What are the mechanisms of risk governance, and what happens if they don't exist? This question can only be answered through a quick risk governance overview:
The risk appetite statement must clarify the types and levels of risk the organization is willing to accept. Quantitative risk appetite statements can be articulated as some combination of acceptable aggregate operational losses, levels of residual risk and risk metric thresholds. Qualitative risk appetite statements reflect a desired organizational norm, for example zero tolerance for compliance failures or employee drug use.
An organization that does not have a risk appetite statement chooses to operate without guardrails and without clear authority for taking risks.
Reporting lines enhance the visibility of expertise. For example, not all companies need a chief safety officer reporting to the CEO. But the large energy company that faces regulatory scrutiny after a mishap may decide this is important.
Risk reporting provides needed analytics for decision-making, while risk communication explains the risk culture and provides disclosures. When evaluating risk reporting, consider the following question: Does the management team agree on the top opportunities and risks facing the organization, and are these views clearly communicated? If the answer is "no," the organization chooses to operate in silos, leaving employees in the dark.
Policies and Procedures
Policies and procedures describe an organization's control environment. These include risk management policies, a code of conduct and data privacy notices. All establish acceptable levels of residual risk. The lack of a policy for a specific risk is an indicator that the risk is viewed as either acceptable or irrelevant.
Risk committees of the board and management, as well as thematic committees, have charters that outline accountabilities, approval authorities and hard and soft risk escalation criteria. If these are not in place, it means the organization has decided to leave its lines of authority opaque.
Accountability can be tracked through issue and action management, incident management, case management and corrective actions. This allows employees, customers and suppliers to report a problem or concern. If this tracking does not exist, it signals that accountability does not matter to the organization.
The full board is responsible for risk oversight, and will delegate oversight to specific board committees. It should (1) foster a safe zone for challenging decisions; (2) reward management team members who manage and mitigate risks; (3) understand and approve risk appetite; and (4) understand how current, emerging and strategic risks create either upside or downside to the organization's strategy. What's more, the board must understand any risk management competency gaps.
The CEO has overall accountability for risk management, and overtly or tacitly delegates risk-taking authorities to the management team. The CRO, meanwhile, typically designs and administers the risk governance framework.
Management team members should manage risks through well-understood processes and strong internal controls; use the key risks in their business to define their staff meeting agendas at all levels in the organization; co-chair "risk" governance committees; and understand business continuity plans.
Employees must understand the organization's risk culture. Moreover, they should be trained in relevant policies and procedures, recognize when business activities are outside risk appetite, and "raise their hand" to report any issue. Customers and other third parties should understand the company strategy and associated level of risk.
How do you put the mechanisms in place and empower the right employees to run the system? The mechanisms create the pathways; the people apply analytics and corporate culture to make the right decisions.
The first step is the tone from the top and a leader's desire to empower the organization to make decisions. The second step is ensuring accountability for risk governance execution. Under the direction of the CEO and CRO, the mechanisms for risk governance can be put in place and socialized.
Without proper risk governance,employees,customers and investors can easily become disengaged.
Resilient organizations are nimble and adapt to changing risks and regulations through their risk governance approach.Risk governance ensures there is transparency about risks and that people have the right information to make decisions.
Brenda Boultwood is an independent risk management consultant. She formerly served as senior vice president and chief risk officer at Constellation Energy, and was a board member of the Committee of Chief Risk Officers (CCRO) and of GARP. Before that, she was senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals including energy and utilities, federal agencies, strategic banking and financial services. Earlier, she worked at several risk management firms and was global head of strategy for Alternative Investment Services at JPMorgan Chase, where she developed the strategy for the firm's hedge fund services, private equity fund services, leveraged loan services and global derivatives services. She currently serves as a board member of the Anne Arundel Workforce Development Corporation.