
Risk Governance Revisited

Nov 21, 2021

Recently we re-published an earlier blog post, “What do I need to know about risk?” and shared The Savvy Director Guide to Risk with our subscribers as well as our network on LinkedIn.

Of course, there’s no way that a single blog post can cover the full breadth of a complex topic like risk. After all, there are entire books and courses of study devoted to the subject. Comments from some of our Savvy Director readers gave us great ideas for a follow-up blog on the topic.

Many thanks to those who shared their thoughts about additional concepts that Savvy Director readers could benefit from.


Risk Culture

Grant Griffiths, board advisor, commented,

“One thing I would add is culture; it is so important when it comes to the management and oversight of risk. Without a risk-aware culture - driven from the board, who set the tone - achieving effective management and oversight of risk becomes complicated and has less chance of succeeding.”

Implementing a risk-based approach across all parts of the organization, and integrating it into the culture, is a fundamental component of a successful Enterprise Risk Management (ERM) program. The most risk-mature organizations have a risk-aware culture.

According to the Institute of Risk Management, risk culture is defined as the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.

“Risk culture matters because risk management cannot function in a vacuum, and you’d be hard pressed to find a program that has survived when leadership has failed.” – Boris Khazin, Addressing the Unavoidable: Why a Risk Culture is Important

An organization with a strong risk culture recognizes that risks exist and promotes discussions about them; fosters a timely response to risks as they arise; seeks out information about risk from all over the organization; designs effective risk management processes; and holds people accountable for adhering to them.

On the other hand, organizations with an inadequate risk culture tend to permit actions that contravene policies or fail to address them once they’re discovered. This sets a tone for ignoring issues that could hamper the achievement of strategic goals or even lead to reputational and financial damage.

What This Means for Directors

Understanding the strength of the organization’s risk culture is clearly a matter for board oversight. Look for these signs of a strong risk culture:

  • Risk management is acknowledged by the executive team.
  • Leaders follow ethical principles for decision-making.
  • The organization learns from its mistakes.
  • Risks easily escalate up the chain of management without fear of blame or retaliation.
  • Accountability for and management of risks exist throughout the organization at every level.
  • Management encourages appropriate risk-taking.
  • Employees with risk management skills and knowledge are highly valued.
  • Training and education on risk management are encouraged.


Risk Appetite and Risk Tolerance

Brian Brown, internal audit guru, commented,

“How does a board get assurance that risks are adequately mitigated? The first issue is establishment of risk appetite and risk tolerance so the board has educated frames of reference.”

Risk appetite pertains to long-term strategy - an organization’s risk appetite indicates the amount of risk it’s willing to accept to attain its business objectives. Risk appetite can vary widely based on factors such as industry, culture, competition, objectives, and financial strength and capabilities, and can evolve over time as circumstances change.

A risk appetite statement communicates the organization’s risk appetite to its stakeholders, helps the organization understand and manage its exposure, enables executives to make informed decisions, and gives direction to the organization’s risk and compliance programs.

The risk appetite statement can express the corporate attitude toward risk in qualitative terms such as risk-neutral, risk-averse, and risk-seeking, or in quantitative terms such as a dollar amount or financial ratio.

Risk tolerance is the degree of variance from its risk appetite that the organization is willing to tolerate. It’s more granular than risk appetite and affects individual risks, setting the acceptable minimum and maximum variation levels for an organization, business unit, initiative, or risk category.

There are many factors that affect an organization’s risk tolerance. For instance, it may be willing to take more risks on a critical project but far fewer on a project that’s less important.

What This Means for Directors

When it comes to the board’s role in establishing risk appetite and risk tolerance – and the factors that it should consider – the publication ‘A Framework for Board Oversight of Enterprise Risk’ from The Chartered Professional Accountants of Canada offers valuable guidance.

This framework tells us that progressive boards treat risk tolerance as a critical input to strategic and tactical decisions. In setting risk tolerance parameters, the board should understand the organization’s sustainability and the consequences of the risks it takes.

It goes on to explain that risk appetite can be a driving force for growth, so in setting risk appetite, directors should consider the same factors as risk tolerance, while overlaying expectations around returns.


The Three Lines Model

Brian Brown’s comment continued:

“Who is monitoring these on behalf of the board? ... Getting independent expert assurance is even more important than asking questions … For very material risks, boards may wish to engage an external firm to study and provide assurance and recommendations if needed.”

The Three Lines Model refers to a risk management approach that distinguishes among risk owners, risk oversight, and independent assurance. It’s an update of the Three Lines of Defence model, published in 2013, which was designed to address risk management issues by clarifying roles and responsibilities.

The prior model set out three ‘lines of defence’ – first, day-to-day risk decisions made by operational management; second, formal compliance and risk management functions; and third, independent assurance from internal or external audit. The model has been an effective tool, but over time it’s been criticized for inhibiting collaboration and being too bureaucratic.

So in 2020, the Institute of Internal Auditors (IIA) released an update called the Three Lines Model reflecting the evolving role of risk management, encouraging greater collaboration between business functions, focusing on stakeholder value, and promoting strong governance.

What This Means for Directors

With its clear articulation of principles and roles, the IIA's Three Lines Model is a solid framework to guide board directors in their risk oversight responsibilities.

As the board receives reports from management on activities, outcomes, and forecasts, both the board and management rely on internal audit to provide independent, objective assurance and advice that will help the organization reach its goals, while facilitating strong governance and risk management.

Not every organization has its own internal audit function – that’s when the board should not hesitate to call in external resources to provide the independent assurance and advice that it needs.


Risk Maturity

Julie Garland McLellan, boardroom expert, commented:

“For those looking to add to the steps in the guide I suggest reading about 'risk maturity' which is a very good focus for the board to have in assessing its risk reporting and systems.”

Risk maturity is a way of assessing an organization’s ERM program to help understand its reliability and effectiveness in identifying, assessing, and managing risks and opportunities.

A risk maturity model provides guidance to organizations that want to improve their approach to risk, allowing them to assess their current state, identify targets, and develop improvement plans. There are a few different models out there. Don’t be thrown off by the fact that each model labels the levels differently – the actual labels are less important than the concepts they incorporate. The model introduced by the Risk Management Society (RIMS) in 2006 is likely the most familiar. It features five maturity levels (Ad-Hoc, Initial, Repeatable, Managed, and Leadership).

RIMS is currently working on a new model based on five pillars - strategic alignment, culture, risk management capabilities, governance, and analytics. A sneak peek of the new model, revealed at the 2021 ERM Conference earlier this month, outlined five tiers of risk maturity:

What This Means for Directors

The concept of risk maturity can be valuable to the board’s oversight of risk. It lends itself to the kind of governance questions that board directors can use to fully understand the state of the organization’s ERM program. Like so many business functions, risk management is not static, so it’s very helpful for directors to know where the organization stands now and where it’s headed.


Your takeaways:

  • The board has a critical role in establishing the organization’s risk appetite and risk tolerance levels, and in ensuring they are considered as a critical input to strategic decision-making.
  • The Three Lines Model is a solid framework to guide board directors in their risk oversight responsibilities, especially when it comes to independent assurance.
  • The concept of risk maturity lends itself to the kind of governance questions that board directors can use to fully understand the state of the organization’s ERM program.
  • The board’s oversight includes monitoring the strength of the organization’s risk culture.






Scott Baldwin is a certified corporate director (ICD.D) and co-founder of – an online hub with hundreds of guideline questions and resources to help prepare for your next board meeting.

Share Your Insight: We’d love to hear your thoughts about the board’s role in oversight of enterprise risk management.


