk.The lack of a policy for a specific risk is an indicator that the risk is viewed as either acceptable or irrelevant.

 

Risk Committees

 

Risk committees of the board and management,as well as thematic committees,have charters that outline accountabilities,approval authorities and hard and soft risk escalation criteria.If these are not in place,it means the organization has decided to make authority figures opaque.

 

Tracking

 

Accountability can be tracked through issue and action management,incident management,case management and corrective actions.This allows employees,customers and suppliers to report a problem or concern.If this tracking does not exist,it signals that accountability does not matter to the organization.

 

角色和职责:谁执行风险治理?

 

The full board is responsible for risk oversight,and will delegate oversight to specific board committees.It should(1)foster a safe zone for challenging decisions;(2)reward management team members who manage and mitigate risks;(3)understand and approve risk appetite;and(4)understand how current,emerging and strategic risks create either upside or downside to the organization's strategy.What's more,the board must understand any risk management competency gaps.

 

The CEO has overall accountability for risk management,and overtly or tacitly delegates risk-taking authorities to the management team.The CRO,meanwhile,typically designs and administers the risk governance framework.

 

Management team members should manage risks through well-understood processes and strong internal controls;use the key risks in their business to define their staff meeting agendas at all levels in the organization;co-chair“risk”governance committees;and understand business continuity plans.

 

Employees must understand the organization's risk culture.Moreover,they should be trained in relevant policies and procedures,recognize when business activities are outside risk appetite,and“raise their hand”to report any issue.Customers and other third-parties should understand the company strategy and associated level of risk.

 

强有力风险治理的形成路径

 

How do you put the mechanisms in place and empower the right employees to run the system?The mechanisms create the pathways;the people apply analytics and corporate culture to make the right decisions.

 

The first step is the tone from the top and a leader's desire to empower the organization to make decisions.The second step is ensuring accountability for risk governance execution.Under the direction of the CEO and CRO,the mechanisms for risk governance can be put in place and socialized.

 

Without proper risk governance,employees,customers and investors can easily become disengaged.

 

Resilient organizations are nimble and adapt to changing risks and regulations through their risk governance approach.Risk governance ensures there is transparency about risks and that people have the right information to make decisions.

 

作者：Brenda Boultwood

 

Brenda Boultwood是一名独立的风险管理顾问。她曾担任美国联合能源公司的高级副总裁和首席风险官，并曾担任首席风险官委员会(CCRO)和GARP的董事会成员。此前，她曾担任MetricStream的行业解决方案高级副总裁，负责一系列关键行业的垂直领域的投资组合，包括能源和公用事业、联邦机构、战略银行和金融服务。在此之前，她曾在多家风险管理公司工作，并在摩根大通(JPMorgan Chase)担任另类投资服务(AlternativeInvestment Services)全球战略主管。在摩根大通，她为该公司的对冲基金服务、私人股本基金服务、杠杆贷款服务和全球衍生品服务制定了战略。她目前在安妮·阿伦德尔劳动力发展公司（Anne Arundel Workforce Development Corporation.）担任董事会成员。